Merge branch 'main' into vsmandalika-devops4318240-28aug

This commit is contained in:
Daniel Simpson 2022-06-10 13:24:52 -07:00 committed by GitHub
commit baed1fa408
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
846 changed files with 14630 additions and 9752 deletions

View File

@ -19496,14 +19496,14 @@
"redirect_document_id": false
},
{
"source_path": "windows/education/itadmins.yml",
"redirect_url": "/education/",
"redirect_document_id": true
"source_path": "education/itadmins.yml",
"redirect_url": "/education",
"redirect_document_id": false
},
{
"source_path": "windows/education/partners.yml",
"redirect_url": "/education/",
"redirect_document_id": true
"source_path": "education/partners.yml",
"redirect_url": "/education",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-compliance-toolkit-10.md",
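Review bot: in the itadmins.yml and partners.yml entries, `redirect_document_id` flips from `true` to `false` at the same time as `source_path` drops the `windows/` prefix and `redirect_url` loses its trailing slash; if the aim is only to correct the path, keep `redirect_document_id: true` so the original document id still follows the redirect, and if the flip is intentional, say why in the PR description, because the two changes cannot be reverted separately once bundled into one entry.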
@ -19511,9 +19511,49 @@
"redirect_document_id": false
},
{
"source_path": "windows/education/developers.yml",
"redirect_url": "/education/",
"redirect_document_id": true
"source_path": "windows-docs-pr/windows/client-management/mdm/remotering-csp.md",
"redirect_url": "/windows/client-management/mdm/configuration-service-provider-reference",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/mdm/remotering-ddf-file.md",
"redirect_url": "/windows/client-management/mdm/configuration-service-provider-reference",
"redirect_document_id": false
},
{
"source_path": "education/developers.yml",
"redirect_url": "/education",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/mdm/enterpriseappmanagement-csp.md",
"redirect_url": "/windows/client-management/mdm/configuration-service-provider-reference",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/mdm/messaging-ddf.md",
"redirect_url": "/windows/client-management/mdm/configuration-service-provider-reference",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/mdm/messaging-csp.md",
"redirect_url": "/windows/client-management/mdm/configuration-service-provider-reference",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/mdm/policymanager-csp.md",
"redirect_url": "/windows/client-management/mdm/configuration-service-provider-reference",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/mdm/proxy-csp.md",
"redirect_url": "/windows/client-management/mdm/configuration-service-provider-reference",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/img-boot-sequence.md",
"redirect_url": "/windows/client-management/advanced-troubleshooting-boot-problems#boot-sequence",
"redirect_document_id": false
}
]
}
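Review bot: the `remotering-csp.md` entry's `source_path` starts with `windows-docs-pr/`, the repository name, while every neighbouring entry (for example `windows/client-management/mdm/remotering-ddf-file.md`) is relative to the repository root; a path that includes the repo name will never match the file, so this redirect silently does nothing. Drop the prefix so it reads `"source_path": "windows/client-management/mdm/remotering-csp.md"`.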

View File

@ -2,10 +2,11 @@
Thank you for your interest in the Windows IT professional documentation! We appreciate your feedback, edits, and additions to our docs.
This page covers the basic steps for editing our technical documentation.
For a more up-to-date and complete contribution guide, see the main [Microsoft Docs contributor guide overview](https://docs.microsoft.com/contribute/).
## Sign a CLA
All contributors who are ***not*** a Microsoft employee must [sign a Microsoft Contribution Licensing Agreement (CLA)](https://cla.microsoft.com/) before editing any Microsoft repositories.
All contributors who are ***not*** a Microsoft employee or vendor must [sign a Microsoft Contributor License Agreement (CLA)](https://cla.microsoft.com/) before editing any Microsoft repositories.
If you've already edited within Microsoft repositories in the past, congratulations!
You've already completed this step.
@ -14,92 +15,71 @@ You've already completed this step.
We've tried to make editing an existing, public file as simple as possible.
> **Note**<br>
>At this time, only the English (en-us) content is available for editing.
> At this time, only the English (en-us) content is available for editing. If you have suggestions for edits to localized content, file feedback on the article.
**To edit a topic**
### To edit a topic
1. Go to the page on docs.microsoft.com that you want to update, and then click **Edit**.
1. Go to the page on [docs.microsoft.com](https://docs.microsoft.com/) that you want to update.
![GitHub Web, showing the Edit link.](images/contribute-link.png)
> **Note**<br>
> If you're a Microsoft employee or vendor, before you edit the article, append `review.` to the beginning of the URL. This action lets you use the private repository, **windows-docs-pr**. For more information, see the [internal contributor guide](https://review.docs.microsoft.com/help/get-started/edit-article-in-github?branch=main).
2. Log into (or sign up for) a GitHub account.
1. Then select the **Pencil** icon.
You must have a GitHub account to get to the page that lets you edit a topic.
![Microsoft Docs Web, showing the Edit This Document link.](images/contribute-link.png)
3. Click the **Pencil** icon (in the red box) to edit the content.
If the pencil icon isn't present, the content might not be open to public contributions. Some pages are generated (for example, from inline documentation in code) and must be edited in the project they belong to. This isn't always the case and you might be able to find the documentation by searching the [Microsoft Docs Organization on GitHub](https://github.com/MicrosoftDocs).
![GitHub Web, showing the Pencil icon in the red box.](images/pencil-icon.png)
> **TIP**<br>
> View the page source in your browser, and look for the following metadata: `original_content_git_url`. This path always points to the source markdown file for the article.
4. Using Markdown language, make your changes to the topic. For info about how to edit content using Markdown, see:
- **If you're linked to the Microsoft organization in GitHub:** [Windows authoring guide](https://aka.ms/WindowsAuthoring)
1. In GitHub, select the **Pencil** icon to edit the article. If the pencil icon is grayed out, you need to either sign in to your GitHub account or create a new account.
- **If you're external to Microsoft:** [Mastering Markdown](https://guides.github.com/features/mastering-markdown/)
![GitHub Web, showing the Pencil icon.](images/pencil-icon.png)
5. Make your suggested change, and then click **Preview Changes** to make sure it looks correct.
1. Using Markdown language, make your changes to the file. For info about how to edit content using Markdown, see the [Microsoft Docs Markdown reference](https://docs.microsoft.com/contribute/markdown-reference) and GitHub's [Mastering Markdown](https://guides.github.com/features/mastering-markdown/) documentation.
![GitHub Web, showing the Preview Changes tab.](images/preview-changes.png)
1. Make your suggested change, and then select **Preview changes** to make sure it looks correct.
6. When youre done editing the topic, scroll to the bottom of the page, and then click **Propose file change** to create a fork in your personal GitHub account.
![GitHub Web, showing the Preview changes tab.](images/preview-changes.png)
![GitHub Web, showing the Propose file change button.](images/propose-file-change.png)
1. When you're finished editing, scroll to the bottom of the page. In the **Propose changes** area, enter a title and optionally a description for your changes. The title will be the first line of the commit message. Briefly state _what_ you changed. Select **Propose changes** to commit your changes:
The **Comparing changes** screen appears to see what the changes are between your fork and the original content.
![GitHub Web, showing the Propose changes button.](images/propose-changes.png)
7. On the **Comparing changes** screen, youll see if there are any problems with the file youre checking in.
If there are no problems, youll see the message, **Able to merge**.
1. The **Comparing changes** screen appears to show what the changes are between your fork and the original content. On the **Comparing changes** screen, you'll see if there are any problems with the file you're checking. If there are no problems, you'll see the message **Able to merge**.
![GitHub Web, showing the Comparing changes screen.](images/compare-changes.png)
8. Click **Create pull request**.
Select **Create pull request**. Next, enter a title and description to give the approver the appropriate context about _why_ you're suggesting this change. Make sure that only your changed files are in this pull request; otherwise, you could overwrite changes from other people.
9. Enter a title and description to give the approver the appropriate context about whats in the request.
1. Select **Create pull request** again to actually submit the pull request.
10. Scroll to the bottom of the page, making sure that only your changed files are in this pull request. Otherwise, you could overwrite changes from other people.
11. Click **Create pull request** again to actually submit the pull request.
The pull request is sent to the writer of the topic and your edits are reviewed. If your request is accepted, updates are published to one of the following places:
- [Windows 10](https://docs.microsoft.com/windows/windows-10)
- [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy)
- [Surface](https://docs.microsoft.com/surface)
- [Surface Hub](https://docs.microsoft.com/surface-hub)
- [HoloLens](https://docs.microsoft.com/hololens)
The pull request is sent to the writer of the topic and your edits are reviewed. If your request is accepted, updates are published to their respective article. This repository contains articles on some of the following topics:
- [Windows client documentation for IT Pros](https://docs.microsoft.com/windows/resources/)
- [Microsoft Store](https://docs.microsoft.com/microsoft-store)
- [Windows 10 for Education](https://docs.microsoft.com/education/windows)
- [Windows 10 for SMB](https://docs.microsoft.com/windows/smb)
- [Internet Explorer 11](https://docs.microsoft.com/internet-explorer)
- [Microsoft Desktop Optimization Pack](https://docs.microsoft.com/microsoft-desktop-optimization-pack)
- [Internet Explorer 11](https://docs.microsoft.com/internet-explorer/)
## Making more substantial changes
To make substantial changes to an existing article, add or change images, or contribute a new article, you will need to create a local clone of the content.
For info about creating a fork or clone, see the GitHub help topic, [Fork a Repo](https://help.github.com/articles/fork-a-repo/).
To make substantial changes to an existing article, add or change images, or contribute a new article, you'll need to create a local clone of the content.
For info about creating a fork or clone, see [Set up a local Git repository](https://docs.microsoft.com/contribute/get-started-setup-local). The GitHub docs topic, [Fork a Repo](https://docs.github.com/articles/fork-a-repo), is also insightful.
Fork the official repo into your personal GitHub account, and then clone the fork down to your local device. Work locally, then push your changes back into your fork. Then open a pull request back to the master branch of the official repo.
Fork the official repo into your personal GitHub account, and then clone the fork down to your local device. Work locally, then push your changes back into your fork. Finally, open a pull request back to the main branch of the official repo.
## Using issues to provide feedback on documentation
If you just want to provide feedback rather than directly modifying actual documentation pages, you can create an issue in the repository.
At the top of a topic page you'll see an **Issues** tab. Click the tab and then click the **New issue** button.
At the top of an article, you'll see a feedback icon. Select the icon to go to the **Feedback** section at the bottom of the article. Then select **This page** to file feedback for the current article.
Be sure to include the topic title and the URL for the page you're submitting the issue for, if that page is different from the page you launched the **New issue** dialog from.
In the new issue form, enter a brief title. In the body of the form, describe the concern, but don't modify the **Document Details** section. You can use markdown in this form. When you're ready, select **Submit new issue**.
## Resources
You can use your favorite text editor to edit Markdown. We recommend [Visual Studio Code](https://code.visualstudio.com/), a free lightweight open source editor from Microsoft.
You can learn the basics of Markdown in just a few minutes. To get started, check out [Mastering Markdown](https://guides.github.com/features/mastering-markdown/).
- You can use your favorite text editor to edit Markdown files. We recommend [Visual Studio Code](https://code.visualstudio.com/), a free lightweight open source editor from Microsoft.
- You can learn the basics of Markdown in just a few minutes. To get started, check out [Mastering Markdown](https://guides.github.com/features/mastering-markdown/).
- Microsoft Docs uses several custom Markdown extensions. To learn more, see the [Microsoft Docs Markdown reference](https://docs.microsoft.com/contribute/markdown-reference).
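Review bot: the alt text for `images/contribute-link.png` still reads "GitHub Web, showing the Edit link" although the step it now illustrates happens on docs.microsoft.com and the old alt text ("Microsoft Docs Web, showing the Edit This Document link") was removed; update it to describe the docs page. Two smaller wording points: the employee/vendor note says to "append `review.` to the beginning of the URL" (prepend, or "insert `review.` before `docs.microsoft.com`"), and in the hunk as shown the sentence starting "Select **Create pull request**. Next, enter a title and description" carries no `1.` marker unlike the steps around it, so it will render as a paragraph rather than as the step it is meant to be.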

View File

@ -23,11 +23,11 @@ ms.date: 07/27/2017
**Applies to:**
- Windows 10
- Windows 8.1
- Windows 7
- Windows Server 2012 R2
- Windows Server 2008 R2 with Service Pack 1 (SP1)
- Windows 10
- Windows 8.1
- Windows 7
- Windows Server 2012 R2
- Windows Server 2008 R2 with Service Pack 1 (SP1)
You can turn on local control of Enterprise Mode so that your users can turn Enterprise Mode on from the **Tools** menu. Turning on this feature also adds the **Enterprise** browser profile to the **Emulation** tab of the F12 developer tools.
@ -53,16 +53,13 @@ Besides turning on this feature, you also have the option to provide a URL for E
Your **Value data** location can be any of the following types:
- **URL location (like, https://www.emieposturl.com/api/records or https://localhost:13000)**. IE sends a POST message to the URL every time a change is made to Enterprise Mode from the **Tools** menu.<p>**Important**<br>
The `https://www.emieposturl.com/api/records` example will only work if youve downloaded the sample discussed in the [Set up Enterprise Mode logging and data collection](set-up-enterprise-mode-logging-and-data-collection.md) topic. If you dont have the sample, you wont have the web API.
- **Local network location (like, https://<em>emieposturl</em>/)**. IE sends a POST message to your specified local network location every time a change is made to Enterprise Mode from the **Tools** menu.
- **Empty string**. If you leave the **Value data** box blank; your employees will be able to turn Enterprise Mode on and off from the **Tools** menu, but you wont collect any logging data.
- **URL location**, for example: `https://www.emieposturl.com/api/records` or `https://localhost:13000`. IE sends a POST message to the URL every time a change is made to Enterprise Mode from the **Tools** menu.
> [!Important]
> The `https://www.emieposturl.com/api/records` example will only work if you've downloaded the sample discussed in the [Set up Enterprise Mode logging and data collection](set-up-enterprise-mode-logging-and-data-collection.md) article. If you don't have the sample, you won't have the web API.
- **Local network location**, for example: `https://emieposturl/`. IE sends a POST message to your specified local network location every time a change is made to Enterprise Mode from the **Tools** menu.
- **Empty string**. If you leave the **Value data** box blank; your employees will be able to turn Enterprise Mode on and off from the **Tools** menu, but you won't collect any logging data.
For information about how to collect the data provided when your employees turn Enterprise Mode on or off from the **Tools** menu, see [Set up Enterprise Mode logging and data collection](set-up-enterprise-mode-logging-and-data-collection.md).
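Review bot: the rewritten **Empty string** bullet keeps the stray semicolon from the old text ("If you leave the **Value data** box blank; your employees..."); it should be a comma. Moving the example endpoints into backticks is the right call, since the value is a URL that IE will POST to on every Enterprise Mode change, and keeping both examples on `https://` as the hunk does is worth preserving.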

View File

@ -34,8 +34,6 @@ landingContent:
url: /lifecycle/faq/internet-explorer-microsoft-edge
- linkListType: download
links:
- text: Download IE11 with Windows 10
url: https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise
- text: Enterprise Mode Site List Manager (schema, v.2)
url: https://www.microsoft.com/download/details.aspx?id=49974
- text: Cumulative security updates for Internet Explorer 11

View File

@ -111,7 +111,7 @@ Back up all your data before installing Windows 10 in S mode. Only personal file
Windows 10 in S mode doesn't support non-Azure Active Directory domain accounts. Before installing Windows 10 in S mode, you must have at least one of these administrator accounts:
- Local administrator
- Microsoft Account (MSA) administrator
- Microsoft account administrator
- Azure Active Directory administrator
> [!WARNING]

View File

@ -52,6 +52,7 @@ Windows 11 SE comes with some preinstalled apps. The following apps can also run
|DRC INSIGHT Online Assessments |12.0.0.0 |Store |Data recognition Corporation|
|Duo from Cisco |2.25.0 |Win32 |Cisco|
|e-Speaking Voice and Speech recognition |4.4.0.8 |Win32 |e-speaking|
|eTests |4.0.25 |Win32 |CASAS|
|FortiClient |7.0.1.0083 |Win32 |Fortinet|
|Free NaturalReader |16.1.2 |Win32 |Natural Soft|
|GoGuardian |1.4.4 |Win32 |GoGuardian|
@ -73,7 +74,7 @@ Windows 11 SE comes with some preinstalled apps. The following apps can also run
|NextUp Talker |1.0.49 |Win32 |NextUp Technologies|
|NonVisual Desktop Access |2021.3.1 |Win32 |NV Access|
|NWEA Secure Testing Browser |5.4.300.0 |Win32 |NWEA|
|Pearson TestNav |1.10.2.0 |Win32 |Pearson|
|Pearson TestNav |1.10.2.0 |Store |Pearson|
|Questar Secure Browser |4.8.3.376 |Win32 |Questar|
|ReadAndWriteForWindows |12.0.60.0 |Win32 |Texthelp Ltd.|
|Remote Help |3.8.0.12 |Win32 |Microsoft|
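Review bot: the Pearson TestNav row changes the type from Win32 to Store but leaves the version at 1.10.2.0; Store packages carry their own version numbers, so confirm that 1.10.2.0 is the Store listing's version and not the Win32 installer's.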
@ -81,7 +82,7 @@ Windows 11 SE comes with some preinstalled apps. The following apps can also run
|Safe Exam Browser |3.3.2.413 |Win32 |Safe Exam Browser|
|Secure Browser |14.0.0 |Win32 |Cambium Development|
|Secure Browser |4.8.3.376 |Win32 |Questar, Inc|
|SensoCloud test |2021.11.15.0 |Win32|Senso.Cloud|
|Senso.Cloud |2021.11.15.0 |Win32|Senso.Cloud|
|SuperNova Magnifier & Screen Reader |21.02 |Win32 |Dolphin Computer Access|
|Zoom |5.9.1 (2581)|Win32 |Zoom|
|ZoomText Fusion |2022.2109.10|Win32 |Freedom Scientific|

Binary file (not shown): before 31 KiB, after 98 KiB

Binary file (not shown): before 4.1 KiB, after 6.8 KiB

Binary file (not shown): before 9.8 KiB, after 18 KiB

Binary file (not shown): before 6.0 KiB, after 21 KiB

BIN images/propose-changes.png (new file, not shown): after 45 KiB

Binary file (not shown): before 20 KiB

View File

@ -1,10 +1,11 @@
items:
- name: Docs
tocHref: /
topicHref: /
items:
- name: Windows
tocHref: /windows
topicHref: https://docs.microsoft.com/windows/#pivot=it-pro
topicHref: /windows/resources/
items:
- name: SMB
tocHref: /windows/smb

View File

@ -574,7 +574,7 @@ See [Add users to Office 365](/microsoft-365/admin/add-users/add-users) to learn
To learn more about the services and tools mentioned in this walkthrough, and learn what other tasks you can do, follow these links:
- [Set up Office 365 for business](/microsoft-365/admin/setup)
- Common admin tasks in Office 365 including email and OneDrive in [Manage Office 365](/microsoft-365/admin/)
- More info about managing devices, apps, data, troubleshooting, and more in the [/mem/intune/](/mem/intune/)
- More info about managing devices, apps, data, troubleshooting, and more in the [Intune documentation](/mem/intune/)
- Learn more about Windows client in the [Windows client documentation for IT Pros](/windows/resources/).
- Info about distributing apps to your employees, managing apps, managing settings, and more in [Microsoft Store for Business](/microsoft-store/)

View File

@ -50,10 +50,11 @@ You can create collections of apps within your private store. Collections allow
You can add a collection to your private store from the private store, or from the details page for an app.
**From private store**
1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com).
2. Click your private store.</br>
![Image showing private store name on MSfB store UI.](images/msfb-click-private-store.png)
![Image showing private store name on Microsoft Store for Business store UI.](images/msfb-click-private-store.png)
3. Click **Add a Collection**.</br>
![Image showing Add a Collection.](images/msfb-add-collection.png)
@ -65,6 +66,7 @@ You can add a collection to your private store from the private store, or from t
> New collections require at least one app, or they will not be created.
**From app details page**
1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com).
2. Click **Manage**, and then click **Products & services**.
3. Under **Apps & software**, choose an app you want to include in a new collection.
@ -84,12 +86,13 @@ If you've already added a Collection to your private store, you can easily add a
1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com).
2. Click your private store.</br>
![Image showing private store name on MSfB store UI.](images/msfb-click-private-store.png)
![Image showing private store name on Microsoft Store for Business store UI.](images/msfb-click-private-store.png)
3. Click the ellipses next to the collection name, and click **Edit collection**.
4. Add or remove products from the collection, and then click **Done**.
You can also add an app to a collection from the app details page.
1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com).
2. Click **Manage**, and then click **Products & services**.
3. Under **Apps & software**, choose an app you want to include in a new collection.

View File

@ -45,7 +45,7 @@ You'll need to set up:
- LOB publishers need to have an app in Microsoft Store, or have an app ready to submit to the Store.
The process and timing look like this:
![Process showing LOB workflow in Microsoft Store for Business. Includes workflow for MSFB admin, LOB publisher, and Developer.](images/lob-workflow.png)
![Process showing LOB workflow in Microsoft Store for Business. Includes workflow for Microsoft Store for Business admin, LOB publisher, and Developer.](images/lob-workflow.png)
## <a href="" id="add-lob-publisher"></a>Add an LOB publisher (Admin)
Admins need to invite developer or ISVs to become an LOB publisher.

View File

@ -31,7 +31,7 @@ Organizations that use Windows Server Update Services (WSUS) must take action to
1. Download the FOD .cab file:
- [Windows 11, version 21H2](https://software-download.microsoft.com/download/sg/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd_64~~.cab)
- [Windows 10, version 2004](https://software-download.microsoft.com/download/pr/6cf73b63/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab)
- [Windows 10, version 2004](https://software-static.download.prss.microsoft.com/pr/download/6cf73b63/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab)
- [Windows 10, version 1903 and 1909](https://software-download.microsoft.com/download/pr/Microsoft-Windows-Holographic-Desktop-FOD-Package-31bf3856ad364e35-amd64.cab)
- [Windows 10, version 1809](https://software-download.microsoft.com/download/pr/microsoft-windows-holographic-desktop-fod-package31bf3856ad364e35amd64_1.cab)
- [Windows 10, version 1803](https://download.microsoft.com/download/9/9/3/9934B163-FA01-4108-A38A-851B4ACD1244/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab)
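Review bot: only the Windows 10, version 2004 link moves to `software-static.download.prss.microsoft.com`; the 21H2, 1903/1909 and 1809 entries still point at `software-download.microsoft.com`, so either those still resolve (worth checking in the same PR) or they need the same host change. Also, in the unchanged context, the Windows 11 link's file name has `~amd_64~~` where every other entry has `~amd64~~`, which looks like a typo in the URL.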

View File

@ -2,11 +2,11 @@
title: Advanced troubleshooting for Windows boot problems
description: Learn to troubleshoot when Windows can't boot. This article includes advanced troubleshooting techniques intended for use by support agents and IT professionals.
ms.prod: w10
ms.sitesec: library
author: aczechowski
ms.technology: windows
ms.localizationpriority: medium
ms.date: 06/02/2022
author: aczechowski
ms.author: aaroncz
ms.date: 11/16/2018
ms.reviewer:
manager: dougeby
ms.topic: troubleshooting
@ -15,16 +15,15 @@ ms.collection: highpri
# Advanced troubleshooting for Windows boot problems
<p class="alert is-flex is-primary"><span class="has-padding-left-medium has-padding-top-extra-small"><a class="button is-primary" href="https://vsa.services.microsoft.com/v1.0/?partnerId=7d74cf73-5217-4008-833f-87a1a278f2cb&flowId=DMC&initialQuery=boot" target='_blank'><b>Try our Virtual Agent</b></a></span><span class="has-padding-small"> - It can help you quickly identify and fix common Windows boot issues</span>
<p class="alert is-flex is-primary"><span class="has-padding-left-medium has-padding-top-extra-small"><a class="button is-primary" href="https://vsa.services.microsoft.com/v1.0/?partnerId=7d74cf73-5217-4008-833f-87a1a278f2cb&flowId=DMC&initialQuery=boot" target='_blank'><b>Try our Virtual Agent</b></a></span><span class="has-padding-small"> - It can help you quickly identify and fix common Windows boot issues.</span>
> [!NOTE]
> This article is intended for use by support agents and IT professionals. If you're looking for more general information about recovery options, see [Recovery options in Windows 10](https://support.microsoft.com/help/12415).
> This article is intended for use by support agents and IT professionals. If you're looking for more general information about recovery options, see [Recovery options in Windows 10](https://support.microsoft.com/windows/recovery-options-in-windows-31ce2444-7de3-818c-d626-e3b5a3024da5).
## Summary
There are several reasons why a Windows-based computer may have problems during startup. To troubleshoot boot problems, first determine in which of the following phases the computer gets stuck:
| Phase | Boot Process | BIOS | UEFI |
|-----------|----------------------|------------------------------------|-----------------------------------|
| 1 | PreBoot | MBR/PBR (Bootstrap Code) | UEFI Firmware |
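Review bot: the `<p class="alert ...">` opened on the Virtual Agent line is never closed, before or after the change; add `</p>` after the last `<span>`. The link also uses `target='_blank'` without `rel="noopener noreferrer"`; current browsers imply noopener for `_blank`, but adding it explicitly costs nothing and keeps the opened page from reaching `window.opener` in older ones.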
@ -32,31 +31,21 @@ There are several reasons why a Windows-based computer may have problems during
| 3 | Windows OS Loader | %SystemRoot%\system32\winload.exe | %SystemRoot%\system32\winload.efi |
| 4 | Windows NT OS Kernel | %SystemRoot%\system32\ntoskrnl.exe | |
**1. PreBoot**
1. **PreBoot**: The PC's firmware initiates a power-on self test (POST) and loads firmware settings. This pre-boot process ends when a valid system disk is detected. Firmware reads the master boot record (MBR), and then starts Windows Boot Manager.
The PCs firmware initiates a Power-On Self Test (POST) and loads firmware settings. This pre-boot process ends when a valid system disk is detected. Firmware reads the master boot record (MBR), and then starts Windows Boot Manager.
2. **Windows Boot Manager**: Windows Boot Manager finds and starts the Windows loader (Winload.exe) on the Windows boot partition.
**2. Windows Boot Manager**
3. **Windows operating system loader**: Essential drivers required to start the Windows kernel are loaded and the kernel starts to run.
Windows Boot Manager finds and starts the Windows loader (Winload.exe) on the Windows boot partition.
**3. Windows operating system loader**
Essential drivers required to start the Windows kernel are loaded and the kernel starts to run.
**4. Windows NT OS Kernel**
The kernel loads into memory the system registry hive and other drivers that are marked as BOOT_START.
4. **Windows NT OS Kernel**: The kernel loads into memory the system registry hive and other drivers that are marked as BOOT_START.
The kernel passes control to the session manager process (Smss.exe) which initializes the system session, and loads and starts the devices and drivers that aren't marked BOOT_START.
Here's a summary of the boot sequence, what will be seen on the display, and typical boot problems at that point in the sequence. Before starting troubleshooting, you have to understand the outline of the boot process and display status to ensure that the issue is properly identified at the beginning of the engagement.
![thumbnail of boot sequence flowchart.](images/boot-sequence-thumb.png)<br>
[Click to enlarge](img-boot-sequence.md)<br>
<a name="boot-sequence"></a>
Here's a summary of the boot sequence, what will be seen on the display, and typical boot problems at that point in the sequence. Before you start troubleshooting, you have to understand the outline of the boot process and display status to ensure that the issue is properly identified at the beginning of the engagement. Select the thumbnail to view it larger.
:::image type="content" source="images/boot-sequence-thumb.png" alt-text="Diagram of the boot sequence flowchart." lightbox="images/boot-sequence.png":::
Each phase has a different approach to troubleshooting. This article provides troubleshooting techniques for problems that occur during the first three phases.
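Review bot: the new numbered **PreBoot** item says firmware "reads the master boot record (MBR), and then starts Windows Boot Manager", which describes only the BIOS column of the table above; on UEFI systems (the `UEFI Firmware` column) the firmware loads the boot manager from the EFI system partition instead, so a clause covering both paths would keep the list consistent with the table. Also, the sentence beginning "The kernel passes control to the session manager process (Smss.exe)" now appears as a separate line after item 4, so check its indentation so that it renders as a continuation of the kernel step rather than as a paragraph that ends the list.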
@ -69,7 +58,6 @@ Each phase has a different approach to troubleshooting. This article provides tr
>
> `Bcdedit /set {default} bootmenupolicy legacy`
## BIOS phase
To determine whether the system has passed the BIOS phase, follow these steps:
@ -93,19 +81,18 @@ If the screen is black except for a blinking cursor, or if you receive one of th
- Bootmgr missing or corrupted
- Unable to boot due to system hive missing or corrupted
To troubleshoot this problem, use Windows installation media to start the computer, press Shift+F10 for a command prompt, and then use any of the following methods.
To troubleshoot this problem, use Windows installation media to start the computer, press **Shift** + **F10** for a command prompt, and then use any of the following methods.
### Method 1: Startup Repair tool
The Startup Repair tool automatically fixes many common problems. The tool also lets you quickly diagnose and repair more complex startup problems. When the computer detects a startup problem, the computer starts the Startup Repair tool. When the tool starts, it performs diagnostics. These diagnostics include analyzing startup log files to determine the cause of the problem. When the Startup Repair tool determines the cause, the tool tries to fix the problem automatically.
To do this task of invoking the Startup Repair tool, follow these steps.
To do this task of invoking the Startup Repair tool, follow these steps.
> [!NOTE]
> For additional methods to start WinRE, see [Windows Recovery Environment (Windows RE)](/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference#span-identrypointsintowinrespanspan-identrypointsintowinrespanspan-identrypointsintowinrespanentry-points-into-winre).
> For additional methods to start WinRE, see [Windows Recovery Environment (Windows RE)](/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference#entry-points-into-winre).
1. Start the system to the installation media for the installed version of Windows. For more information, see [Create installation media for Windows](https://support.microsoft.com/help/15088).
1. Start the system to the installation media for the installed version of Windows. For more information, see [Create installation media for Windows](https://support.microsoft.com/windows/create-installation-media-for-windows-99a58364-8c02-206f-aa6f-40c3b507420d).
2. On the **Install Windows** screen, select **Next** > **Repair your computer**.
@ -117,28 +104,26 @@ To do this task of invoking the Startup Repair tool, follow these steps.
The Startup Repair tool generates a log file to help you understand the startup problems and the repairs that were made. You can find the log file in the following location:
**%windir%\System32\LogFiles\Srt\Srttrail.txt**
For more information, see [A Stop error occurs, or the computer stops responding when you try to start Windows Vista or Windows 7](https://support.microsoft.com/help/925810/a-stop-error-occurs-or-the-computer-stops-responding-when-you-try-to-s)
`%windir%\System32\LogFiles\Srt\Srttrail.txt`
For more information, see [Troubleshoot blue screen errors](https://support.microsoft.com/sbs/windows/troubleshoot-blue-screen-errors-5c62726c-6489-52da-a372-3f73142c14ad).
### Method 2: Repair Boot Codes
To repair boot codes, run the following command:
```console
```command
BOOTREC /FIXMBR
```
To repair the boot sector, run the following command:
```console
```command
BOOTREC /FIXBOOT
```
> [!NOTE]
> Running **BOOTREC** together with **Fixmbr** overwrites only the master boot code. If the corruption in the MBR affects the partition table, running **Fixmbr** may not fix the problem.
> Running `BOOTREC` together with `Fixmbr` overwrites only the master boot code. If the corruption in the MBR affects the partition table, running `Fixmbr` may not fix the problem.
### Method 3: Fix BCD errors
@ -146,7 +131,7 @@ If you receive BCD-related errors, follow these steps:
1. Scan for all the systems that are installed. To do this step, run the following command:
```console
```command
Bootrec /ScanOS
```
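Review bot: command casing is mixed across the page (`Bootrec /ScanOS` here, `BOOTREC /FIXMBR` in Method 2, `bcdedit` and `attrib` in lower case below); the tool is case-insensitive, so pick one form, preferably `bootrec /scanos` to match the lower-case style used for `bcdedit`, `attrib` and `ren`.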
@ -154,7 +139,7 @@ If you receive BCD-related errors, follow these steps:
3. If the problem isn't fixed, run the following commands:
```console
```command
bcdedit /export c:\bcdbackup
attrib c:\boot\bcd -r -s -h
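Review bot: `bcdedit /export c:\bcdbackup` is the safeguard taken before the store is modified, but the step never tells the reader how to roll back; add `bcdedit /import c:\bcdbackup` as the recovery action if the rebuild leaves the system unbootable. The path in `attrib c:\boot\bcd -r -s -h` also assumes the BCD store sits in `C:\boot`, which is only the layout without a separate system partition; Method 4 immediately below refers to a System Reserved partition, and on a UEFI system the store is on the EFI system partition, so tell the reader to assign that partition a drive letter (for example with `diskpart`) and point `attrib` at the real location.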
@ -172,38 +157,38 @@ If methods 1, 2 and 3 don't fix the problem, replace the Bootmgr file from drive
1. At a command prompt, change the directory to the System Reserved partition.
2. Run the **attrib** command to unhide the file:
2. Run the `attrib` command to unhide the file:
```console
```command
attrib -r -s -h
```
3. Navigate to the system drive and run the same command:
```console
```command
attrib -r -s -h
```
4. Rename the Bootmgr file as Bootmgr.old:
4. Rename the `bootmgr` file as `bootmgr.old`:
```console
```command
ren c:\bootmgr bootmgr.old
```
5. Navigate to the system drive.
6. Copy the Bootmgr file, and then paste it to the System Reserved partition.
6. Copy the `bootmgr` file, and then paste it to the System Reserved partition.
7. Restart the computer.
### Method 5: Restore System Hive
### Method 5: Restore system hive
If Windows can't load the system registry hive into memory, you must restore the system hive. To do this step,, use the Windows Recovery Environment or use Emergency Repair Disk (ERD) to copy the files from the C:\Windows\System32\config\RegBack to C:\Windows\System32\config.
If Windows can't load the system registry hive into memory, you must restore the system hive. To do this step, use the Windows Recovery Environment or use the Emergency Repair Disk (ERD) to copy the files from the `C:\Windows\System32\config\RegBack` directory to `C:\Windows\System32\config`.
If the problem persists, you may want to restore the system state backup to an alternative location, and then retrieve the registry hives to be replaced.
> [!NOTE]
> Starting in Windows 10, version 1803, Windows no longer automatically backs up the system registry to the RegBack folder.This change is by design, and is intended to help reduce the overall disk footprint size of Windows. To recover a system with a corrupt registry hive, Microsoft recommends that you use a system restore point. For more details, check [this article](/troubleshoot/windows-client/deployment/system-registry-no-backed-up-regback-folder)
> Starting in Windows 10, version 1803, Windows no longer automatically backs up the system registry to the RegBack folder.This change is by design, and is intended to help reduce the overall disk footprint size of Windows. To recover a system with a corrupt registry hive, Microsoft recommends that you use a system restore point. For more information, see [The system registry is no longer backed up to the RegBack folder starting in Windows 10 version 1803](/troubleshoot/windows-client/deployment/system-registry-no-backed-up-regback-folder).
## Kernel Phase
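Review bot: `attrib -r -s -h` in steps 2 and 3 of Method 4 has no file argument, so it clears the read-only, system and hidden attributes from every file in the current directory instead of only the boot manager; write `attrib -r -s -h bootmgr` in both places. Step 6 ("Copy the `bootmgr` file, and then paste it") describes a GUI action in a command-prompt procedure; give the actual command, with the System Reserved partition's drive letter as a placeholder. In the Method 5 note, "RegBack folder.This" still lacks a space after the period.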
@ -211,9 +196,7 @@ If the system gets stuck during the kernel phase, you experience multiple sympto
- A Stop error appears after the splash screen (Windows Logo screen).
- Specific error code is displayed.
For example, "0x00000C2" , "0x0000007B" , "inaccessible boot device" and so on.
- Specific error code is displayed. For example, `0x00000C2` , `0x0000007B` , or `inaccessible boot device`.
- [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](./troubleshoot-inaccessible-boot-device.md)
- [Advanced troubleshooting for Event ID 41 "The system has rebooted without cleanly shutting down first"](troubleshoot-event-id-41-restart.md)
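Review bot: `0x00000C2` in the error-code bullet has seven hex digits; Stop codes are eight, so it should read `0x000000C2` (BAD_POOL_CALLER). The new bullet also keeps a stray space before each comma (`0x00000C2` , `0x0000007B` ,); remove them.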
@ -223,53 +206,45 @@ If the system gets stuck during the kernel phase, you experience multiple sympto
To troubleshoot these problems, try the following recovery boot options one at a time.
**Scenario 1: Try to start the computer in Safe mode or Last Known Good Configuration**
### Scenario 1: Try to start the computer in Safe mode or Last Known Good Configuration
On the **Advanced Boot Options** screen, try to start the computer in **Safe Mode** or **Safe Mode with Networking**. If either of these options works, use Event Viewer to help identify and diagnose the cause of the boot problem. To view events that are recorded in the event logs, follow these steps:
1. Use one of the following methods to open Event Viewer:
- Click **Start**, point to **Administrative Tools**, and then click
**Event Viewer**.
- Go to the **Start** menu, select **Administrative Tools**, and then select **Event Viewer**.
- Start the Event Viewer snap-in in Microsoft Management Console (MMC).
2. In the console tree, expand Event Viewer, and then click the log that you
want to view. For example, click **System log** or **Application log**.
2. In the console tree, expand Event Viewer, and then select the log that you want to view. For example, choose **System log** or **Application log**.
3. In the details pane, double-click the event that you want to view.
3. In the details pane, open the event that you want to view.
4. On the **Edit** menu, click **Copy**, open a new document in the program in
which you want to paste the event (for example, Microsoft Word), and then
click **Paste**.
5. Use the Up Arrow or Down Arrow key to view the description of the previous
or next event.
4. On the **Edit** menu, select **Copy**. Open a new document in the program in which you want to paste the event. For example, Microsoft Word. Then select **Paste**.
5. Use the up arrow or down arrow key to view the description of the previous or next event.
### Clean boot
To troubleshoot problems that affect services, do a clean boot by using System Configuration (msconfig).
To troubleshoot problems that affect services, do a clean boot by using System Configuration (`msconfig`).
Select **Selective startup** to test the services one at a time to determine which one is causing the problem. If you can't find the cause, try including system services. However, in most cases, the problematic service is third-party.
Disable any service that you find to be faulty, and try to start the computer again by selecting **Normal startup**.
For detailed instructions, see [How to perform a clean boot in Windows](https://support.microsoft.com/help/929135/how-to-perform-a-clean-boot-in-windows).
For detailed instructions, see [How to perform a clean boot in Windows](https://support.microsoft.com/topic/how-to-perform-a-clean-boot-in-windows-da2f9573-6eec-00ad-2f8a-a97a1807f3dd).
If the computer starts in Disable Driver Signature mode, start the computer in Disable Driver Signature Enforcement mode, and then follow the steps that are documented in the following article to determine which drivers or files require driver signature enforcement:
[Troubleshooting boot problem caused by missing driver signature (x64)](/archive/blogs/askcore/troubleshooting-boot-issues-due-to-missing-driver-signature-x64)
[Troubleshooting boot problem caused by missing driver signature (x64)](/archive/blogs/askcore/troubleshooting-boot-issues-due-to-missing-driver-signature-x64)
> [!NOTE]
> If the computer is a domain controller, try Directory Services Restore mode (DSRM).
>
> This method is an important step if you encounter Stop error "0xC00002E1" or "0xC00002E2"
**Examples**
#### Examples
> [!WARNING]
> Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these
problems can be solved. Modify the registry at your own risk.
> Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft can't guarantee that these problems can be solved. Modify the registry at your own risk.
*Error code INACCESSIBLE_BOOT_DEVICE (STOP 0x7B)*
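Review bot: the driver-signature paragraph is circular ("If the computer starts in Disable Driver Signature mode, start the computer in Disable Driver Signature Enforcement mode") and, because it is advising the reader to lower a kernel integrity control, should say plainly that Disable Driver Signature Enforcement is a one-boot diagnostic option chosen from Startup Settings, not a state to persist. A boot-start driver that fails signature verification is the finding to act on (remove or update the unsigned or tampered third-party driver); the page should not leave room for a reader to reach for `bcdedit /set testsigning on` or `bcdedit /set nointegritychecks on` as a workaround. Suggested wording: "If the computer starts only when you select Disable Driver Signature Enforcement in Startup Settings, a boot-start driver is failing signature verification. Use the steps in the following article to identify that driver." The following link line is duplicated with no visible change, and the DSRM note should spell out that `0xC00002E1` and `0xC00002E2` are the directory-service startup failures that DSRM is meant for.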
@ -279,21 +254,19 @@ To troubleshoot this Stop error, follow these steps to filter the drivers:
2. Open the registry.
3. Load the system hive, and name it as "test."
3. Load the system hive, and name it **test**.
4. Under the following registry subkey, check for lower filter and upper filter items for Non-Microsoft Drivers:
4. Under the following registry subkey, check for lower filter and upper filter items for non-Microsoft drivers:
**HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Class**
`HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class`
5. For each third-party driver that you locate, click the upper or lower filter, and then delete the value data.
5. For each third-party driver that you locate, select the upper or lower filter, and then delete the value data.
6. Search through the whole registry for similar items. Process as an appropriate, and then unload the registry hive.
6. Search through the whole registry for similar items. Process as appropriate, and then unload the registry hive.
7. Restart the server in Normal mode.
For more troubleshooting steps, see the following articles:
- [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](./troubleshoot-inaccessible-boot-device.md)
For more troubleshooting steps, see [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](./troubleshoot-inaccessible-boot-device.md).
To fix problems that occur after you install Windows updates, check for pending updates by using these steps:
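Review bot: step 4 hardcodes `HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class`, but the control set the system actually boots from is whichever one `Select\Current` in the loaded hive names (often 001, not always); tell the reader to read `HKLM\test\Select` first and edit that control set. Step 5 ("delete the value data") is too broad as well: `UpperFilters` and `LowerFilters` are REG_MULTI_SZ values that normally list Microsoft filters alongside the third-party one, so only the third-party entry should be removed from the list, and the value deleted only if nothing else remains. "Restart the server in Normal mode" in step 7 should say "computer" to match the rest of the article.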
@ -301,16 +274,15 @@ To fix problems that occur after you install Windows updates, check for pending
2. Run the command:
```console
```command
DISM /image:C:\ /get-packages
```
3. If there are any pending updates, uninstall them by running the following commands:
```console
```command
DISM /image:C:\ /remove-package /packagename: name of the package
```
```console
DISM /Image:C:\ /Cleanup-Image /RevertPendingActions
```
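Review bot: the placeholder in `DISM /image:C:\ /remove-package /packagename: name of the package` is ambiguous; the space after the colon makes the literal form fail, and nothing marks "name of the package" as a value to substitute. Write it as `DISM /Image:C:\ /Remove-Package /PackageName:<package identity from /Get-Packages>` so the reader knows to copy the identity string from the preceding command's output. The second block still uses the ```console fence while the first in this step was changed to ```command; make the two consistent.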
@ -318,72 +290,67 @@ To fix problems that occur after you install Windows updates, check for pending
If the computer doesn't start, follow these steps:
1. Open A Command Prompt window in WinRE, and start a text editor, such as Notepad.
1. Open a command prompt window in WinRE, and start a text editor, such as Notepad.
2. Navigate to the system drive, and search for windows\winsxs\pending.xml.
2. Navigate to the system drive, and search for `windows\winsxs\pending.xml`.
3. If the Pending.xml file is found, rename the file as Pending.xml.old.
3. If the pending.xml file is found, rename the file as `pending.xml.old`.
4. Open the registry, and then load the component hive in HKEY_LOCAL_MACHINE as a test.
4. Open the registry, and then load the component hive in HKEY_LOCAL_MACHINE as test.
5. Highlight the loaded test hive, and then search for the **pendingxmlidentifier** value.
5. Highlight the loaded test hive, and then search for the `pendingxmlidentifier` value.
6. If the **pendingxmlidentifier** value exists, delete the value.
6. If the `pendingxmlidentifier` value exists, delete it.
7. Unload the test hive.
8. Load the system hive, name it as "test".
8. Load the system hive, name it **test**.
9. Navigate to the following subkey:
**HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\TrustedInstaller**
`HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TrustedInstaller`
10. Change the **Start** value from **1** to **4**
10. Change the **Start** value from `1` to `4`.
11. Unload the hive.
12. Try to start the computer.
If the Stop error occurs late in the startup process, or if the Stop error is still being generated, you can capture a memory dump. A good memory dump can help determine the root cause of the Stop error. For details, see the following articles:
If the Stop error occurs late in the startup process, or if the Stop error is still being generated, you can capture a memory dump. A good memory dump can help determine the root cause of the Stop error. For more information, see [Generate a kernel or complete crash dump](./generate-kernel-or-complete-crash-dump.md).
- [Generate a kernel or complete crash dump](./generate-kernel-or-complete-crash-dump.md)
For more information about page file problems in Windows 10 or Windows Server 2016, see [Introduction to page files](./introduction-page-file.md).
For more information about page file problems in Windows 10 or Windows Server 2016, see the following article:
- [Introduction to page files](./introduction-page-file.md)
For more information about Stop errors, see [Advanced troubleshooting for Stop error or blue screen error issue](./troubleshoot-stop-errors.md).
For more information about Stop errors, see the following Knowledge Base article:
- [Advanced troubleshooting for Stop error or blue screen error issue](./troubleshoot-stop-errors.md)
Sometimes the dump file shows an error that's related to a driver. For example, `windows\system32\drivers\stcvsm.sys` is missing or corrupted. In this instance, follow these guidelines:
If the dump file shows an error that is related to a driver (for example, windows\system32\drivers\stcvsm.sys is missing or corrupted), follow these guidelines:
- Check the functionality that is provided by the driver. If the driver is a third-party boot driver, make sure that you understand what it does.
- Check the functionality that's provided by the driver. If the driver is a third-party boot driver, make sure that you understand what it does.
- If the driver isn't important and has no dependencies, load the system hive, and then disable the driver.
- If the stop error indicates system file corruption, run the system file checker in offline mode.
- To do this, open WinRE, open a command prompt, and then run the following command:
- To do this action, open WinRE, open a command prompt, and then run the following command:
```console
```command
SFC /Scannow /OffBootDir=C:\ /OffWinDir=C:\Windows
```
For more information, see [Using System File Checker (SFC) To Fix Issues](/archive/blogs/askcore/using-system-file-checker-sfc-to-fix-issues)
For more information, see [Using system file checker (SFC) to fix issues](/archive/blogs/askcore/using-system-file-checker-sfc-to-fix-issues).
- If there's disk corruption, run the check disk command:
```console
```command
chkdsk /f /r
```
- If the Stop error indicates general registry corruption, or if you believe that new drivers or services were installed, follow these steps:
1. Start WinRE, and open a Command Prompt window.
1. Start WinRE, and open a command prompt window.
2. Start a text editor, such as Notepad.
3. Navigate to C:\Windows\System32\Config\.
4. Rename the all five hives by appending ".old" to the name.
5. Copy all the hives from the Regback folder, paste them in the Config folder, and then try to start the computer in Normal mode.
3. Navigate to `C:\Windows\System32\Config\`.
4. Rename the all five hives by appending `.old` to the name.
5. Copy all the hives from the `Regback` folder, paste them in the `Config` folder, and then try to start the computer in Normal mode.
> [!NOTE]
> Starting in Windows 10, version 1803, Windows no longer automatically backs up the system registry to the RegBack folder.This change is by design, and is intended to help reduce the overall disk footprint size of Windows. To recover a system with a corrupt registry hive, Microsoft recommends that you use a system restore point. For more details, check [this article](/troubleshoot/windows-client/deployment/system-registry-no-backed-up-regback-folder).
> Starting in Windows 10, version 1803, Windows no longer automatically backs up the system registry to the RegBack folder.This change is by design, and is intended to help reduce the overall disk footprint size of Windows. To recover a system with a corrupt registry hive, Microsoft recommends that you use a system restore point. For more information, see [The system registry is no longer backed up to the RegBack folder starting in Windows 10 version 1803](/troubleshoot/windows-client/deployment/system-registry-no-backed-up-regback-folder).
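Review bot: `chkdsk /f /r` without a drive letter runs against the current drive, which in a WinRE command prompt is the X: RAM disk rather than the Windows volume; write `chkdsk c: /f /r` to match the `C:\` used in the DISM and SFC commands. Step 10 of the pending-update procedure sets the TrustedInstaller service's `Start` value to 4 (Disabled) and no later step restores it; add a final step to set it back to its original value (3, Manual, by default) once the system boots, otherwise Windows Update, DISM and SFC servicing stays broken. Minor: "Rename the all five hives" keeps the stray "the", and "RegBack folder.This" still lacks a space after the period in both copies of the note.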

View File

@ -1,17 +0,0 @@
---
title: Boot sequence flowchart
description: View a full-sized view of the boot sequence flowchart. Use the link to return to the Advanced troubleshooting for Windows boot problems article.
ms.date: 11/16/2018
ms.reviewer:
manager: dansimp
ms.author: dansimp
author: dansimp
ms.topic: article
ms.prod: w10
---
# Boot sequence flowchart
Return to: [Advanced troubleshooting for Windows boot problems](advanced-troubleshooting-boot-problems.md)<br>
![Full-sized boot sequence flowchart.](images/boot-sequence.png)
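Review bot: this deletes the full-size flowchart page outright, and the removed lines show it was linked from advanced-troubleshooting-boot-problems.md ("Return to:" link) and embedded images/boot-sequence.png; confirm that the parent article's link to this page is removed or repointed, that a redirect entry exists for the old URL, and that the image is either still referenced somewhere or deleted along with the page.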

View File

@ -1,27 +1,23 @@
---
title: Manage Windows 10 in your organization - transitioning to modern management
description: This topic offers strategies for deploying and managing Windows 10, including deploying Windows 10 in a mixed environment.
keywords: ["MDM", "device management", "group policy", "Azure Active Directory"]
description: This article offers strategies for deploying and managing Windows 10, including deploying Windows 10 in a mixed environment.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: devices
author: dansimp
ms.localizationpriority: medium
ms.date: 04/26/2018
ms.date: 06/03/2022
author: aczechowski
ms.author: aaroncz
ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.topic: article
manager: dougeby
ms.topic: overview
---
# Manage Windows 10 in your organization - transitioning to modern management
Use of personal devices for work, and employees working outside the office, may be changing how your organization manages devices. Certain parts of your organization might require deep, granular control over devices, while other parts might seek lighter, scenario-based management that empowers the modern workforce. Windows 10 offers the flexibility to respond to these changing requirements, and can easily be deployed in a mixed environment. You can shift the percentage of Windows 10 devices gradually, following the normal upgrade schedules used in your organization.
Your organization might have considered bringing in Windows 10 devices and downgrading them to Windows 7 until everything is in place for a formal upgrade process. While this downgrade may appear to save costs due to standardization, greater savings can come from avoiding the downgrade and immediately taking advantage of the cost reductions Windows 10 can provide. Because Windows 10 devices can be managed using the same processes and technology as other previous Windows versions, its easy for versions to coexist.
Your organization might have considered bringing in Windows 10 devices and downgrading them to an earlier version of Windows until everything is in place for a formal upgrade process. While this downgrade may appear to save costs due to standardization, greater savings can come from avoiding the downgrade and immediately taking advantage of the cost reductions Windows 10 can provide. Because Windows 10 devices can be managed using the same processes and technology as other previous Windows versions, it's easy for versions to coexist.
Your organization can support various operating systems across a wide range of device types, and manage them through a common set of tools such as Microsoft Endpoint Configuration Manager, Microsoft Intune, or other third-party products. This “managed diversity” enables you to empower your users to benefit from the productivity enhancements available on their new Windows 10 devices (including rich touch and ink support), while still maintaining your standards for security and manageability. It can help you and your organization benefit from Windows 10 much faster.
Your organization can support various operating systems across a wide range of device types, and manage them through a common set of tools such as Microsoft Endpoint Configuration Manager, Microsoft Intune, or other third-party products. This "managed diversity" enables you to empower your users to benefit from the productivity enhancements available on their new Windows 10 devices (including rich touch and ink support), while still maintaining your standards for security and manageability. It can help you and your organization benefit from Windows 10 much faster.
This six-minute video demonstrates how users can bring in a new retail device and be up and working with their personalized settings and a managed experience in a few minutes, without being on the corporate network. It also demonstrates how IT can apply policies and configurations to ensure device compliance.
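Review bot: the front-matter refresh leaves an empty `ms.reviewer:` key in place; either fill it or remove it. In the downgrade paragraph, "the same processes and technology as other previous Windows versions" should drop "other", and the apostrophe fix ("it's easy") and the straight-quote change for "managed diversity" are correct.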
@ -30,7 +26,7 @@ This six-minute video demonstrates how users can bring in a new retail device an
> [!NOTE]
> The video demonstrates the configuration process using the classic Azure portal, which is retired. Customers should use the new Azure portal. [Learn how use the new Azure portal to perform tasks that you used to do in the classic Azure portal.](/information-protection/deploy-use/migrate-portal)
This topic offers guidance on strategies for deploying and managing Windows 10, including deploying Windows 10 in a mixed environment. The topic covers [management options](#reviewing-the-management-options-with-windows-10) plus the four stages of the device lifecycle:
This article offers guidance on strategies for deploying and managing Windows 10, including deploying Windows 10 in a mixed environment. It covers [management options](#reviewing-the-management-options-with-windows-10) plus the four stages of the device lifecycle:
- [Deployment and Provisioning](#deployment-and-provisioning)
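Review bot: the note still warns that the video shows the retired classic Azure portal and links to `/information-protection/deploy-use/migrate-portal`; since this change refreshes the page (new ms.date, ms.topic overview), the six-minute video demo should be replaced with current material or the video and its note removed, rather than shipping a disclaimer about out-of-date UI.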
@ -44,41 +40,43 @@ This topic offers guidance on strategies for deploying and managing Windows 10,
Windows 10 offers a range of management options, as shown in the following diagram:
<img src="images/windows-10-management-range-of-options.png" alt="The path to modern IT" width="766" height="654" />
:::image type="content" source="images/windows-10-management-range-of-options.png" alt-text="Diagram of the path to modern IT." lightbox="images/windows-10-management-range-of-options.png":::
As indicated in the diagram, Microsoft continues to provide support for deep manageability and security through technologies like Group Policy, Active Directory, and Microsoft Configuration Manager. It also delivers a “mobile-first, cloud-first” approach of simplified, modern management using cloud-based device management solutions such as Microsoft Enterprise Mobility + Security (EMS). Future Windows innovations, delivered through Windows as a Service, are complemented by cloud services like Microsoft Intune, Azure Active Directory, Azure Information Protection, Office 365, and the Microsoft Store for Business.
As indicated in the diagram, Microsoft continues to provide support for deep manageability and security through technologies like group Policy, Active Directory, and Configuration Manager. It also delivers a "mobile-first, cloud-first" approach of simplified, modern management using cloud-based device management solutions such as Microsoft Enterprise Mobility + Security (EMS). Future Windows innovations, delivered through Windows as a Service, are complemented by cloud services like Microsoft Intune, Azure Active Directory, Azure Information Protection, Office 365, and the Microsoft Store for Business.
## Deployment and Provisioning
## Deployment and provisioning
With Windows 10, you can continue to use traditional OS deployment, but you can also “manage out of the box.” To transform new devices into fully configured, fully managed devices, you can:
With Windows 10, you can continue to use traditional OS deployment, but you can also "manage out of the box." To transform new devices into fully configured, fully managed devices, you can:
- Avoid reimaging by using dynamic provisioning, enabled by a cloud-based device management service such as [Windows Autopilot](/mem/autopilot/windows-autopilot) or [Microsoft Intune](/mem/intune/fundamentals/).
- Avoid reimaging by using dynamic provisioning, enabled by a cloud-based device management services such as [Microsoft Autopilot](/windows/deployment/windows-10-auto-pilot) or [Microsoft Intune](/mem/intune/fundamentals/).
- Create self-contained provisioning packages built with the Windows Configuration Designer. For more information, see [Provisioning packages for Windows](/windows/configuration/provisioning-packages/provisioning-packages).
- Create self-contained provisioning packages built with the [Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-packages).
- Use traditional imaging techniques such as deploying custom images using [Configuration Manager](/mem/configmgr/core/understand/introduction).
- Use traditional imaging techniques such as deploying custom images using [Microsoft Endpoint Configuration Manager](/configmgr/core/understand/introduction).
You have multiple options for [upgrading to Windows 10](/windows/deployment/windows-10-deployment-scenarios). For existing devices running Windows 8.1, you can use the robust in-place upgrade process for a fast, reliable move to Windows 10 while automatically preserving all the existing apps, data, and settings. This process usage can mean lower deployment costs, and improved productivity as end users can be immediately productive - everything is right where they left it. You can also use a traditional wipe-and-load approach if you prefer, using the same tools that you use today.
You have multiple options for [upgrading to Windows 10](/windows/deployment/windows-10-deployment-scenarios). For existing devices running Windows 7 or Windows 8.1, you can use the robust in-place upgrade process for a fast, reliable move to Windows 10 while automatically preserving all the existing apps, data, and settings. This process usage can mean lower deployment costs, and improved productivity as end users can be immediately productive everything is right where they left it. You can also use a traditional wipe-and-load approach if you prefer, using the same tools that you use today with Windows 7.
## Identity and authentication
## Identity and Authentication
You can use Windows 10 and services like [Azure Active Directory](/azure/active-directory/fundamentals/active-directory-whatis) in new ways for cloud-based identity, authentication, and management. You can offer your users the ability to **“bring your own device” (BYOD)** or to **“choose your own device” (CYOD)** from a selection you make available. At the same time, you might be managing PCs and tablets that must be domain-joined because of specific applications or resources that are used on them.
You can use Windows 10 and services like [Azure Active Directory](/azure/active-directory/fundamentals/active-directory-whatis) in new ways for cloud-based identity, authentication, and management. You can offer your users the ability to **"bring your own device" (BYOD)** or to **"choose your own device" (CYOD)** from a selection you make available. At the same time, you might be managing PCs and tablets that must be domain-joined because of specific applications or resources that are used on them.
You can envision user and device management as falling into these two categories:
- **Corporate (CYOD) or personal (BYOD) devices used by mobile users for SaaS apps such as Office 365.** With Windows 10, your employees can self-provision their devices:
- For corporate devices, they can set up corporate access with [Azure AD Join](/azure/active-directory/devices/overview). When you offer them Azure AD Join with automatic Intune MDM enrollment, they can bring devices into a corporate-managed state in [*one step*](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/windows-10-azure-ad-and-microsoft-intune-automatic-mdm/ba-p/244067), all from the cloud.<br>Azure AD Join is also a great solution for temporary staff, partners, or other part-time employees. These accounts can be kept separate from the on-premises AD domain but still access needed corporate resources.
- For corporate devices, they can set up corporate access with [Azure AD join](/azure/active-directory/devices/overview). When you offer them Azure AD Join with automatic Intune MDM enrollment, they can bring devices into a corporate-managed state in [*one step*](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/windows-10-azure-ad-and-microsoft-intune-automatic-mdm/ba-p/244067), all from the cloud.
Azure AD join is also a great solution for temporary staff, partners, or other part-time employees. These accounts can be kept separate from the on-premises AD domain but still access needed corporate resources.
- Likewise, for personal devices, employees can use a new, simplified [BYOD experience](/azure/active-directory/devices/overview) to add their work account to Windows, then access work resources on the device.
- **Domain joined PCs and tablets used for traditional applications and access to important resources.** These applications and resources may be traditional ones that require authentication or accessing highly sensitive or classified resources on-premises.
With Windows 10, if you have an on-premises [Active Directory](/windows-server/identity/whats-new-active-directory-domain-services) domain thats [integrated with Azure AD](/azure/active-directory/devices/hybrid-azuread-join-plan), when employee devices are joined, they automatically register with Azure AD. This registration provides:
With Windows 10, if you have an on-premises [Active Directory](/windows-server/identity/whats-new-active-directory-domain-services) domain that's [integrated with Azure AD](/azure/active-directory/devices/hybrid-azuread-join-plan), when employee devices are joined, they automatically register with Azure AD. This registration provides:
- Single sign-on to cloud and on-premises resources from everywhere
- [Enterprise roaming of settings](/azure/active-directory/devices/enterprise-state-roaming-overview)
- [Enterprise roaming of settings](/azure/active-directory/devices/enterprise-state-roaming-enable)
- [Conditional access](/azure/active-directory/conditional-access/overview) to corporate resources based on the health or configuration of the device
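Review bot: "group Policy" in the "As indicated in the diagram" paragraph is a half-finished case change; Microsoft style capitalizes the feature name as "Group Policy", so fix it there and use one casing for the whole page. The hunk also contains both "Windows Autopilot" at `/mem/autopilot/windows-autopilot` and "Microsoft Autopilot" at `/windows/deployment/windows-10-auto-pilot`; the product name is Windows Autopilot and `/mem/autopilot/` is its current documentation location, so keep that variant. Likewise the upgrade paragraph exists in a "Windows 8.1" form and a "Windows 7 or Windows 8.1 ... the same tools that you use today with Windows 7" form while the intro was changed to "an earlier version of Windows"; pick one consistently.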
@ -86,55 +84,53 @@ You can envision user and device management as falling into these two categories
- Windows Hello
Domain joined PCs and tablets can continue to be managed with the [Configuration Manager](/configmgr/core/understand/introduction) client or Group Policy.
Domain joined PCs and tablets can continue to be managed with the [Configuration Manager](/mem/configmgr/core/understand/introduction) client or group policy.
For more information about how Windows 10 and Azure AD optimize access to work resources across a mix of devices and scenarios, see [Using Windows 10 devices in your workplace](/azure/active-directory/devices/overview).
As you review the roles in your organization, you can use the following generalized decision tree to begin to identify users or devices that require domain join. Consider switching the remaining users to Azure AD.
![Decision tree for device authentication options.](images/windows-10-management-cyod-byod-flow.png)
:::image type="content" source="images/windows-10-management-cyod-byod-flow.png" alt-text="Diagram of decision tree for device authentication options." lightbox="images/windows-10-management-cyod-byod-flow.png":::
## Settings and Configuration
## Settings and configuration
Your configuration requirements are defined by multiple factors, including the level of management needed, the devices and data managed, and your industry requirements. Meanwhile, employees are frequently concerned about IT applying strict policies to their personal devices, but they still want access to corporate email and documents. With Windows 10, you can create a consistent set of configurations across PCs, tablets, and phones through the common MDM layer. 
Your configuration requirements are defined by multiple factors, including the level of management needed, the devices and data managed, and your industry requirements. Meanwhile, employees are frequently concerned about IT applying strict policies to their personal devices, but they still want access to corporate email and documents. With Windows 10, you can create a consistent set of configurations across PCs, tablets, and phones through the common MDM layer.
**MDM**: [MDM](https://www.microsoft.com/cloud-platform/mobile-device-management) gives you a way to configure settings that achieve your administrative intent without exposing every possible setting. (In contrast, Group Policy exposes fine-grained settings that you control individually.) One benefit of MDM is that it enables you to apply broader privacy, security, and application management settings through lighter and more efficient tools. MDM also allows you to target Internet-connected devices to manage policies without using GP that requires on-premises domain-joined devices. This provision makes MDM the best choice for devices that are constantly on the go.
**MDM**: MDM gives you a way to configure settings that achieve your administrative intent without exposing every possible setting. (In contrast, group policy exposes fine-grained settings that you control individually.) One benefit of MDM is that it enables you to apply broader privacy, security, and application management settings through lighter and more efficient tools. MDM also allows you to target Internet-connected devices to manage policies without using group policy that requires on-premises domain-joined devices. This provision makes MDM the best choice for devices that are constantly on the go.
**Group Policy** and **Microsoft Endpoint Configuration Manager**: Your organization might still need to manage domain joined computers at a granular level such as Internet Explorers 1,500 configurable Group Policy settings. If so, Group Policy and Configuration Manager continue to be excellent management choices:
**Group policy** and **Configuration Manager**: Your organization might still need to manage domain joined computers at a granular level such as Internet Explorer's 1,500 configurable group policy settings. If so, group policy and Configuration Manager continue to be excellent management choices:
- Group Policy is the best way to granularly configure domain joined Windows PCs and tablets connected to the corporate network using Windows-based tools. Microsoft continues to add Group Policy settings with each new version of Windows.
- Group policy is the best way to granularly configure domain joined Windows PCs and tablets connected to the corporate network using Windows-based tools. Microsoft continues to add group policy settings with each new version of Windows.
- Configuration Manager remains the recommended solution for granular configuration with robust software deployment, Windows updates, and OS deployment.
## Updating and servicing
## Updating and Servicing
With Windows as a Service, your IT department no longer needs to perform complex imaging (wipe-and-load) processes with each new Windows release. Whether on current branch (CB) or current branch for business (CBB), devices receive the latest feature and quality updates through simple - often automatic - patching processes. For more information, see [Windows 10 deployment scenarios](/windows/deployment/windows-10-deployment-scenarios).
With Windows as a Service, your IT department no longer needs to perform complex imaging (wipe-and-load) processes with each new Windows release. Whether on current branch (CB) or current branch for business (CBB), devices receive the latest feature and quality updates through simple often automatic patching processes. For more information, see [Windows 10 deployment scenarios](/windows/deployment/windows-10-deployment-scenarios).
MDM with Intune provide tools for applying Windows updates to client computers in your organization. Configuration Manager allows rich management and tracking capabilities of these updates, including maintenance windows and automatic deployment rules.
MDM with Intune provide tools for applying Windows updates to client computers in your organization. Configuration Manager allows rich management and tracking capabilities of these updates, including maintenance windows and automatic deployment rules.
## Next steps
There are various steps you can take to begin the process of modernizing device management in your organization:
**Assess current management practices, and look for investments you might make today.** Which of your current practices need to stay the same, and which can you change? Specifically, what elements of traditional management do you need to retain and where can you modernize? Whether you take steps to minimize custom imaging, re-evaluate settings management, or reassesses authentication and compliance, the benefits can be immediate. You can use the [MDM Migration Analysis Tool (MMAT)](https://aka.ms/mmat) to help determine which Group Policies are set for a target user/computer and cross-reference them against the list of available MDM policies.
**Assess current management practices, and look for investments you might make today.** Which of your current practices need to stay the same, and which can you change? Specifically, what elements of traditional management do you need to retain and where can you modernize? Whether you take steps to minimize custom imaging, reevaluate settings management, or reassesses authentication and compliance, the benefits can be immediate. You can use [Group policy analytics in Microsoft Endpoint Manager](/mem/intune/configuration/group-policy-analytics) to help determine which group policies supported by cloud-based MDM providers, including Microsoft Intune.
**Assess the different use cases and management needs in your environment.** Are there groups of devices that could benefit from lighter, simplified management? BYOD devices, for example, are natural candidates for cloud-based management. Users or devices handling more highly regulated data might require an on-premises Active Directory domain for authentication. Configuration Manager and EMS provide you the flexibility to stage implementation of modern management scenarios while targeting different devices the way that best suits your business needs.
**Review the decision trees in this article.** With the different options in Windows 10, plus Configuration Manager and Enterprise Mobility + Security, you have the flexibility to handle imaging, authentication, settings, and management tools for any scenario.
**Take incremental steps.** Moving towards modern device management doesnt have to be an overnight transformation. New operating systems and devices can be brought in while older ones remain. With this “managed diversity,” users can benefit from productivity enhancements on new Windows 10 devices, while you continue to maintain older devices according to your standards for security and manageability. Starting with Windows 10, version 1803, the new policy [MDMWinsOverGP](./mdm/policy-csp-controlpolicyconflict.md#controlpolicyconflict-mdmwinsovergp) was added to allow MDM policies to take precedence over GP when both GP and its equivalent MDM policies are set on the device. You can start implementing MDM policies while keeping your GP environment. Here's the list of MDM policies with equivalent GP - [Policies supported by GP](./mdm/policy-configuration-service-provider.md)
**Take incremental steps.** Moving towards modern device management doesn't have to be an overnight transformation. New operating systems and devices can be brought in while older ones remain. With this "managed diversity," users can benefit from productivity enhancements on new Windows 10 devices, while you continue to maintain older devices according to your standards for security and manageability. The CSP policy [MDMWinsOverGP](./mdm/policy-csp-controlpolicyconflict.md#controlpolicyconflict-mdmwinsovergp) allows MDM policies to take precedence over group policy when both group policy and its equivalent MDM policies are set on the device. You can start implementing MDM policies while keeping your group policy environment. For more information, including the list of MDM policies with equivalent group policies, see [Policies supported by group policy](./mdm/policy-configuration-service-provider.md).
**Optimize your existing investments**. On the road from traditional on-premises management to modern cloud-based management, take advantage of the flexible, hybrid architecture of Configuration Manager and Intune. Co-management enables you to concurrently manage Windows 10 devices by using both Configuration Manager and Intune. For more information, see the following articles:
**Optimize your existing investments**. On the road from traditional on-premises management to modern cloud-based management, take advantage of the flexible, hybrid architecture of Configuration Manager and Intune. Configuration Manager 1710 onward, co-management enables you to concurrently manage Windows 10 devices by using both Configuration Manager and Intune. See these topics for details:
- [Co-management for Windows devices](/mem/configmgr/comanage/overview)
- [Prepare Windows devices for co-management](/mem/configmgr/comanage/how-to-prepare-Win10)
- [Switch Configuration Manager workloads to Intune](/mem/configmgr/comanage/how-to-switch-workloads)
- [Co-management dashboard in Configuration Manager](/mem/configmgr/comanage/how-to-monitor)
- [Co-management for Windows 10 devices](/configmgr/core/clients/manage/co-management-overview)
- [Prepare Windows 10 devices for co-management](/configmgr/core/clients/manage/co-management-prepare)
- [Switch Configuration Manager workloads to Intune](/configmgr/core/clients/manage/co-management-switch-workloads)
- [Co-management dashboard in Configuration Manager](/configmgr/core/clients/manage/co-management-dashboard)
## Related topics
## Related articles
- [What is Intune?](/mem/intune/fundamentals/what-is-intune)
- [Windows 10 Policy CSP](./mdm/policy-configuration-service-provider.md)
- [Windows 10 Configuration service Providers](./mdm/configuration-service-provider-reference.md)
- [Windows 10 policy CSP](./mdm/policy-configuration-service-provider.md)
- [Windows 10 configuration service providers](./mdm/configuration-service-provider-reference.md)
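Review bot: the rewritten Group Policy analytics sentence in the **Assess current management practices** paragraph drops its verb: "to help determine which group policies supported by cloud-based MDM providers, including Microsoft Intune" should read "which group policies are supported by cloud-based MDM providers, including Microsoft Intune". The same sentence still carries "reassesses authentication and compliance" next to the parallel verbs "minimize" and "reevaluate", so "reassess" is the intended form. In the **Optimize your existing investments** paragraph the "Configuration Manager 1710 onward" prerequisite for co-management disappears together with the old links; if the version floor is no longer worth stating in this article, that should be a deliberate call checked against the linked co-management overview, not a side effect of swapping the link targets.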

View File

@ -19,6 +19,7 @@ The table below shows the applicability of Windows:
|--- |--- |--- |
|Home|No|No|
|Pro|No|Yes|
|Windows SE|No|Yes|
|Business|No|No|
|Enterprise|No|Yes|
|Education|No|Yes|

View File

@ -13,7 +13,6 @@ manager: dansimp
# AccountManagement CSP
AccountManagement CSP is used to configure setting in the Account Manager service in Windows Holographic for Business edition. Added in Windows 10, version 1803.
> [!NOTE]
@ -41,7 +40,9 @@ Interior node.
<a href="" id="accountmanagement-userprofilemanagement-deletionpolicy"></a>**UserProfileManagement/EnableProfileManager**
Enable profile lifetime management for shared or communal device scenarios. Default value is false.
Supported operations are Add, Get, Replace, and Delete. Value type is bool.
Supported operations are Add, Get, Replace, and Delete.
Value type is bool.
<a href="" id="accountmanagement-userprofilemanagement-storagecapacitystartdeletion"></a>**UserProfileManagement/DeletionPolicy**
Configures when profiles will be deleted. Default value is 1.
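Review bot: the HTML anchor ids in this hunk do not match the nodes they introduce: `<a href="" id="accountmanagement-userprofilemanagement-deletionpolicy"></a>` precedes **UserProfileManagement/EnableProfileManager**, and `id="accountmanagement-userprofilemanagement-storagecapacitystartdeletion"` precedes **UserProfileManagement/DeletionPolicy**, so every deep link into these settings lands one node off. Since the hunk already edits these nodes, rename each id to its own node (for example `accountmanagement-userprofilemanagement-enableprofilemanager` for the first). The "Value type is bool." line split off from "Supported operations are Add, Get, Replace, and Delete." only renders on its own line if a blank line or explicit line break separates them, which the diff does not show; worth confirming on the rendered page.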
@ -52,19 +53,29 @@ Valid values:
- 1 - delete at storage capacity threshold
- 2 - delete at both storage capacity threshold and profile inactivity threshold
Supported operations are Add, Get, Replace, and Delete. Value type is integer.
Supported operations are Add, Get, Replace, and Delete.
Value type is integer.
<a href="" id="accountmanagement-userprofilemanagement-storagecapacitystopdeletion"></a>**UserProfileManagement/StorageCapacityStartDeletion**
Start deleting profiles when available storage capacity falls below this threshold, given as percent of total storage available for profiles. Profiles that have been inactive the longest will be deleted first. Default value is 25.
Supported operations are Add, Get, Replace, and Delete. Value type is integer.
Supported operations are Add, Get, Replace, and Delete.
Value type is integer.
<a href="" id="accountmanagement-userprofilemanagement-storagecapacitystopdeletion"></a>**UserProfileManagement/StorageCapacityStopDeletion**
Stop deleting profiles when available storage capacity is brought up to this threshold, given as percent of total storage available for profiles. Default value is 50.
Supported operations are Add, Get, Replace, and Delete. Value type is integer.
Supported operations are Add, Get, Replace, and Delete.
Value type is integer.
<a href="" id="accountmanagement-userprofilemanagement-profileinactivitythreshold"></a>**UserProfileManagement/ProfileInactivityThreshold**
Start deleting profiles when they haven't been logged on during the specified period, given as number of days. Default value is 30.
Supported operations are Add, Get, Replace, and Delete. Value type is integer.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
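Review bot: the id `accountmanagement-userprofilemanagement-storagecapacitystopdeletion` appears twice in this hunk, first on **UserProfileManagement/StorageCapacityStartDeletion** and again on **UserProfileManagement/StorageCapacityStopDeletion**; duplicate ids are invalid HTML and browsers resolve the first one, so a link to the StopDeletion setting lands on StartDeletion. Change the first to `accountmanagement-userprofilemanagement-storagecapacitystartdeletion`. Also, StartDeletion defaults to 25 and StopDeletion to 50, both "given as percent of total storage available for profiles", but nothing in the page says what happens when an administrator sets the start threshold above the stop threshold; because these two values drive automatic deletion of user profiles on shared devices, a sentence on the required ordering would save operators a surprise.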

View File

@ -13,7 +13,6 @@ manager: dansimp
# AccountManagement DDF file
This topic shows the OMA DM device description framework (DDF) for the **AccountManagement** configuration service provider.
The XML below is for Windows 10, version 1803.
@ -74,7 +73,7 @@ The XML below is for Windows 10, version 1803.
<Replace />
</AccessType>
<DefaultValue>false</DefaultValue>
<Description>Enable profile lifetime mangement for shared or communal device scenarios.</Description>
<Description>Enable profile lifetime management for shared or communal device scenarios.</Description>
<DFFormat>
<bool />
</DFFormat>
@ -198,3 +197,7 @@ The XML below is for Windows 10, version 1803.
</Node>
</MgmtTree>
```
## Related topics
[AccountManagement configuration service provider](accountmanagement-csp.md)

View File

@ -11,15 +11,24 @@ ms.reviewer:
manager: dansimp
---
# Accounts Configuration Service Provider
# Accounts CSP
The table below shows the applicability of Windows:
The Accounts configuration service provider (CSP) is used by the enterprise (1) to rename a device, (2) to create a new local Windows account and join it to a local user group. This CSP was added in Windows 10, version 1803.
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The Accounts configuration service provider (CSP) is used by the enterprise (1) to rename a device, (2) to create a new local Windows account and join it to a local user group. This CSP was added in Windows 10, version 1803, and later.
The following syntax shows the Accounts configuration service provider in tree format.
```
```console
./Device/Vendor/MSFT
Accounts
----Domain
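Review bot: the rewritten intro line "This CSP was added in Windows 10, version 1803, and later." is self-contradictory, since a CSP is added in one release. Either keep the original "This CSP was added in Windows 10, version 1803." or write "This CSP is available in Windows 10, version 1803 and later."; the Accounts DDF page in this same commit uses "version 1803 and later", so the two should agree. The tree listing is switched from an untagged fence to ```console, but the block is an OMA DM node tree rather than terminal output, so `text` would describe it more accurately; if the other CSP pages changed here all use ```console, consistency across them is the stronger argument.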
@ -67,3 +76,7 @@ GET operation isn't supported. This setting will report as failed when deployed
This optional node specifies the local user group that a local user account should be joined to. If the node isn't set, the new local user account is joined just to the Standard Users group. Set the value to 2 for Administrators group. This setting can be managed remotely.
Supported operation is Add.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)

View File

@ -1,6 +1,6 @@
---
title: Accounts DDF file
description: XML file containing the device description framework (DDF) for the Accounts configuration service provider.
description: View the XML file containing the device description framework (DDF) for the Accounts configuration service provider.
ms.author: dansimp
ms.topic: article
ms.prod: w10
@ -11,12 +11,11 @@ ms.reviewer:
manager: dansimp
---
# Accounts CSP
# Accounts DDF file
This topic shows the OMA DM device description framework (DDF) for the **Accounts** configuration service provider.
The XML below is for Windows 10, version 1803.
The XML below is for Windows 10, version 1803 and later.
```xml
<?xml version="1.0" encoding="UTF-8"?>
@ -157,7 +156,7 @@ The XML below is for Windows 10, version 1803.
<Add />
</AccessType>
<DefaultValue>1</DefaultValue>
<Description>This optional node specifies the local user group that a local user account should be joined to. If the node is not set, the new local user account is joined just to the Standard Users group. Set the value to 2 for Administrators group. This setting can be managed remotely.</Description>
<Description>This optional node specifies the local user group that a local user account should be joined. If the node is not set, the new local user account is joined just to the Standard Users group. Set the value to 2 for Administrators group. This setting can be managed remotely.</Description>
<DFFormat>
<int />
</DFFormat>
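Review bot: the edited Description loses its preposition: "specifies the local user group that a local user account should be joined." is no longer grammatical. Keep the original "should be joined to", or rewrite as "the local user group to which a local user account should be joined". Separately, this string is inside the DDF XML that documents what the device itself returns for the Accounts CSP; if the on-device DDF still carries the old wording, the doc now diverges from what an MDM server reads back, so wording changes here should be mirrored in the downloadable DDF XML or left untouched.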
@ -177,3 +176,7 @@ The XML below is for Windows 10, version 1803.
</Node>
</MgmtTree>
```
## Related topics
[Accounts configuration service provider](accounts-csp.md)

View File

@ -14,23 +14,31 @@ ms.date: 06/26/2017
# ActiveSync CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The ActiveSync configuration service provider is used to set up and change settings for Exchange ActiveSync. After an Exchange account has been updated over-the-air by the ActiveSync configuration service provider, the device must be powered off and then powered back on to see sync status.
Configuring Windows Live ActiveSync accounts through this configuration service provider isn't supported.
> [!NOTE]
> The target user must be logged in for the CSP to succeed. The correct way to configure an account is to use the ./User/Vendor/MSFT/ActiveSync path.
On the desktop, only per user configuration (./User/Vendor/MSFT/ActiveSync) is supported. However, the ./Vendor/MSFT/ActiveSync path will work if the user is logged in. The CSP fails when no user is logged in.
The ./Vendor/MSFT/ActiveSync path is deprecated, but will continue to work in the short term.
> The target user must be logged in for the CSP to succeed. The correct way to configure an account is to use the `./User/Vendor/MSFT/ActiveSync` path.
On the desktop, only per user configuration `./User/Vendor/MSFT/ActiveSync` is supported. However, the `./Vendor/MSFT/ActiveSync` path will work if the user is logged in. The CSP fails when no user is logged in.
The `./Vendor/MSFT/ActiveSync path` is deprecated, but will continue to work in the short term.
The following example shows the ActiveSync configuration service provider management objects in tree format as used by Open Mobile Alliance Device Management (OMA DM), OMA Client Provisioning, and Enterprise DM.
```
```console
./Vendor/MSFT
ActiveSync
----Accounts
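Review bot: the code span on the last line of the note is misplaced: `./Vendor/MSFT/ActiveSync path` puts the word "path" inside the backticks, so it renders as part of the node path. It should be `./Vendor/MSFT/ActiveSync` path, matching the two lines above it. "per user configuration" should be hyphenated as "per-user configuration" in the same edit. As with the other CSP pages in this commit, the ```console tag is applied to an OMA DM node tree rather than console output; `text` would be the accurate tag if the pages are not being kept uniform.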
@ -66,13 +74,11 @@ ActiveSync
The root node for the ActiveSync configuration service provider.
> [!NOTE]
> The target user must be logged in for the CSP to succeed. The correct way to configure an account is to use the ./User/Vendor/MSFT/ActiveSync path.
On the desktop, only per user configuration (./User/Vendor/MSFT/ActiveSync) is supported. However, the ./Vendor/MSFT/ActiveSync will work if the user is logged in. The CSP fails when no user is logged in.
The ./Vendor/MSFT/ActiveSync path is deprecated, but will continue to work in the short term.
> The target user must be logged in for the CSP to succeed. The correct way to configure an account is to use the `./User/Vendor/MSFT/ActiveSync` path.
On the desktop, only per user configuration `./User/Vendor/MSFT/ActiveSync` is supported. However, the ./Vendor/MSFT/ActiveSync will work if the user is logged in. The CSP fails when no user is logged in.
The `./Vendor/MSFT/ActiveSync` path is deprecated, but will continue to work in the short term.
The supported operation is Get.
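Review bot: the middle line of the rewritten note is inconsistent with the lines around it: "However, the ./Vendor/MSFT/ActiveSync will work if the user is logged in." lacks both the word "path" and the backticks the neighbouring lines now use. Change it to "However, the `./Vendor/MSFT/ActiveSync` path will work if the user is logged in." This note is also a word-for-word copy of the one in the page intro, and the two copies have already drifted within this single commit; keeping the note in one place (or making the root-node version a one-line pointer) would stop that.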
@ -264,7 +270,6 @@ Required. A character string that specifies the name of the content type.
> [!NOTE]
> In Windows 10, this node is currently not working.
Supported operations are Get, Replace, and Add (can't Add after the account is created).
When you use Add or Replace inside an atomic block in the SyncML, the CSP returns an error and provisioning fails. When you use Add or Replace outside of the atomic block, the error is ignored and the account is provisioned as expected.
@ -275,7 +280,9 @@ Node for mail body type and email age filter.
<a href="" id="policies-mailbodytype"></a>**Policies/MailBodyType**
Required. Specifies the email body type: HTML or plain.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
Value type is string.
Supported operations are Add, Get, Replace, and Delete.
<a href="" id="policies-maxmailagefilter"></a>**Policies/MaxMailAgeFilter**
Required. Specifies the time window used for syncing mail items to the device.
@ -284,7 +291,6 @@ Value type is string. Supported operations are Add, Get, Replace, and Delete.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)

View File

@ -14,7 +14,6 @@ ms.date: 12/05/2017
# ActiveSync DDF file
This topic shows the OMA DM device description framework (DDF) for the **ActiveSync** configuration service provider. DDF files are used only with OMA DM provisioning XML.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
@ -679,15 +678,4 @@ The XML below is the current version for this CSP.
## Related topics
[ActiveSync configuration service provider](activesync-csp.md)
 
 

View File

@ -14,21 +14,18 @@ ms.date: 06/26/2017
# AllJoynManagement CSP
The AllJoynManagement configuration service provider (CSP) allows an IT administrator to enumerate the AllJoyn devices that are connected to the AllJoyn bus. The devices must support the Microsoft AllJoyn configuration interface (com.microsoft.alljoynmanagement.config). You can also push configuration files to the same devices. To populate the various nodes when setting new configuration, we recommend that you do a query first, to get the actual values for all the nodes in all the attached devices. You can then use the information from the query to set the node values when pushing the new configuration.
The AllJoynManagement configuration service provider (CSP) allows an IT administrator to enumerate the AllJoyn devices that are connected to the AllJoyn bus. The devices must support the Microsoft AllJoyn configuration interface (`com.microsoft.alljoynmanagement.config`). You can also push configuration files to the same devices. To populate the various nodes when setting new configuration, we recommend that you do a query first, to get the actual values for all the nodes in all the attached devices. You can then use the information from the query to set the node values when pushing the new configuration.
> [!NOTE]
> The AllJoynManagement configuration service provider (CSP) is only supported in Windows 10 IoT Core (IoT Core).
This CSP was added in Windows 10, version 1511.
For the firewall settings, note that PublicProfile and PrivateProfile are mutually exclusive. The Private Profile must be set on the directly on the device itself, and the only supported operation is Get. For PublicProfile, both Add and Get are supported. This CSP is intended to be used in conjunction with the AllJoyn Device System Bridge, and an understanding of the bridge will help when determining when and how to use this CSP. For more information, see [Device System Bridge (DSB)](https://wikipedia.org/wiki/AllJoyn). For more information, see [AllJoyn - Wikipedia](https://wikipedia.org/wiki/AllJoyn).
For the firewall settings, note that PublicProfile and PrivateProfile are mutually exclusive. The Private Profile must be set directly on the device itself, and the only supported operation is Get. For PublicProfile, both Add and Get are supported. This CSP is intended to be used with the AllJoyn Device System Bridge, and an understanding of the bridge will help when determining when and how to use this CSP. For more information, see [Device System Bridge (DSB)](https://wikipedia.org/wiki/AllJoyn). For more information, see [AllJoyn - Wikipedia](https://wikipedia.org/wiki/AllJoyn).
The following example shows the AllJoynManagement configuration service provider in tree format
```
```console
./Vendor/MSFT
AllJoynManagement
----Configurations
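Review bot: the rewritten firewall paragraph still ends with two back-to-back "For more information" sentences that both link to https://wikipedia.org/wiki/AllJoyn; the first is labelled "Device System Bridge (DSB)" but resolves to the generic AllJoyn article, so it is a mislabelled duplicate. Keep one link, or point the DSB link at a DSB-specific reference. While here, "note that" in "For the firewall settings, note that PublicProfile and PrivateProfile are mutually exclusive" can be dropped, and since PrivateProfile is Get-only while PublicProfile accepts Add, stating which profile takes effect when both are present would be more useful to an administrator than "mutually exclusive" alone.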
@ -64,7 +61,7 @@ The following list describes the characteristics and parameters.
The root node for the AllJoynManagement configuration service provider.
<a href="" id="services"></a>**Services**
List of all AllJoyn objects that are discovered on the AllJoyn bus. All AllJoyn objects that expose the "com.microsoft.alljoynmanagement.config" are included.
List of all AllJoyn objects that are discovered on the AllJoyn bus. All AllJoyn objects that expose the "`com.microsoft.alljoynmanagement.config`" are included.
<a href="" id="services-node-name"></a>**Services/**<strong>*Node name*</strong>
The unique AllJoyn device ID (a GUID) that hosts one or more configurable objects.
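Review bot: `"`com.microsoft.alljoynmanagement.config`"` on the Services line wraps a code span in quotation marks; the backticks already delimit the interface name, so drop the quotes, which is how the intro paragraph of this page renders the same identifier.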
@ -81,7 +78,7 @@ The set of configurable interfaces that are available on the port of the AllJoyn
<a href="" id="services-node-name-port-node-name-cfgobject-node-name"></a>**Services/*Node name*/Port/*Node name*/CfgObject/**<strong>*Node name*</strong>
The remainder of this URI is an escaped path to the configurable AllJoyn object hosted by the parent ServiceID and accessible by the parent PortNum.
For example an AllJoyn Bridge with the Microsoft specific AllJoyn configuration interface "\\FabrikamService\\BridgeConfig" would be specified in the URI as: %2FFabrikamService%2FBridgeConfig.
For example an AllJoyn Bridge with the Microsoft specific AllJoyn configuration interface "`\\FabrikamService\\BridgeConfig`" would be specified in the URI as: `%2FFabrikamService%2FBridgeConfig`.
<a href="" id="credentials"></a>**Credentials**
This is the credential store. An administrator can set credentials for each AllJoyn device that requires authentication at this node.
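Review bot: moving the Fabrikam example into a code span changes what the reader sees. Outside backticks, the markdown `\\FabrikamService\\BridgeConfig` rendered with single backslashes; inside a code span backslash escapes are not processed, so the page now shows doubled backslashes. Beyond that, the escaped form on the same line, `%2FFabrikamService%2FBridgeConfig`, decodes to forward slashes (`%2F` is `/`), so the unescaped path should be written `/FabrikamService/BridgeConfig` for the before and after to correspond. The quotation marks around the code span are redundant as well and can go.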
@ -105,7 +102,6 @@ Boolean value indicating whether AllJoyn router service (AJRouter.dll) is enable
## Examples
Set adapter configuration
```xml
@ -167,7 +163,9 @@ Get the firewall PrivateProfile
</SyncML>
```
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)

View File

@ -14,7 +14,6 @@ ms.date: 12/05/2017
# AllJoynManagement DDF
This topic shows the OMA DM device description framework (DDF) for the **AllJoynManagement** configuration service provider. This CSP was added in Windows 10, version 1511.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
@ -238,7 +237,7 @@ It is typically implemented as a GUID.</Description>
<Get />
<Replace />
</AccessType>
<Description>An Alphanumeric KEY value that conforms to the AllJoyn SRP KEYX Authentication Standard</Description>
<Description>An Alphanumeric KEY value that conforms to the AllJoyn SRP KEYX Authentication Standard.</Description>
<DFFormat>
<chr />
</DFFormat>
@ -328,15 +327,4 @@ It is typically implemented as a GUID.</Description>
## Related topics
[AllJoynManagement configuration service provider](alljoynmanagement-csp.md)
 
 

View File

@ -1,5 +1,5 @@
---
title: APPLICATION configuration service provider
title: APPLICATION CSP
description: Learn how the APPLICATION configuration service provider is used to configure an application transport using Open Mobile Alliance (OMA) Client Provisioning.
ms.assetid: 0705b5e9-a1e7-4d70-a73d-7f758ffd8099
ms.reviewer:
@ -12,16 +12,28 @@ author: dansimp
ms.date: 06/26/2017
---
# APPLICATION configuration service provider
# APPLICATION CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The APPLICATION configuration service provider is used to configure an application transport using Open Mobile Alliance (OMA) Client Provisioning.
OMA considers each transport to be an application and requires a corresponding APPLICATION configuration service provider. The following list shows the supported transports.
OMA considers each transport to be an application and requires a corresponding APPLICATION configuration service provider.
- w7, for bootstrapping a device with an OMA Device Management (OMA DM) account. For more information, see [w7 APPLICATION configuration service provider](w7-application-csp.md)
The following list shows the supported transports:
- w4, for configuring Multimedia Messaging Service (MMS). For more information, see [w4 APPLICATION configuration service provider](w4-application-csp.md)
- w7, for bootstrapping a device with an OMA Device Management (OMA DM) account. For more information, see [w7 APPLICATION configuration service provider](w7-application-csp.md).
- w4, for configuring Multimedia Messaging Service (MMS). For more information, see [w4 APPLICATION configuration service provider](w4-application-csp.md).
The APPID parameter differentiates these application transports. Each APPID must be registered with OMA, and any APPLICATION configuration service provider must be in the root of the provisioning document.
@ -29,15 +41,5 @@ For the device to decode correctly, provisioning XML that contains the APPLICATI
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
 
 

View File

@ -11,13 +11,10 @@ ms.date: 07/10/2019
# ApplicationControl CSP DDF
This topic shows the OMA DM device description framework (DDF) for the **ApplicationControl** configuration service provider. DDF files are used only with OMA DM provisioning XML.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
### ApplicationControl CSP
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
@ -32,7 +29,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
<AccessType>
<Get />
</AccessType>
<Description>Root Node of the ApplicationControl CSP</Description>
<Description>Root Node of the ApplicationControl CSP.</Description>
<DFFormat>
<node />
</DFFormat>
@ -73,7 +70,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
<AccessType>
<Get />
</AccessType>
<Description>The GUID of the Policy</Description>
<Description>The GUID of the Policy.</Description>
<DFFormat>
<node />
</DFFormat>
@ -97,7 +94,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
<Delete />
<Replace />
</AccessType>
<Description>The policy binary encoded as base64</Description>
<Description>The policy binary encoded as base64.</Description>
<DFFormat>
<b64 />
</DFFormat>
@ -119,7 +116,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
<AccessType>
<Get />
</AccessType>
<Description>Information Describing the Policy indicated by the GUID</Description>
<Description>Information Describing the Policy indicated by the GUID.</Description>
<DFFormat>
<node />
</DFFormat>
@ -140,7 +137,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
<AccessType>
<Get />
</AccessType>
<Description>Version of the Policy indicated by the GUID, as a string. When parsing use a uint64 as the containing data type</Description>
<Description>Version of the Policy indicated by the GUID, as a string. When parsing, use a uint64 as the containing data type.</Description>
<DFFormat>
<chr />
</DFFormat>
@ -162,7 +159,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
<AccessType>
<Get />
</AccessType>
<Description>Whether the Policy indicated by the GUID is Effective on the system (loaded by the enforcement engine and in effect)</Description>
<Description>Whether the Policy indicated by the GUID is effective on the system (loaded by the enforcement engine and in effect).</Description>
<DFFormat>
<bool />
</DFFormat>
@ -184,7 +181,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
<AccessType>
<Get />
</AccessType>
<Description>Whether the Policy indicated by the GUID is deployed on the system (on the physical machine)</Description>
<Description>Whether the Policy indicated by the GUID is deployed on the system (on the physical machine).</Description>
<DFFormat>
<bool />
</DFFormat>
@ -206,7 +203,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
<AccessType>
<Get />
</AccessType>
<Description>Whether the Policy indicated by the GUID is authorized to be loaded by the enforcement engine on the system </Description>
<Description>Whether the Policy indicated by the GUID is authorized to be loaded by the enforcement engine on the system. </Description>
<DFFormat>
<bool />
</DFFormat>
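Review bot: the edited `IsAuthorized` description still carries a trailing space before the closing tag ('...on the system. </Description>'); drop the space so it matches the other Description elements in this file, which close immediately after the period.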
@ -228,7 +225,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
<AccessType>
<Get />
</AccessType>
<Description>The Current Status of the Policy Indicated by the Policy GUID</Description>
<Description>The Current Status of the Policy Indicated by the Policy GUID.</Description>
<DFFormat>
<int />
</DFFormat>
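Review bot: the new Description at the `Status` node keeps mid-sentence title case ('The Current Status of the Policy Indicated by the Policy GUID.') while the other descriptions touched in this change use sentence case (for example 'The policy binary encoded as base64.'); since the line is being edited anyway, suggest 'The current status of the policy indicated by the policy GUID.' The FriendlyName description in the following hunk has the same capitalization.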
@ -250,7 +247,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
<AccessType>
<Get />
</AccessType>
<Description>The FriendlyName of the Policy Indicated by the Policy GUID</Description>
<Description>The FriendlyName of the Policy Indicated by the Policy GUID.</Description>
<DFFormat>
<chr />
</DFFormat>
@ -272,3 +269,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
</Node>
</MgmtTree>
```
## Related topics
[ApplicationControl configuration service provider](applicationcontrol-csp.md)
@ -13,12 +13,24 @@ ms.date: 09/10/2020
# ApplicationControl CSP
Windows Defender Application Control (WDAC) policies can be managed from an MDM server or locally using PowerShell via the WMI Bridge through the ApplicationControl configuration service provider (CSP). The ApplicationControl CSP was added in Windows 10, version 1903. This CSP provides expanded diagnostic capabilities and support for [multiple policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) (introduced in Windows 10, version 1903). It also provides support for rebootless policy deployment (introduced in Windows 10, version 1709). Unlike the [AppLocker CSP](applocker-csp.md), the ApplicationControl CSP correctly detects the presence of no-reboot option and hence doesn't schedule a reboot.
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
Windows Defender Application Control (WDAC) policies can be managed from an MDM server, or locally by using PowerShell via the WMI Bridge through the ApplicationControl configuration service provider (CSP). The ApplicationControl CSP was added in Windows 10, version 1903. This CSP provides expanded diagnostic capabilities and support for [multiple policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) (introduced in Windows 10, version 1903). It also provides support for rebootless policy deployment (introduced in Windows 10, version 1709). Unlike the [AppLocker CSP](applocker-csp.md), the ApplicationControl CSP correctly detects the presence of no-reboot option and consequently doesn't schedule a reboot.
Existing WDAC policies deployed using the AppLocker CSP's CodeIntegrity node can now be deployed using the ApplicationControl CSP URI. Although WDAC policy deployment via the AppLocker CSP will continue to be supported, all new feature work will be done in the ApplicationControl CSP only.
The following example shows the ApplicationControl CSP in tree format.
```
```console
./Vendor/MSFT
ApplicationControl
----Policies
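Review bot: the rewritten intro paragraph still reads 'correctly detects the presence of no-reboot option' (missing article); suggest 'the presence of the no-reboot option' while the sentence is being reworded. The added applicability table and the `console` fence tag match the other CSP topics in this change.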
@ -43,6 +55,7 @@ ApplicationControl
----TenantID
----DeviceID
```
<a href="" id="vendor-msft-applicationcontrol"></a>**./Vendor/MSFT/ApplicationControl**
Defines the root node for the ApplicationControl CSP.
@ -73,7 +86,7 @@ An interior node that contains the nodes that describe the policy indicated by t
Scope is dynamic. Supported operation is Get.
<a href="" id="applicationcontrol-policies-policyguid-policyinfo-version"></a>**ApplicationControl/Policies/_Policy GUID_/PolicyInfo/Version**
This node provides the version of the policy indicated by the GUID. Stored as a string, but when parsing use a uint64 as the containing data type.
This node provides the version of the policy indicated by the GUID. Stored as a string, but when parsing uses a uint64 as the containing data type.
Scope is dynamic. Supported operation is Get.
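Review bot: the rewrite of the `Version` node text introduces a grammar regression: 'Stored as a string, but when parsing uses a uint64 as the containing data type' reads as if the node itself does the parsing. The original imperative was correct and matches the DDF description changed in this same commit ('When parsing, use a uint64 as the containing data type.'); suggest restoring 'but when parsing, use a uint64 as the containing data type.'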
@ -113,7 +126,7 @@ The following table provides the result of this policy based on different values
|IsAuthorized | IsDeployed | IsEffective | Resultant |
|------------ | ---------- | ----------- | --------- |
|True|True|True|Policy is currently running and in effect.|
|True|True|True|Policy is currently running and is in effect.|
|True|True|False|Policy requires a reboot to take effect.|
|True|False|True|Policy requires a reboot to unload from CI.|
|False|True|True|Not Reachable.|
@ -122,14 +135,14 @@ The following table provides the result of this policy based on different values
|False|False|True|Not Reachable.|
|False|False|False|*Not Reachable.|
\* denotes a valid intermediary state; however, if an MDM transaction results in this state configuration, the END_COMMAND_PROCESSING will result in a fail.
\* denotes a valid intermediary state; however, if an MDM transaction results in this state configuration, the `END_COMMAND_PROCESSING` will result in a fail.
<a href="" id="applicationcontrol-policies-policyguid-policyinfo-status"></a>**ApplicationControl/Policies/_Policy GUID_/PolicyInfo/Status**
This node specifies whether the deployment of the policy indicated by the GUID was successful.
Scope is dynamic. Supported operation is Get.
Value type is integer. Default value is 0 == OK.
Value type is integer. Default value is 0 = OK.
<a href="" id="applicationcontrol-policies-policyguid-policyinfo-friendlyname"></a>**ApplicationControl/Policies/_Policy GUID_/PolicyInfo/FriendlyName**
This node provides the friendly name of the policy indicated by the policy GUID.
@ -140,15 +153,15 @@ Value type is char.
## Microsoft Endpoint Manager (MEM) Intune Usage Guidance
For customers using Intune standalone or hybrid management with Configuration Manager (MEMCM) to deploy custom policies via the ApplicationControl CSP, refer to [Deploy Windows Defender Application Control policies by using Microsoft Intune](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune).
For customers using Intune standalone or hybrid management with Microsoft Endpoint Manager Configuration Manager (MEMCM) to deploy custom policies via the ApplicationControl CSP, refer to [Deploy Windows Defender Application Control policies by using Microsoft Intune](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune).
## Generic MDM Server Usage Guidance
In order to use the ApplicationControl CSP without using Intune, you must:
1. Know a generated policy's GUID, which can be found in the policy xml as `<PolicyID>` or `<PolicyTypeID>` for pre-1903 systems.
2. Convert the policies to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned.
3. Create a policy node (a Base64-encoded blob of the binary policy representation) using the certutil -encode command-line tool.
2. Convert the policies to binary format using the `ConvertFrom-CIPolicy` cmdlet in order to be deployed. The binary policy may be signed or unsigned.
3. Create a policy node (a Base64-encoded blob of the binary policy representation) using the `certutil -encode` command-line tool.
Below is a sample certutil invocation:
@ -293,8 +306,8 @@ The ApplicationControl CSP can also be managed locally from PowerShell or via Mi
### Setup for using the WMI Bridge
1. Convert your WDAC policy to Base64
2. Open PowerShell in Local System context (through PSExec or something similar)
1. Convert your WDAC policy to Base64.
2. Open PowerShell in Local System context (through PSExec or something similar).
3. Use WMI Interface:
```powershell
@ -316,3 +329,7 @@ New-CimInstance -Namespace $namespace -ClassName $policyClassName -Property @{Pa
```powershell
Get-CimInstance -Namespace $namespace -ClassName $policyClassName
```
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
@ -14,6 +14,16 @@ ms.date: 11/19/2019
# AppLocker CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The AppLocker configuration service provider is used to specify which applications are allowed or disallowed. There's no user interface shown for apps that are blocked.
@ -74,13 +84,11 @@ Defines restrictions for applications.
> [!NOTE]
> When you create a list of allowed apps, all [inbox apps](#inboxappsandcomponents) are also blocked, and you must include them in your list of allowed apps. Don't forget to add the inbox apps for Phone, Messaging, Settings, Start, Email and accounts, Work and school, and other apps that you need.
>
> Delete/unenrollment is not properly supported unless Grouping values are unique across enrollments. If multiple enrollments use the same Grouping value, then unenrollment will not work as expected since there are duplicate URIs that get deleted by the resource manager. To prevent this problem, the Grouping value should include some randomness. The best practice is to use a randomly generated GUID. However, there's no requirement on the exact value of the node.
> [!NOTE]
> The AppLocker CSP will schedule a reboot when a policy is applied or a deletion occurs using the AppLocker/ApplicationLaunchRestrictions/Grouping/CodeIntegrity/Policy URI.
Additional information:
> The AppLocker CSP will schedule a reboot when a policy is applied or when a deletion occurs using the AppLocker/ApplicationLaunchRestrictions/Grouping/CodeIntegrity/Policy URI.
<a href="" id="applocker-applicationlaunchrestrictions-grouping"></a>**AppLocker/ApplicationLaunchRestrictions/_Grouping_**
Grouping nodes are dynamic nodes, and there may be any number of them for a given enrollment (or a given context). The actual identifiers are selected by the management endpoint, whose job it's to determine what their purpose is, and to not conflict with other identifiers that they define.
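Review bot: in the merged note the URI `AppLocker/ApplicationLaunchRestrictions/Grouping/CodeIntegrity/Policy` is plain text, whereas this commit wraps other identifiers in backticks (for example `ConvertFrom-CIPolicy` and `END_COMMAND_PROCESSING`); suggest formatting the URI the same way. The unchanged context line below it also has 'whose job it's to determine what their purpose is', which should read 'whose job it is to determine'.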
@ -206,22 +214,25 @@ Data type is Base64.
Supported operations are Get, Add, Delete, and Replace.
> [!NOTE]
> To use Code Integrity Policy, you first need to convert the policies to binary format using the ConvertFrom-CIPolicy cmdlet. Then a Base64-encoded blob of the binary policy representation should be created (for example, using the [certutil -encode](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732443(v=ws.11)) command line tool) and added to the Applocker-CSP.
> To use Code Integrity Policy, you first need to convert the policies to binary format using the `ConvertFrom-CIPolicy` cmdlet. Then a Base64-encoded blob of the binary policy representation should be created (for example, using the [certutil -encode](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732443(v=ws.11)) command line tool) and added to the Applocker-CSP.
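Review bot: beyond code-formatting the cmdlet, the note still reads 'added to the Applocker-CSP' and 'command line tool'; suggest 'added to the AppLocker CSP' (the product casing used in this file's heading) and 'command-line tool' (the hyphenated form used in the applicationcontrol-csp.md change in this same commit).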
<a href="" id="applocker-enterprisedataprotection"></a>**AppLocker/EnterpriseDataProtection**
Captures the list of apps that are allowed to handle enterprise data. Should be used in conjunction with the settings in **./Device/Vendor/MSFT/EnterpriseDataProtection** in [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md).
Captures the list of apps that are allowed to handle enterprise data. Should be used with the settings in **./Device/Vendor/MSFT/EnterpriseDataProtection** in [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md).
In Windows 10, version 1607 the Windows Information Protection has a concept for allowed and exempt applications. Allowed applications can access enterprise data and the data handled by those applications are protected with encryption. Exempt applications can also access enterprise data, but the data handled by those applications aren't protected. This is because some critical enterprise applications may have compatibility problems with encrypted data.
You can set the allowed list using the following URI:
- ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/_Grouping_/EXE/Policy
- ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/_Grouping_/StoreApps/Policy
You can set the exempt list using the following URI. The _Grouping_ string must contain the keyword "EdpExempt" anywhere to help distinguish the exempt list from the allowed list. The "EdpExempt" keyword is also evaluated in a case-insensitive manner:
- ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/_Grouping includes "EdpExempt"_/EXE/Policy
- ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/_Grouping includes "EdpExempt"_/StoreApps/Policy
Exempt examples:
- ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/ContosoEdpExempt/EXE/Policy
- ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/xxxxxEdpExemptxxxxx/EXE/Policy
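Review bot: 'You can set the allowed list using the following URI:' and 'You can set the exempt list using the following URI.' each introduce two URIs (EXE and StoreApps); suggest 'URIs' in both sentences. 'The "EdpExempt" keyword is also evaluated in a case-insensitive manner' would also be clearer as 'is matched case-insensitively'.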
@ -279,7 +290,7 @@ The following table shows the mapping of information to the AppLocker publisher
|Device portal data|AppLocker publisher rule field|
|--- |--- |
|PackageFullName|ProductName<br><br> The product name is first part of the PackageFullName followed by the version number. In the Windows Camera example, the ProductName is Microsoft.WindowsCamera.|
|PackageFullName|ProductName: The product name is first part of the PackageFullName followed by the version number. In the Windows Camera example, the ProductName is Microsoft.WindowsCamera.|
|Publisher|Publisher|
|Version|Version<br> <br>The version can be used either in the HighSection or LowSection of the BinaryVersionRange.<br> <br>HighSection defines the highest version number and LowSection defines the lowest version number that should be trusted. You can use a wildcard for both versions to make a version- independent rule. Using a wildcard for one of the values will provide higher than or lower than a specific version semantics.|
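Review bot: the PackageFullName row drops the `<br><br>` line breaks in favour of a colon, but the Version row directly below keeps `<br> <br>` separators, so the table now mixes two styles; suggest applying the same treatment to the Version cell (or leaving both as they were) so the rendered column is consistent.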
@ -293,11 +304,11 @@ Here's an example AppLocker publisher rule:
You can get the publisher name and product name of apps using a web API.
**To find publisher and product name for Microsoft apps in Microsoft Store for Business**
**To find publisher and product name for Microsoft apps in Microsoft Store for Business:**
1. Go to the Microsoft Store for Business website, and find your app. For example, Microsoft OneNote.
2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, **9wzdncrfhvjl**.
2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is [https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl](https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl), and you'd copy the ID value: **9wzdncrfhvjl**.
3. In your browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values.
@ -359,17 +370,13 @@ The product name is first part of the PackageFullName followed by the version nu
| SettingsPagePhoneNfc | b0894dfd-4671-4bb9-bc17-a8b39947ffb6\_1.0.0.0\_neutral\_\_1prqnbg33c1tj | b0894dfd-4671-4bb9-bc17-a8b39947ffb6 |
## <a href="" id="inboxappsandcomponents"></a>Inbox apps and components
The following list shows the apps that may be included in the inbox.
> [!NOTE]
> This list identifies system apps that ship as part of Windows that you can add to your AppLocker policy to ensure proper functioning of the operating system. If you decide to block some of these apps, we recommend a thorough testing before deploying to your production environment. Failure to do so may result in unexpected failures and can significantly degrade the user experience.
|App|Product ID|Product name|
|--- |--- |--- |
|3D Viewer|f41647c9-d567-4378-b2ab-7924e5a152f3|Microsoft.Microsoft3DViewer (Added in Windows 10, version 1703)|
@ -1277,6 +1284,7 @@ The following example for Windows 10 Holographic for Business denies all apps an
```
## Recommended blocklist for Windows Information Protection
The following example for Windows 10, version 1607 denies known unenlightened Microsoft apps from accessing enterprise data as an allowed app. (An administrator might still use an exempt rule, instead.) This prevention ensures an administrator doesn't accidentally make these apps Windows Information Protection allowed, and avoid known compatibility issues related to automatic file encryption with these applications.
In this example, Contoso is the node name. We recommend using a GUID for this node.
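Review bot: the blocklist intro sentence has a parallelism problem that this hunk could fix while touching the section: 'This prevention ensures an administrator doesn't accidentally make these apps Windows Information Protection allowed, and avoid known compatibility issues' should be 'and avoids known compatibility issues'; 'Windows 10, version 1607 denies' also needs a comma after '1607' to close the version appositive.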
@ -1460,5 +1468,4 @@ In this example, Contoso is the node name. We recommend using a GUID for this no
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
@ -14,7 +14,6 @@ ms.date: 12/05/2017
# AppLocker DDF file
This topic shows the OMA DM device description framework (DDF) for the **AppLocker** configuration service provider. DDF files are used only with OMA DM provisioning XML.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
@ -672,15 +671,4 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
## Related topics
[AppLocker configuration service provider](applocker-csp.md)
@ -13,7 +13,18 @@ ms.date: 05/03/2022
# AssignedAccess CSP
The AssignedAccess configuration service provider (CSP) is used to set the device to run in kiosk mode. Once the CSP has been executed, then the next user sign in that is associated with the kiosk mode puts the device into the kiosk mode running the application specified in the CSP configuration.
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The AssignedAccess configuration service provider (CSP) is used to set the device to run in kiosk mode. Once the CSP has been executed, the next user login that is associated with the kiosk mode puts the device into the kiosk mode running the application specified in the CSP configuration.
For a step-by-step guide for setting up devices to run in kiosk mode, see [Set up a kiosk on Windows 10 Pro, Enterprise, or Education.](/windows/configuration/kiosk-single-app)
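Review bot: the moved intro paragraph replaces 'the next user sign in' with 'the next user login'; Microsoft style prefers 'sign-in' as the noun over 'login', so suggest 'the next user sign-in that is associated with the kiosk mode'. Otherwise the added applicability table matches the other CSP topics in this change.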
@ -23,14 +34,14 @@ In Windows 10, version 1709, the AssignedAccess configuration service provider (
> You can only assign one single app kiosk profile to an individual user account on a device. The single app profile does not support domain groups.
> [!Note]
> If the application calls KeyCredentialManager.IsSupportedAsync when it is running in assigned access mode and it returns false on the first run, invoke the settings screen and select a appropriate PIN to use with Windows Hello. This is the settings screen that is hidden by the application running in assigned access mode. You can only use Windows Hello if you first leave assigned access mode, select your convenience pin, and then go back into assigned access mode again.
> If the application calls `KeyCredentialManager.IsSupportedAsync` when it is running in assigned access mode and it returns false on the first run, invoke the settings screen and select an appropriate PIN to use with Windows Hello. This is the settings screen that is hidden by the application running in assigned access mode. You can only use Windows Hello if you first leave assigned access mode, select your convenience pin, and then go back into assigned access mode again.
> [!Note]
> The AssignedAccess CSP is supported in Windows 10 Enterprise and Windows 10 Education. Starting from Windows 10, version 1709, it is supported in Windows 10 Pro and Windows 10 S. Starting from Windows 10, version 1803, it is also supported in Windows Holographic for Business edition.
The following example shows the AssignedAccess configuration service provider in tree format
```
```console
./Vendor/MSFT
AssignedAccess
----KioskModeApp
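Review bot: the note now uses 'an appropriate PIN' but the same sentence later says 'select your convenience pin'; suggest 'PIN' there too for consistency within the edited line.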
@ -44,14 +55,14 @@ AssignedAccess
Root node for the CSP.
<a href="" id="assignedaccess-kioskmodeapp"></a>**./Device/Vendor/MSFT/AssignedAccess/KioskModeApp**
A JSON string that contains the user account name and Application User Model ID (AUMID) of the Kiosk mode app. For more information about how to get the AUMID, see [Find the Application User Model ID of an installed app](/windows-hardware/customize/enterprise/find-the-application-user-model-id-of-an-installed-app).
A JSON string that contains the user account name and Application User Model ID (AUMID) of the Kiosk mode app. For more information about how to get the AUMID, see [Find the Application User Model ID of an installed app](/windows/configuration/find-the-application-user-model-id-of-an-installed-app).
For more information, see [Set up a kiosk on Windows 10 Pro, Enterprise, or Education.](/windows/configuration/kiosk-single-app)
> [!Note]
> In Windows 10, version 1803 the Configuration node introduces single app kiosk profile to replace KioskModeApp CSP node. KioskModeApp node will be deprecated soon, so you should use the single app kiosk profile in config xml for Configuration node to configure public-facing single app Kiosk.
> In Windows 10, version 1803, the Configuration node introduces single app kiosk profile to replace KioskModeApp CSP node. KioskModeApp node will be deprecated soon, so you should use the single app kiosk profile in config xml for Configuration node to configure public-facing single app Kiosk.
>
> Starting in Windows 10, version 1803 the KioskModeApp node becomes No-Op if Configuration node is configured on the device. That Add/Replace/Delete command on KioskModeApp node always returns SUCCESS to the MDM server if Configuration node is set, but the data of KioskModeApp will not take any effect on the device. Get command on KioskModeApp will return the configured JSON string even its not effective.
> Starting in Windows 10, version 1803, the KioskModeApp node becomes No-Op if Configuration node is configured on the device. That Add/Replace/Delete command on KioskModeApp node always returns SUCCESS to the MDM server if Configuration node is set, but the data of KioskModeApp will not take any effect on the device. Get command on KioskModeApp will return the configured JSON string even its not effective.
> [!Note]
> You can't set both KioskModeApp and ShellLauncher at the same time on the device.
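Review bot: the added commas in the KioskModeApp note leave the last sentence unfixed: 'Get command on KioskModeApp will return the configured JSON string even its not effective' should read 'even if it isn't effective'. The preceding sentence's 'That Add/Replace/Delete command always returns SUCCESS' also reads better as 'Any Add/Replace/Delete command', and 'introduces single app kiosk profile' needs an article ('the single app kiosk profile').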
@ -453,7 +464,7 @@ The schema below is for AssignedAccess Configuration up to Windows 10 20H2 relea
</xs:schema>);
```
Here's the schema for new features introduced in Windows 10 1809 release
Here's the schema for new features introduced in Windows 10 1809 release:
```xml
<?xml version="1.0" encoding="utf-8"?>
@ -500,6 +511,7 @@ Here's the schema for new features introduced in Windows 10 1809 release
```
Schema for Windows 10 prerelease
```xml
<?xml version="1.0" encoding="utf-8"?>
<xs:schema
@ -675,7 +687,7 @@ XML encoding (escaped) and CDATA of the XML in the Data node will both ensure th
Similarly, the StartLayout xml inside the configuration xml is using the same format, xml inside xml as string. In the sample Configuration xml provided above, CDATA is used to embed the StartLayout xml. If you use CDATA to embed configuration xml in SyncML as well, youll have nested CDATA, so pay attention to how CDATA is used in the provided CDATA sample. With that being said, when the Configuration xml is being constructed, MDM server can either escape start layout xml or put startlayout xml inside CDATA, when MDM server puts configuration xml inside SyncML, MDM server can also either escape it or wrap with CDATA.
Escape and CDATA are mechanisms when handling xml in xml. Consider its a transportation channel to send the configuration xml as payload from server to client. Its transparent to both, the end user who configures the CSP and to our CSP. Both the customer on the server side and our CSP must only see the original configuration XML.
Escape and CDATA are mechanisms used when handling xml in xml. Consider that its a transportation channel to send the configuration xml as payload from server to client. Its transparent to both, the end user who configures the CSP and to our CSP. Both the customer on the server side and our CSP must only see the original configuration XML.
This example shows escaped XML of the Data node.
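Review bot: the reworded sentence 'Its transparent to both, the end user who configures the CSP and to our CSP' still has a misplaced 'both'; suggest 'transparent both to the end user who configures the CSP and to the CSP'. The paragraph also alternates 'xml' and 'XML' ('configuration xml', 'original configuration XML'); the docs convention is uppercase XML in prose.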
@ -1,6 +1,6 @@
---
title: AssignedAccess DDF
description: Learn how the OMA DM device description framework (DDF) for the AssignedAccess configuration service provider.
description: Learn about the OMA DM device description framework (DDF) for the AssignedAccess configuration service provider.
ms.assetid: 224FADDB-0EFD-4E5A-AE20-1BD4ABE24306
ms.reviewer:
manager: dansimp
@ -14,7 +14,6 @@ ms.date: 02/22/2018
# AssignedAccess DDF
This topic shows the OMA DM device description framework (DDF) for the **AssignedAccess** configuration service provider. DDF files are used only with OMA DM provisioning XML.
You can download the DDF files from the links below:
@ -22,7 +21,8 @@ You can download the DDF files from the links below:
- [Download all the DDF files for Windows 10, version 1703](https://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1607](https://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip)
The XML below is for Windows 10, version 1909.
The XML below is for Windows 10, version 1803 and later.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
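Review bot: the version line changes from 'Windows 10, version 1909' to 'Windows 10, version 1803 and later', which is a factual claim about the embedded DDF; please confirm it against the XML that follows. The AssignedAccess CSP topic in this same commit documents a separate schema for features introduced in the 1809 release, so which release's nodes this DDF lists needs to be stated accurately rather than widened.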
@ -118,7 +118,7 @@ This node supports Add, Delete, Replace and Get methods. When there's no configu
<AccessType>
<Get />
</AccessType>
<Description>This read only node contains kiosk health event in xml</Description>
<Description>This read only node contains kiosk health event in xml.</Description>
<DFFormat>
<chr />
</DFFormat>
@ -196,14 +196,4 @@ This node supports Add, Delete, Replace and Get methods. When there's no configu
## Related topics
[AssignedAccess configuration service provider](assignedaccess-csp.md)
@ -76,6 +76,7 @@ Allows the administrator to require encryption that needs to be turned on by usi
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@ -136,6 +137,7 @@ Allows you to set the default encryption method for each of the different drive
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@ -209,6 +211,7 @@ Allows you to associate unique organizational identifiers to a new drive that is
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@ -266,6 +269,7 @@ Allows users on devices that are compliant with InstantGo or the Microsoft Hardw
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@ -305,6 +309,7 @@ Allows users to configure whether or not enhanced startup PINs are used with Bit
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@ -347,6 +352,7 @@ Allows you to configure whether standard users are allowed to change BitLocker P
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@ -389,6 +395,7 @@ Allows users to enable authentication options that require user input from the p
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@ -438,6 +445,7 @@ Allows you to configure the encryption type that is used by BitLocker.
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@ -485,6 +493,7 @@ This setting is a direct mapping to the BitLocker Group Policy "Require addition
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@ -582,6 +591,7 @@ This setting is a direct mapping to the BitLocker Group Policy "Configure minimu
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@ -648,6 +658,7 @@ This setting is a direct mapping to the BitLocker Group Policy "Configure pre-bo
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@ -724,6 +735,7 @@ This setting is a direct mapping to the BitLocker Group Policy "Choose how BitLo
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@ -812,6 +824,7 @@ This setting is a direct mapping to the BitLocker Group Policy "Choose how BitLo
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@ -903,6 +916,7 @@ This setting is a direct mapping to the BitLocker Group Policy "Deny write acces
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@ -960,6 +974,7 @@ Allows you to configure the encryption type on fixed data drives that is used by
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@ -1007,6 +1022,7 @@ This setting is a direct mapping to the BitLocker Group Policy "Deny write acces
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@ -1073,6 +1089,7 @@ Allows you to configure the encryption type that is used by BitLocker.
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@ -1114,6 +1131,7 @@ Allows you to control the use of BitLocker on removable data drives.
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@ -1170,6 +1188,7 @@ Allows the admin to disable the warning prompt for other disk encryption on the
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@ -1224,6 +1243,7 @@ If "AllowWarningForOtherDiskEncryption" isn't set, or is set to "1", "RequireDev
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@ -1268,6 +1288,7 @@ This setting initiates a client-driven recovery password refresh after an OS dri
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@ -1315,6 +1336,7 @@ Each server-side recovery key rotation is represented by a request ID. The serve
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@ -1353,6 +1375,7 @@ This node reports compliance state of device encryption on the system.
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@ -1413,6 +1436,7 @@ Status code can be one of the following values:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@ -1439,6 +1463,7 @@ This node needs to be queried in synchronization with RotateRecoveryPasswordsSta
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|

View File

@ -937,3 +937,7 @@ Supported Values: String form of request ID. Example format of request ID is GUI
</Node>
</MgmtTree>
```
## Related topics
[BitLocker configuration service provider](bitlocker-csp.md)

View File

@ -14,10 +14,21 @@ ms.date: 06/26/2017
# CellularSettings CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The CellularSettings configuration service provider is used to configure cellular settings on a mobile device.
> [!Note]
> Starting in Windows 10, version 1703 the CellularSettings CSP is supported in Windows 10 Home, Pro, Enterprise, and Education editions.
> Starting in Windows 10, version 1703, the CellularSettings CSP is supported in Windows 10 and Windows 11 Home, Pro, Enterprise, and Education editions.
The following example shows the CellularSettings CSP in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP). The OMA DM protocol isn't supported with this configuration service provider.
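Review bot: the rewritten note in this hunk still lists only "Home, Pro, Enterprise, and Education editions", while the applicability table added just above it marks Business as Yes/Yes and Windows SE as supported on Windows 11; either extend the note to match ("... Windows 10 and Windows 11 Home, Pro, Business, Enterprise, and Education editions") or drop the edition list from the note and let the table be the single source for applicability.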

View File

@ -14,6 +14,17 @@ ms.date: 02/28/2020
# CertificateStore CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The CertificateStore configuration service provider is used to add secure socket layers (SSL), intermediate, and self-signed certificates.
> [!Note]
@ -24,7 +35,7 @@ For the CertificateStore CSP, you can't use the Replace command unless the node
The following example shows the CertificateStore configuration service provider management object in tree format as used by both Open Mobile Alliance Device Management (OMA DM) and OMA Client Provisioning.
```
```console
./Vendor/MSFT
CertificateStore
----ROOT
@ -259,7 +270,7 @@ Optional. OID of certificate template name.
Supported operations are Get, Add, and Delete.
<a href="" id="my-scep-uniqueid-install-keylength"></a>**My/SCEP/*UniqueID*/Install/KeyLength**
Required for enrollment. Specify private key length (RSA). Value type is an integer. Valid values are 1024, 2048, 4096. NGC key lengths supported should be specified.
Required for enrollment. Specifies private key length (RSA). Value type is an integer. Valid values are 1024, 2048, 4096. NGC key lengths supported should be specified.
Supported operations are Get, Add, Delete, and Replace.
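Review bot: "Specify" to "Specifies" is fine, but the sentence that follows, "NGC key lengths supported should be specified.", is still unclear about what it asks of the server (which key lengths count as NGC-supported, and where they are to be specified); since the line is being touched anyway, reword it to state the requirement explicitly, for example which of the listed values (1024, 2048, 4096) apply when the key is stored in the NGC KSP.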
@ -343,7 +354,7 @@ Required. Returns the URL of the SCEP server that responded to the enrollment re
Supported operation is Get.
<a href="" id="my-wstep"></a>**My/WSTEP**
Required for MDM enrolled device. The parent node that hosts the MDM enrollment client certificate related settings that are enrolled via WSTEP. The nodes under WSTEP are mostly for MDM client certificate renew requests. Value type is node.
Required for MDM enrolled device. Specifies the parent node that hosts the MDM enrollment client certificate related settings that are enrolled via WSTEP. The nodes under WSTEP are mostly for MDM client certificate renew requests. Value type is node.
Supported operation is Get.
@ -358,8 +369,6 @@ Optional. Specifies the URL of certificate renewal server. If this node doesn't
> [!NOTE]
> The renewal process follows the same steps as device enrollment, which means that it starts with Discovery service, followed by Enrollment policy service, and then Enrollment web service.
Supported operations are Add, Get, Delete, and Replace.
<a href="" id="my-wstep-renew-renewalperiod"></a>**My/WSTEP/Renew/RenewalPeriod**
@ -414,7 +423,7 @@ Optional. If certificate renewal fails, this integer value indicates the HRESULT
Supported operation is Get.
<a href="" id="my-wstep-renew-lastrenewalattempttime"></a>**My/WSTEP/Renew/LastRenewalAttemptTime**
Added in Windows 10, version 1607. Time of the last attempted renewal.
Added in Windows 10, version 1607. Specifies the time of the last attempted renewal.
Supported operation is Get.
@ -424,7 +433,7 @@ Added in Windows 10, version 1607. Initiates a renewal now.
Supported operation is Execute.
<a href="" id="my-wstep-renew-retryafterexpiryinterval"></a>**My/WSTEP/Renew/RetryAfterExpiryInterval**
Added in Windows 10, version 1703. How long after the enrollment certificate has expired before trying to renew.
Added in Windows 10, version 1703. Specifies how long after the enrollment certificate has expired before trying to renew.
Supported operations are Add, Get, and Replace.
@ -698,7 +707,6 @@ Configure the device to automatically renew an MDM client certificate with the s
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)

View File

@ -14,7 +14,6 @@ ms.date: 12/05/2017
# CertificateStore DDF file
This topic shows the OMA DM device description framework (DDF) for the **CertificateStore** configuration service provider. DDF files are used only with OMA DM provisioning XML.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
@ -458,7 +457,7 @@ The XML below is the current version for this CSP.
<Get />
<Replace />
</AccessType>
<Description>The base64 Encoded X.509 certificate. Note that though during MDM enrollment, enrollment server could use WAP XML format to add public part of MDM client cert via EncodedCertificate node, properly enroll a client certificate including private needs a cert enroll protocol handle it or user installs it manually. In WP, the server cannot purely rely on CertificateStore CSP to install a client certificate including private key.</Description>
<Description>The base64 Encoded X.509 certificate. Note that during MDM enrollment, enrollment server could use WAP XML format to add public part of MDM client cert via EncodedCertificate node and properly enroll a client certificate including private needs a cert enroll protocol to handle it or user installs it manually. In WP, the server cannot purely rely on CertificateStore CSP to install a client certificate including private key.</Description>
<DFFormat>
<b64 />
</DFFormat>
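Review bot: the reworded Description loses the sentence's point. The original contrasts two things ("though ... the enrollment server could use WAP XML ... to add the public part ..., properly enroll[ing] a client certificate including [the] private [key] needs a cert enroll protocol"); joining them with "and" produces "could use ... and properly enroll a client certificate including private needs a cert enroll protocol to handle it", which no longer parses, and "including private" is still missing "key". Suggested: "Although during MDM enrollment the enrollment server can use WAP XML format to add the public part of the MDM client certificate via the EncodedCertificate node, properly enrolling a client certificate including its private key requires a certificate enrollment protocol to handle it, or the user installs it manually." Also note that this article documents the DDF XML that ships with the CSP (the download is linked at the top of the file), so hand edits to Description strings here make the documented DDF diverge from the downloadable one; if the text is wrong in the product DDF, the fix belongs there first.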
@ -585,7 +584,7 @@ The XML below is the current version for this CSP.
<AccessType>
<Get />
</AccessType>
<Description>This store holds the SCEP portion of the MY store and handle operations related to SCEP certificate enrollment.</Description>
<Description>This store holds the SCEP portion of the MY store and handles operations related to SCEP certificate enrollment.</Description>
<DFFormat>
<node />
</DFFormat>
@ -627,7 +626,7 @@ The XML below is the current version for this CSP.
<AccessType>
<Get />
</AccessType>
<Description>The group to represent the install request</Description>
<Description>The group to represent the install request.</Description>
<DFFormat>
<node />
</DFFormat>
@ -1241,7 +1240,7 @@ The XML below is the current version for this CSP.
<AccessType>
<Get />
</AccessType>
<Description>If certificate renew fails, this node provide the last hresult code during renew process.</Description>
<Description>If certificate renew fails, this node provides the last hresult code during renew process.</Description>
<DFFormat>
<int />
</DFFormat>
@ -1262,7 +1261,7 @@ The XML below is the current version for this CSP.
<AccessType>
<Get />
</AccessType>
<Description>Time of last attempted renew</Description>
<Description>Time of last attempted renew.</Description>
<DFFormat>
<time />
</DFFormat>
@ -1283,7 +1282,7 @@ The XML below is the current version for this CSP.
<AccessType>
<Exec />
</AccessType>
<Description>Initiate a renew now</Description>
<Description>Initiate a renew now.</Description>
<DFFormat>
<null />
</DFFormat>
@ -1305,7 +1304,7 @@ The XML below is the current version for this CSP.
<Get />
<Set />
</AccessType>
<Description>How long after the enrollment cert has expiried to keep trying to renew</Description>
<Description>How long after the enrollment cert has expired to keep trying to renew.</Description>
<DFFormat>
<null />
</DFFormat>
@ -1372,7 +1371,7 @@ The XML below is the current version for this CSP.
<Get />
<Replace />
</AccessType>
<Description>The base64 Encoded X.509 certificate</Description>
<Description>The base64 Encoded X.509 certificate.</Description>
<DFFormat>
<b64 />
</DFFormat>
@ -1667,11 +1666,6 @@ The XML below is the current version for this CSP.
</MgmtTree>
```
 
 
## Related topics
[CertificateStore configuration service provider](certificatestore-csp.md)

View File

@ -1,13 +1,13 @@
---
title: Change history for MDM documentation
description: This article lists new and updated articles for Mobile Device Management.
author: aczechowski
ms.author: aaroncz
ms.reviewer:
manager: dansimp
ms.author: dansimp
manager: dougeby
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
ms.localizationpriority: medium
ms.date: 10/19/2020
---
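Review bot: this front-matter hunk reverts the ownership fields rather than updating them: `author: aczechowski` / `ms.author: aaroncz` / `manager: dansimp` are replaced by `ms.author: dansimp` / `manager: dougeby` / `author: dansimp`, which looks like a merge conflict resolved in favour of the older branch. If the `main` branch intentionally reassigned this article, the incoming values should win; either way `ms.reviewer:` is left empty and `ms.date: 10/19/2020` is untouched although the article body changes in this same commit.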
@ -174,7 +174,6 @@ This article lists new and updated articles for the Mobile Device Management (MD
|New or updated article | Description|
|--- | ---|
|[Mobile device management](index.md#mmat) | Added information about the MDM Migration Analysis Tool (MMAT).|
|[Policy CSP - DeviceGuard](policy-csp-deviceguard.md) | Updated ConfigureSystemGuardLaunch policy and replaced EnableSystemGuard with it.|
## August 2018
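Review bot: deleting the `Policy CSP - DeviceGuard` row removes a historical record from a change-history article, which is the one place that is supposed to say what changed and when. If `policy-csp-deviceguard.md` was retired or redirected, keep the row and either unlink it or point it at the redirect target; the entry about ConfigureSystemGuardLaunch replacing EnableSystemGuard is still useful to readers tracing old policies.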
@ -227,7 +226,6 @@ This article lists new and updated articles for the Mobile Device Management (MD
|[WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md)|Added the following node in Windows 10, version 1803:<li>Settings/AllowVirtualGPU<li>Settings/SaveFilesToHost|
|[NetworkProxy CSP](networkproxy-csp.md)|Added the following node in Windows 10, version 1803:<li>ProxySettingsPerUser|
|[Accounts CSP](accounts-csp.md)|Added a new CSP in Windows 10, version 1803.|
|[MDM Migration Analysis Tool (MMAT)](https://aka.ms/mmat)|Updated version available. MMAT is a tool you can use to determine which Group Policies are set on a target user/computer and cross-reference them against the list of supported MDM policies.|
|[CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download)|Added the DDF download of Windows 10, version 1803 configuration service providers.|
|[Policy CSP](policy-configuration-service-provider.md)|Added the following new policies for Windows 10, version 1803:<li>Bluetooth/AllowPromptedProximalConnections<li>KioskBrowser/EnableEndSessionButton<li>LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication<li>LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic<li>LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic<li>LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers|
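Review bot: the MMAT row is removed from this section, but the `[Mobile device management](index.md#mmat)` row in the previous hunk, which says MMAT information was added to index.md, is kept. If the MDM Migration Analysis Tool is being retired from the docs, both references should go (and the `index.md#mmat` anchor should be confirmed to still exist); if only the external `https://aka.ms/mmat` link is the problem, keep this row and unlink it rather than deleting the history entry.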

View File

@ -13,6 +13,17 @@ manager: dansimp
# CleanPC CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Windows SE|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The CleanPC configuration service provider (CSP) allows removal of user-installed and pre-installed applications, with the option to persist user data. This CSP was added in Windows 10, version 1703.
The following shows the CleanPC configuration service provider in tree format.

View File

@ -34,7 +34,7 @@ The XML below is the current version for this CSP.
<AccessType>
<Get />
</AccessType>
<Description>Allow removal of user installed and pre-installed applications, with option to persist user data</Description>
<Description>Allow removal of user installed and pre-installed applications, with option to persist user data.</Description>
<DFFormat>
<node />
</DFFormat>
@ -54,7 +54,7 @@ The XML below is the current version for this CSP.
<AccessType>
<Exec />
</AccessType>
<Description>CleanPC operation without any retention of User data</Description>
<Description>CleanPC operation without any retention of User data.</Description>
<DFFormat>
<int />
</DFFormat>
@ -75,7 +75,7 @@ The XML below is the current version for this CSP.
<AccessType>
<Exec />
</AccessType>
<Description>CleanPC operation with retention of User data</Description>
<Description>CleanPC operation with retention of User data.</Description>
<DFFormat>
<int />
</DFFormat>
@ -94,12 +94,6 @@ The XML below is the current version for this CSP.
</MgmtTree>
```
 
 
## Related topics
[CleanPC configuration service provider](cleanpc-csp.md)

View File

@ -1,6 +1,6 @@
---
title: ClientCertificateInstall CSP
description: The ClientCertificateInstall configuration service provider (CSP) enables the enterprise to install client certificates.
description: Learn how the ClientCertificateInstall configuration service provider (CSP) enables the enterprise to install client certificates.
ms.assetid: B624EB73-2972-47F2-9D7E-826D641BF8A7
ms.reviewer:
manager: dansimp
@ -14,18 +14,29 @@ ms.date: 07/30/2021
# ClientCertificateInstall CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|---|---|---|
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The ClientCertificateInstall configuration service provider enables the enterprise to install client certificates. A client certificate has a unique ID, which is the *\[UniqueID\]* for this configuration. Each client certificate must have different UniqueIDs for the SCEP enrollment request.
For PFX certificate installation and SCEP installation, the SyncML commands must be wrapped in atomic commands to ensure that enrollment execution isn't triggered until all settings are configured. The Enroll command must be the last item in the atomic block.
> [!Note]
> Currently in Windows 10, version 1511, when using the ClientCertificateInstall to install certificates to the device store and the user store and both certificates are sent to the device in the same MDM payload, the certificate intended for the device store will also get installed in the user store. This may cause issues with Wi-Fi or VPN when choosing the correct certificate to establish a connection. We are working to fix this issue.
> Currently in Windows 10, version 1511, when using the ClientCertificateInstall to install certificates to the device store and the user store, both certificates are sent to the device in the same MDM payload and the certificate intended for the device store will also get installed in the user store. This may cause issues with Wi-Fi or VPN when choosing the correct certificate to establish a connection. We are working to fix this issue.
You can only set PFXKeyExportable to true if KeyLocation=3. For any other KeyLocation value, the CSP will fail.
The following example shows the ClientCertificateInstall configuration service provider in tree format.
```
```console
./Vendor/MSFT
ClientCertificateInstall
----PFXCertInstall
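Review bot: the rewritten note changes a condition into a statement of fact. The original says the device-store certificate leaks into the user store *when* both certificates are sent in the same MDM payload; the new wording ("... the device store and the user store, both certificates are sent to the device in the same MDM payload and the certificate intended for the device store will also get installed") reads as if the CSP always sends both in one payload. Suggested: "In Windows 10, version 1511, when ClientCertificateInstall is used to install certificates to both the device store and the user store, and both certificates are sent to the device in the same MDM payload, the certificate intended for the device store is also installed in the user store." Keeping the condition matters here, because the workaround implied by the note is to split the two certificates into separate payloads.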
@ -99,7 +110,7 @@ The data type is an integer corresponding to one of the following values:
| 1 | Install to TPM if present, fail if not present. |
| 2 | Install to TPM if present. If not present, fall back to software. |
| 3 | Install to software. |
| 4 | Install to Windows Hello for Business (formerly known as Microsoft Passport for Work) whose name is specified |
| 4 | Install to Windows Hello for Business (formerly known as Microsoft Passport for Work) whose name is specified. |
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-containername"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/ContainerName**
Optional. Specifies the Windows Hello for Business (formerly known as Microsoft Passport for Work) container name (if Windows Hello for Business storage provider (KSP) is chosen for the KeyLocation). If this node isn't specified when Windows Hello for Business KSP is chosen, enrollment will fail.
@ -119,7 +130,7 @@ If a blob already exists, the Add operation will fail. If Replace is called on t
If Add is called on this node for a new PFX, the certificate will be added. When a certificate doesn't exist, Replace operation on this node will fail.
In other words, using Replace or Add will result in the effect of either overwriting the old certificate or adding a new certificate CRYPT_DATA_BLOB, which can be found in <a href="/previous-versions/windows/desktop/legacy/aa381414(v=vs.85)" data-raw-source="[CRYPT\_INTEGER\_BLOB](/previous-versions/windows/desktop/legacy/aa381414(v=vs.85))">CRYPT_INTEGER_BLOB</a>.
In other words, using Replace or Add will result in the effect of either overwriting the old certificate or adding a new certificate CRYPT_DATA_BLOB, which can be found in [CRYPT\_INTEGER\_BLOB](/previous-versions/windows/desktop/legacy/aa381414(v=vs.85)).
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-pfxcertpassword"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertPassword**
Password that protects the PFX blob. This is required if the PFX is password protected.
@ -608,7 +619,7 @@ Enroll a client certificate through SCEP.
</SyncML>
```
Add a PFX certificate. The PFX certificate password is encrypted with a custom certificate fro "My" store.
Add a PFX certificate. The PFX certificate password is encrypted with a custom certificate from "My" store.
```xml
<SyncML>

View File

@ -107,7 +107,7 @@ Calling Delete on the this node, should delete the certificates and the keys tha
<Get />
<Replace />
</AccessType>
<Description>Required for PFX certificate installation. Indicates the KeyStorage provider to target the private key installation to. Supported operations are Get, Add
<Description>Required for PFX certificate installation. Indicates the KeyStorage provider to target the private key installation. Supported operations are Get, Add.
Datatype will be int
1- Install to TPM, fail if not present
2 Install to TPM if present, if not present fallback to Software
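Review bot: the edited Description still says "Supported operations are Get, Add." while the `AccessType` element directly above it lists `<Get />` and `<Replace />` (and the CSP article for the same node documents Replace as well), so the two disagree about whether Add or Replace is the supported write operation; since this line is being edited for punctuation, align the sentence with the AccessType or, if the AccessType is what is wrong, fix it in the shipped DDF rather than in the copy here. Separately, dropping the trailing "to" changes "target the private key installation to" into "target the private key installation", which reads as though the provider is the target; "the KeyStorage provider that the private key is installed to" keeps the meaning.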
@ -138,8 +138,8 @@ Calling Delete on the this node, should delete the certificates and the keys tha
</AccessType>
<Description>Optional.
Specifies the NGC container name (if NGC KSP is chosen for above node). If this node is not specified when NGC KSP is chosen, enrollment will fail.
Format is chr
Supported operations are Get, Add, Delete and Replace
Format is chr.
Supported operations are Get, Add, Delete and Replace.
</Description>
<DFFormat>
<chr />
@ -165,8 +165,8 @@ Supported operations are Get, Add, Delete and Replace
</AccessType>
<Description>Required.
CRYPT_DATA_BLOB structure that contains a PFX packet with the exported and encrypted certificates and keys. Add on this node will trigger the addition to the PFX certificate. This requires that all the other nodes under UniqueID that are parameters for PFX installation (Container Name, KeyLocation, CertPassword, fKeyExportable) are present before this is called. This will also set the Status node to the current Status of the operation.
Format is Binary64
Supported operations are Get, Add, Replace
Format is Binary64.
Supported operations are Get, Add, Replace.
If Add is called on this node and a blob already exists, it will fail. If Replace is called on this node, the certificates will be overwritten.
If Add is called on this node for a new PFX, the certificate will be added. If Replace is called on this node when it does not exist, this will fail.
In other words, using Replace or Add will result in the effect of either overwriting the old certificate or adding a new certificate
@ -197,7 +197,7 @@ CRYPT_DATA_BLOB on MSDN can be found at https://msdn.microsoft.com/library/windo
<Description>
Required if PFX is password protected.
Password that protects the PFX blob.
Format is chr. Supported operations are Add, Get
Format is chr. Supported operations are Add, Get.
</Description>
<DFFormat>
<chr />
@ -228,7 +228,7 @@ If the value is
1- Password is encrypted using the MDM certificate by the MDM server
2 - Password is encrypted by a Custom Certificate by the MDM server. When this value is used here, also specify the custom store name in the PFXCertPasswordEncryptionStore node.
The datatype for this node is int.
Supported operations are Add, Replace
Supported operations are Add, Replace.
</Description>
<DFFormat>
<int />
@ -254,7 +254,7 @@ Supported operations are Add, Replace
</AccessType>
<DefaultValue>true</DefaultValue>
<Description>Optional. Used to specify if the private key installed is exportable (can be exported later). The datatype for this node is bool.
Supported operations are Add, Get
Supported operations are Add, Get.
</Description>
<DFFormat>
<bool />
@ -299,7 +299,7 @@ Supported operations are Add, Get
<Get />
</AccessType>
<Description>Returns the error code of the PFX installation from the GetLastError command called after the PfxImportCertStore. Datatype is int.
Support operations are Get
Support operations are Get.
</Description>
<DFFormat>
<int />
@ -374,7 +374,7 @@ Support operation are Add, Get and Replace.
</AccessType>
<Description>Required for SCEP certificate installation. A unique ID to differentiate different certificate install requests.
Format is node.
Supported operations are Get, Add, Delete
Supported operations are Get, Add, Delete.
Calling Delete on the this node, should delete the corresponding SCEP certificate</Description>
<DFFormat>
<node />
@ -401,7 +401,7 @@ Calling Delete on the this node, should delete the corresponding SCEP certificat
</AccessType>
<Description>Required for SCEP certificate enrollment. Parent node to group SCEP cert install related request. Format is node. Supported operation is Add, Delete.
NOTE: though the children nodes under Install support Replace commands, once the Exec command is sent to the device, the device will take the values which are set when the Exec command is accepted. The server should not expect the node value change after Exec command is accepted will impact the current undergoing enrollment. The server should check the Status node value and make sure the device is not at unknown stage before changing children node values.</Description>
NOTE: Though the children nodes under Install support Replace commands, once the Exec command is sent to the device, the device will take the values which are set when the Exec command is accepted. The server should not expect the node value change after Exec command is accepted will impact the current undergoing enrollment. The server should check the Status node value and make sure the device is not at unknown stage before changing children node values.</Description>
<DFFormat>
<node />
</DFFormat>
@ -570,7 +570,7 @@ SCEP enrolled cert doesnt support TPM PIN protection. Supported values:
Format is int.
Supported operations are Get, Add, Delete, Replace
Supported operations are Get, Add, Delete, Replace.
</Description>
<DFFormat>
@ -604,7 +604,7 @@ The min value is 1.
Format is int.
Supported operations are Get, Add, Delete noreplace</Description>
Supported operations are Get, Add, Delete noreplace.</Description>
<DFFormat>
<int />
</DFFormat>
@ -654,7 +654,7 @@ The min value is 0 which means no retry. Supported operations are Get, Add, Dele
<Get />
<Replace />
</AccessType>
<Description>Optional. OID of certificate template name. Note that this name is typically ignored by the SCEP server, therefore the MDM server typically doesnt need to provide it. Format is chr. Supported operations are Get, Add, Delete.noreplace</Description>
<Description>Optional. OID of certificate template name. Note that this name is typically ignored by the SCEP server, therefore the MDM server typically doesnt need to provide it. Format is chr. Supported operations are Get, Add, Delete.noreplace.</Description>
<DFFormat>
<chr />
</DFFormat>
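Review bot: adding a period after "Delete.noreplace" (and after "Delete noreplace" in the preceding hunk) preserves a stray token that is not an operation name; "noreplace" appears to be a leftover marker meaning that Replace is not supported on the node, and the surrounding `AccessType` elements already encode that. Either remove the token or turn it into prose ("Supported operations are Get, Add, and Delete. Replace is not supported."), rather than punctuating it as if it were part of the sentence.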
@ -819,7 +819,7 @@ NOTE: The device only sends the MDM server expected certificate validation perio
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>Optional. Specify desired number of units used in validity period. Subjected to SCEP server configuration. Default is 0. The units are defined in ValidPeriod node. Note the valid period specified by MDM will overwrite the valid period specified in cert template. For example, if ValidPeriod is days and ValidPeriodUnits is 30, it means the total valid duration is 30 days.
<Description>Optional. Specify desired number of units used in validity period. Subjected to SCEP server configuration. Default is 0. The units are defined in ValidPeriod node. Note that the valid period specified by MDM will overwrite the valid period specified in cert template. For example, if ValidPeriod is days and ValidPeriodUnits is 30, it means the total valid duration is 30 days.
Format is int.
@ -852,9 +852,9 @@ NOTE: The device only sends the MDM server expected certificate validation perio
<Description>Optional.
Specifies the NGC container name (if NGC KSP is chosen for above node). If this node is not specified when NGC KSP is chosen, enrollment will fail.
Format is chr
Format is chr.
Supported operations are Get, Add, Delete and Replace</Description>
Supported operations are Get, Add, Delete and Replace.</Description>
<DFFormat>
<chr />
</DFFormat>
@ -880,9 +880,9 @@ Supported operations are Get, Add, Delete and Replace</Description>
</AccessType>
<Description>Optional. Specifies the custom text to show on the NGC PIN prompt during certificate enrollment. The admin can choose to provide more contextual information for why the user needs to enter the PIN and what the certificate will be used for through this.
Format is chr
Format is chr.
Supported operations are Get, Add, Delete and Replace</Description>
Supported operations are Get, Add, Delete and Replace.</Description>
<DFFormat>
<chr />
</DFFormat>
@ -1029,9 +1029,9 @@ Supported operation is Get.</Description>
</AccessType>
<Description>Required. Returns the URL of the SCEP server that responded to the enrollment request.
Format is String
Format is String.
Supported operation is Get</Description>
Supported operation is Get.</Description>
<DFFormat>
<chr />
</DFFormat>
@ -1054,15 +1054,4 @@ Supported operation is Get</Description>
## Related topics
[ClientCertificateInstall configuration service provider](clientcertificateinstall-csp.md)
 
 

View File

@ -14,6 +14,17 @@ ms.date: 08/02/2017
# CM\_CellularEntries CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The CM\_CellularEntries configuration service provider is used to configure the General Packet Radio Service (GPRS) entries on the device. It defines each GSM data access point.
This configuration service provider requires the ID\_CAP\_NETWORKING\_ADMIN capability to be accessed from a network configuration application.
@ -76,13 +87,13 @@ Optional. Type: String. Specifies the type of connection used for the APN. The f
|Cdma|Used for CDMA type connections (1XRTT + EVDO).|
|Lte|Used for LTE type connections (eHRPD + LTE) when the device is registered HOME.|
|Legacy|Used for GPRS + GSM + EDGE + UMTS connections.|
|Lte_iwlan|Used for GPRS type connections that may be offloaded over WiFi|
|Iwlan|Used for connections that are implemented over WiFi offload only|
|Lte_iwlan|Used for GPRS type connections that may be offloaded over WiFi.|
|Iwlan|Used for connections that are implemented over WiFi offload only.|
<a href="" id="desc-langid"></a>**Desc.langid**
Optional. Specifies the UI display string used by the defined language ID.
A parameter name in the format of Desc.langid will be used as the language-specific identifier for the specified entry. For example, a parameter defined as <code>Desc.0409</code> with a value of <code>"GPRS Connection"</code> will force "GPRS Connection" to be displayed in the UI to represent this connection when the device is set to English language (language ID 0409). Descriptions for multiple languages may be provisioned using this mechanism, and the system will automatically switch among them if the user changes language preferences on the device. If no <strong>Desc</strong> parameter is provisioned for a given language, the system will default to the name used to create the entry.
A parameter name in the format of Desc.langid will be used as the language-specific identifier for the specified entry. For example, a parameter defined as `Desc.0409` with a value of `"GPRS Connection"` will force "GPRS Connection" to be displayed in the UI to represent this connection when the device is set to English language (language ID 0409). Descriptions for multiple languages may be provisioned using this mechanism, and the system will automatically switch among them if the user changes language preferences on the device. If no **Desc** parameter is provisioned for a given language, the system will default to the name used to create the entry.
<a href="" id="enabled"></a>**Enabled**
Specifies if the connection is enabled.
@ -131,7 +142,7 @@ Optional. Type: Int. This parameter specifies the roaming conditions under which
- 5 - Roaming only.
<a href="" id="oemconnectionid"></a>**OEMConnectionID**
Optional. Type: GUID. Specifies a GUID to use to identify a specific connection in the modem. If a value isn't specified, the default value is 00000000-0000-0000-0000-000000000000. This parameter is only used on LTE devices.
Optional. Type: GUID. Specifies a GUID that is used to identify a specific connection in the modem. If a value isn't specified, the default value is 00000000-0000-0000-0000-000000000000. This parameter is only used on LTE devices.
<a href="" id="apnid"></a>**ApnId**
Optional. Type: Int. Specifies the purpose of the APN. If a value isn't specified, the default value is "0" (none). This parameter is only used on LTE devices.
@ -271,17 +282,7 @@ The following table shows the Microsoft custom elements that this configuration
|Characteristic-query|Yes|
|Parm-query|Yes|
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)

View File

@ -14,13 +14,22 @@ ms.date: 06/26/2017
# CMPolicy CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The CMPolicy configuration service provider defines rules that the Connection Manager uses to identify the correct connection for a connection request.
> [!NOTE]
> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_NETWORKING\_ADMIN capabilities to be accessed from a network configuration application.
Each policy entry identifies one or more applications in combination with a host pattern. The policy entry is assigned a list of connection details that Connection Manager uses to satisfy connection requests matching the application and host patterns. CMPolicy configuration service provider can have multiple policies
**Policy Ordering**: There's no explicit ordering of policies. The general rule is that the most concrete or specific policy mappings take a higher precedence.
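Review bot: the sentence "CMPolicy configuration service provider can have multiple policies" in the new text has no terminating period and is missing its article; since this hunk already rewrites the surrounding lines, make it "The CMPolicy configuration service provider can have multiple policies." while here.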
@ -134,7 +143,6 @@ Specifies the type of connection being referenced. The following list describes
## OMA client provisioning examples
Adding an application-based mapping policy. In this example, the ConnectionId for type CMST\_CONNECTION\_NAME is set to the name of the connection (“GPRSConn1”) that is configured with the CM\_CellularEntries configuration service provider.
```xml
@ -180,7 +188,9 @@ Adding an application-based mapping policy. In this example, the ConnectionId fo
</wap-provisioningdoc>
```
Adding a host-based mapping policy. In this example, the ConnectionId for type CMST\_CONNECTION\_NAME is set to the name of the connection (“GPRSConn1”) that is configured with the CM\_CellularEntries configuration service provider.
Adding a host-based mapping policy:
In this example, the ConnectionId for type CMST\_CONNECTION\_NAME is set to the name of the connection (“GPRSConn1”) that is configured with the CM\_CellularEntries configuration service provider.
```xml
<wap-provisioningdoc>
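Review bot: splitting the host-based example's lead-in into "Adding a host-based mapping policy:" plus a separate "In this example, the ConnectionId ..." paragraph makes it inconsistent with the application-based example above, which keeps the single-paragraph form "Adding an application-based mapping policy. In this example, ...". Pick one form and use it for both examples.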
@ -364,7 +374,6 @@ Adding a host-based mapping policy:
## Microsoft Custom Elements
|Element|Available|
|--- |--- |
|parm-query|Yes|
@ -373,7 +382,6 @@ Adding a host-based mapping policy:
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)

View File

@ -14,6 +14,17 @@ ms.date: 06/26/2017
# CMPolicyEnterprise CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Windows SE|No|No|
|Business|No|No|
|Enterprise|No|No|
|Education|No|No|
The CMPolicyEnterprise configuration service provider is used by the enterprise to define rules that the Connection Manager uses to identify the correct connection for a connection request.
> [!NOTE]
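Review bot: the applicability table added for CMPolicyEnterprise reads No for every edition on both Windows 10 and Windows 11, which tells the reader the CSP is unsupported everywhere without saying so. If the CSP is deprecated, say that directly under the heading (and consider redirecting the page); if it is still supported on some SKU, correct the table. Compare the CMPolicy table above, which is Yes across the board.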
@ -21,9 +32,12 @@ The CMPolicyEnterprise configuration service provider is used by the enterprise
Each policy entry identifies one or more applications in combination with a host pattern. The policy entry is assigned a list of connection details that Connection Manager uses to satisfy connection requests matching the application and host patterns. CMPolicyEnterprise configuration service provider can have multiple policies
Each policy entry identifies one or more applications in combination with a host pattern. The policy entry is assigned a list of connection details that Connection Manager uses to satisfy connection requests matching the application and host patterns. CMPolicyEnterprise configuration service provider can have multiple policies
**Policy Ordering**: There's no explicit ordering of policies. The general rule is that the most concrete or specific policy mappings take a higher precedence.
**Default Policies**: Policies are applied in order of their scope with the most specific policies considered before the more general policies. The phones default behavior applies to all applications and all domains and is only used when no other, more specific policy is available. The default policy is to use any available Wi-Fi network first and then any available APN.
**Default Policies**: Policies are applied in the order of their scope with the most specific policies considered before the more general policies. The phones default behavior applies to all applications and all domains and is only used when no other, more specific policy is available. The default policy is to use any available Wi-Fi network first and then any available APN.
The following shows the CMPolicyEnterprise configuration service provider management object in tree format as used by both Open Mobile Alliance (OMA) Client Provisioning and OMA Device Management.
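Review bot: "The phones default behavior" in the Default Policies paragraph needs an apostrophe in both the old and new line ("The phone's default behavior"). The two copies of the "...CMPolicyEnterprise configuration service provider can have multiple policies" line look identical in the rendered diff and both lack a terminating period; since the hunk touches that line anyway, add the period and the article ("The CMPolicyEnterprise configuration service provider ...").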
@ -72,7 +86,8 @@ Specifies whether the list of connections is in preference order.
A value of "0" specifies that the connections aren't listed in order of preference. A value of "1" indicates that the listed connections are in order of preference.
<a href="" id="connxxx"></a>**Conn**<strong>*XXX*</strong>
Enumerates the connections associated with the policy. Element names begin with "Conn" followed by three digits that increment starting from "000". For example, a policy applied to five connections would have element entries named "Conn000", "Conn001", "Conn002", "Conn003", and "Conn004".
Enumerates the connections associated with the policy. Element names begin with "Conn" followed by three-digits, which increment starting from "000". For example, a policy which applied to five connections would have element entries named "Conn000", "Conn001", "Conn002", "Conn003", and "Conn004".
<a href="" id="connectionid"></a>**ConnectionID**
Specifies a unique identifier for a connection within a group of connections. The exact value is based on the Type parameter.
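Review bot: the reworded ConnXXX description introduces two errors the original did not have: "three-digits" should not be hyphenated when used as a noun ("followed by three digits"), and "a policy which applied to five connections" should read "a policy that applies to five connections". The original line, "followed by three digits that increment starting from "000"", is the better text; keep it.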
@ -91,7 +106,6 @@ For `CMST_CONNECTION_TYPE`, specify the GUID for the desired connection type. Th
|Wi-Fi hotspot|{072FC7DC-1D93-40D1-9BB0-2114D7D73434}|
For `CMST_CONNECTION_NETWORK_TYPE`, specify the GUID for the desired network type. The curly brackets {} around the GUID are required. The following network types are available:
|Network type|GUID|
@ -133,7 +147,6 @@ Specifies the type of connection being referenced. The following list describes
## OMA client provisioning examples
Adding an application-based mapping policy. In this example, the ConnectionId for type CMST\_CONNECTION\_NAME is set to the name of the connection (“GPRSConn1”) that is configured with the CM\_CellularEntries configuration service provider.
```xml
@ -227,7 +240,6 @@ Adding a host-based mapping policy. In this example, the ConnectionId for type C
## OMA DM examples
Adding an application-based mapping policy:
```xml
@ -364,7 +376,6 @@ Adding a host-based mapping policy:
## Microsoft Custom Elements
|Element|Available|
|--- |--- |
|parm-query|Yes|
@ -373,7 +384,6 @@ Adding a host-based mapping policy:
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)

View File

@ -1,83 +1,81 @@
---
title: Secured-Core Configuration Lock
description: A Secured-Core PC (SCPC) feature that prevents configuration drift from Secured-Core PC features (shown below) caused by unintentional misconfiguration.
title: Secured-core configuration lock
description: A secured-core PC (SCPC) feature that prevents configuration drift from secured-core PC features caused by unintentional misconfiguration.
manager: dansimp
keywords: mdm,management,administrator,config lock
ms.author: v-lsaldanha
ms.topic: article
ms.prod: w11
ms.technology: windows
author: lovina-saldanha
ms.date: 03/14/2022
ms.date: 05/24/2022
---
# Secured-Core PC Configuration Lock
# Secured-core PC configuration lock
**Applies to**
- Windows 11
- Windows 11
In an enterprise organization, IT administrators enforce policies on their corporate devices to keep the devices in a compliant state and protect the OS by preventing users from changing configurations and creating config drift. Config drift occurs when users with local admin rights change settings and put the device out of sync with security policies. Devices in a non-compliant state can be vulnerable until the next sync and configuration reset with the MDM. Windows 11 with Config Lock enables IT administrators to prevent config drift and keep the OS configuration in the desired state. With config lock, the OS monitors the registry keys that configure each feature and when it detects a drift, reverts to the IT-desired state in seconds.
In an enterprise organization, IT administrators enforce policies on their corporate devices to keep the devices in a compliant state and protect the OS by preventing users from changing configurations and creating config drift. Config drift occurs when users with local admin rights change settings and put the device out of sync with security policies. Devices in a non-compliant state can be vulnerable until the next sync and configuration reset with the MDM. Windows 11 with config lock enables IT administrators to prevent config drift and keep the OS configuration in the desired state. With config lock, the OS monitors the registry keys that configure each feature and when it detects a drift, reverts to the IT-desired state in seconds.
Secured-Core Configuration Lock (Config Lock) is a new [Secured-Core PC (SCPC)](/windows-hardware/design/device-experiences/oem-highly-secure) feature that prevents configuration drift from Secured-Core PC features caused by unintentional misconfiguration. In short, it ensures a device intended to be a Secured-Core PC remains a Secured-Core PC.
Secured-core configuration lock (config lock) is a new [secured-core PC (SCPC)](/windows-hardware/design/device-experiences/oem-highly-secure) feature that prevents configuration drift from secured-core PC features caused by unintentional misconfiguration. In short, it ensures a device intended to be a secured-core PC remains a secured-core PC.
To summarize, Config Lock:
To summarize, config lock:
- Enables IT to “lock” Secured-Core PC features when managed through MDM
- Enables IT to "lock" secured-core PC features when managed through MDM
- Detects drift remediates within seconds
- DOES NOT prevent malicious attacks
- Doesn't prevent malicious attacks
## Configuration Flow
After a Secured-Core PC reaches the desktop, Config Lock will prevent configuration drift by detecting if the device is a Secured-Core PC or not. When the device isn't a Secured-Core PC, the lock won't apply. If the device is a Secured-Core PC, config lock will lock the policies listed under [List of locked policies](#list-of-locked-policies).
After a secured-core PC reaches the desktop, config lock will prevent configuration drift by detecting if the device is a secured-core PC or not. When the device isn't a secured-core PC, the lock won't apply. If the device is a secured-core PC, config lock will lock the policies listed under [List of locked policies](#list-of-locked-policies).
## System Requirements
Config Lock will be available for all Windows Professional and Enterprise Editions running on [Secured-Core PCs](/windows-hardware/design/device-experiences/oem-highly-secure).
Config lock will be available for all Windows Professional and Enterprise Editions running on [secured-core PCs](/windows-hardware/design/device-experiences/oem-highly-secure).
## Enabling Config Lock using Microsoft Intune
## Enabling config lock using Microsoft Intune
Config Lock isn't enabled by default (or turned on by the OS during boot). Rather, an IT Admin must intentionally turn it on.
Config lock isn't enabled by default, or turned on by the OS during boot. Rather, you need to turn it on.
The steps to turn on Config Lock using Microsoft Endpoint Manager (Microsoft Intune) are as follows:
The steps to turn on config lock using Microsoft Endpoint Manager (Microsoft Intune) are as follows:
1. Ensure that the device to turn on Config Lock is enrolled in Microsoft Intune.
1. Ensure that the device to turn on config lock is enrolled in Microsoft Intune.
1. From the Microsoft Intune portal main page, select **Devices** > **Configuration Profiles** > **Create a profile**.
1. Select the following and press **Create**:
- **Platform**: Windows 10 and later
- **Profile type**: Templates
- **Template name**: Custom
:::image type="content" source="images/configlock-mem-createprofile.png" alt-text="In Configuration profiles, the Create a profile page is showing, with the Platform set to Windows 10 and later, and a Profile Type of Templates":::
:::image type="content" source="images/configlock-mem-createprofile.png" alt-text="In Configuration profiles, the Create a profile page is showing, with the Platform set to Windows 10 and later, and a Profile Type of Templates.":::
1. Name your profile.
1. When you reach the Configuration Settings step, select “Add” and add the following information:
1. When you reach the Configuration Settings step, select "Add" and add the following information:
- **OMA-URI**: ./Vendor/MSFT/DMClient/Provider/MS%20DM%20Server/ConfigLock/Lock
- **Data type**: Integer
- **Value**: 1 </br>
To turn off Config Lock, change the value to 0.
To turn off config lock, change the value to 0.
:::image type="content" source="images/configlock-mem-editrow.png" alt-text="In the Configuration settings step, the Edit Row page is shown with a Name of Config Lock, a Description of Turn on Config Lock and the OMA-URI set as above, along with a Data type of Integer set to a Value of 1":::
:::image type="content" source="images/configlock-mem-editrow.png" alt-text="In the Configuration settings step, the Edit Row page is shown with a Name of config lock, a Description of Turn on config lock and the OMA-URI set as above, along with a Data type of Integer set to a Value of 1.":::
1. Select the devices to turn on Config Lock. If you're using a test tenant, you can select “+ Add all devices”.
1. Select the devices to turn on config lock. If you're using a test tenant, you can select "+ Add all devices".
1. You'll not need to set any applicability rules for test purposes.
1. Review the Configuration and select “Create” if everything is correct.
1. After the device syncs with the Microsoft Intune server, you can confirm if the Config Lock was successfully enabled.
1. Review the Configuration and select "Create" if everything is correct.
1. After the device syncs with the Microsoft Intune server, you can confirm if the config lock was successfully enabled.
:::image type="content" source="images/configlock-mem-dev.png" alt-text="The Profile assignment status dashboard when viewing the Config Lock device configuration profile, showing one device has succeeded in having this profile applied":::
:::image type="content" source="images/configlock-mem-dev.png" alt-text="The Profile assignment status dashboard when viewing the config lock device configuration profile, showing one device has succeeded in having this profile applied.":::
:::image type="content" source="images/configlock-mem-devstatus.png" alt-text="The Device Status for the Config Lock Device Configuration Profile, showing one device with a Deployment Status as Succeeded and two with Pending":::
:::image type="content" source="images/configlock-mem-devstatus.png" alt-text="The Device Status for the config lock Device Configuration Profile, showing one device with a Deployment Status as Succeeded and two with Pending.":::
## Configuring Secured-Core PC features
## Configuring secured-core PC features
Config Lock is designed to ensure that a Secured-Core PC isn't unintentionally misconfigured. IT Admins retain the ability to change (enable/disable) SCPC features (for example Firmware protection) via Group Policies and/or mobile device management (MDM) tools, such as Microsoft Intune.
Config lock is designed to ensure that a secured-core PC isn't unintentionally misconfigured. You keep the ability to enable or disable SCPC features, for example, firmware protection. You can make these changes with group policies or MDM services like Microsoft Intune.
:::image type="content" source="images/configlock-mem-firmwareprotect.png" alt-text="The Defender Firmware protection setting, with a description of Windows Defender System Guard protects your device from compromised firmware. The setting is set to Off":::
:::image type="content" source="images/configlock-mem-firmwareprotect.png" alt-text="The Defender Firmware protection setting, with a description of Windows Defender System Guard protects your device from compromised firmware. The setting is set to Off.":::
## FAQ
**Can an IT admins disable Config Lock ?** </br>
Yes. IT admins can use MDM to turn off Config Lock.</br>
- Can I disable config lock? Yes. You can use MDM to turn off config lock completely or put it in temporary unlock mode for helpdesk activities.
### List of locked policies
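Review bot: `</br>` after "**Value**: 1" is not a valid HTML tag (the line-break element is `<br>` or `<br/>`); the line is unchanged by this hunk but sits inside the rewritten step list, so fix it here. Two smaller points in the same hunk: the summary bullet "Detects drift remediates within seconds" is missing a conjunction ("Detects drift and remediates it within seconds"), and the new FAQ bullet says config lock can be put "in temporary unlock mode for helpdesk activities" without saying how. The only setting documented on the page is the `./Vendor/MSFT/DMClient/Provider/MS%20DM%20Server/ConfigLock/Lock` OMA-URI with values 1 and 0, so either document the node that controls the temporary unlock or drop that claim.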
@ -88,7 +86,6 @@ Config Lock is designed to ensure that a Secured-Core PC isn't unintentionally m
|[WindowsDefenderApplicationGuard](windowsdefenderapplicationguard-csp.md) |
|[ApplicationControl](applicationcontrol-csp.md)
|**MDM policies** | **Supported by Group Policy** |
|-----|-----|
|[DataProtection/AllowDirectMemoryAccess](policy-csp-dataprotection.md) | No |
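Review bot: the `|[ApplicationControl](applicationcontrol-csp.md)` row is missing its closing pipe, unlike the preceding `|[WindowsDefenderApplicationGuard](windowsdefenderapplicationguard-csp.md) |` row. This hunk also removes one line here; if that was the blank line between the locked-policies table and the `|**MDM policies** | **Supported by Group Policy** |` header row, the two tables will merge and the second header renders as a body row, so keep a blank line between them.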

View File

@ -438,18 +438,6 @@ Additional lists:
<!--EndSKU-->
<!--EndCSP-->
<!--StartCSP-->
[EnterpriseAppManagement CSP](enterpriseappmanagement-csp.md)
<!--StartSKU-->
|Home|Pro|Business|Enterprise|Education|
|--- |--- |--- |--- |--- |
|No|No|No|No|No|
<!--EndSKU-->
<!--EndCSP-->
<!--StartCSP-->
[EnterpriseAppVManagement CSP](enterpriseappvmanagement-csp.md)
@ -544,18 +532,6 @@ Additional lists:
<!--EndSKU-->
<!--EndCSP-->
<!--StartCSP-->
[Messaging CSP](messaging-csp.md)
<!--StartSKU-->
|Home|Pro|Business|Enterprise|Education|
|--- |--- |--- |--- |--- |
|No|No|No|No|No|
<!--EndSKU-->
<!--EndCSP-->
<!--StartCSP-->
[MultiSIM CSP](multisim-csp.md)
@ -640,18 +616,6 @@ Additional lists:
<!--EndSKU-->
<!--EndCSP-->
<!--StartCSP-->
[Proxy CSP](proxy-csp.md)
<!--StartSKU-->
|Home|Pro|Business|Enterprise|Education|
|--- |--- |--- |--- |--- |
|Yes|Yes|Yes|Yes|Yes|
<!--EndSKU-->
<!--EndCSP-->
<!--StartCSP-->
[PXLogical CSP](pxlogical-csp.md)
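Review bot: the Proxy CSP entry removed here is the one whose SKU table reads Yes for every edition (Home, Pro, Business, Enterprise, Education), whereas the other entries removed from this file (EnterpriseAppManagement, Messaging, PolicyManager, RemoteRing) are No across the board. Dropping a CSP the reference lists as supported everywhere needs a reason in the commit message and a redirect for proxy-csp.md; otherwise the Proxy entry should stay.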
@ -700,18 +664,6 @@ Additional lists:
<!--EndSKU-->
<!--EndCSP-->
<!--StartCSP-->
[PolicyManager CSP](policymanager-csp.md)
<!--StartSKU-->
|Home|Pro|Business|Enterprise|Education|
|--- |--- |--- |--- |--- |
|No|No|No|No|No|
<!--EndSKU-->
<!--EndCSP-->
<!--StartCSP-->
[Provisioning CSP](provisioning-csp.md)
@ -748,18 +700,6 @@ Additional lists:
<!--EndSKU-->
<!--EndCSP-->
<!--StartCSP-->
[RemoteRing CSP](remotering-csp.md)
<!--StartSKU-->
|Home|Pro|Business|Enterprise|Education|
|--- |--- |--- |--- |--- |
|No|No|No|No|No|
<!--EndSKU-->
<!--EndCSP-->
<!--StartCSP-->
[RemoteWipe CSP](remotewipe-csp.md)
@ -857,18 +797,15 @@ Additional lists:
<!--EndCSP-->
<!--StartCSP-->
[SurfaceHub](surfacehub-csp.md)
<!--StartSKU-->
|Home|Pro|Business|Enterprise|Education|
|--- |--- |--- |--- |--- |
||||||
<!--EndSKU-->
<!--EndCSP-->
<!--StartCSP-->
[TenantLockdown CSP](tenantlockdown-csp.md)
<!--StartSKU-->
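Review bot: the SurfaceHub SKU table body row is `||||||`, five empty cells, so the rendered table says nothing about supported editions; the W4 Application CSP and w7 Application CSP tables in the following hunks have the same empty row. If these empty-row tables are what remains after the change, fill in Yes/No values as the other entries do or remove the tables entirely.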
@ -953,18 +890,16 @@ Additional lists:
<!--EndCSP-->
<!--StartCSP-->
[W4 Application CSP](w4-application-csp.md)
<!--StartSKU-->
|Home|Pro|Business|Enterprise|Education|
|--- |--- |--- |--- |--- |
||||||
<!--EndSKU-->
<!--EndCSP-->
<!--StartCSP-->
[WiFi CSP](wifi-csp.md)
<!--StartSKU-->
@ -1019,7 +954,7 @@ Additional lists:
|Home|Pro|Business|Enterprise|Education|
|--- |--- |--- |--- |--- |
|No|Yes|Yes|Yes|Yes|
|No|No|No|Yes|Yes|
<!--EndSKU-->
<!--EndCSP-->
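Review bot: changing the row from `|No|Yes|Yes|Yes|Yes|` to `|No|No|No|Yes|Yes|` drops Pro and Business from the supported editions of whichever CSP this table belongs to, but the hunk context shows only "Additional lists:", so the CSP name is not visible and the commit message gives no reason. Name the CSP and the reason in the change description, and update that CSP's own applicability table so the two pages agree.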
@ -1049,18 +984,15 @@ Additional lists:
<!--EndSKU-->
<!--EndCSP-->
<!--StartCSP-->
[w7 Application CSP](w7-application-csp.md)
<!--StartSKU-->
|Home|Pro|Business|Enterprise|Education|
|--- |--- |--- |--- |--- |
||||||
<!--EndSKU-->
<!--EndCSP-->
<hr/>
<!--EndCSPs-->
@ -1078,7 +1010,6 @@ You can download the DDF files for various CSPs from the links below:
## <a href="" id="hololens"></a>CSPs supported in HoloLens devices
The following list shows the CSPs supported in HoloLens devices:
| Configuration service provider | HoloLens (1st gen) Development Edition | HoloLens (1st gen) Commercial Suite | HoloLens 2 |
@ -1163,7 +1094,6 @@ The following list shows the CSPs supported in HoloLens devices:
- [DiagnosticLog CSP](diagnosticlog-csp.md)
- [DMAcc CSP](dmacc-csp.md)
- [DMClient CSP](dmclient-csp.md)
- [EnterpriseAppManagement CSP](enterpriseappmanagement-csp.md)
- [HealthAttestation CSP](healthattestation-csp.md)
- [NetworkProxy CSP](networkproxy-csp.md)
- [Policy CSP](policy-configuration-service-provider.md)

View File

@ -42,7 +42,6 @@ Package Full Name of the application that needs to be launched in the background
## SyncML examples
**Set StartupAppID**
```xml

View File

@ -15,6 +15,15 @@ ms.date: 02/22/2022
# Defender CSP
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
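Review bot: the applicability table is inserted directly under the "# Defender CSP" heading with no introductory sentence, while the CMPolicy and CMPolicyEnterprise pages in this same commit precede their tables with "The table below shows the applicability of Windows:". Add the same lead-in here; the DevDetail CSP hunk further down has the same omission.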
@ -355,7 +364,7 @@ Network Protection inspects DNS traffic that occurs over a UDP channel, to provi
<a href="" id="enablenetworkprotection-disablehttpparsing"></a>**EnableNetworkProtection/DisableHttpParsing**
Network Protection inspects HTTP traffic to see if a connection is being made to a malicious website, and to provide metadata to Behavior Monitoring. HTTP connections to malicious websites can also be blocked if -EnableNetworkProtection is set to enabled. HTTP inspection can be disabled by setting this value to "$true".
Network Protection inspects HTTP traffic to see if a connection is being made to a malicious website, and to provide metadata to Behavior Monitoring. HTTP connections to malicious websites can also be blocked if Enable Network Protection is set to enabled. HTTP inspection can be disabled by setting this value to "$true".
- Type: Boolean
- Position: Named
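Review bot: replacing `-EnableNetworkProtection` with the prose "Enable Network Protection" removes the only identifier that told the reader which setting is meant, while the "Type: Boolean" and "Position: Named" lines that follow still read as PowerShell parameter metadata rather than CSP node metadata. Either keep the parameter name in code font, or, better, name the CSP node it corresponds to and state its data type and supported operations the way the rest of the Defender CSP page does. The same substitution is made in the RDP, SSH and TLS hunks below.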
@ -365,7 +374,7 @@ Network Protection inspects HTTP traffic to see if a connection is being made to
<a href="" id="enablenetworkprotection-disablerdpparsing"></a>**EnableNetworkProtection/DisableRdpParsing**
Network Protection inspects RDP traffic so that it can block connections from known malicious hosts if -EnableNetworkProtection is set to be enabled, and to provide metadata to behavior monitoring. RDP inspection can be disabled by setting this value to "$true".
Network Protection inspects RDP traffic so that it can block connections from known malicious hosts if Enable Network Protection is set to be enabled, and to provide metadata to behavior monitoring. RDP inspection can be disabled by setting this value to "$true".
- Type: Boolean
- Position: Named
@ -375,7 +384,7 @@ Network Protection inspects RDP traffic so that it can block connections from kn
<a href="" id="enablenetworkprotection-disablesshparsing"></a>**EnableNetworkProtection/DisableSshParsing**
Network Protection inspects SSH traffic, so that it can block connections from known malicious hosts. If -EnableNetworkProtection is set to be enabled, and to provide metadata to behavior monitoring. SSH inspection can be disabled by setting this value to "$true".
Network Protection inspects SSH traffic, so that it can block connections from known malicious hosts. If Enable Network Protection is set to be enabled, and to provide metadata to behavior monitoring. SSH inspection can be disabled by setting this value to "$true".
- Type: Boolean
- Position: Named
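Review bot: the SSH description is a sentence fragment in both the old and new line: "...so that it can block connections from known malicious hosts. If Enable Network Protection is set to be enabled, and to provide metadata to behavior monitoring." The period after "hosts" should be a comma so the sentence matches the RDP wording above: "...block connections from known malicious hosts if Enable Network Protection is set to be enabled, and to provide metadata to behavior monitoring."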
@ -385,7 +394,7 @@ Network Protection inspects SSH traffic, so that it can block connections from k
<a href="" id="enablenetworkprotection-disabletlsparsing"></a>**EnableNetworkProtection/DisableTlsParsing**
Network Protection inspects TLS traffic (also known as HTTPS traffic) to see if a connection is being made to a malicious website, and to provide metadata to Behavior Monitoring. TLS connections to malicious websites can also be blocked if -EnableNetworkProtection is set to enabled. HTTP inspection can be disabled by setting this value to "$true".
Network Protection inspects TLS traffic (also known as HTTPS traffic) to see if a connection is being made to a malicious website, and to provide metadata to Behavior Monitoring. TLS connections to malicious websites can also be blocked if Enable Network Protection is set to enabled. HTTP inspection can be disabled by setting this value to "$true".
- Type: Boolean
- Position: Named
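Review bot: the TLS paragraph still ends with "HTTP inspection can be disabled by setting this value to "$true"", evidently carried over from the HTTP entry; for DisableTlsParsing it should read "TLS inspection can be disabled ...". Also, "$true" is PowerShell syntax rather than a CSP value, so confirm what the boolean node actually accepts and state that instead.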
@ -594,11 +603,13 @@ An interior node to group Windows Defender configuration information.
Supported operation is Get.
<a href="" id="configuration-tamperprotection"></a>**Configuration/TamperProtection**
Tamper protection helps protect important security features from unwanted changes and interference. This protection includes real-time protection, behavior monitoring, and more. Accepts signed string to turn the feature on or off. Settings are configured with an MDM solution, such as Intune and is available in Windows 10 Enterprise E5 or equivalent subscriptions.
Send off blob to device to reset the tamper protection state before setting this configuration to "not configured" or "unassigned" in Intune.
The data type is a Signed blob.
The data type is a Signed BLOB.
Supported operations are Add, Delete, Get, Replace.
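Review bot: the added line "Send off blob to device to reset the tamper protection state ..." is ambiguous; if "off" names the blob that turns the feature off, write it as "Send the 'off' blob to the device ..." so it is not read as "send off". The paragraph above also says the node "Accepts signed string" while the data-type line now says "Signed BLOB"; use one term. Minor: "Settings are configured with an MDM solution, such as Intune and is available in ..." has a subject-verb mismatch ("and the feature is available in ...").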
@ -610,7 +621,7 @@ Intune tamper protection setting UX supports three states:
When enabled or disabled exists on the client and admin moves the setting to not configured, it won't have any impact on the device state. To change the state to either enabled or disabled would require to be set explicitly.
<a href="" id="configuration-disablelocaladminmerge"></a>**Configuration/DisableLocalAdminMerge**<br>
This policy setting controls whether or not complex list settings configured by a local administrator are merged with managed settings. This setting applies to lists such as threats and exclusions.
This policy setting controls whether or not complex list settings configured by a local administrator are merged with managed settings. This setting applies to lists such as threats and exclusion list.
If you disable or don't configure this setting, unique items defined in preference settings configured by the local administrator will be merged into the resulting effective policy. If conflicts occur, management settings will override preference settings.
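Review bot: the reworded line "This setting applies to lists such as threats and exclusion list" is grammatically worse than the original "lists such as threats and exclusions" (plural "lists" followed by singular "exclusion list"); keep the original wording.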
@ -630,6 +641,7 @@ Valid values are:
- 0 (default) Disable.
<a href="" id="configuration-hideexclusionsfromlocaladmins"></a>**Configuration/HideExclusionsFromLocalAdmins**<br>
This policy setting controls whether or not exclusions are visible to Local Admins. For end users (that aren't Local Admins) exclusions aren't visible, whether or not this setting is enabled.
If you disable or don't configure this setting, Local Admins will be able to see exclusions in the Windows Security App, in the registry, and via PowerShell.
@ -643,18 +655,19 @@ Supported OS versions: Windows 10
The data type is integer.
Supported operations are Add, Delete, Get, Replace.
Supported operations are Add, Delete, Get, and Replace.
Valid values are:
- 1 Enable.
- 0 (default) Disable.
<a href="" id="configuration-disablecputhrottleonidlescans"></a>**Configuration/DisableCpuThrottleOnIdleScans**<br>
Indicates whether the CPU will be throttled for scheduled scans while the device is idle. This feature is enabled by default and won't throttle the CPU for scheduled scans performed when the device is otherwise idle, regardless of what ScanAvgCPULoadFactor is set to. For all other scheduled scans, this flag will have no impact and normal throttling will occur.
The data type is integer.
Supported operations are Add, Delete, Get, Replace.
Supported operations are Add, Delete, Get, and Replace.
Valid values are:
- 1 (default) Enable.
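Review bot: the DisableCpuThrottleOnIdleScans description is hard to read against its values: the node is named "Disable...", the text says "This feature is enabled by default and won't throttle the CPU", and the value list says "1 (default) Enable". Spell the polarity out on the value lines, for example "1 (default): the CPU is not throttled for scheduled scans that run while the device is idle, regardless of ScanAvgCPULoadFactor", and state on the 0 line which throttling then applies, so readers do not have to infer what "Enable" enables.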
@ -665,7 +678,7 @@ Allow managed devices to update through metered connections. Data charges may ap
The data type is integer.
Supported operations are Add, Delete, Get, Replace.
Supported operations are Add, Delete, Get, and Replace.
Valid values are:
- 1 Enable.
@ -676,7 +689,7 @@ This settings controls whether Network Protection is allowed to be configured in
The data type is integer.
Supported operations are Add, Delete, Get, Replace.
Supported operations are Add, Delete, Get, and Replace.
Valid values are:
- 1 Enable.
@ -687,7 +700,7 @@ Allows an administrator to explicitly disable network packet inspection made by
The data type is string.
Supported operations are Add, Delete, Get, Replace.
Supported operations are Add, Delete, Get, and Replace.
<a href="" id="configuration-enablefilehashcomputation"></a>**Configuration/EnableFileHashComputation**
Enables or disables file hash computation feature.
@ -695,7 +708,7 @@ When this feature is enabled, Windows Defender will compute hashes for files it
The data type is integer.
Supported operations are Add, Delete, Get, Replace.
Supported operations are Add, Delete, Get, and Replace.
Valid values are:
- 1 Enable.
@ -706,7 +719,7 @@ The support log location setting allows the administrator to specify where the M
Data type is string.
Supported operations are Add, Delete, Get, Replace.
Supported operations are Add, Delete, Get, and Replace.
Intune Support log location setting UX supports three states:
@ -714,7 +727,7 @@ Intune Support log location setting UX supports three states:
- 1 - Enabled. Enables the Support log location feature. Requires admin to set custom file path.
- 0 - Disabled. Turns off the Support log location feature.
When enabled or disabled exists on the client and admin moves the setting to be configured not , it won't have any impact on the device state. To change the state to either enabled or disabled would require to be set explicitly.
When enabled or disabled exists on the client and admin moves the setting to not configured, it won't have any impact on the device state. To change the state to either enabled or disabled would require to be set explicitly.
More details:
@ -738,7 +751,7 @@ If you disable or don't configure this policy, the device will stay up to date a
The data type is integer.
Supported operations are Add, Delete, Get, Replace.
Supported operations are Add, Delete, Get, and Replace.
Valid values are:
- 0: Not configured (Default)
@ -771,7 +784,7 @@ If you disable or don't configure this policy, the device will stay up to date a
The data type is integer.
Supported operations are Add, Delete, Get, Replace.
Supported operations are Add, Delete, Get, and Replace.
Valid values are:
- 0: Not configured (Default)
@ -796,7 +809,7 @@ Current Channel (Broad): Devices will be offered updates only after the gradual
If you disable or don't configure this policy, the device will stay up to date automatically during the daily release cycle. Suitable for most devices.
The data type is integer.
Supported operations are Add, Delete, Get, Replace.
Supported operations are Add, Delete, Get, and Replace.
Valid Values are:
- 0: Not configured (Default)
@ -819,7 +832,7 @@ If you disable or don't configure this policy, the device will remain in Current
The data type is integer.
Supported operations are Add, Delete, Get, Replace.
Supported operations are Add, Delete, Get, and Replace.
Valid values are:
- 1 Enabled.

View File

@ -14,6 +14,16 @@ ms.date: 03/27/2020
# DevDetail CSP
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The DevDetail configuration service provider handles the management object that provides device-specific parameters to the OMA DM server. These device parameters can be queried by servers using OMA DM commands. They aren't sent from the client to the server automatically.
> [!NOTE]

View File

@ -861,7 +861,7 @@ Here's the list of corresponding Group Policy settings in HKLM\\Software\\Polici
|DeferFeatureUpdates|REG_DWORD|1: defer feature updates<br><br>Other value or absent: dont defer feature updates|
|DeferFeatureUpdatesPeriodInDays|REG_DWORD|0-180: days to defer feature updates|
|PauseFeatureUpdates|REG_DWORD|1: pause feature updates<br><br>Other value or absent: dont pause feature updates|
|ExcludeWUDriversInQualityUpdate|REG_DWORD|1: exclude WU drivers<br><br>Other value or absent: offer WU drivers|
|ExcludeWUDriversInQualityUpdate|REG_DWORD|1: exclude Windows Update drivers<br><br>Other value or absent: offer Windows Update drivers|
Here's the list of older policies that are still supported for backward compatibility. You can use these older policies for Windows 10, version 1511 devices.

View File

@ -20,6 +20,7 @@ The table below shows the applicability of Windows:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|

View File

@ -20,6 +20,7 @@ The table below shows the applicability of Windows:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|

View File

@ -20,6 +20,7 @@ The table below shows the applicability of Windows:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|

View File

@ -20,6 +20,7 @@ The table below shows the applicability of Windows:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|

View File

@ -20,6 +20,7 @@ The table below shows the applicability of Windows:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|

View File

@ -20,6 +20,7 @@ The table below shows the applicability of Windows:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@ -50,6 +51,8 @@ DMClient
------------Unenroll
------------AADResourceID
------------AADDeviceID
------------AADSendDeviceToken
------------ForceAadToken
------------EnrollmentType
------------EnableOmaDmKeepAliveMessage
------------HWDevID
@ -72,6 +75,21 @@ DMClient
----------------NumberOfRemainingScheduledRetries
----------------PollOnLogin
----------------AllUsersPollOnFirstLogin
------------LinkedEnrollment
----------------Priority
----------------Enroll
----------------Unenroll
----------------EnrollStatus
----------------LastError
------------Recovery
----------------AllowRecovery
----------------RecoveryStatus
----------------InitiateRecovery
------------MultipleSession
----------------NumAllowedConcurrentUserSessionForBackgroundSync
----------------NumAllowedConcurrentUserSessionAtUserLogonSync
----------------IntervalForScheduledRetriesForUserSession
----------------NumberOfScheduledRetriesForUserSession
----Unenroll
----UpdateManagementServiceAddress
```
@ -325,6 +343,11 @@ Supported operations are Add, Delete, Get, and Replace.
Value type is bool.
<a href="" id="provider-providerid-forceaadtoken"></a>**Provider/*ProviderID*/ForceAadToken**
The value type is integer/enum.
The value is "1" and it means client should always send AAD device token during check-in/sync.
<a href="" id="provider-providerid-poll"></a>**Provider/*ProviderID*/Poll**
Optional. Polling schedules must use the DMClient CSP. The Registry paths previously associated with polling using the Registry CSP are now deprecated.
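Review bot: the new ForceAadToken entry documents a single value and nothing else: `The value is "1" and it means client should always send AAD device token during check-in/sync.` State what 0 (or an absent node) means and which is the default, and add the `Supported operations are ...` line that every other node on this page carries. The tree hunk above also adds the sibling `AADSendDeviceToken`; one sentence on how ForceAadToken relates to it would save server implementers from guessing which of the two they need to set.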
@ -443,6 +466,117 @@ Optional. Boolean value that allows the IT admin to require the device to start
Supported operations are Add, Get, and Replace.
<a href="" id="provider-providerid-linkedenrollment-priority"></a>**Provider/*ProviderID*/LinkedEnrollment/Priority**
This node is an integer, value is "0" or "1".
Default is 1, meaning the MDM enrollment is the “winning” authority for conflicting policies/resources. Value 1 means MMP-C enrollment is the “winning” one.
Support operations are Get and Set.
<a href="" id="provider-providerid-linkedenrollment-enroll"></a>**Provider/*ProviderID*/LinkedEnrollment/Enroll**
This is an execution node and will trigger a silent MMP-C enrollment, using the AAD device token pulled from the AADJed device. There is no user interaction needed.
Support operation is Exec.
<a href="" id="provider-providerid-linkedenrollment-unenroll"></a>**Provider/*ProviderID*/LinkedEnrollment/Unenroll**
This is an execution node and will trigger a silent MMP-C unenroll, there is no user interaction needed. On un-enrollment, all the settings/resources set by MMPC will be rolled back(rollback details will be covered later).
Support operation is Exec.
<a href="" id="provider-providerid-linkedenrollment-enrollstatus"></a>**Provider/*ProviderID*/LinkedEnrollment/EnrollStatus**
This node can be used to check both enroll and unenroll statuses.
This will return the enroll action status and is defined as a enum class LinkedEnrollmentStatus. The values are aas follows:
- Undefined = 0
- EnrollmentNotStarted = 1
- InProgress = 2
- Failed = 3
- Succeeded = 4
- UnEnrollmentQueued = 5
- UnEnrollmentSucceeded = 8
Support operation is Get only.
<a href="" id="provider-providerid-linkedenrollment-lasterror"></a>**Provider/*ProviderID*/LinkedEnrollment/LastError**
This specifies the Hresult to report the enrollment/unenroll results.
<a href="" id="provider-providerid-recovery-allowrecovery"></a>**Provider/*ProviderID*/Recovery/AllowRecovery**
This node determines whether or not the client will automatically initiate a MDM Recovery operation when it detects issues with the MDM certificate.
Supported operations are Get, Add, Replace and Delete.
The supported values for this node are 1-true (allow) and 0-false(not allow). Default value is 0.
<a href="" id="provider-providerid-recovery-recoverystatus"></a>**Provider/*ProviderID*/Recovery/RecoveryStatus**
This node tracks the status of a Recovery request from the InitiateRecovery node. The values are as follows:
0 - No Recovery request has been processed.
1 - Recovery is in Process.
2 - Recovery has finished successfully.
3 - Recovery has failed to start because TPM is not available.
4 - Recovery has failed to start because AAD keys are not protected by the TPM.
5 - Recovery has failed to start because the MDM keys are already protected by the TPM.
6 - Recovery has failed to start because the TPM is not ready for attestation.
7 - Recovery has failed because the client cannot authenticate to the server.
8 - Recovery has failed because the server has rejected the client's request.
Supported operation is Get only.
<a href="" id="provider-providerid-recovery-initiaterecovery"></a>**Provider/*ProviderID*/Recovery/InitiateRecovery**
This node initiates an MDM Recovery operation on the client.
If initiated with argument 0, it triggers MDM Recovery, no matter the state of the device.
If initiated with argument 1, it triggers only if the MDM certificates private key isnt already protected by the TPM, if there is a TPM to put the private key into, and if the TPM is ready for attestation.
Supported operation is Exec only.
<a href="" id="provider-providerid-multiplesession-numallowedconcurrentusersessionforbackgroundsync"></a>**Provider/*ProviderID*/MultipleSession/NumAllowedConcurrentUserSessionForBackgroundSync**
Optional. This node specifies maximum number of concurrent user sync sessions in background.
The default value is dynamically decided by the client based on CPU usage.
The values are : 0= none, 1= sequential, anything else= parallel.
Supported operations are Get, Add, Replace and Delete.
Value type is integer. Only applicable for Windows Enterprise multi-session.
<a href="" id="provider-providerid-multiplesession-numallowedconcurrentusersessionatuserlogonsync"></a>**Provider/*ProviderID*/MultipleSession/NumAllowedConcurrentUserSessionAtUserLogonSync**
Optional. This node specifies maximum number of concurrent user sync sessions at User Login.
The default value is dynamically decided by the client based on CPU usage.
The values are : 0= none, 1= sequential, anything else= parallel.
Supported operations are Get, Add, Replace and Delete.
Value type is integer. Only applicable for Windows Enterprise multi-session.
<a href="" id="provider-providerid-multiplesession-intervalforscheduledretriesforusersession"></a>**Provider/*ProviderID*/MultipleSession/IntervalForScheduledRetriesForUserSession**
Optional. This node specifies the waiting time (in minutes) for the initial set of retries as specified by the number of retries in `/<ProviderID>/Poll/NumberOfScheduledRetriesForUserSession`.
If IntervalForScheduledRetriesForUserSession is not set, then the default value is used. The default value is 0. If the value is set to 0, this schedule is disabled.
This configuration is only applicable for Windows Multi-session Editions.
Supported operations are Get and Replace.
<a href="" id="provider-providerid-multiplesession-numberofscheduledretriesforusersession"></a>**Provider/*ProviderID*/MultipleSession/NumberOfScheduledRetriesForUserSession**
Optional. This node specifies the number of times the DM client should retry to connect to the server when the client is initially configured or enrolled to communicate with the server.
If the value is set to 0 and the IntervalForScheduledRetriesForUserSession value is not 0, then the schedule will be set to repeat an infinite number of times.
The default value is 0. This configuration is only applicable for Windows Multi-session Editions.
Supported operations are Get and Replace.
<a href="" id="provider-providerid-configlock"></a>**Provider/*ProviderID*/ConfigLock**
Optional. This node enables [Config Lock](config-lock.md) feature. If enabled, policies defined in the Config Lock document will be monitored and quickly remediated when a configuration drift is detected.
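Review bot: LinkedEnrollment/Priority contradicts itself: `Default is 1, meaning the MDM enrollment is the “winning” authority` and `Value 1 means MMP-C enrollment is the “winning” one` give value 1 two opposite meanings; state once which value maps to which authority and which is the default, and replace `Support operations are Get and Set` with an OMA DM operation name (Replace), as the rest of the page does. Other points in the same hunk: IntervalForScheduledRetriesForUserSession refers to `/<ProviderID>/Poll/NumberOfScheduledRetriesForUserSession`, but the tree above places that node under `MultipleSession`, not `Poll`; NumberOfScheduledRetriesForUserSession is described as retrying `when the client is initially configured or enrolled`, which is the Poll/NumberOfFirstRetries wording and says nothing about user sessions; the two NumAllowedConcurrentUserSession* nodes call the value a maximum count but then define `anything else= parallel`, so say whether a value above 1 caps concurrency at that number; `rollback details will be covered later` under Unenroll points at a section that does not exist; the EnrollStatus enum jumps from `UnEnrollmentQueued = 5` to `UnEnrollmentSucceeded = 8` without saying whether 6 and 7 are reserved or failure states; LastError gives neither a value type nor supported operations; and the RecoveryStatus values 0 through 8 are plain lines, which Markdown renders as one run-on paragraph, so format them as a `- ` list like the EnrollStatus values. Also fix `aas follows` and `a enum class`.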
@ -496,7 +630,7 @@ The status error mapping is listed below.
|--- |--- |
|0|Success|
|1|Failure: invalid PFN|
|2|Failure: invalid or expired device authentication with MSA|
|2|Failure: invalid or expired device authentication with Microsoft account|
|3|Failure: WNS client registration failed due to an invalid or revoked PFN|
|4|Failure: no Channel URI assigned|
|5|Failure: Channel URI has expired|

View File

@ -19,6 +19,7 @@ The table below shows the applicability of Windows:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|

View File

@ -20,6 +20,7 @@ The table below shows the applicability of Windows:
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Windows SE|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|

View File

@ -20,6 +20,7 @@ The table below shows the applicability of Windows:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|

View File

@ -11,14 +11,24 @@ ms.date: 05/21/2019
# EnrollmentStatusTracking CSP
During Autopilot deployment, you can configure the Enrollment Status Page (ESP) to block the device usage until the required apps are installed. You can select the apps that must be installed before using the device. The EnrollmentStatusTracking configuration service provider (CSP) is used by Intune's agents, such as SideCar, to configure ESP for blocking the device usage until the required Win32 apps are installed. It tracks the installation status of the required policy providers and the apps they install and sends it to ESP, which displays the installation progress message to the user. For more information on ESP, see [Windows Autopilot Enrollment Status page](/windows/deployment/windows-autopilot/enrollment-status).
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
During Autopilot deployment, you can configure the Enrollment Status Page (ESP) to block the device use until the required apps are installed. You can select the apps that must be installed before using the device. The EnrollmentStatusTracking configuration service provider (CSP) is used by Intune's agents, such as SideCar to configure ESP for blocking the device use until the required Win32 apps are installed. It tracks the installation status of the required policy providers and the apps they install and sends it to ESP, which displays the installation progress message to the user. For more information on ESP, see [Windows Autopilot Enrollment Status page](/windows/deployment/windows-autopilot/enrollment-status).
ESP uses the EnrollmentStatusTracking CSP along with the DMClient CSP to track the installation of different apps. The EnrollmentStatusTracking CSP tracks Win32 apps installations and DMClient CSP tracks MSI and Universal Windows Platform apps installations. In DMClient CSP, the **FirstSyncStatus/ExpectedMSIAppPackages** and **FirstSyncStatus/ExpectedModernAppPackages** nodes list the apps to track their installation. For more information, see [DMClient CSP](dmclient-csp.md).
The EnrollmentStatusTracking CSP was added in Windows 10, version 1903.
The following example shows the EnrollmentStatusTracking CSP in tree format.
The following shows the EnrollmentStatusTracking CSP in tree format.
```
./User/Vendor/MSFT
EnrollmentStatusTracking
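Review bot: the rewritten intro paragraph drops the comma that closed the parenthetical, so `Intune's agents, such as SideCar to configure ESP` now reads as though SideCar is an agent whose purpose is configuring ESP; keep the pair of commas from the old line, `Intune's agents, such as SideCar, to configure ESP`. The `usage` to `use` change and the added table are otherwise consistent with the other pages.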
@ -59,6 +69,7 @@ EnrollmentStatusTracking
------------------------RebootRequired
--------HasProvisioningCompleted
```
<a href="" id="vendor-msft"></a>**./Vendor/MSFT**
For device context, use **./Device/Vendor/MSFT** path and for user context, use **./User/Vendor/MSFT** path.
@ -93,6 +104,7 @@ Communicates the policy provider installation state back to ESP.
Scope is dynamic. Supported operations are Get, Add, Delete, and Replace.
Value type is integer. Expected values are as follows:
- 1—NotInstalled
- 2—NotRequired
- 3—Completed
@ -127,7 +139,8 @@ This node specifies if the policy provider is registered for app provisioning.
Scope is dynamic. Supported operations are Get, Add, Delete, and Replace.
Value type is boolean. Expected values are as follows:
- false — Indicates that the policy provider is not registered for app provisioning. This is the default.
- false—Indicates that the policy provider isn't registered for app provisioning. This is the default.
- true—Indicates that the policy provider is registered for app provisioning.
<a href="" id="enrollmentstatustracking-setup"></a>**EnrollmentStatusTracking/Setup**
@ -150,7 +163,7 @@ Scope is permanent. Supported operation is Get.
<a href="" id="enrollmentstatustracking-setup-apps-policyproviders-providername"></a>**EnrollmentStatusTracking/Setup/Apps/PolicyProviders**/***ProviderName***
Optional. This node is supported in both user context and device context.
Represents an app policy provider for the ESP. Existence of this node indicates to the ESP that it should not show the tracking status message until the TrackingPoliciesCreated node has been set to true.
Represents an app policy provider for the ESP. Existence of this node indicates to the ESP that it shouldn't show the tracking status message until the TrackingPoliciesCreated node has been set to true.
Scope is dynamic. Supported operations are Get, Add, Delete, and Replace.
@ -161,8 +174,9 @@ Indicates if the provider has created the required policies for the ESP to use f
Scope is dynamic. Supported operations are Get, Add, Delete, and Replace.
Value type is boolean. The expected values are as follows:
- true—Indicates that the provider has created the required policies.
- false — Indicates that the provider has not created the required policies. This is the default.
- false—Indicates that the provider hasn't created the required policies. This is the default.
<a href="" id="enrollmentstatustracking-setup-apps-tracking"></a>**EnrollmentStatusTracking/Setup/Apps/Tracking**
Required. This node is supported in both user context and device context.
@ -178,7 +192,7 @@ Scope is dynamic. Supported operations are Get, Add, Delete, and Replace.
<a href="" id="enrollmentstatustracking-setup-apps-tracking-providername-appname"></a>**EnrollmentStatusTracking/Setup/Apps/Tracking/*ProviderName*/_AppName_**
Optional. This node is supported in both user context and device context.
Represents a unique name for the app whose progress should be tracked by the ESP. The policy provider can define any arbitrary app name as ESP does not use the app name directly.
Represents a unique name for the app whose progress should be tracked by the ESP. The policy provider can define any arbitrary app name as ESP doesn't use the app name directly.
Scope is dynamic. Supported operations are Get, Add, Delete, and Replace.
@ -189,6 +203,7 @@ Represents the installation state for the app. The policy providers (not the MDM
Scope is dynamic. Supported operations are Get, Add, Delete, and Replace.
Value type is integer. Expected values are as follows:
- 1—NotInstalled
- 2—InProgress
- 3—Completed
@ -196,11 +211,12 @@ Value type is integer. Expected values are as follows:
<a href="" id="enrollmentstatustracking-setup-apps-tracking-providername-appname-rebootrequired"></a>**EnrollmentStatusTracking/Setup/Apps/Tracking/*ProviderName*/*AppName*/RebootRequired**
Optional. This node is supported in both user context and device context.
Indicates if the app installation requires ESP to issue a reboot. The policy providers installing the app (not the MDM server) must set this node. If the policy providers do not set this node, the ESP will not reboot the device for the app installation.
Indicates if the app installation requires ESP to issue a reboot. The policy providers installing the app (not the MDM server) must set this node. If the policy providers don't set this node, the ESP won't reboot the device for the app installation.
Scope is dynamic. Supported operations are Get, Add, Delete, and Replace.
Value type is integer. Expected values are as follows:
- 1—NotRequired
- 2—SoftReboot
- 3—HardReboot
@ -212,5 +228,10 @@ ESP sets this node when it completes. Providers can query this node to determine
Scope is permanent. Supported operation is Get.
Value type is boolean. Expected values are as follows:
- true—Indicates that ESP has completed. This is the default.
- false—Indicates that ESP is displayed, and provisioning is still going.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)

View File

@ -1,6 +1,6 @@
---
title: EnterpriseAPN CSP
description: The EnterpriseAPN configuration service provider is used by the enterprise to provision an APN for the Internet.
description: Learn how the EnterpriseAPN configuration service provider is used by the enterprise to provision an APN for the Internet.
ms.assetid: E125F6A5-EE44-41B1-A8CC-DF295082E6B2
ms.reviewer:
manager: dansimp
@ -14,10 +14,18 @@ ms.date: 09/22/2017
# EnterpriseAPN CSP
The EnterpriseAPN configuration service provider (CSP) is used by the enterprise to provision an APN for the Internet.
The table below shows the applicability of Windows:
> [!Note]
> Starting in Windows 10, version 1703 the EnterpriseAPN CSP is supported in Windows 10 Home, Pro, Enterprise, and Education editions.
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The EnterpriseAPN configuration service provider (CSP) is used by the enterprise to provision an APN for the Internet.
The following example shows the EnterpriseAPN configuration service provider in tree format.
```
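Review bot: replacing the note `Starting in Windows 10, version 1703 the EnterpriseAPN CSP is supported in Windows 10 Home, Pro, Enterprise, and Education editions.` with an edition table that simply says `Yes` for every Windows 10 edition loses the version gate the note carried: by its own wording, releases before 1703 did not support the CSP on all of these editions. Keep the qualifier, either as a footnote on the table or as a sentence under it, so that an admin targeting older Windows 10 builds is not told the CSP is available when it is not.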
@ -39,40 +47,42 @@ EnterpriseAPN
--------HideView
```
<a href="" id="enterpriseapn"></a>**EnterpriseAPN**
<p>The root node for the EnterpriseAPN configuration service provider.</p>
The root node for the EnterpriseAPN configuration service provider.
<a href="" id="enterpriseapn-connectionname"></a>**EnterpriseAPN/**<strong>*ConnectionName*</strong>
<p>Name of the connection as seen by Windows Connection Manager.</p>
Name of the connection as seen by Windows Connection Manager.
<p>Supported operations are Add, Get, Delete, and Replace.</p>
Supported operations are Add, Get, Delete, and Replace.
<a href="" id="enterpriseapn-connectionname-apnname"></a>**EnterpriseAPN/*ConnectionName*/APNName**
<p>Enterprise APN name.</p>
Enterprise APN name.
<p>Supported operations are Add, Get, Delete, and Replace.</p>
Supported operations are Add, Get, Delete, and Replace.
<a href="" id="enterpriseapn-connectionname-iptype"></a>**EnterpriseAPN/*ConnectionName*/IPType**
<p>This value can be one of the following values:</p>
This value can be one of the following:
- IPv4 - only IPV4 connection type
- IPv6 - only IPv6 connection type
- IPv4 - only IPV4 connection type.
- IPv6 - only IPv6 connection type.
- IPv4v6 (default)- IPv4 and IPv6 concurrently.
- IPv4v6xlat - IPv6 with IPv4 provided by 46xlat
- IPv4v6xlat - IPv6 with IPv4 provided by 46xlat.
<p>Supported operations are Add, Get, Delete, and Replace.</p>
Supported operations are Add, Get, Delete, and Replace.
<a href="" id="enterpriseapn-connectionname-isattachapn"></a>**EnterpriseAPN/*ConnectionName*/IsAttachAPN**
<p>Boolean value that indicates whether this APN should be requested as part of an LTE Attach. Default value is false.</p>
Boolean value that indicates whether this APN should be requested as part of an LTE Attach.
<p>Supported operations are Add, Get, Delete, and Replace.</p>
Default value is false.
Supported operations are Add, Get, Delete, and Replace.
<a href="" id="enterpriseapn-connectionname-classid"></a>**EnterpriseAPN/*ConnectionName*/ClassId**
<p>GUID that defines the APN class to the modem. This GUID is the same as the OEMConnectionId in CM_CellularEntries CSP. Normally this setting isn't present. It's only required when IsAttachAPN is true and the attach APN isn't only used as the Internet APN.</p>
GUID that defines the APN class to the modem. This is the same as the OEMConnectionId in CM_CellularEntries CSP. Normally this setting isn't present. It's only required when IsAttachAPN is true and the attach APN isn't only used as the Internet APN.
<p>Supported operations are Add, Get, Delete, and Replace.</p>
Supported operations are Add, Get, Delete, and Replace.
<a href="" id="enterpriseapn-connectionname-authtype"></a>**EnterpriseAPN/*ConnectionName*/AuthType**
<p>Authentication type. This value can be one of the following values:</p>
Authentication type. This value can be one of the following:
- None (default)
- Auto
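Review bot: while the IPType list is being reworded, `- IPv4 - only IPV4 connection type.` keeps the `IPV4` casing that clashes with `IPv4` two words earlier, and `- IPv4v6 (default)- IPv4 and IPv6 concurrently.` still lacks a space before the dash; fix both in this pass. In ClassId, `This is the same as the OEMConnectionId in CM_CellularEntries CSP` replaced `This GUID is the same as`, which loses the antecedent; keep `This GUID`.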
@ -80,70 +90,69 @@ EnterpriseAPN
- CHAP
- MSCHAPv2
<p>Supported operations are Add, Get, Delete, and Replace.</p>
Supported operations are Add, Get, Delete, and Replace.
<a href="" id="enterpriseapn-connectionname-username"></a>**EnterpriseAPN/*ConnectionName*/UserName**
<p>User name for use with PAP, CHAP, or MSCHAPv2 authentication.</p>
User name for use with PAP, CHAP, or MSCHAPv2 authentication.
<p>Supported operations are Add, Get, Delete, and Replace.</p>
Supported operations are Add, Get, Delete, and Replace.
<a href="" id="enterpriseapn-connectionname-password"></a>**EnterpriseAPN/*ConnectionName*/Password**
<p>Password corresponding to the username.</p>
Password corresponding to the username.
<p>Supported operations are Add, Get, Delete, and Replace.</p>
Supported operations are Add, Get, Delete, and Replace.
<a href="" id="enterpriseapn-connectionname-iccid"></a>**EnterpriseAPN/*ConnectionName*/IccId**
<p>Integrated Circuit Card ID (ICCID) associated with the cellular connection profile. If this node isn't present, the connection is created on a single-slot device using the ICCID of the UICC and on a dual-slot device using the ICCID of the UICC that is active for data.</p>
Integrated Circuit Card ID (ICCID) associated with the cellular connection profile. If this node isn't present, the connection is created on a single-slot device using the ICCID of the UICC and on a dual-slot device using the ICCID of the UICC that is active for data.
<p>Supported operations are Add, Get, Delete, and Replace.</p>
Supported operations are Add, Get, Delete, and Replace.
<a href="" id="enterpriseapn-connectionname-alwayson"></a>**EnterpriseAPN/*ConnectionName*/AlwaysOn**
<p>Added in Windows 10, version 1607. Boolean value that specifies whether the CM will automatically attempt to connect to the APN when a connection is available.</p>
Added in Windows 10, version 1607. Boolean value that specifies whether the CM will automatically attempt to connect to the APN when a connection is available.
<p>The default value is true.</p>
The default value is true.
<p>Supported operations are Add, Get, Delete, and Replace.</p>
Supported operations are Add, Get, Delete, and Replace.
<a href="" id="enterpriseapn-connectionname-enabled"></a>**EnterpriseAPN/*ConnectionName*/Enabled**
<p>Added in Windows 10, version 1607. Boolean that specifies whether the connection is enabled.</p>
Added in Windows 10, version 1607. Boolean that specifies whether the connection is enabled.
<p>The default value is true.</p>
The default value is true.
<p>Supported operations are Add, Get, Delete, and Replace.</p>
Supported operations are Add, Get, Delete, and Replace.
<a href="" id="enterpriseapn-connectionname-roaming"></a>**EnterpriseAPN/*ConnectionName*/Roaming**
<p>Added in Windows 10, version 1703. Specifies whether the connection should be activated when the device is roaming. Valid values:</p>
Added in Windows 10, version 1703. Specifies whether the connection should be activated when the device is roaming. Valid values are:
<ul>
<li>0 - Disallowed</li>
<li>1 - Allowed</li>
<li>2 - DomesticRoaming</li>
<li>3 - UseOnlyForDomesticRoaming</li>
<li>4 - UseOnlyForNonDomesticRoaming</li>
<li>5 - UseOnlyForRoaming</li>
</ul>
- 0 - Disallowed
- 1 - Allowed
- 2 - DomesticRoaming
- 3 - UseOnlyForDomesticRoaming
- 4 - UseOnlyForNonDomesticRoaming
- 5 - UseOnlyForRoaming
<p>Default is 1 (all roaming allowed).</p>
Default is 1 (all roaming allowed).
<p>Value type is string. Supported operations are Add, Get, Delete, and Replace.</p>
Value type is string.
Supported operations are Add, Get, Delete, and Replace.
<a href="" id="enterpriseapn-settings"></a>**EnterpriseAPN/Settings**
<p>Added in Windows 10, version 1607. Node that contains global settings.</p>
Added in Windows 10, version 1607. Node that contains global settings.
<a href="" id="enterpriseapn-settings-allowusercontrol"></a>**EnterpriseAPN/Settings/AllowUserControl**
<p>Added in Windows 10, version 1607. Boolean value that specifies whether the cellular UX will allow users to connect with other APNs other than the Enterprise APN.</p>
Added in Windows 10, version 1607. Boolean value that specifies whether the cellular UX will allow users to connect with other APNs other than the Enterprise APN.
<p>The default value is false.</p>
The default value is false.
<p>Supported operations are Get and Replace.</p>
Supported operations are Get and Replace.
<a href="" id="enterpriseapn-settings-hideview"></a>**EnterpriseAPN/Settings/HideView**
<p>Added in Windows 10, version 1607. Boolean that specifies whether the cellular UX will allow the user to view enterprise APNs. Only applicable if AllowUserControl is true.</p>
Added in Windows 10, version 1607. Boolean that specifies whether the cellular UX will allow the user to view enterprise APNs. Only applicable if AllowUserControl is true.
<p>The default value is false.</p>
The default value is false.
<p>Supported operations are Get and Replace.</p>
Supported operations are Get and Replace.
## Examples
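Review bot: Roaming lists numeric values (`- 0 - Disallowed` through `- 5 - UseOnlyForRoaming`) and then states `Value type is string.`; if the CSP really expects the digit as a string, say so explicitly, otherwise change it to integer, because an MDM server author will pick the Data Format for the SyncML from this line. In the same hunk, the Password node (`Password corresponding to the username.`) lists Get among its supported operations; document whether Get returns the stored secret or a masked value, and add a one-line caution that with AuthType PAP the password is transmitted unencrypted in the authentication exchange, so PAP should be the last choice. `CM` in the AlwaysOn description is never expanded; write `Windows Connection Manager` as the ConnectionName node does.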
@ -290,15 +299,4 @@ atomicZ
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)

View File

@ -1,534 +0,0 @@
---
title: EnterpriseAppManagement CSP
description: Handle enterprise application management tasks using EnterpriseAppManagement configuration service provider (CSP).
ms.assetid: 698b8bf4-652e-474b-97e4-381031357623
ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
ms.date: 06/26/2017
---
# EnterpriseAppManagement CSP
The EnterpriseAppManagement enterprise configuration service provider is used to handle enterprise application management tasks such as installing an enterprise application token, the first auto-downloadable app link, querying installed enterprise applications (name and version), auto updating already installed enterprise applications, and removing all installed enterprise apps (including the enterprise app token) during unenrollment.
> [!NOTE]
> The EnterpriseAppManagement CSP is only supported in Windows 10 IoT Core.
The following example shows the EnterpriseAppManagement configuration service provider in tree format.
```console
./Vendor/MSFT
EnterpriseAppManagement
----EnterpriseID
--------EnrollmentToken
--------StoreProductID
--------StoreUri
--------CertificateSearchCriteria
--------Status
--------CRLCheck
--------EnterpriseApps
------------Inventory
----------------ProductID
--------------------Version
--------------------Title
--------------------Publisher
--------------------InstallDate
------------Download
----------------ProductID
--------------------Version
--------------------Name
--------------------URL
--------------------Status
--------------------LastError
--------------------LastErrorDesc
--------------------DownloadInstall
```
<a href="" id="enterpriseid"></a>***EnterpriseID***
Optional. A dynamic node that represents the EnterpriseID as a GUID. It's used to enroll or unenroll enterprise applications.
Supported operations are Add, Delete, and Get.
<a href="" id="enterpriseid-enrollmenttoken"></a>***EnterpriseID*/EnrollmentToken**
Required. Used to install or update the binary representation of the application enrollment token (AET) and initiate "phone home" token validation. Scope is dynamic.
Supported operations are Get, Add, and Replace.
<a href="" id="enterpriseid-storeproductid"></a>***EnterpriseID*/StoreProductID**
Required. The node to host the ProductId node. Scope is dynamic.
Supported operation is Get.
<a href="" id="-storeproductid-productid"></a>**/StoreProductID/ProductId**
The character string that contains the ID of the first enterprise application (usually a Company Hub app), which is automatically installed on the device. Scope is dynamic.
Supported operations are Get and Add.
<a href="" id="enterpriseid-storeuri"></a>***EnterpriseID*/StoreUri**
Optional. The character string that contains the URI of the first enterprise application to be installed on the device. The enrollment client downloads and installs the application from this URI. Scope is dynamic.
Supported operations are Get and Add.
<a href="" id="enterpriseid-certificatesearchcriteria"></a>***EnterpriseID*/CertificateSearchCriteria**
Optional. The character string that contains the search criteria to search for the DM-enrolled client certificate. The certificate is used for client authentication during enterprise application download. The company's application content server should use the enterprise-enrolled client certificate to authenticate the device. The value must be a URL encoded representation of the X.500 distinguished name of the client certificates Subject property. The X.500 name must conform to the format required by the [CertStrToName](/windows/win32/api/wincrypt/nf-wincrypt-certstrtonamea) function. This search parameter is case sensitive. Scope is dynamic.
Supported operations are Get and Add.
> [!NOTE]
> Do NOT use Subject=CN%3DB1C43CD0-1624-5FBB-8E54-34CF17DFD3A1\\x00. The server must replace this value in the supplied client certificate. If your server returns a client certificate containing the same Subject value, this can cause unexpected behavior. The server should always override the subject value and not use the default device-provided Device ID Subject= Subject=CN%3DB1C43CD0-1624-5FBB-8E54-34CF17DFD3A1\\x00
<a href="" id="enterpriseid-status"></a>***EnterpriseID*/Status**
Required. The integer value that indicates the current status of the application enrollment. Valid values are 0 (ENABLED), 1 (INSTALL\_DISABLED), 2 (REVOKED), and 3 (INVALID). Scope is dynamic.
Supported operation is Get.
<a href="" id="enterpriseid-crlcheck"></a>***EnterpriseID*/CRLCheck**
Optional. Character value that specifies whether the device should do a CRL check when using a certificate to authenticate the server. Valid values are "1" (CRL check required), "0" (CRL check not required). Scope is dynamic.
Supported operations are Get, Add, and Replace.
<a href="" id="enterpriseid-enterpriseapps"></a>***EnterpriseID*/EnterpriseApps**
Required. The root node to for individual enterprise application related settings. Scope is dynamic (this node is automatically created when EnterpriseID is added to the configuration service provider).
Supported operation is Get.
<a href="" id="-enterpriseapps-inventory"></a>**/EnterpriseApps/Inventory**
Required. The root node for individual enterprise application inventory settings. Scope is dynamic (this node is automatically created when EnterpriseID is added to the configuration service provider).
Supported operation is Get.
<a href="" id="-inventory-productid"></a>**/Inventory/**<strong>*ProductID*</strong>
Optional. A node that contains s single enterprise application product ID in GUID format. Scope is dynamic.
Supported operation is Get.
<a href="" id="-inventory-productid-version"></a>**/Inventory/*ProductID*/Version**
Required. The character string that contains the current version of the installed enterprise application. Scope is dynamic.
Supported operation is Get.
<a href="" id="-inventory-productid-title"></a>**/Inventory/*ProductID*/Title**
Required. The character string that contains the name of the installed enterprise application. Scope is dynamic.
Supported operation is Get.
<a href="" id="-inventory-productid-publisher"></a>**/Inventory/*ProductID*/Publisher**
Required. The character string that contains the name of the publisher of the installed enterprise application. Scope is dynamic.
Supported operation is Get.
<a href="" id="-inventory-productid-installdate"></a>**/Inventory/*ProductID*/InstallDate**
Required. The time (in the character format YYYY-MM-DD-HH:MM:SS) that the application was installed or updated. Scope is dynamic.
Supported operation is Get.
<a href="" id="-enterpriseapps-download"></a>**/EnterpriseApps/Download**
Required. This node groups application download-related parameters. The enterprise server can only automatically update currently installed enterprise applications. The end user controls which enterprise applications to download and install. Scope is dynamic.
Supported operation is Get.
<a href="" id="-download-productid"></a>**/Download/**<strong>*ProductID*</strong>
Optional. This node contains the GUID for the installed enterprise application. Each installed application has a unique ID. Scope is dynamic.
Supported operations are Get, Add, and Replace.
<a href="" id="-download-productid-version"></a>**/Download/*ProductID*/Version**
Optional. The character string that contains version information (set by the caller) for the application currently being downloaded. Scope is dynamic.
Supported operations are Get, Add, and Replace.
<a href="" id="-download-productid-name"></a>**/Download/*ProductID*/Name**
Required. The character string that contains the name of the installed application. Scope is dynamic.
Supported operation is Get.
<a href="" id="-download-productid-url"></a>**/Download/*ProductID*/URL**
Optional. The character string that contains the URL for the updated version of the installed application. The device will download application updates from this link. Scope is dynamic.
Supported operations are Get, Add, and Replace.
<a href="" id="-download-productid-status"></a>**/Download/*ProductID*/Status**
Required. The integer value that indicates the status of the current download process. The following table shows the possible values.
|Value|Description|
|--- |--- |
|0: CONFIRM|Waiting for confirmation from user.|
|1: QUEUED|Waiting for download to start.|
|2: DOWNLOADING|In the process of downloading.|
|3: DOWNLOADED|Waiting for installation to start.|
|4: INSTALLING|Handed off for installation.|
|5: INSTALLED|Successfully installed|
|6: FAILED|Application was rejected (not signed properly, bad XAP format, not enrolled properly, etc.)|
|7:DOWNLOAD_FAILED|Unable to connect to server, file doesn't exist, etc.|
Scope is dynamic. Supported operations are Get, Add, and Replace.
<a href="" id="-download-productid-lasterror"></a>**/Download/*ProductID*/LastError**
Required. The integer value that indicates the HRESULT of the last error code. If there are no errors, the value is 0 (S\_OK). Scope is dynamic.
Supported operation is Get.
<a href="" id="-download-productid-lasterrordesc"></a>**/Download/*ProductID*/LastErrorDesc**
Required. The character string that contains the human readable description of the last error code.
<a href="" id="-download-productid-downloadinstall"></a>**/Download/*ProductID*/DownloadInstall**
Required. The node to allow the server to trigger the download and installation for an updated version of the user installed application. The format for this node is null. The server must query the device later to determine the status. For each product ID, the status field is retained for up to one week. Scope is dynamic.
Supported operation is Exec.
## Remarks
### Install and Update Line of Business (LOB) applications
A workplace can automatically install and update Line of Business applications during a management session. Line of Business applications support various file types including XAP (8.0 and 8.1), AppX, and AppXBundles. A workplace can also update applications from XAP file formats to Appx and AppxBundle formats through the same channel. For more information, see the Examples section.
### Uninstall Line of Business (LOB) applications
A workplace can also remotely uninstall Line of Business applications on the device. It's not possible to use this mechanism to uninstall Store applications on the device or Line of Business applications that aren't installed by the enrolled workplace (for side-loaded application scenarios). For more information, see the Examples section.
### Query installed Store application
You can determine if a Store application is installed on a system. First, you need the Store application GUID. You can get the Store application GUID by going to the URL for the Store application.
The Microsoft Store application has a GUID of d5dc1ebb-a7f1-df11-9264-00237de2db9e.
Use the following SyncML format to query to see if the application is installed on a managed device:
```xml
<Get>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7B D5DC1EBB-A7F1-DF11-9264-00237DE2DB9E%7D</LocURI>
</Target>
</Item>
</Get>
```
Response from the device (it contains list of subnodes if this app is installed in the device).
```xml
<Results>
<CmdID>3</CmdID>
<MsgRef>1</MsgRef>
<CmdRef>2</CmdRef>
<Item>
<Source>
<LocURI>
./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7B D5DC1EBB-A7F1-DF11-9264-00237DE2DB9E%7D</LocURI>
</Source>
<Meta>
<Format xmlns="syncml:metinf">node</Format>
<Type xmlns="syncml:metinf"></Type>
</Meta>
<Data>Version/Title/Publisher/InstallDate</Data>
</Item>
</Results>
```
### Node Values
All node values under the ProviderID interior node represent the policy values that the management server wants to set.
- An Add or Replace command on those nodes returns success in both of the following cases:
- The value is applied to the device.
- The value isnt applied to the device because the device has a more secure value set already.
From a security perspective, the device complies with the policy request that is at least as secure as the one requested.
- A Get command on those nodes returns the value that the server pushes down to the device.
- If a Replace command fails, the node value is set to be the previous value before Replace command was applied.
- If an Add command fails, the node isn't created.
The value applied to the device can be queried via the nodes under the DeviceValue interior node.
## OMA DM examples
Enroll enterprise ID “4000000001” for the first time:
```xml
<Add>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnrollmentToken</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>InsertTokenHere</Data>
</Item>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseAppManagement/4000000001/CertificateSearchCriteria
</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>SearchCriteriaInsertedHere</Data>
</Item>
</Add>
```
Update the enrollment token (for example, to update an expired application enrollment token):
```xml
<Replace>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnrollmentToken</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>InsertUpdaedTokenHere</Data>
</Item>
</Replace>
```
Query all installed applications that belong to enterprise ID “4000000001”:
```xml
<Get>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory?list=StructData
</LocURI>
</Target>
</Item>
</Get>
```
Response from the device (that contains two installed applications):
```xml
<Results>
<CmdID>3</CmdID>
<MsgRef>1</MsgRef>
<CmdRef>2</CmdRef>
<Item>
<Source>
<LocURI>
./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory
</LocURI>
</Source>
<Meta>
<Format xmlns="syncml:metinf">node</Format>
<Type xmlns="syncml:metinf"></Type>
</Meta>
</Item>
<Item>
<Source>
<LocURI>
./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7BB316008A-141D-4A79-810F-8B764C4CFDFB%7D
</LocURI>
</Source>
<Meta>
<Format xmlns="syncml:metinf">node</Format>
<Type xmlns="syncml:metinf"></Type>
</Meta>
</Item>
<Item>
<Source>
<LocURI>
./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7BB0322158-C3C2-44EB-8A31-D14A9FEC450E%7D
</LocURI>
</Source>
<Meta>
<Format xmlns="syncml:metinf">node</Format>
<Type xmlns="syncml:metinf"></Type>
</Meta>
</Item>
<Item>
<Source>
<LocURI>
./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7BB0322158-C3C2-44EB-8A31-D14A9FEC450E%7D/Version
</LocURI>
</Source>
<Data>1.0.0.0</Data>
</Item>
<Item>
<Source>
<LocURI>
./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7BB0322158-C3C2-44EB-8A31-D14A9FEC450E%7D/Title
</LocURI>
</Source>
<Data>Sample1</Data>
</Item>
<Item>
<Source>
<LocURI>
./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7BB0322158-C3C2-44EB-8A31-D14A9FEC450E%7D/Publisher
</LocURI>
</Source>
<Data>ExamplePublisher</Data>
</Item>
<Item>
<Source>
<LocURI>
./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7BB0322158-C3C2-44EB-8A31-D14A9FEC450E%7D/InstallDate
</LocURI>
</Source>
<Data>2012-10-30T21:09:52Z</Data>
</Item>
<Item>
<Source>
<LocURI>
./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7BB0322158-C3C2-44EB-8A31-D14A9FEC450E%7D/Version
</LocURI>
</Source>
<Data>1.0.0.0</Data>
</Item>
<Item>
<Source>
<LocURI>
./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7BB0322158-C3C2-44EB-8A31-D14A9FEC450E%7D/Title
</LocURI>
</Source>
<Data>Sample2</Data>
</Item>
<Item>
<Source>
<LocURI>
./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7BB0322158-C3C2-44EB-8A31-D14A9FEC450E%7D/Publisher
</LocURI>
</Source>
<Data>Contoso</Data>
</Item>
<Item>
<Source>
<LocURI>
./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7BB0322158-C3C2-44EB-8A31-D14A9FEC450E%7D/InstallDate
</LocURI>
</Source>
<Data>2012-10-31T21:23:31Z</Data>
</Item>
</Results>
```
## Install and update an enterprise application
Install or update the installed app with the product ID “{B316008A-141D-4A79-810F-8B764C4CFDFB}”.
To perform an XAP update, create the Name, URL, Version, and DownloadInstall nodes first, then perform an “execute” on the “DownloadInstall” node (all within an “Atomic” operation). If the application doesn't exist, the application will be silently installed without any user interaction. If the application can't be installed, the user will be notified with an Alert dialog.
> [!NOTE]
> - If a previous app-update node existed for this product ID (the node can persist for up to 1 week or 7 days after an installation has completed), then a 418 (already exist) error would be returned on the “Add”. To get around the 418 error, the server should issue a Replace command for the Name, URL, and Version nodes, and then execute on the “DownloadInstall” (within an “Atomic” operation).
>
> - The application product ID curly braces need to be escaped where { is %7B and } is %7D.
```xml
<Atomic>
<CmdID>2</CmdID>
<!-- The Add command can be used if the download node does not have a matching product ID
node in it or if the application was installer 7 or more days old. Otherwise, use the Replace command. -->
<Add>
<CmdID>3</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Download/%7BB316008A-141D-4A79-810F-8B764C4CFDFB%7D/Name
</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>ContosoApp1</Data>
</Item>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Download/%7BB316008A-141D-4A79-810F-8B764C4CFDFB%7D/URL
</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>http://contoso.com/enterpriseapps/ContosoApp1.xap</Data>
</Item>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Download/%7BB316008A-141D-4A79-810F-8B764C4CFDFB%7D/Version</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>2.0.0.0</Data>
</Item>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Download%7BB316008A-141D-4A79-810F-8B764C4CFDFB%7D/DownloadInstall
</LocURI>
</Target>
<Data>1</Data>
</Item>
</Add>
<Exec>
<CmdID>4</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Download/%7BB316008A-141D-4A79-810F-8B764C4CFDFB%7D/DownloadInstall
</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>0</Data>
</Item>
</Exec>
</Atomic>
```
## Uninstall enterprise application
Uninstall an installed enterprise application with product ID “{7BB316008A-141D-4A79-810F-8B764C4CFDFB }”:
```xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Delete>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7BB316008A-141D-4A79-810F-8B764C4CFDFB%7D</LocURI>
</Target>
</Item>
</Delete>
<Final/>
</SyncBody>
</SyncML>
```
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
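Review bot: the Add item for DownloadInstall in the Atomic install/update example is missing the path separator before the product ID: `./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Download%7BB316008A-141D-4A79-810F-8B764C4CFDFB%7D/DownloadInstall` should read `.../EnterpriseApps/Download/%7BB316008A-141D-4A79-810F-8B764C4CFDFB%7D/DownloadInstall`, as the Exec item immediately below it does; as written the Add targets a node that does not exist and the whole Atomic would fail. Related issues in the same region: the uninstall example's product ID "{7BB316008A-141D-4A79-810F-8B764C4CFDFB }" has a stray leading 7 and trailing space that are not in its LocURI; the inventory response reports Sample2's Version/Title/Publisher/InstallDate under GUID B0322158-... although the listing names B316008A-... as the second installed application; the CertificateSearchCriteria note repeats "Subject= Subject="; "contains s single enterprise application product ID" should be "contains a single"; "if the application was installer 7 or more days old" should be "if the application was installed 7 or more days ago"; and `<Data>InsertUpdaedTokenHere</Data>` has a typo. Since the text says the device downloads application updates from the URL node, the example `<Data>http://contoso.com/enterpriseapps/ContosoApp1.xap</Data>` should use an https:// URL so readers are not shown an unauthenticated download channel.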

View File

@ -1,6 +1,6 @@
---
title: EnterpriseAppVManagement CSP
description: Examine the tree format for EnterpriseAppVManagement CSP to manage virtual applications in Windows 10 PCs.(Enterprise and Education editions).
description: Examine the tree format for EnterpriseAppVManagement CSP to manage virtual applications in Windows 10 or Windows 11 PCs. (Enterprise and Education editions).
ms.author: dansimp
ms.topic: article
ms.prod: w10
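Review bot: the new description leaves "(Enterprise and Education editions)." as a sentence fragment after the period; suggest `description: Examine the tree format for EnterpriseAppVManagement CSP to manage virtual applications in Windows 10 or Windows 11 PCs (Enterprise and Education editions).` so the parenthetical stays inside the sentence.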
@ -13,7 +13,18 @@ manager: dansimp
# EnterpriseAppVManagement CSP
The EnterpriseAppVManagement configuration service provider (CSP) is used to manage virtual applications in Windows 10 PCs (Enterprise and Education editions). This CSP was added in Windows 10, version 1703.
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Windows SE|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The EnterpriseAppVManagement configuration service provider (CSP) is used to manage virtual applications in Windows 10 or Windows 11 PCs (Enterprise and Education editions). This CSP was added in Windows 10, version 1703.
The following shows the EnterpriseAppVManagement configuration service provider in tree format.
```
@ -45,68 +56,98 @@ EnterpriseAppVManagement
------------Policy
```
**./Vendor/MSFT/EnterpriseAppVManagement**
<p>Root node for the EnterpriseAppVManagement configuration service provider.</p>
Root node for the EnterpriseAppVManagement configuration service provider.
**AppVPackageManagement**
<p>Used to query App-V package information (post-publish).</p>
Used to query App-V package information (post-publish).
**AppVPackageManagement/EnterpriseID**
<p>Used to query package information. Value is always &quot;HostedInstall&quot;.</p>
Used to query package information. Value is always &quot;HostedInstall&quot;.
**AppVPackageManagement/EnterpriseID/PackageFamilyName**
<p>Package ID of the published App-V package.</p>
Package ID of the published App-V package.
**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName***
<p>Version ID of the published App-V package.</p>
Version ID of the published App-V package.
**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/Name**
<p>Name specified in the published AppV package.</p>
<p>Value type is string. Supported operation is Get.</p>
Name specified in the published AppV package.
Value type is string.
Supported operation is Get.
**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/Version**
<p>Version specified in the published AppV package.</p>
<p>Value type is string. Supported operation is Get.</p>
Version specified in the published AppV package.
Value type is string.
Supported operation is Get.
**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/Publisher**
<p>Publisher as specified in the published asset information of the AppV package.</p>
<p>Value type is string. Supported operation is Get.</p>
Publisher as specified in the published asset information of the AppV package.
Value type is string.
Supported operation is Get.
**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/InstallLocation**
<p>Local package path specified in the published asset information of the AppV package.</p>
<p>Value type is string. Supported operation is Get.</p>
Local package path specified in the published asset information of the AppV package.
Value type is string.
Supported operation is Get.
**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/InstallDate**
<p>Date the app was installed, as specified in the published asset information of the AppV package.</p>
<p>Value type is string. Supported operation is Get.</p>
Date the app was installed, as specified in the published asset information of the AppV package.
Value type is string.
Supported operation is Get.
**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/Users**
<p>Registered users for app, as specified in the published asset information of the AppV package.</p>
<p>Value type is string. Supported operation is Get.</p>
Registered users for app, as specified in the published asset information of the AppV package.
Value type is string.
Supported operation is Get.
**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/AppVPackageId**
<p> Package ID of the published App-V package.</p>
<p>Value type is string. Supported operation is Get.</p>
Package ID of the published App-V package.
Value type is string.
Supported operation is Get.
**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/AppVVersionId**
<p>Version ID of the published App-V package.</p>
<p>Value type is string. Supported operation is Get.</p>
Version ID of the published App-V package.
Value type is string.
Supported operation is Get.
**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/AppVPackageUri**
<p>Package URI of the published App-V package.</p>
<p>Value type is string. Supported operation is Get.</p>
Package URI of the published App-V package.
Value type is string.
Supported operation is Get.
**AppVPublishing**
<p>Used to monitor publishing operations on App-V.</p>
Used to monitor publishing operations on App-V.
**AppVPublishing/LastSync**
<p>Used to monitor publishing status of last sync operation.</p>
Used to monitor publishing status of last sync operation.
**AppVPublishing/LastSync/LastError**
<p>Error code and error description of last sync operation.</p>
<p>Value type is string. Supported operation is Get.</p>
Error code and error description of last sync operation.
Value type is string.
Supported operation is Get.
**AppVPublishing/LastSync/LastErrorDescription**
<p>Last sync error status. One of the following values may be returned:</p>
Last sync error status. One of the following values may be returned:
- SYNC\_ERR_NONE (0) - No errors during publish.
- SYNC\_ERR\_UNPUBLISH_GROUPS (1) - Unpublish groups failed during publish.
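Review bot: the converted node headings are inconsistent about placeholders: `**AppVPackageManagement/EnterpriseID**` and `**AppVPackageManagement/EnterpriseID/PackageFamilyName**` leave the placeholder segments in plain bold, while every entry from PackageFullName onward italicizes them (*EnterpriseID*, *PackageFamilyName*), and `**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName***` ends in three asterisks that Markdown renderers do not reliably close. Suggest italicizing the placeholders in the first two headings as well and writing the inner italic of the third with underscores, `**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/_PackageFullName_**`, to avoid the `***` ambiguity. Also worth confirming against the DDF: LastError is described as "Error code and error description of last sync operation" while LastErrorDescription is described as "Last sync error status" with the enumerated SYNC\_ERR values, which reads as if the two descriptions are swapped.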
@ -116,10 +157,12 @@ EnterpriseAppVManagement
- SYNC\_ERR\_NEW_POLICY_WRITE (5) - New policy write failed during publish.
- SYNC\_ERR\_MULTIPLE\_DURING_PUBLISH (6) - Multiple non-fatal errors occurred during publish.
<p>Value type is string. Supported operation is Get.</p>
Value type is string.
Supported operation is Get.
**AppVPublishing/LastSync/SyncStatusDescription**
<p>Latest sync in-progress stage. One of the following values may be returned:</p>
Latest sync in-progress stage. One of the following values may be returned:
- SYNC\_PROGRESS_IDLE (0) - App-V publishing is idle.
- SYNC\_PROGRESS\_UNPUBLISH_GROUPS (1) - App-V connection groups publish in progress.
@ -127,9 +170,12 @@ EnterpriseAppVManagement
- SYNC\_PROGRESS\_PUBLISH\_GROUP_PACKAGES (3) - App-V packages (connection group) publish in progress.
- SYN\C_PROGRESS_UNPUBLISH_PACKAGES (4) - App-V packages unpublish in progress.
<p>Value type is string. Supported operation is Get.</p>
Value type is string.
<strong>AppVPublishing/LastSync/SyncProgress</strong><br/><p>Latest sync state. One of the following values may be returned:</p>
Supported operation is Get.
**AppVPublishing/LastSync/SyncProgress**
Latest sync state. One of the following values may be returned:
- SYNC\_STATUS_IDLE (0) - App-V Sync is idle.
- SYNC\_STATUS\_PUBLISH_STARTED (1) - App-V Sync is initializing.
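Review bot: `- SYN\C_PROGRESS_UNPUBLISH_PACKAGES (4)` has the escaping backslash inside the identifier; the other values in this list escape underscores as `SYNC\_PROGRESS\_...`, so this should be `- SYNC\_PROGRESS\_UNPUBLISH\_PACKAGES (4)`. It is a context line here, but the hunk already touches the lines around it, so it can be fixed in the same change.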
@ -137,22 +183,30 @@ EnterpriseAppVManagement
- SYNC\_STATUS\_PUBLISH\_COMPLETED (3) - App-V Sync is complete.
- SYNC\_STATUS\_PUBLISH\_REBOOT_REQUIRED (4) - App-V Sync requires device reboot.
<p>Value type is string. Supported operation is Get.</p>
Value type is string.
Supported operation is Get.
**AppVPublishing/Sync**
<p>Used to perform App-V synchronization.</p>
Used to perform App-V synchronization.
**AppVPublishing/Sync/PublishXML**
<p>Used to execute the App-V synchronization using the Publishing protocol. For more information about the protocol see <a href="/openspecs/windows_protocols/ms-vapr/a05e030d-4fb9-4c8d-984b-971253b62be8" data-raw-source="[[MS-VAPR]: Virtual Application Publishing and Reporting (App-V) Protocol](/openspecs/windows_protocols/ms-vapr/a05e030d-4fb9-4c8d-984b-971253b62be8)">[MS-VAPR]: Virtual Application Publishing and Reporting (App-V) Protocol</a>.</p>
<p>Supported operations are Get, Delete, and Execute.</p>
Used to execute the App-V synchronization using the Publishing protocol. For more information about the protocol,, see [[MS-VAPR]: Virtual Application Publishing and Reporting (App-V) Protocol](/openspecs/windows_protocols/ms-vapr/a05e030d-4fb9-4c8d-984b-971253b62be8).
Supported operations are Get, Delete, and Execute.
**AppVDynamicPolicy**
<p>Used to set App-V Policy Configuration documents for publishing packages.</p>
Used to set App-V Policy Configuration documents for publishing packages.
**AppVDynamicPolicy/*ConfigurationId***
<p>ID for App-V Policy Configuration document for publishing packages (referenced in the Publishing protocol document).</p>
ID for App-V Policy Configuration document for publishing packages (referenced in the Publishing protocol document).
**AppVDynamicPolicy/*ConfigurationId*/Policy**
<p>XML for App-V Policy Configuration documents for publishing packages.</p>
<p>Value type is xml. Supported operations are Add, Get, Delete, and Replace.</p>
XML for App-V Policy Configuration documents for publishing packages.
Value type is xml.
Supported operations are Add, Get, Delete, and Replace.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
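Review bot: double comma in the rewritten PublishXML description, `For more information about the protocol,, see [[MS-VAPR]: Virtual Application Publishing and Reporting (App-V) Protocol](...)`; it should be a single comma. Style point on the same entry: "Supported operations are Get, Delete, and Execute." names the operation "Execute" while the other CSP pages in this commit use "Exec" (for example "Supported operation is Exec." on the DownloadInstall node); pick one term.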

View File

@ -1,6 +1,6 @@
---
title: EnterpriseDataProtection CSP
description: The EnterpriseDataProtection configuration service provider (CSP) configures Windows Information Protection (formerly, Enterprise Data Protection) settings.
description: Learn how the EnterpriseDataProtection configuration service provider (CSP) configures Windows Information Protection (formerly, Enterprise Data Protection) settings.
ms.assetid: E2D4467F-A154-4C00-9208-7798EF3E25B3
ms.reviewer:
manager: dansimp
@ -14,17 +14,25 @@ ms.date: 08/09/2017
# EnterpriseDataProtection CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The EnterpriseDataProtection configuration service provider (CSP) is used to configure settings for Windows Information Protection (WIP), formerly known as Enterprise Data Protection. For more information about WIP, see [Protect your enterprise data using Windows Information Protection (WIP)](/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip).
> [!Note]
> To make WIP functional, the AppLocker CSP and the network isolation-specific settings must also be configured. For more information, see [AppLocker CSP](applocker-csp.md) and NetworkIsolation policies in [Policy CSP](policy-configuration-service-provider.md).
> - This CSP was added in Windows 10, version 1607.
> [!NOTE]
> To make Windows Information Protection functional, the AppLocker CSP and the network isolation-specific settings must also be configured. For more information, see [AppLocker CSP](applocker-csp.md) and NetworkIsolation policies in [Policy CSP](policy-configuration-service-provider.md).
While Windows Information Protection has no hard dependency on VPN, for best results you should configure VPN profiles first before you configure the WIP policies. For VPN best practice recommendations, see [VPNv2 CSP](vpnv2-csp.md).
While WIP has no hard dependency on VPN, for best results you should configure VPN profiles first before you configure the WIP policies. For VPN best practice recommendations, see [VPNv2 CSP](vpnv2-csp.md).
To learn more about WIP, see the following articles:
To learn more about Windows Information Protection, see the following articles:
- [Create a Windows Information Protection (WIP) policy](/windows/security/information-protection/windows-information-protection/overview-create-wip-policy)
- [General guidance and best practices for Windows Information Protection (WIP)](/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip)
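Review bot: the rewritten note drops `> - This CSP was added in Windows 10, version 1607.`, so the version in which the CSP was introduced no longer appears anywhere on the page. Suggest keeping it as its own sentence after the applicability table, matching the EnterpriseAppVManagement page's "This CSP was added in Windows 10, version 1703."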
@ -53,7 +61,10 @@ The root node for the CSP.
The root node for the Windows Information Protection (WIP) configuration settings.
<a href="" id="settings-edpenforcementlevel"></a>**Settings/EDPEnforcementLevel**
Set the WIP enforcement level. Setting this value isn't sufficient to enable WIP on the device. Attempts to change this value will fail when the WIP cleanup is running.
Set the WIP enforcement level.
> [!NOTE]
> Setting this value isn't sufficient to enable Windows Information Protection on the device. Attempts to change this value will fail when the WIP cleanup is running.
The following list shows the supported values:
@ -65,14 +76,13 @@ The following list shows the supported values:
Supported operations are Add, Get, Replace, and Delete. Value type is integer.
<a href="" id="settings-enterpriseprotecteddomainnames"></a>**Settings/EnterpriseProtectedDomainNames**
A list of domains used by the enterprise for its user identities separated by pipes (&quot;|&quot;).The first domain in the list must be the primary enterprise ID, that is, the one representing the managing authority for WIP. User identities from one of these domains is considered an enterprise managed account and data associated with it should be protected. For example, the domains for all email accounts owned by the enterprise would be expected to appear in this list. Attempts to change this value will fail when the WIP cleanup is running.
A list of domains used by the enterprise for its user identities separated by pipes (&quot;|&quot;). The first domain in the list must be the primary enterprise ID, that is, the one representing the managing authority for Windows Information Protection. User identities from one of these domains is considered an enterprise managed account and data associated with it should be protected. For example, the domains for all email accounts owned by the enterprise would be expected to appear in this list. Attempts to change this value will fail when the WIP cleanup is running.
Changing the primary enterprise ID isn't supported and may cause unexpected behavior on the client.
> [!Note]
> [!NOTE]
> The client requires domain name to be canonical, otherwise the setting will be rejected by the client.
Here are the steps to create canonical domain names:
1. Transform the ASCII characters (A-Z only) to lowercase. For example, Microsoft.COM -> microsoft.com.
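Review bot: grammar in the rewritten EnterpriseProtectedDomainNames paragraph: "User identities from one of these domains is considered an enterprise managed account and data associated with it should be protected" should be "User identities from one of these domains are considered enterprise managed accounts, and data associated with them should be protected". In the note, "The client requires domain name to be canonical" should be "The client requires the domain name to be canonical".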
@ -231,7 +241,7 @@ For EFSCertificate KeyTag, it's expected to be a DER ENCODED binary certificate.
Supported operations are Add, Get, Replace, and Delete. Value type is base-64 encoded certificate.
<a href="" id="settings-revokeonunenroll"></a>**Settings/RevokeOnUnenroll**
This policy controls whether to revoke the WIP keys when a device unenrolls from the management service. If set to 0 (Don't revoke keys), the keys won't be revoked and the user will continue to have access to protected files after unenrollment. If the keys aren't revoked, there will be no revoked file cleanup, later. Prior to sending the unenroll command, when you want a device to do a selective wipe when it's unenrolled, then you should explicitly set this policy to 1.
This policy controls whether to revoke the Windows Information Protection keys when a device unenrolls from the management service. If set to 0 (Don't revoke keys), the keys won't be revoked and the user will continue to have access to protected files after unenrollment. If the keys aren't revoked, there will be no revoked file cleanup, later. Prior to sending the unenroll command, when you want a device to do a selective wipe when it's unenrolled, then you should explicitly set this policy to 1.
The following list shows the supported values:
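Review bot: the rewritten RevokeOnUnenroll paragraph keeps two awkward sentences: "If the keys aren't revoked, there will be no revoked file cleanup, later." (stray comma) and "Prior to sending the unenroll command, when you want a device to do a selective wipe when it's unenrolled, then you should explicitly set this policy to 1." Suggest "If the keys aren't revoked, no revoked-file cleanup happens later. If you want a device to perform a selective wipe when it's unenrolled, explicitly set this policy to 1 before sending the unenroll command."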
@ -241,10 +251,10 @@ The following list shows the supported values:
Supported operations are Add, Get, Replace, and Delete. Value type is integer.
<a href="" id="settings-revokeonmdmhandoff"></a>**Settings/RevokeOnMDMHandoff**
Added in Windows 10, version 1703. This policy controls whether to revoke the WIP keys when a device upgrades from mobile application management (MAM) to MDM. If set to 0 (Don't revoke keys), the keys won't be revoked and the user will continue to have access to protected files after upgrade. This setting is recommended if the MDM service is configured with the same WIP EnterpriseID as the MAM service.
Added in Windows 10, version 1703. This policy controls whether to revoke the Windows Information Protection keys when a device upgrades from mobile application management (MAM) to MDM. If set to 0 (Don't revoke keys), the keys won't be revoked and the user will continue to have access to protected files after upgrade. This setting is recommended if the MDM service is configured with the same WIP EnterpriseID as the MAM service.
- 0 - Don't revoke keys
- 1 (default) - Revoke keys
- 0 - Don't revoke keys.
- 1 (default) - Revoke keys.
Supported operations are Add, Get, Replace, and Delete. Value type is integer.
@ -254,7 +264,7 @@ TemplateID GUID to use for Rights Management Service (RMS) encryption. The RMS t
Supported operations are Add, Get, Replace, and Delete. Value type is string (GUID).
<a href="" id="settings-allowazurermsforedp"></a>**Settings/AllowAzureRMSForEDP**
Specifies whether to allow Azure RMS encryption for WIP.
Specifies whether to allow Azure RMS encryption for Windows Information Protection.
- 0 (default) Don't use RMS.
- 1 Use RMS.
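Review bot: the AllowAzureRMSForEDP value list is formatted differently from the RevokeOnMDMHandoff list two nodes above. "- 0 (default) Don't use RMS." and "- 1 Use RMS." have no separator between the value and its description; suggest "- 0 (default) - Don't use RMS." and "- 1 - Use RMS." to match.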
@ -262,12 +272,12 @@ Specifies whether to allow Azure RMS encryption for WIP.
Supported operations are Add, Get, Replace, and Delete. Value type is integer.
<a href="" id="settings-smbautoencryptedfileextensions"></a>**Settings/SMBAutoEncryptedFileExtensions**
Added in Windows 10, version 1703. Specifies a list of file extensions, so that files with these extensions are encrypted when copying from a Server Message Block (SMB) share within the corporate boundary as defined in the Policy CSP nodes for <a href="policy-configuration-service-provider.md#networkisolation-enterpriseiprange" data-raw-source="[NetworkIsolation/EnterpriseIPRange](policy-configuration-service-provider.md#networkisolation-enterpriseiprange)">NetworkIsolation/EnterpriseIPRange</a> and <a href="policy-configuration-service-provider.md#networkisolation-enterprisenetworkdomainnames" data-raw-source="[NetworkIsolation/EnterpriseNetworkDomainNames](policy-configuration-service-provider.md#networkisolation-enterprisenetworkdomainnames)">NetworkIsolation/EnterpriseNetworkDomainNames</a>. Use semicolon (;) delimiter in the list.
Added in Windows 10, version 1703. Specifies a list of file extensions, so that files with these extensions are encrypted when copying from a Server Message Block (SMB) share within the corporate boundary as defined in the Policy CSP nodes for [NetworkIsolation/EnterpriseIPRange](policy-configuration-service-provider.md#networkisolation-enterpriseiprange) and [NetworkIsolation/EnterpriseNetworkDomainNames](policy-configuration-service-provider.md#networkisolation-enterprisenetworkdomainnames). Use semicolon (;) delimiter in the list.
When this policy isn't specified, the existing auto-encryption behavior is applied. When this policy is configured, only files with the extensions in the list will be encrypted.
Supported operations are Add, Get, Replace and Delete. Value type is string.
<a href="" id="settings-edpshowicons"></a>**Settings/EDPShowIcons**
Determines whether overlays are added to icons for WIP protected files in Explorer and enterprise only app tiles on the **Start** menu. Starting in Windows 10, version 1703 this setting also configures the visibility of the WIP icon in the title bar of a WIP-protected app.
Determines whether overlays are added to icons for WIP protected files in Explorer and enterprise only app tiles on the **Start** menu. Starting in Windows 10, version 1703 this setting also configures the visibility of the Windows Information Protection icon in the title bar of a WIP-protected app.
The following list shows the supported values:
- 0 (default) - No WIP overlays on icons or tiles.
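Review bot: three small wording points in the SMBAutoEncryptedFileExtensions and EDPShowIcons text. "Use semicolon (;) delimiter in the list." should read "Use a semicolon (;) as the delimiter in the list."; "Supported operations are Add, Get, Replace and Delete." is missing the serial comma used everywhere else in this file; and "WIP protected files" and "WIP-protected app" in the same sentence should both be hyphenated. The HTML-to-Markdown link conversion keeps the same anchor fragments, so nothing else needs to change here.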
@ -276,7 +286,7 @@ The following list shows the supported values:
Supported operations are Add, Get, Replace, and Delete. Value type is integer.
<a href="" id="status"></a>**Status**
A read-only bit mask that indicates the current state of WIP on the Device. The MDM service can use this value to determine the current overall state of WIP. WIP is only on (bit 0 = 1) if WIP mandatory policies and WIP AppLocker settings are configured.
A read-only bit mask that indicates the current state of Windows Information Protection on the Device. The MDM service can use this value to determine the current overall state of WIP. WIP is only on (bit 0 = 1) if WIP mandatory policies and WIP AppLocker settings are configured.
Suggested values:
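Review bot: "on the Device" in the Status description should be lowercase ("on the device"), and the sentence spells out "Windows Information Protection" and then falls back to "WIP" twice in the same paragraph without defining it; define it once or keep the abbreviation throughout. "Suggested values:" is also a misleading label for a read-only bit mask; "Bit positions:" describes the table that follows.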
@ -284,15 +294,13 @@ Suggested values:
|--- |--- |--- |--- |--- |
|4|3|2|1|0|
Bit 0 indicates whether WIP is on or off.
Bit 1 indicates whether AppLocker WIP policies are set.
Bit 3 indicates whether the mandatory WIP policies are configured. If one or more of the mandatory WIP policies aren't configured, the bit 3 is set to 0 (zero).
Bit 3 indicates whether the mandatory Windows Information Protection policies are configured. If one or more of the mandatory WIP policies aren't configured, the bit 3 is set to 0 (zero).
Here&#39;s the list of mandatory WIP policies:
Here's the list of mandatory WIP policies:
- EDPEnforcementLevel in EnterpriseDataProtection CSP
- DataRecoveryCertificate in EnterpriseDataProtection CSP
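Review bot: "the bit 3 is set to 0 (zero)" should drop the article ("bit 3 is set to 0"). The bit list also jumps from bit 1 to bit 3; since the next hunk's context says bits 2 and 4 are reserved, a one-line "Bit 2 is reserved." between them (or moving the reserved sentence up) would save readers from assuming an omission. The "&#39;" entity fix is correct.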
@ -304,5 +312,8 @@ Bits 2 and 4 are reserved for future use.
Supported operation is Get. Value type is integer.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)

View File

@ -1,6 +1,6 @@
---
title: EnterpriseDesktopAppManagement CSP
description: The EnterpriseDesktopAppManagement CSP handles enterprise desktop application management tasks, such as installing or removing applications.
description: Learn how the EnterpriseDesktopAppManagement CSP handles enterprise desktop application management tasks, such as installing or removing applications.
ms.assetid: 2BFF7491-BB01-41BA-9A22-AB209EE59FC5
ms.reviewer:
manager: dansimp
@ -14,6 +14,16 @@ ms.date: 07/11/2017
# EnterpriseDesktopAppManagement CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The EnterpriseDesktopAppManagement configuration service provider is used to handle enterprise desktop application management tasks, such as querying installed enterprise applications, installing applications, or removing applications.
@ -96,8 +106,6 @@ Status of the application. Value type is string. Supported operation is Get.
| Enforcement Failed | 60 |
| Enforcement Completed | 70 |
<a href="" id="msi-productid-lasterror"></a>**MSI/*ProductID*/LastError**
The last error code during the application installation process. This error code is typically stored as an HRESULT format. Depending on what was occurring when the error happened, this error could be the result of executing MSIExec.exe or the error result from an API that failed.
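Review bot: "This error code is typically stored as an HRESULT format" in MSI/ProductID/LastError should be "stored in HRESULT format" (or "is typically an HRESULT"). Since this hunk only removes blank lines around that node, it is a cheap fix to fold in.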
@ -116,10 +124,8 @@ Added in the March service release of Windows 10, version 1607. A gateway (or de
Value type is string. Supported operation is Get.
## Examples
**SyncML to request CSP version information**
```xml
@ -146,9 +152,7 @@ The following table describes the fields in the previous sample:
| CmdID | Input value used to reference the request. Responses will include this value that can be used to match request and response. |
| LocURI | Path to Win32 CSP command processor. |
**SyncML to perform MSI operations for application uninstall**
**SyncML to perform MSI operations for application uninstall:**
```xml
<SyncML xmlns="SYNCML:SYNCML1.1">
@ -202,8 +206,6 @@ The following table describes the fields in the previous sample:
| CmdID | Input value used to reference the request. Responses will include this value that can be used to match request and response. |
| LocURI | Path to Win32 CSP command processor, including the Product ID (in this example, 1803A630-3C38-4D2B-9B9A-0CB37243539C) property escaped for XML formatting. |
**SyncML to perform MSI install operations for an application targeted to a specific user on the device. The Add command is required to precede the Exec command.**
```xml
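Review bot: the bold heading for the per-user install example did not receive the trailing colon that the uninstall and per-device headings get in this change, so the three example headings are now inconsistent. Also consider moving "The Add command is required to precede the Exec command." out of the bold heading into a plain sentence (or a note) under it, since it is a requirement rather than a title.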
@ -268,9 +270,7 @@ The following table describes the fields in the previous sample:
> [!Note]
> Information status on the MSI job will be reported using standard OMA-DM notification mechanism. The status reported is represented using standard MSIEXEC return codes as HRESULT as defined in the MSIEXEC topic on Microsoft TechNet at [Msiexec (command-line options)](https://technet.microsoft.com/library/cc759262%28v=ws.10%29.aspx).
**SyncML to perform MSI install operations for an application targeted to all users on the device (per-device installation)**
**SyncML to perform MSI install operations for an application targeted to all users on the device (per-device installation):**
```xml
<SyncML xmlns="SYNCML:SYNCML1.1">
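Review bot: the note's link goes to a legacy technet.microsoft.com library URL (cc759262); since this hunk already touches the surrounding lines, verify the link still resolves to the Msiexec command-line options page and update it if a current URL exists.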
@ -339,8 +339,6 @@ The following table MsiInstallJob describes the schema elements.
|RetryCount|The number of times the download and installation operation will be retried before the installation will be marked as failed.|
|RetryInterval|Amount of time, in minutes between retry operations.|
Here's an example of a common response to a request
```xml
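Review bot: "Here's an example of a common response to a request" has no terminating colon, unlike the example headings that were given colons elsewhere in this change; suggest "Here's an example of a common response to a request:".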
@ -369,7 +367,6 @@ Here's an example of a common response to a request
## How to determine which installation context to use for an MSI package
The following tables show how app targeting and MSI package type (per-user, per machine, or dual mode) are installed in the client.
For Intune standalone environment, the MSI package will determine the MSI execution context.
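Review bot: "For Intune standalone environment" is missing the article ("For an Intune standalone environment"), and "per-user, per machine, or dual mode" should hyphenate consistently ("per-user, per-machine, or dual-mode"), matching the "How to determine the package type" list below.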
@ -388,7 +385,6 @@ The following table applies to SCCM hybrid environment.
## How to determine the package type from the MSI package
- ALLUSERS="" - per-user package type
- ALLUSERS=1 - per-machine package type
- ALLUSERS=2, MSIINSTALLPERUSER=1 - dual mode package type
@ -403,7 +399,6 @@ Here's a list of references:
## Alert example
```xml
<Alert>
<CmdID>4</CmdID>
@ -421,3 +416,6 @@ Here's a list of references:
</Item>
</Alert>
```
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)

View File

@ -14,6 +14,17 @@ ms.date: 11/19/2021
# EnterpriseModernAppManagement CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The EnterpriseModernAppManagement configuration service provider (CSP) is used for the provisioning and reporting of modern enterprise apps. For details about how to use this CSP to for reporting apps inventory, installation and removal of apps for users, provisioning apps to devices, and managing app licenses, see [Enterprise app management](enterprise-app-management.md).
> [!Note]
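Review bot: the context line under the new applicability table contains "to use this CSP to for reporting apps inventory" (stray "to"); the same sentence is repeated in the Examples section of this file. Suggest "for reporting app inventory, installing and removing apps for users, provisioning apps to devices, and managing app licenses". The table itself matches the structure used for the other CSP pages in this change.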
@ -65,6 +76,7 @@ EnterpriseModernAppManagement
----------------AddLicense
----------------GetLicenseFromStore
```
<a href="" id="device-or-user-context"></a>**Device or User context**
For user context, use **./User/Vendor/MSFT** path and for device context, use **./Device/Vendor/MSFT** path.
@ -212,16 +224,19 @@ Added in Windows 10, version 1809. Interior node for the managing updates throug
<a href="" id="appmanagement-releasemanagement-releasemanagementkey"></a>**AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_**
Added in Windows 10, version 1809. Identifier for the app or set of apps. If there's only one app, it's the PackageFamilyName. If it's for a set of apps, it's the PackageFamilyName of the main app.
<a href="" id="appmanagement-releasemanagement-releasemanagementkey-channelid"></a>**AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_/ChannelId**
Added in Windows 10, version 1809. Specifies the app channel ID.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
Value type is string.
Supported operations are Add, Get, Replace, and Delete.
<a href="" id="appmanagement-releasemanagement-releasemanagementkey-releasemanagementid"></a>**AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_/ReleaseManagementId**
Added in Windows 10, version 1809. The IT admin can specify a release ID to indicate a specific release that they would like the user or device to be on.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
Value type is string.
Supported operations are Add, Get, Replace, and Delete.
<a href="" id="appmanagement-releasemanagement-releasemanagementkey-effectiverelease"></a>**AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_/EffectiveRelease**
Added in Windows 10, version 1809. Interior node used to specify the effective app release to use when multiple user policies are set on the device. The device policy or last user policy is used.
@ -229,12 +244,16 @@ Added in Windows 10, version 1809. Interior node used to specify the effective a
<a href="" id="appmanagement-releasemanagement-releasemanagementkey-effectiverelease-channelid"></a>**AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_/EffectiveRelease/ChannelId**
Added in Windows 10, version 1809. Returns the last user channel ID on the device.
Value type is string. Supported operation is Get.
Value type is string.
Supported operation is Get.
<a href="" id="appmanagement-releasemanagement-releasemanagementkey-effectiverelease-releasemanagementid"></a>**AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_/EffectiveRelease/ReleaseManagementId**
Added in Windows 10, version 1809. Returns the last user release ID on the device.
Value type is string. Supported operation is Get.
Value type is string.
Supported operation is Get.
<a href="" id="----packagefamilyname"></a>**.../**<strong>*PackageFamilyName*</strong>
Optional. Package family name (PFN) of the app. There's one for each PFN on the device when reporting inventory. These items are rooted under their signing origin.
@ -244,7 +263,6 @@ Supported operations are Get and Delete.
> [!Note]
> XAP files use a product ID in place of PackageFamilyName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}.
Here's an example for uninstalling an app:
```xml
@ -274,22 +292,30 @@ Supported operations are Get and Delete.
<a href="" id="----packagefamilyname-packagefullname-name"></a>**.../*PackageFamilyName*/*PackageFullName*/Name**
Required. Name of the app. Value type is string.
Required. Name of the app.
Value type is string.
Supported operation is Get.
<a href="" id="----packagefamilyname-packagefullname-version"></a>**.../*PackageFamilyName*/*PackageFullName*/Version**
Required. Version of the app. Value type is string.
Required. Version of the app.
Value type is string.
Supported operation is Get.
<a href="" id="----packagefamilyname-packagefullname-publisher"></a>**.../*PackageFamilyName*/*PackageFullName*/Publisher**
Required. Publisher name of the app. Value type is string.
Required. Publisher name of the app.
Value type is string.
Supported operation is Get.
<a href="" id="----packagefamilyname-packagefullname-architecture"></a>**.../*PackageFamilyName*/*PackageFullName*/Architecture**
Required. Architecture of installed package. Value type is string.
Required. Architecture of installed package.
Value type is string.
> [!Note]
> Not applicable to XAP files.
@ -297,7 +323,9 @@ Required. Architecture of installed package. Value type is string.
Supported operation is Get.
<a href="" id="----packagefamilyname-packagefullname-installlocation"></a>**.../*PackageFamilyName*/*PackageFullName*/InstallLocation**
Required. Install location of the app on the device. Value type is string.
Required. Install location of the app on the device.
Value type is string.
> [!Note]
> Not applicable to XAP files.
@ -313,12 +341,16 @@ Required. Whether or not the app is a framework package. Value type is int. The
Supported operation is Get.
<a href="" id="----packagefamilyname-packagefullname-isbundle"></a>**.../*PackageFamilyName*/*PackageFullName*/IsBundle**
Required. The value is 1 if the package is an app bundle and 0 (zero) for all other cases. Value type is int.
Required. The value is 1 if the package is an app bundle and 0 (zero) for all other cases.
Value type is int.
Supported operation is Get.
<a href="" id="----packagefamilyname-packagefullname-installdate"></a>**.../*PackageFamilyName*/*PackageFullName*/InstallDate**
Required. Date the app was installed. Value type is string.
Required. Date the app was installed.
Value type is string.
Supported operation is Get.
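Review bot: the "Value type" split is not applied uniformly. IsBundle and InstallDate are split here, but the hunk's own context line shows IsFramework still reading "Required. Whether or not the app is a framework package. Value type is int. The ..." on one line. Apply the same split there so the nodes in this section look alike.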
@ -331,7 +363,9 @@ Required. Resource ID of the app. This value is null for the main app, ~ for a b
Supported operation is Get.
<a href="" id="----packagefamilyname-packagefullname-packagestatus"></a>**.../*PackageFamilyName*/*PackageFullName*/PackageStatus**
Required. Provides information about the status of the package. Value type is int. Valid values are:
Required. Provides information about the status of the package.
Value type is int. Valid values are:
- OK (0) - The package is usable.
- LicenseIssue (1) - The license of the package isn't valid.
@ -363,7 +397,9 @@ Required. Registered users of the app and the package install state. If the quer
Supported operation is Get.
<a href="" id="----packagefamilyname-packagefullname-isprovisioned"></a>**.../*PackageFamilyName*/*PackageFullName*/IsProvisioned**
Required. The value is 0 or 1 that indicates if the app is provisioned on the device. The value type is int.
Required. The value is 0 or 1 that indicates if the app is provisioned on the device.
The value type is int.
Supported operation is Get.
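Review bot: IsProvisioned now reads "The value type is int." while every other node in this file uses "Value type is int."; drop "The" for consistency. "The value is 0 or 1 that indicates" would also read better as "The value is 0 or 1, indicating whether the app is provisioned on the device."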
@ -371,7 +407,9 @@ Supported operation is Get.
Added in Windows 10, version 2004.
Required. This node is used to identify whether the package is a stub package. A stub package is a version of the package with minimal functionality that will reduce the size of the app.
The value is 1 if the package is a stub package and 0 (zero) for all other cases. Value type is int.
The value is 1 if the package is a stub package and 0 (zero) for all other cases.
Value type is int.
Supported operation is Get.
@ -388,7 +426,9 @@ Added in Windows 10, version 1511. The *SettingValue* and data represent a key v
This setting only works for apps that support the feature and it's only supported in the user context.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
Value type is string.
Supported operations are Add, Get, Replace, and Delete.
The following example sets the value for the 'Server'
@ -425,7 +465,9 @@ The following example gets all managed app settings for a specific app.
<a href="" id="----packagefamilyname-maintainprocessorarchitectureonupdate"></a>**.../_PackageFamilyName_/MaintainProcessorArchitectureOnUpdate**
Added in Windows 10, version 1803. Specify whether on an AMD64 device, across an app update, the architecture of the installed app must not change. For example if you have the x86 flavor of a Windows app installed, with this setting enabled, across an update, the x86 flavor will be installed even when x64 flavor is available.
Supported operations are Add, Get, Delete, and Replace. Value type is integer.
Supported operations are Add, Get, Delete, and Replace.
Value type is integer.
Expected Behavior on an AMD64 machine that has x86 flavor of an app installed (Most restrictive wins).
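Review bot: MaintainProcessorArchitectureOnUpdate lists "Supported operations" before "Value type", the reverse of the order used for the other nodes restructured in this change (value type first, then operations); swap them so the pattern holds. In the context line above, "For example if you have" needs a comma after "For example", and "Expected Behavior" should be "Expected behavior".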
@ -443,9 +485,12 @@ This setting allows the IT admin to set an app to be nonremovable, or unable to
NonRemovable requires admin permission. This setting can only be defined per device, not per user. You can query the setting using AppInventoryQuery or AppInventoryResults.
Value type is integer. Supported operations are Add, Get, and Replace.
Value type is integer.
Supported operations are Add, Get, and Replace.
Valid values:
- 0 app isn't in the nonremovable app policy list
- 1 app is included in the nonremovable app policy list
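Review bot: the NonRemovable value list is missing the separator used in the other value lists: "- 0 app isn't in the nonremovable app policy list" and "- 1 app is included in the nonremovable app policy list" should read "- 0 - App isn't ..." and "- 1 - App is ...". The "Valid values:" line added above the list is good.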
@ -526,7 +571,6 @@ Supported operations are Get and Add.
> [!Note]
> XAP files use a product ID in place of PackageFamilyName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}.
<a href="" id="appinstallation-packagefamilyname-storeinstall"></a>**AppInstallation/*PackageFamilyName*/StoreInstall**
Required. Command to perform an install of an app and a license from the Microsoft Store.
@ -536,6 +580,7 @@ Supported operation is Execute, Add, Delete, and Get.
Required. Command to perform an install of an app package from a hosted location (this location can be a local drive, a UNC, or https data source).
The following list shows the supported deployment options:
- ForceApplicationShutdown
- DevelopmentMode 
- InstallAllResources
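Review bot: "- DevelopmentMode " carries trailing whitespace after the option name (it shows up as a non-breaking space in the source); trim it so it matches the other list items. The blank line added before the list is needed for Markdown to render the bullets.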
@ -557,8 +602,6 @@ Supported operation is Get.
> [!Note]
> This element isn't present after the app is installed.
<a href="" id="appinstallation-packagefamilyname-lasterrordescription"></a>**AppInstallation/*PackageFamilyName*/LastErrorDesc**
Required. Description of last error relating to the app installation.
@ -567,7 +610,6 @@ Supported operation is Get.
> [!Note]
> This element isn't present after the app is installed.
<a href="" id="appinstallation-packagefamilyname-status"></a>**AppInstallation/*PackageFamilyName*/Status**
Required. Status of app installation. The following values are returned:
@ -590,7 +632,6 @@ Supported operation is Get.
> [!Note]
> This element isn't present after the app is installed.
<a href="" id="applicenses"></a>**AppLicenses**
Required node. Used to manage licenses for app scenarios.
@ -603,7 +644,7 @@ Optional node. License ID for a store installed app. The license ID is generally
Supported operations are Add, Get, and Delete.
<a href="" id="applicenses-storelicenses-licenseid-licensecategory"></a>**AppLicenses/StoreLicenses/*LicenseID*/LicenseCategory**
Added in Windows 10, version 1511. Required. Category of license that is used to classify various license sources. Valid value:
Added in Windows 10, version 1511. Required. Category of license that is used to classify various license sources. Valid values are:
- Unknown - unknown license category
- Retail - license sold through retail channels, typically from the Microsoft Store
@ -614,9 +655,9 @@ Added in Windows 10, version 1511. Required. Category of license that is used to
Supported operation is Get.
<a href="" id="applicenses-storelicenses-licenseid-licenseusage"></a>**AppLicenses/StoreLicenses/*LicenseID*/LicenseUsage**
Added in Windows 10, version 1511. Required. Indicates the allowed usage for the license. Valid values:
Added in Windows 10, version 1511. Required. Indicates the allowed usage for the license. Valid values are:
- Unknown - usage is unknown
- Unknown - usage is unknown.
- Online - the license is only valid for online usage. This license is for applications with concurrence requirements, such as an app used on several computers, but can only be used on one at any given time.
- Offline - license is valid for use offline. You don't need a connection to the internet to use this license.
- Enterprise Root -
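Review bot: "- Enterprise Root -" in the LicenseUsage list has no description, so the list is incomplete; either add the intended meaning (not inferable from this diff) or drop the trailing dash until it is documented. The period added to "Unknown - usage is unknown." now matches the other items. Also, "Online" says the license is "for applications with concurrence requirements", which is probably meant to be "concurrency requirements".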
@ -640,7 +681,6 @@ Supported operation is Execute.
## Examples
For examples of how to use this CSP to for reporting apps inventory, installation and removal of apps for users, provisioning apps to devices, and managing app licenses, see [Enterprise app management](enterprise-app-management.md).
Query the device for a specific app subcategory, such as nonStore apps.
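Review bot: the Examples intro still has the stray "to" in "how to use this CSP to for reporting apps inventory"; fix it here as well as in the introduction at the top of the file.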

View File

@ -13,10 +13,21 @@ manager: dansimp
# eUICCs CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The eUICCs configuration service provider is used to support eUICC enterprise use cases and enables the IT admin to manage (assign, reassign, remove) subscriptions to employees. This CSP was added in windows 10, version 1709.
The following example shows the eUICCs configuration service provider in tree format.
The following shows the eUICCs configuration service provider in tree format.
```
./Device/Vendor/MSFT
eUICCs
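Review bot: "This CSP was added in windows 10, version 1709." (context line under the new table) should capitalize "Windows 10". The intro change to "The following shows the eUICCs configuration service provider in tree format." is fine; the tree block is not a code sample, so not calling it an example is sensible.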
@ -44,8 +55,9 @@ eUICCs
------------ResetToFactoryState
------------Status
```
<a href="" id="--vendor-msft-euiccs"></a>**./Vendor/MSFT/eUICCs**
Root node.
Root node for the eUICCs CSP.
<a href="" id="euicc"></a>**_eUICC_**
Interior node. Represents information associated with an eUICC. There's one subtree for each known eUICC, created by the Local Profile Assistant (LPA) when the eUICC is first seen. The node name is meaningful only to the LPA (which associates it with an eUICC ID (EID) in an implementation-specific manner, for example, this association could be an SHA-256 hash of the EID). The node name "Default" represents the currently active eUICC.
@ -65,12 +77,16 @@ Supported operation is Get. Value type is boolean.
<a href="" id="euicc-ppr1allowed"></a>**_eUICC_/PPR1Allowed**
Profile Policy Rule 1 (PPR1) is required. Indicates whether the download of a profile with PPR1 is allowed. If the eUICC already has a profile (regardless of its origin and policy rules associated with it), the download of a profile with PPR1 isn't allowed.
Supported operation is Get. Value type is boolean.
Supported operation is Get.
Value type is boolean.
<a href="" id="euicc-ppr1alreadyset"></a>**_eUICC_/PPR1AlreadySet**
Required. Indicates whether the eUICC already has a profile with PPR1.
Supported operation is Get. Value type is boolean.
Supported operation is Get.
Value type is boolean.
<a href="" id="euicc-downloadservers"></a>**_eUICC_/DownloadServers**
Interior node. Represents default SM-DP+ discovery requests.
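Review bot: "Profile Policy Rule 1 (PPR1) is required. Indicates whether ..." reads as if the rule itself is mandatory, whereas the sibling PPR1AlreadySet node uses the "Required. Indicates ..." pattern to mean the node is required. If that is the intent here, restructure to "Required. Profile Policy Rule 1 (PPR1). Indicates whether the download of a profile with PPR1 is allowed." so the node's required status is not confused with the rule.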
@ -85,12 +101,16 @@ Supported operations are Add, Get, and Delete.
<a href="" id="euicc-downloadservers-servername-discoverystate"></a>**_eUICC_/DownloadServers/_ServerName_/DiscoveryState**
Required. Current state of the discovery operation for the parent ServerName (Requested = 1, Executing = 2, Completed = 3, Failed = 4). Queried by the CSP and only updated by the LPA.
Supported operation is Get. Value type is integer. Default value is 1.
Supported operation is Get.
Value type is integer. Default value is 1.
<a href="" id="euicc-downloadservers-servername-autoenable"></a>**_eUICC_/DownloadServers/_ServerName_/AutoEnable**
Required. Indicates whether the discovered profile must be enabled automatically after install. This setting must be defined by the MDM when the ServerName subtree is created.
Supported operations are Add, Get, and Replace. Value type is bool.
Supported operations are Add, Get, and Replace.
Value type is bool.
<a href="" id="euicc-profiles"></a>**_eUICC_/Profiles**
Interior node. Required. Represents all enterprise-owned profiles.
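Review bot: AutoEnable's "Value type is bool." differs from "Value type is boolean." used for PPR1Allowed and PPR1AlreadySet a few lines above; pick one spelling for the file. Keeping "Value type is integer. Default value is 1." on one line for DiscoveryState is fine, since both statements describe the value.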
@ -105,22 +125,30 @@ Supported operations are Add, Get, and Delete.
<a href="" id="euicc-profiles-iccid-servername"></a>**_eUICC_/Profiles/_ICCID_/ServerName**
Required. Fully qualified domain name of the SM-DP+ that can download this profile. Must be set by the MDM when the ICCID subtree is created.
Supported operations are Add and Get. Value type is string.
Supported operations are Add and Get.
Value type is string.
<a href="" id="euicc-profiles-iccid-matchingid"></a>**_eUICC_/Profiles/_ICCID_/MatchingID**
Required. Matching ID (activation code token) for profile download. Must be set by the MDM when the ICCID subtree is created.
Supported operations are Add and Get. Value type is string.
Supported operations are Add and Get.
Value type is string.
<a href="" id="euicc-profiles-iccid-state"></a>**_eUICC_/Profiles/_ICCID_/State**
Required. Current state of the profile (Installing = 1, Installed = 2, Deleting = 3, Error = 4). Queried by the CSP and only updated by the LPA.
Supported operation is Get. Value type is integer. Default value is 1.
Supported operation is Get.
Value type is integer. Default value is 1.
<a href="" id="euicc-profiles-iccid-isenabled"></a>**_eUICC_/Profiles/_ICCID_/IsEnabled**
Added in Windows 10, version 1803. Indicates whether this profile is enabled. Can be set by the MDM when the ICCID subtree is created to enable the profile once its successfully downloaded and installed on the device. Can also be queried and updated by the CSP.
Supported operations are Add, Get, and Replace. Value type is bool.
Supported operations are Add, Get, and Replace.
Value type is bool.
<a href="" id="euicc-policies"></a>**_eUICC_/Policies**
Interior node. Required. Device policies associated with the eUICC as a whole (not per-profile).
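Review bot: IsEnabled's context line has "once its successfully downloaded", which should be "once it's successfully downloaded". IsEnabled also uses "bool" while the PPR1 nodes use "boolean"; the same bool/boolean inconsistency noted for AutoEnable applies here.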
@ -130,7 +158,9 @@ Supported operation is Get.
<a href="" id="euicc-policies-localuienabled"></a>**_eUICC_/Policies/LocalUIEnabled**
Required. Determines whether the local user interface of the LUI is available (true if available, false otherwise). Initially populated by the LPA when the eUICC tree is created, can be queried and changed by the MDM server.
Supported operations are Get and Replace. Value type is boolean. Default value is true.
Supported operations are Get and Replace.
Value type is boolean. Default value is true.
<a href="" id="euicc-actions"></a>**_eUICC_/Actions**
Interior node. Required. Actions that can be performed on the eUICC as a whole (when it's active).
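Review bot: "the local user interface of the LUI" is redundant, since LUI already expands to local user interface; suggest "Determines whether the local user interface (LUI) is available". The split of "Supported operations" and "Value type ... Default value" onto two lines is consistent with the rest of the change.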
@ -140,9 +170,17 @@ Supported operation is Get.
<a href="" id="euicc-actions-resettofactorystate"></a>**_eUICC_/Actions/ResetToFactoryState**
Required. An EXECUTE on this node triggers the LPA to perform an eUICC Memory Reset.
Supported operation is Execute. Value type is string.
Supported operation is Execute.
Value type is string.
<a href="" id="euicc-actions-status"></a>**_eUICC_/Actions/Status**
Required. Status of most recent operation, as an HRESULT. S_OK indicates success, S_FALSE indicates operation is in progress, other values represent specific errors.
Supported value is Get. Value type is integer. Default is 0.
Supported value is Get.
Value type is integer. Default is 0.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
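Review bot: Actions/Status still reads "Supported value is Get." after the split; it should be "Supported operation is Get." like every other node. "Default is 0." should also be "Default value is 0." to match DiscoveryState and State.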

View File

@ -5,14 +5,25 @@ ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.date: 11/29/2021
author: dansimp
ms.reviewer:
manager: dansimp
---
# Firewall configuration service provider (CSP)
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure the Windows Defender Firewall global settings, per profile settings, and the desired set of custom rules to be enforced on the device. Using the Firewall CSP the IT admin can now manage non-domain devices, and reduce the risk of network security threats across all systems connecting to the corporate network. This CSP was added Windows 10, version 1709.
The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure the Windows Defender Firewall global settings, per profile settings, and the desired set of custom rules to be enforced on the device. Using the Firewall CSP the IT admin can now manage non-domain devices, and reduce the risk of network security threats across all systems connecting to the corporate network. This CSP was added Windows 10, version 1709.
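Review bot: the two intro lines at the end of this hunk are textually identical, so this looks like a whitespace-only change; if so, fine, but take the opportunity to fix "This CSP was added Windows 10, version 1709." (missing "in") and add a comma after "Using the Firewall CSP". The author field change from manikadhiman to dansimp should be confirmed as intentional, since the front matter still carries "manager: dansimp".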
@ -101,141 +112,145 @@ Firewall
----------------Status
----------------Name
```
<a href="" id="--vendor-msft-applocker"></a>**./Vendor/MSFT/Firewall**
<p>Root node for the Firewall configuration service provider.</p>
Root node for the Firewall configuration service provider.
<a href="" id="mdmstore"></a>**MdmStore**
<p>Interior node.</p>
<p>Supported operation is Get.</p>
Interior node.
Supported operation is Get.
<a href="" id="global"></a>**MdmStore/Global**
<p>Interior node.</p>
<p>Supported operations are Get. </p>
Interior node.
Supported operations are Get.
<a href="" id="policyversionsupported"></a>**MdmStore/Global/PolicyVersionSupported**
<p>Integer value that contains the maximum policy version that the server host can accept. The version number is two octets in size. The lowest-order octet is the minor version; the second-to-lowest octet is the major version. This value isn't merged and is always a fixed value for a particular firewall and advanced security components software build.</p>
<p>Value type in integer. Supported operation is Get.</p>
Integer value that contains the maximum policy version that the server host can accept. The version number is two octets in size. The lowest-order octet is the minor version; the second-to-lowest octet is the major version. This value isn't merged and is always a fixed value for a particular firewall and advanced security components software build.
Value type in integer. Supported operation is Get.
<a href="" id="currentprofiles"></a>**MdmStore/Global/CurrentProfiles**
<p>Integer value that contains a bitmask of the current enforced profiles that are maintained by the server firewall host. See <a href="/openspecs/windows_protocols/ms-fasp/7704e238-174d-4a5e-b809-5f3787dd8acc" data-raw-source="[FW_PROFILE_TYPE](/openspecs/windows_protocols/ms-fasp/7704e238-174d-4a5e-b809-5f3787dd8acc)">FW_PROFILE_TYPE</a> for the bitmasks that are used to identify profile types. This value is available only in the dynamic store; therefore, it's not merged and has no merge law.</p>
<p>Value type in integer. Supported operation is Get.</p>
Integer value that contains a bitmask of the current enforced profiles that are maintained by the server firewall host. See <a href="/openspecs/windows_protocols/ms-fasp/7704e238-174d-4a5e-b809-5f3787dd8acc" data-raw-source="[FW_PROFILE_TYPE](/openspecs/windows_protocols/ms-fasp/7704e238-174d-4a5e-b809-5f3787dd8acc)">FW_PROFILE_TYPE</a> for the bitmasks that are used to identify profile types. This value is available only in the dynamic store; therefore, it's not merged and has no merge law.
Value type in integer. Supported operation is Get.
<a href="" id="disablestatefulftp"></a>**MdmStore/Global/DisableStatefulFtp**
<p>Boolean value. If false, the firewall performs stateful File Transfer Protocol (FTP) filtering to allow secondary connections. True means stateful FTP is disabled. The merge law for this option is to let &quot;true&quot; values win.</p>
<p>Default value is false.</p>
<p>Data type is bool. Supported operations are Add, Get, Replace, and Delete. </p>
Boolean value. If false, the firewall performs stateful File Transfer Protocol (FTP) filtering to allow secondary connections. True means stateful FTP is disabled. The merge law for this option is to let "true" values win.
Default value is false.
Data type is bool. Supported operations are Add, Get, Replace, and Delete.
<a href="" id="saidletime"></a>**MdmStore/Global/SaIdleTime**
<p>This value configures the security association idle time, in seconds. Security associations are deleted after network traffic isn't seen for this specified period of time. The value is integer and MUST be in the range of 300 to 3,600 inclusive. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, use the local store value.</p>
<p>Default value is 300.</p>
<p>Value type is integer. Supported operations are Add, Get, Replace, and Delete.</p>
This value configures the security association idle time, in seconds. Security associations are deleted after network traffic isn't seen for this specified period of time. The value is integer and MUST be in the range of 300 to 3,600 inclusive. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, use the local store value.
Default value is 300.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
<a href="" id="presharedkeyencoding"></a>**MdmStore/Global/PresharedKeyEncoding**
<p>Specifies the preshared key encoding that is used. The value is integer and MUST be a valid value from the <a href="/openspecs/windows_protocols/ms-fasp/b9d24a5e-7755-4c60-adeb-e0c7a718f909" data-raw-source="[PRESHARED_KEY_ENCODING_VALUES enumeration](/openspecs/windows_protocols/ms-fasp/b9d24a5e-7755-4c60-adeb-e0c7a718f909)">PRESHARED_KEY_ENCODING_VALUES enumeration</a>. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, use the local store value.</p>
<p>Default value is 1.</p>
<p>Value type is integer. Supported operations are Add, Get, Replace, and Delete.</p>
Specifies the preshared key encoding that is used. The value is integer and MUST be a valid value from the <a href="/openspecs/windows_protocols/ms-fasp/b9d24a5e-7755-4c60-adeb-e0c7a718f909" data-raw-source="[PRESHARED_KEY_ENCODING_VALUES enumeration](/openspecs/windows_protocols/ms-fasp/b9d24a5e-7755-4c60-adeb-e0c7a718f909)">PRESHARED_KEY_ENCODING_VALUES enumeration</a>. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, use the local store value.
Default value is 1.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
<a href="" id="ipsecexempt"></a>**MdmStore/Global/IPsecExempt**
<p>This value configures IPsec exceptions. The value is integer and MUST be a combination of the valid flags that are defined in <a href="/openspecs/windows_protocols/ms-fasp/7daabd9f-74c3-4295-add6-e2402b01b191" data-raw-source="[IPSEC_EXEMPT_VALUES](/openspecs/windows_protocols/ms-fasp/7daabd9f-74c3-4295-add6-e2402b01b191)">IPSEC_EXEMPT_VALUES</a>; therefore, the maximum value MUST always be IPSEC_EXEMPT_MAX-1 for servers supporting a schema version of 0x0201 and IPSEC_EXEMPT_MAX_V2_0-1 for servers supporting a schema version of 0x0200. If the maximum value is exceeded when the method RRPC_FWSetGlobalConfig (Opnum 4) is called, the method returns ERROR_INVALID_PARAMETER. This error code is returned if no other preceding error is discovered. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, use the local store value.</p>
<p>Default value is 0.</p>
<p>Value type is integer. Supported operations are Add, Get, Replace, and Delete.</p>
This value configures IPsec exceptions. The value is integer and MUST be a combination of the valid flags that are defined in <a href="/openspecs/windows_protocols/ms-fasp/7daabd9f-74c3-4295-add6-e2402b01b191" data-raw-source="[IPSEC_EXEMPT_VALUES](/openspecs/windows_protocols/ms-fasp/7daabd9f-74c3-4295-add6-e2402b01b191)">IPSEC_EXEMPT_VALUES</a>; therefore, the maximum value MUST always be IPSEC_EXEMPT_MAX-1 for servers supporting a schema version of 0x0201 and IPSEC_EXEMPT_MAX_V2_0-1 for servers supporting a schema version of 0x0200. If the maximum value is exceeded when the method RRPC_FWSetGlobalConfig (Opnum 4) is called, the method returns ERROR_INVALID_PARAMETER. This error code is returned if no other preceding error is discovered. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, use the local store value.
Default value is 0.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
<a href="" id="crlcheck"></a>**MdmStore/Global/CRLcheck**
<p>This value specifies how certificate revocation list (CRL) verification is enforced. The value is integer and MUST be 0, 1, or 2. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, use the local store value. Valid valued:</p>
<ul>
<li>0 disables CRL checking</li>
<li>1 specifies that CRL checking is attempted and that certificate validation fails only if the certificate is revoked. Other failures that are encountered during CRL checking (such as the revocation URL being unreachable) don't cause certificate validation to fail.</li>
<li>2 means that checking is required and that certificate validation fails if any error is encountered during CRL processing</li>
</ul>
<p>Default value is 0.</p>
<p>Value type is integer. Supported operations are Add, Get, Replace, and Delete.</p>
This value specifies how certificate revocation list (CRL) verification is enforced. The value is integer and MUST be 0, 1, or 2. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, use the local store value. Valid valued:
- 0 disables CRL checking
- 1 specifies that CRL checking is attempted and that certificate validation fails only if the certificate is revoked. Other failures that are encountered during CRL checking (such as the revocation URL being unreachable) don't cause certificate validation to fail.
- 2 means that checking is required and that certificate validation fails if any error is encountered during CRL processing
Default value is 0.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
<a href="" id="policyversion"></a>**MdmStore/Global/PolicyVersion**
<p>This value contains the policy version of the policy store being managed. This value isn't merged and therefore, has no merge law.</p>
<p>Value type is string. Supported operation is Get.</p>
This value contains the policy version of the policy store being managed. This value isn't merged and therefore, has no merge law.
Value type is string. Supported operation is Get.
<a href="" id="binaryversionsupported"></a>**MdmStore/Global/BinaryVersionSupported**
<p>This value contains the binary version of the structures and data types that are supported by the server. This value isn't merged. In addition, this value is always a fixed value for a specific firewall and advanced security component&#39;s software build. This value identifies a policy configuration option that is supported only on servers that have a schema version of 0x0201.</p>
<p>Value type is string. Supported operation is Get.</p>
This value contains the binary version of the structures and data types that are supported by the server. This value isn't merged. In addition, this value is always a fixed value for a specific firewall and advanced security component&#39;s software build. This value identifies a policy configuration option that is supported only on servers that have a schema version of 0x0201.
Value type is string. Supported operation is Get.
<a href="" id="opportunisticallymatchauthsetperkm"></a>**MdmStore/Global/OpportunisticallyMatchAuthSetPerKM**
<p>This value is bool used as an on/off switch. When this option is false (off), keying modules MUST ignore the entire authentication set if they don't support all of the authentication suites specified in the set. When this option is true (on), keying modules MUST ignore only the authentication suites that they dont support. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.</p>
<p>Boolean value. Supported operations are Add, Get, Replace, and Delete.</p>
This value is bool used as an on/off switch. When this option is false (off), keying modules MUST ignore the entire authentication set if they don't support all of the authentication suites specified in the set. When this option is true (on), keying modules MUST ignore only the authentication suites that they dont support. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.
Boolean value. Supported operations are Add, Get, Replace, and Delete.
<a href="" id="enablepacketqueue"></a>**MdmStore/Global/EnablePacketQueue**
<p>This value specifies how scaling for the software on the receive side is enabled for both the encrypted receive and clear text forward path for the IPsec tunnel gateway scenario. Use of this option also ensures that the packet order is preserved. The data type for this option value is integer and is a combination of flags. Valid values:</p>
This value specifies how scaling for the software on the receive side is enabled for both the encrypted receive and clear text forward path for the IPsec tunnel gateway scenario. Use of this option also ensures that the packet order is preserved. The data type for this option value is integer and is a combination of flags. Valid values:
<ul>
<li>0x00 indicates that all queuing is to be disabled</li>
<li>0x01 specifies that inbound encrypted packets are to be queued</li>
<li>0x02 specifies that packets are to be queued after decryption is performed for forwarding</li>
</ul>
- 0x00 indicates that all queuing is to be disabled
- 0x01 specifies that inbound encrypted packets are to be queued
- 0x02 specifies that packets are to be queued after decryption is performed for forwarding
<p>Default value is 0.</p>
<p>Value type is integer. Supported operations are Add, Get, Replace, and Delete.</p>
Default value is 0.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
<a href="" id="domainprofile"></a>**MdmStore/DomainProfile**
<p>Interior node. Supported operation is Get.</p>
Interior node. Supported operation is Get.
<a href="" id="privateprofile"></a>**MdmStore/PrivateProfile**
<p>Interior node. Supported operation is Get.</p>
Interior node. Supported operation is Get.
<a href="" id="publicprofile"></a>**MdmStore/PublicProfile**
<p>Interior node. Supported operation is Get.</p>
Interior node. Supported operation is Get.
<a href="" id="enablefirewall"></a>**/EnableFirewall**
<p>Boolean value for the firewall and advanced security enforcement. If this value is false, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used.</p>
<p>Default value is true.</p>
<p>Value type is bool. Supported operations are Add, Get and Replace.</p>
Boolean value for the firewall and advanced security enforcement. If this value is false, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used.
Default value is true.
Value type is bool. Supported operations are Add, Get and Replace.
<a href="" id="disablestealthmode"></a>**/DisableStealthMode**
<p>Boolean value. When this option is false, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used.</p>
<p>Default value is false.</p>
<p>Value type is bool. Supported operations are Add, Get and Replace.</p>
Boolean value. When this option is false, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used.
Default value is false.
Value type is bool. Supported operations are Add, Get and Replace.
<a href="" id="shielded"></a>**/Shielded**
<p>Boolean value. If this value is true and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let &quot;true&quot; values win.</p>
<p>Default value is false.</p>
<p>Value type is bool. Supported operations are Get and Replace.</p>
Boolean value. If this value is true and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "true" values win.
Default value is false.
Value type is bool. Supported operations are Get and Replace.
<a href="" id="disableunicastresponsestomulticastbroadcast"></a>**/DisableUnicastResponsesToMulticastBroadcast**
<p>Boolean value. If it's true, unicast responses to multicast broadcast traffic are blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used.</p>
<p>Default value is false.</p>
<p>Value type is bool. Supported operations are Add, Get and Replace.</p>
Boolean value. If it's true, unicast responses to multicast broadcast traffic are blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used.
Default value is false.
Value type is bool. Supported operations are Add, Get and Replace.
<a href="" id="disableinboundnotifications"></a>**/DisableInboundNotifications**
<p>Boolean value. If this value is false, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used.</p>
<p>Default value is false.</p>
<p>Value type is bool. Supported operations are Add, Get and Replace.</p>
Boolean value. If this value is false, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used.
Default value is false.
Value type is bool. Supported operations are Add, Get and Replace.
<a href="" id="authappsallowuserprefmerge"></a>**/AuthAppsAllowUserPrefMerge**
<p>Boolean value. If this value is false, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used.</p>
<p>Default value is true.</p>
<p>Value type is bool. Supported operations are Add, Get and Replace.</p>
Boolean value. If this value is false, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used.
Default value is true.
Value type is bool. Supported operations are Add, Get and Replace.
<a href="" id="globalportsallowuserprefmerge"></a>**/GlobalPortsAllowUserPrefMerge**
<p>Boolean value. If this value is false, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it's set or enumerated in the Group Policy store or if it's enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used.</p>
<p>Default value is true.</p>
<p>Value type is bool. Supported operations are Add, Get and Replace.</p>
Boolean value. If this value is false, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it's set or enumerated in the Group Policy store or if it's enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used.
Default value is true.
Value type is bool. Supported operations are Add, Get and Replace.
<a href="" id="allowlocalpolicymerge"></a>**/AllowLocalPolicyMerge**
<p>Boolean value. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions.</p>
<p>Default value is true.</p>
<p>Value type is bool. Supported operations are Add, Get and Replace.</p>
Boolean value. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions.
Default value is true.
Value type is bool. Supported operations are Add, Get and Replace.
<a href="" id="allowlocalipsecpolicymerge"></a>**/AllowLocalIpsecPolicyMerge**
<p>Boolean value. If this value is false, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore.</p>
<p>Default value is true.</p>
<p>Value type is bool. Supported operations are Add, Get and Replace.</p>
Boolean value. If this value is false, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore.
Default value is true.
Value type is bool. Supported operations are Add, Get and Replace.
<a href="" id="defaultoutboundaction"></a>**/DefaultOutboundAction**
<p>This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. DefaultOutboundAction will block all outbound traffic unless it's explicitly specified not to block.</p>
<ul>
<li>0x00000000 - allow</li>
<li>0x00000001 - block</li>
</ul>
<p>Default value is 0 (allow).</p>
<p>Value type is integer. Supported operations are Add, Get and Replace.</p>
This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. DefaultOutboundAction will allow all outbound traffic unless it's explicitly specified not to allow.
- 0x00000000 - allow
- 0x00000001 - block
Default value is 0 (allow).
Value type is integer. Supported operations are Add, Get and Replace.
Sample syncxml to provision the firewall settings to evaluate
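Review bot: the converted markdown lines in this hunk still carry HTML entities and typos that no longer pass through an HTML renderer, so they should be cleaned up while the lines are being rewritten: the BinaryVersionSupported paragraph keeps `component&#39;s`, the OpportunisticallyMatchAuthSetPerKM paragraph has `dont` (missing apostrophe), and the CRLcheck paragraph repeats `Valid valued:` from the old line (should be `Valid values:`). The root node anchor is also still `id="--vendor-msft-applocker"` on `./Vendor/MSFT/Firewall`; rename it to match the Firewall CSP. Two new `Default value is 0.` lines (CRLcheck and EnablePacketQueue) now directly follow the last markdown bullet of their lists; confirm a blank line separates them in the file, otherwise they render as a lazy continuation of that bullet rather than as their own paragraph. The DefaultOutboundAction wording change (allow unless explicitly blocked) is correct for the documented default of 0 (allow) and is a welcome fix of the old, inverted sentence.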
@ -261,163 +276,168 @@ Sample syncxml to provision the firewall settings to evaluate
</SyncML>
```
<a href="" id="defaultinboundaction"></a>**/DefaultInboundAction**
<p>This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it's configured; otherwise, the local store value is used.</p>
<ul>
<li>0x00000000 - allow</li>
<li>0x00000001 - block</li>
</ul>
<p>Default value is 1 (block).</p>
<p>Value type is integer. Supported operations are Add, Get and Replace.</p>
This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it's configured; otherwise, the local store value is used.
- 0x00000000 - allow
- 0x00000001 - block
Default value is 1 (block).
Value type is integer. Supported operations are Add, Get and Replace.
<a href="" id="disablestealthmodeipsecsecuredpacketexemption"></a>**/DisableStealthModeIpsecSecuredPacketExemption**
<p>Boolean value. This option is ignored if DisableStealthMode is true. Otherwise, when this option is true, the firewall&#39;s stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.</p>
<p>Default value is true.</p>
<p>Value type is bool. Supported operations are Add, Get and Replace.</p>
Boolean value. This option is ignored if DisableStealthMode is true. Otherwise, when this option is true, the firewall&#39;s stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.
Default value is true.
Value type is bool. Supported operations are Add, Get and Replace.
<a href="" id="firewallrules"></a>**FirewallRules**
<p>A list of rules controlling traffic through the Windows Firewall. Each Rule ID is OR&#39;ed. Within each rule ID each Filter type is AND&#39;ed.</p>
A list of rules controlling traffic through the Windows Firewall. Each Rule ID is OR&#39;ed. Within each rule ID each Filter type is AND&#39;ed.
<a href="" id="firewallrulename"></a>**FirewallRules/_FirewallRuleName_**
<p>Unique alpha numeric identifier for the rule. The rule name must not include a forward slash (/).</p>
<p>Supported operations are Add, Get, Replace, and Delete.</p>
Unique alpha numeric identifier for the rule. The rule name must not include a forward slash (/).
Supported operations are Add, Get, Replace, and Delete.
<a href="" id="app"></a>**FirewallRules/_FirewallRuleName_/App**
<p>Rules that control connections for an app, program, or service. Specified based on the intersection of the following nodes:</p>
<ul>
<li>PackageFamilyName</li>
<li>FilePath</li>
<li>FQBN</li>
<li>ServiceName</li>
</ul>
<p>If not specified, the default is All.</p>
<p>Supported operation is Get.</p>
Rules that control connections for an app, program, or service. Specified based on the intersection of the following nodes:
- PackageFamilyName
- FilePath
- FQBN
- ServiceName
If not specified, the default is All.
Supported operation is Get.
<a href="" id="packagefamilyname"></a>**FirewallRules/_FirewallRuleName_/App/PackageFamilyName**
<p>This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Microsoft Store application.</p>
<p>Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Microsoft Store application.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
<a href="" id="filepath"></a>**FirewallRules/_FirewallRuleName_/App/FilePath**
<p>This App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe.</p>
<p>Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
This App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
<a href="" id="fqbn"></a>**FirewallRules/_FirewallRuleName_/App/Fqbn**
<p>Fully Qualified Binary Name</p>
<p>Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
Fully Qualified Binary Name
Value type is string. Supported operations are Add, Get, Replace, and Delete.
<a href="" id="servicename"></a>**FirewallRules/_FirewallRuleName_/App/ServiceName**
<p>This parameter is a service name used in cases when a service, not an application, is sending or receiving traffic.</p>
<p>Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
This parameter is a service name used in cases when a service, not an application, is sending or receiving traffic.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
<a href="" id="protocol"></a>**FirewallRules/_FirewallRuleName_/Protocol**
<p>0-255 number representing the ip protocol (TCP = 6, UDP = 17)</p>
<p>If not specified, the default is All.</p>
<p>Value type is integer. Supported operations are Add, Get, Replace, and Delete.</p>
0-255 number representing the ip protocol (TCP = 6, UDP = 17)
If not specified, the default is All.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
<a href="" id="localportranges"></a>**FirewallRules/_FirewallRuleName_/LocalPortRanges**
<p>Comma separated list of ranges. For example, 100-120,200,300-320.</p>
<p>If not specified, the default is All.</p>
<p>Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
Comma separated list of ranges. For example, 100-120,200,300-320.
If not specified, the default is All.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
<a href="" id="remoteportranges"></a>**FirewallRules/_FirewallRuleName_/RemotePortRanges**
<p>Comma separated list of ranges, For example, 100-120,200,300-320.</p>
<p>If not specified, the default is All.</p>
<p>Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
Comma separated list of ranges, For example, 100-120,200,300-320.
If not specified, the default is All.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
<a href="" id="localaddressranges"></a>**FirewallRules/*FirewallRuleName*/LocalAddressRanges**
<p>Comma-separated list of local addresses covered by the rule. The default value is "*". Valid tokens include:</p>
<ul>
<li>"*" indicates any local address. If present, the local address must be the only token included.</li>
<li>A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask nor a network prefix is specified, the subnet mask defaults to 255.255.255.255.</li>
<li>A valid IPv6 address.</li>
<li>An IPv4 address range in the format of &quot;start address - end address&quot; with no spaces included.</li>
<li>An IPv6 address range in the format of &quot;start address - end address&quot; with no spaces included.</li>
</ul>
<p>If not specified, the default is All.</p>
<p>Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
Comma-separated list of local addresses covered by the rule. The default value is "*". Valid tokens include:
- "*" indicates any local address. If present, the local address must be the only token included.
- A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask nor a network prefix is specified, the subnet mask defaults to 255.255.255.255.
- A valid IPv6 address.
- An IPv4 address range in the format of &quot;start address - end address&quot; with no spaces included.
- An IPv6 address range in the format of &quot;start address - end address&quot; with no spaces included.
If not specified, the default is All.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
<a href="" id="remoteaddressranges"></a>**FirewallRules/*FirewallRuleName*/RemoteAddressRanges**
<p>List of comma separated tokens specifying the remote addresses covered by the rule. The default value is "*". Valid tokens include:</p>
<ul>
<li>"*" indicates any remote address. If present, the address must be the only token included.</li>
<li>&quot;Defaultgateway&quot;</li>
<li>&quot;DHCP&quot;</li>
<li>&quot;DNS&quot;</li>
<li>&quot;WINS&quot;</li>
<li>&quot;Intranet&quot;</li>
<li>&quot;RmtIntranet&quot;</li>
<li>&quot;Internet&quot;</li>
<li>&quot;Ply2Renders&quot;</li>
<li>&quot;LocalSubnet&quot; indicates any local address on the local subnet. This token isn't case-sensitive.</li>
<li>A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.</li>
<li>A valid IPv6 address.</li>
<li>An IPv4 address range in the format of &quot;start address - end address&quot; with no spaces included.</li>
<li>An IPv6 address range in the format of &quot;start address - end address&quot; with no spaces included.</li>
</ul>
<p>If not specified, the default is All.</p>
<p>Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
<p>The tokens &quot;Intranet&quot;, &quot;RmtIntranet&quot;, &quot;Internet&quot; and &quot;Ply2Renders&quot; are supported on Windows 10, version 1809, and later.</p>
List of comma separated tokens specifying the remote addresses covered by the rule. The default value is "*". Valid tokens include:
- "*" indicates any remote address. If present, the address must be the only token included.
- &quot;Defaultgateway&quot;
- &quot;DHCP&quot;
- &quot;DNS&quot;
- &quot;WINS&quot;
- &quot;Intranet&quot;
- &quot;RmtIntranet&quot;
- &quot;Internet&quot;
- &quot;Ply2Renders&quot;
- &quot;LocalSubnet&quot; indicates any local address on the local subnet. This token isn't case-sensitive.
- A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.
- A valid IPv6 address.
- An IPv4 address range in the format of &quot;start address - end address&quot; with no spaces included.
- An IPv6 address range in the format of &quot;start address - end address&quot; with no spaces included.
If not specified, the default is All.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
The tokens &quot;Intranet&quot;, &quot;RmtIntranet&quot;, &quot;Internet&quot; and &quot;Ply2Renders&quot; are supported on Windows 10, version 1809, and later.
<a href="" id="description"></a>**FirewallRules/_FirewallRuleName_/Description**
<p>Specifies the description of the rule.</p>
<p>Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
Specifies the description of the rule.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
<a href="" id="enabled"></a>**FirewallRules/_FirewallRuleName_/Enabled**
<p>Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true.
<p>If not specified - a new rule is enabled by default.</p>
<p>Boolean value. Supported operations are Get and Replace.</p>
Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true.
If not specified - a new rule is enabled by default.
Boolean value. Supported operations are Get and Replace.
<a href="" id="profiles"></a>**FirewallRules/_FirewallRuleName_/Profiles**
<p>Specifies the profiles to which the rule belongs: Domain, Private, Public. . See <a href="/openspecs/windows_protocols/ms-fasp/7704e238-174d-4a5e-b809-5f3787dd8acc" data-raw-source="[FW_PROFILE_TYPE](/openspecs/windows_protocols/ms-fasp/7704e238-174d-4a5e-b809-5f3787dd8acc)">FW_PROFILE_TYPE</a> for the bitmasks that are used to identify profile types.</p>
<p>If not specified, the default is All.</p>
<p>Value type is integer. Supported operations are Get and Replace.</p>
Specifies the profiles to which the rule belongs: Domain, Private, or Public. See [FW_PROFILE_TYPE](/openspecs/windows_protocols/ms-fasp/7704e238-174d-4a5e-b809-5f3787dd8acc) for the bitmasks that are used to identify profile types.
If not specified, the default is All.
Value type is integer. Supported operations are Get and Replace.
<a href="" id="action"></a>**FirewallRules/_FirewallRuleName_/Action**
<p>Specifies the action for the rule.</p>
<p>Supported operation is Get.</p>
Specifies the action for the rule.
Supported operation is Get.
<a href="" id="type"></a>**FirewallRules/_FirewallRuleName_/Action/Type**
<p>Specifies the action the rule enforces. Supported values:</p>
<ul>
<li>0 - Block</li>
<li>1 - Allow</li>
</ul>
<p>If not specified, the default is allow.</p>
<p>Value type is integer. Supported operations are Get and Replace.</p>
Specifies the action the rule enforces. Supported values:
- 0 - Block
- 1 - Allow
If not specified, the default is allow.
Value type is integer. Supported operations are Get and Replace.
<a href="" id="direction"></a>**FirewallRules/_FirewallRuleName_/Direction**
<p>The rule is enabled based on the traffic direction as following. Supported values:</p>
<ul>
<li>IN - the rule applies to inbound traffic.</li>
<li>OUT - the rule applies to outbound traffic.</li>
<li>If not specified, the default is Out.</li>
</ul>
<p>Value type is string. Supported operations are Get and Replace.</p>
The rule is enabled based on the traffic direction as following. Supported values:
- IN - the rule applies to inbound traffic.
- OUT - the rule applies to outbound traffic.
- If not specified, the default is Out.
Value type is string. Supported operations are Get and Replace.
<a href="" id="interfacetypes"></a>**FirewallRules/_FirewallRuleName_/InterfaceTypes**
<p>Comma separated list of interface types. Valid values:</p>
<ul>
<li>RemoteAccess</li>
<li>Wireless</li>
<li>Lan</li>
</ul>
<p>If not specified, the default is All.</p>
<p>Value type is string. Supported operations are Get and Replace.</p>
Comma separated list of interface types. Valid values:
- RemoteAccess
- Wireless
- Lan
If not specified, the default is All.
Value type is string. Supported operations are Get and Replace.
<a href="" id="edgetraversal"></a>**FirewallRules/_FirewallRuleName_/EdgeTraversal**
<p>Indicates whether edge traversal is enabled or disabled for this rule.</p>
<p>The EdgeTraversal setting indicates that specific inbound traffic is allowed to tunnel through NATs and other edge devices using the Teredo tunneling technology. In order for this setting to work correctly, the application or service with the inbound firewall rule needs to support IPv6. The primary application of this setting allows listeners on the host to be globally addressable through a Teredo IPv6 address.</p>
<p>New rules have the EdgeTraversal property disabled by default.</p>
<p>Value type is bool. Supported operations are Add, Get, Replace, and Delete.</p>
Indicates whether edge traversal is enabled or disabled for this rule.
The EdgeTraversal setting indicates that specific inbound traffic is allowed to tunnel through NATs and other edge devices using the Teredo tunneling technology. In order for this setting to work correctly, the application or service with the inbound firewall rule needs to support IPv6. The primary application of this setting allows listeners on the host to be globally addressable through a Teredo IPv6 address.
New rules have the EdgeTraversal property disabled by default.
Value type is bool. Supported operations are Add, Get, Replace, and Delete.
<a href="" id="localuserauthorizedlist"></a>**FirewallRules/_FirewallRuleName_/LocalUserAuthorizationList**
<p>Specifies the list of authorized local users for this rule. This list is a string in Security Descriptor Definition Language (SDDL) format.</p>
<p>Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
Specifies the list of authorized local users for this rule. This list is a string in Security Descriptor Definition Language (SDDL) format.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
<a href="" id="status"></a>**FirewallRules/_FirewallRuleName_/Status**
<p>Provides information about the specific version of the rule in deployment for monitoring purposes.</p>
<p>Value type is string. Supported operation is Get.</p>
Provides information about the specific version of the rule in deployment for monitoring purposes.
Value type is string. Supported operation is Get.
<a href="" id="name"></a>**FirewallRules/_FirewallRuleName_/Name**
<p>Name of the rule.</p>
<p>Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
Name of the rule.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
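Review bot: the converted remote-address bullet "If neither a subnet mask not a network prefix is specified" carries a typo over from the HTML version; it should read "neither a subnet mask nor a network prefix". While this block is being rewritten, two smaller points in the same hunk: the token list opens with 'The default value is "*"' but closes with "If not specified, the default is All", and under Direction the sentence "If not specified, the default is Out." has become a bullet among the supported values; move it to its own line after the list.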

@ -14,6 +14,17 @@ ms.date:
# Device HealthAttestation CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The Device HealthAttestation configuration service provider (DHA-CSP) enables enterprise IT administrators to assess if a device is booted to a trusted and compliant state, and to take enterprise policy actions.
The following list is a description of the functions performed by the Device HealthAttestation CSP:
@ -63,6 +74,7 @@ Attestation flow can be broadly in three main steps:
For more information, see [Attestation Protocol](/azure/attestation/virtualization-based-security-protocol).
### Configuration Service Provider Nodes
Windows 11 introduces additions to the HealthAttestation CSP node to integrate with Microsoft Azure Attestation service.
```console
@ -249,7 +261,7 @@ calls between client and MAA and for each call the GUID is separated by semicolo
```
> [!NOTE]
> > MAA CSP nodes are available on arm64 but isn't currently supported.
> MAA CSP nodes are available on arm64 but isn't currently supported.
### MAA CSP Integration Steps
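Review bot: the rewritten note line still has a subject-verb mismatch: "MAA CSP nodes are available on arm64 but isn't currently supported" should be "but aren't currently supported".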
@ -574,7 +586,7 @@ Provides the current status of the device health request.
The supported operation is Get.
The following list shows some examples of supported values. For the complete list of status, see <a href="#device-healthattestation-csp-status-and-error-codes" data-raw-source="[Device HealthAttestation CSP status and error codes](#device-healthattestation-csp-status-and-error-codes)">Device HealthAttestation CSP status and error codes</a>.
The following list shows some examples of supported values. For the complete list of status, see [Device HealthAttestation CSP status and error codes](#device-healthattestation-csp-status-and-error-codes).
- 0 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_UNINITIALIZED): DHA-CSP is preparing a request to get a new DHA-EncBlob from DHA-Service
- 1 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_REQUESTED): DHA-CSP is waiting for the DHA-Service to respond back, and issue a DHA-EncBlob to the device
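Review bot: minor wording in the rewritten link sentence: "For the complete list of status, see ..." should be "For the complete list of status codes, see ...", matching the link text "status and error codes".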
@ -688,6 +700,7 @@ SSL-Session:
### <a href="" id="assign-trusted-dha-service"></a>Step 2: Assign an enterprise trusted DHA-Service
There are three types of DHA-Service:
- Device Health Attestation Cloud (owned and operated by Microsoft)
- Device Health Attestation On Premise (owned and operated by an enterprise, runs on Windows Server 2016 on premises)
- Device Health Attestation - Enterprise-Managed Cloud (owned and operated by an enterprise, runs on Windows Server 2016 compatible enterprise-managed cloud)
@ -738,7 +751,6 @@ The following example shows a sample call that triggers collection and verificat
### <a href="" id="take-action-client-response"></a>Step 4: Take action based on the client's response
After the client receives the health attestation request, it sends a response. The following list describes the responses, along with a recommended action to take.
- If the response is HEALTHATTESTATION\_CERT_RETRIEVAL_COMPLETE (3) then proceed to the next section.
@ -762,11 +774,11 @@ Here's a sample alert that is issued by DHA_CSP:
</Item>
</Alert>
```
- If the response to the status node isn't 0, 1 or 3, then troubleshoot the issue. For the complete list of status codes, see [Device HealthAttestation CSP status and error codes](#device-healthattestation-csp-status-and-error-codes).
### <a href="" id="forward-health-attestation"></a>Step 5: Instruct the client to forward health attestation data for verification
Create a call to the **Nonce**, **Certificate** and **CorrelationId** nodes, and pick up an encrypted payload that includes a health certificate and related data from the device.
Here's an example:
@ -823,16 +835,16 @@ When the MDM-Server receives the above data, it must:
- Forward (HTTP Post) the XML data struct (including the nonce that was appended in the previous step) to the assigned DHA-Service that runs on:
- DHA-Cloud (Microsoft owned and operated DHA-Service) scenario: https://has.spserv.microsoft.com/DeviceHealthAttestation/ValidateHealthCertificate/v3
- DHA-OnPrem or DHA-EMC: https://FullyQualifiedDomainName-FDQN/DeviceHealthAttestation/ValidateHealthCertificate/v3
- DHA-Cloud (Microsoft owned and operated DHA-Service) scenario: [https://has.spserv.microsoft.com/DeviceHealthAttestation/ValidateHealthCertificate/v3](https://has.spserv.microsoft.com/DeviceHealthAttestation/ValidateHealthCertificate/v3)
- DHA-OnPrem or DHA-EMC: [https://FullyQualifiedDomainName-FDQN/DeviceHealthAttestation/ValidateHealthCertificate/v3](https://FullyQualifiedDomainName-FDQN/DeviceHealthAttestation/ValidateHealthCertificate/v3)
### <a href="" id="receive-has-response"></a>Step 7: Receive response from the DHA-service
When the Microsoft Device Health Attestation Service receives a request for verification, it performs the following steps:
- Decrypts the encrypted data it receives.
- Validates the data it has received
- Creates a report, and shares the evaluation results to the MDM server via SSL in XML format
- Validates the data it has received.
- Creates a report, and shares the evaluation results to the MDM server via SSL in XML format.
### <a href="" id="take-policy-action"></a>Step 8: Take appropriate policy action based on evaluation results
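Review bot: the second bullet turns the placeholder host into a live link, `https://FullyQualifiedDomainName-FDQN/DeviceHealthAttestation/ValidateHealthCertificate/v3`, which renders as a clickable URL to a host that does not exist; keep that one as inline code or a bracketed placeholder rather than a markdown link, and correct "FDQN" to "FQDN" in both the link text and the target. Linking the DHA-Cloud URL is fine.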
@ -890,8 +902,8 @@ If AIKPresent = True (1), then allow access.
If AIKPresent = False (0), then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Disallow access to HBI assets
- Disallow all access.
- Disallow access to HBI assets.
- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history.
- Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks.
@ -918,14 +930,14 @@ If DEPPolicy = 1 (On), then allow access.
If DEPPolicy = 0 (Off), then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Disallow access to HBI assets
- Disallow all access.
- Disallow access to HBI assets.
- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history.
- Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks.
<a href="" id="bitlockerstatus"></a>**BitLockerStatus** (at boot time)
When BitLocker is reported &quot;on&quot; at boot time, the device is able to protect data that is stored on the drive from unauthorized access, when the system is turned off or goes to hibernation.
When BitLocker is reported "on" at boot time, the device is able to protect data that is stored on the drive from unauthorized access, when the system is turned off or goes to hibernation.
Windows BitLocker Drive Encryption, encrypts all data stored on the Windows operating system volume. BitLocker uses the TPM to help protect the Windows operating system and user data and helps to ensure that a computer isn't tampered with, even if it's left unattended, lost, or stolen.
@ -935,8 +947,8 @@ If BitLockerStatus = 1 (On), then allow access.
If BitLockerStatus = 0 (Off), then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Disallow access to HBI assets
- Disallow all access.
- Disallow access to HBI assets.
- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history.
- Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks.
@ -946,10 +958,10 @@ This attribute indicates the version of the Boot Manager that is running on the
If BootManagerRevListVersion = [CurrentVersion], then allow access.
If BootManagerRevListVersion != [CurrentVersion], then take one of the following actions that align with your enterprise policies:
If `BootManagerRevListVersion !`= [CurrentVersion], then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Disallow access to HBI and MBI assets
- Disallow all access.
- Disallow access to HBI and MBI assets.
- Place the device in a watch list to monitor the device more closely for potential risks.
- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue.
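Review bot: the changed line wraps only `BootManagerRevListVersion !` in backticks, which splits the `!=` operator across the code span and renders as `BootManagerRevListVersion !`= ...; either wrap the whole expression (`BootManagerRevListVersion != [CurrentVersion]`) or leave it as plain text like the matching "If BootManagerRevListVersion = [CurrentVersion]" line above. The last bullet is also missing a word: "contact the owner investigate the issue" should be "contact the owner to investigate the issue".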
@ -959,10 +971,10 @@ This attribute indicates the version of the code that is performing integrity ch
If CodeIntegrityRevListVersion = [CurrentVersion], then allow access.
If CodeIntegrityRevListVersion != [CurrentVersion], then take one of the following actions that align with your enterprise policies:
If `CodeIntegrityRevListVersion !`= [CurrentVersion], then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Disallow access to HBI and MBI assets
- Disallow all access.
- Disallow access to HBI and MBI assets.
- Place the device in a watch list to monitor the device more closely for potential risks.
- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue.
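Review bot: same backtick problem as in the BootManagerRevListVersion hunk: `CodeIntegrityRevListVersion !`= splits the `!=` operator; wrap the full expression or use plain text. "contact the owner investigate" needs "to" here as well.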
@ -974,8 +986,8 @@ If SecureBootEnabled = 1 (True), then allow access.
If SecurebootEnabled = 0 (False), then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Disallow access to HBI assets
- Disallow all access.
- Disallow access to HBI assets.
- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history.
- Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks.
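Review bot: the attribute name is spelled inconsistently in this hunk: "If SecureBootEnabled = 1 (True)" in the hunk context versus "If SecurebootEnabled = 0 (False)" on the next line; use SecureBootEnabled in both.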
@ -985,15 +997,15 @@ Boot debug-enabled points to a device that is used in development and testing. D
Boot debugging can be disabled or enabled by using the following commands in WMI or a PowerShell script:
- To disable boot debugging, type **bcdedit.exe /set {current} bootdebug off**
- To enable boot debugging, type **bcdedit.exe /set {current} bootdebug on**
- To disable boot debugging, type **bcdedit.exe /set {current} bootdebug off**.
- To enable boot debugging, type **bcdedit.exe /set {current} bootdebug on**.
If BootdebuggingEnabled = 0 (False), then allow access.
If BootDebuggingEnabled = 1 (True), then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Disallow access to HBI assets
- Disallow all access.
- Disallow access to HBI assets.
- Place the device in a watch list to monitor the device more closely for potential risks.
- Trigger a corrective action, such as enabling VSM using WMI or a PowerShell script.
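Review bot: "If BootdebuggingEnabled = 0 (False)" and "If BootDebuggingEnabled = 1 (True)" spell the attribute differently; use one form. Two further points in this hunk: the intro says the commands run "in WMI or a PowerShell script", but both bullets are bcdedit.exe invocations, and the last bullet's corrective action ("enabling VSM") does not address the condition being checked; the natural remedy for BootDebuggingEnabled = 1 is the `bcdedit.exe /set {current} bootdebug off` command shown a few lines above.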
@ -1005,8 +1017,8 @@ If OSKernelDebuggingEnabled = 0 (False), then allow access.
If OSKernelDebuggingEnabled = 1 (True), then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Disallow access to HBI assets
- Disallow all access.
- Disallow access to HBI assets.
- Place the device in a watch list to monitor the device more closely for potential risks.
- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue.
@ -1022,8 +1034,8 @@ If CodeIntegrityEnabled = 1 (True), then allow access.
If CodeIntegrityEnabled = 0 (False), then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Disallow access to HBI assets
- Disallow all access.
- Disallow access to HBI assets.
- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history.
- Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks.
@ -1033,15 +1045,15 @@ When test signing is enabled, the device doesn't enforce signature validation du
Test signing can be disabled or enabled by using the following commands in WMI or a PowerShell script:
- To disable boot debugging, type **bcdedit.exe /set {current} testsigning off**
- To enable boot debugging, type **bcdedit.exe /set {current} testsigning on**
- To disable boot debugging, type **bcdedit.exe /set {current} testsigning off**.
- To enable boot debugging, type **bcdedit.exe /set {current} testsigning on**.
If TestSigningEnabled = 0 (False), then allow access.
If TestSigningEnabled = 1 (True), then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Disallow access to HBI and MBI assets
- Disallow all access.
- Disallow access to HBI and MBI assets.
- Place the device in a watch list to monitor the device more closely for potential risks.
- Trigger a corrective action, such as enabling test signing using WMI or a PowerShell script.
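Review bot: the two rewritten bullets are a copy-and-paste error: they say "To disable boot debugging" / "To enable boot debugging" but the commands set `testsigning`, so they should read "To disable test signing" / "To enable test signing". Relatedly, the last bullet's corrective action for TestSigningEnabled = 1 (True) is "enabling test signing", which is the state being flagged; the remedy should be disabling it (the `testsigning off` command above).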
@ -1053,8 +1065,8 @@ If SafeMode = 0 (False), then allow access.
If SafeMode = 1 (True), then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Disallow access to HBI assets
- Disallow all access.
- Disallow access to HBI assets.
- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue.
<a href="" id="winpe"></a>**WinPE**
@ -1067,7 +1079,7 @@ If WinPE = 1 (True), then limit access to remote resources that are required for
<a href="" id="elamdriverloaded"></a>**ELAMDriverLoaded** (Windows Defender)
To use this reporting feature, you must disable &quot;Hybrid Resume&quot; on the device. Early launch anti-malware (ELAM) provides protection for the computers in your network when they start up and before third-party drivers initialize.
To use this reporting feature, you must disable "Hybrid Resume" on the device. Early launch anti-malware (ELAM) provides protection for the computers in your network when they start up and before third-party drivers initialize.
In the current release, this attribute only monitors/reports if a Microsoft first-party ELAM (Windows Defender) was loaded during initial boot.
@ -1077,8 +1089,8 @@ If a device is expected to use Windows Defender and ELAMDriverLoaded = 1 (True),
If a device is expected to use Windows Defender and ELAMDriverLoaded = 0 (False), then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Disallow access to HBI assets
- Disallow all access.
- Disallow access to HBI assets.
- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue.
**Bcdedit.exe /set {current} vsmlaunchtype auto**
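Review bot: the bold line `Bcdedit.exe /set {current} vsmlaunchtype auto` sits by itself after the ELAMDriverLoaded bullets with no introducing sentence; it matches the VSMEnabled section below ("VSM can be enabled by using the following command in WMI or a PowerShell script"), so it appears to be misplaced and should move there, rendered as code rather than bold.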
@ -1087,8 +1099,8 @@ If ELAMDriverLoaded = 1 (True), then allow access.
If ELAMDriverLoaded = 0 (False), then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Disallow access to HBI assets
- Disallow all access.
- Disallow access to HBI assets.
- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue.
<a href="" id="vsmenabled"></a>**VSMEnabled**
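Review bot: this hunk's "If ELAMDriverLoaded = 0 (False), then take one of the following actions" block duplicates the one in the previous hunk ("If a device is expected to use Windows Defender and ELAMDriverLoaded = 0"), with the same three bullets; since both receive the same punctuation fix, consider collapsing them into one block so they do not drift apart again.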
@ -1102,8 +1114,8 @@ VSM can be enabled by using the following command in WMI or a PowerShell script:
If VSMEnabled = 1 (True), then allow access.
If VSMEnabled = 0 (False), then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Disallow access to HBI assets
- Disallow all access.
- Disallow access to HBI assets.
- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue
<a href="" id="pcrhashalgorithmid"></a>**PCRHashAlgorithmID**
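Review bot: the last bullet "Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue" is missing both the word "to" ("to contact the owner to investigate") and the trailing period that the other bullets in this hunk just received.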
@ -1118,7 +1130,7 @@ If reported BootAppSVN equals an accepted value, then allow access.
If reported BootAppSVN doesn't equal an accepted value, then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Disallow all access.
- Direct the device to an enterprise honeypot, to further monitor the device's activities.
<a href="" id="bootmanagersvn"></a>**BootManagerSVN**
@ -1129,7 +1141,7 @@ If reported BootManagerSVN equals an accepted value, then allow access.
If reported BootManagerSVN doesn't equal an accepted value, then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Disallow all access.
- Direct the device to an enterprise honeypot, to further monitor the device's activities.
<a href="" id="tpmversion"></a>**TPMVersion**
@ -1153,12 +1165,11 @@ The measurement that is captured in PCR[0] typically represents a consistent vie
Enterprise managers can create an allowlist of trusted PCR[0] values, compare the PCR[0] value of the managed devices (the value that is verified and reported by HAS) with the allowlist, and then make a trust decision based on the result of the comparison.
If your enterprise doesn't have an allowlist of accepted PCR[0] values, then take no action.
If PCR[0] equals an accepted allowlist value, then allow access.
If PCR[0] doesn't equal any accepted listed value, then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Disallow all access.
- Direct the device to an enterprise honeypot, to further monitor the device's activities.
<a href="" id="sbcphash"></a>**SBCPHash**
@ -1169,7 +1180,7 @@ If SBCPHash isn't present, or is an accepted allow-listed value, then allow acce
If SBCPHash is present in DHA-Report, and isn't an allowlisted value, then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Disallow all access.
- Place the device in a watch list to monitor the device more closely for potential risks.
<a href="" id="cipolicy"></a>**CIPolicy**
@ -1180,7 +1191,7 @@ If CIPolicy isn't present, or is an accepted allow-listed value, then allow acce
If CIPolicy is present and isn't an allow-listed value, then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Disallow all access.
- Place the device in a watch list to monitor the device more closely for potential risks.
<a href="" id="bootrevlistinfo"></a>**BootRevListInfo**
@ -1191,7 +1202,7 @@ If reported BootRevListInfo version equals an accepted value, then allow access.
If reported BootRevListInfo version doesn't equal an accepted value, then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Disallow all access.
- Direct the device to an enterprise honeypot, to further monitor the device's activities.
<a href="" id="osrevlistinfo"></a>**OSRevListInfo**
@ -1202,7 +1213,7 @@ If reported OSRevListInfo version equals an accepted value, then allow access.
If reported OSRevListInfo version doesn't equal an accepted value, then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Disallow all access.
- Direct the device to an enterprise honeypot, to further monitor the device's activities.
<a href="" id="healthstatusmismatchflags"></a>**HealthStatusMismatchFlags**

@ -80,17 +80,17 @@ Since the [Poll](dmclient-csp.md#provider-providerid-poll) node isnt provided
MAM on Windows supports the following configuration service providers (CSPs). All other CSPs will be blocked. Note the list may change later based on customer feedback:
- [AppLocker CSP](applocker-csp.md) for configuration of WIP enterprise allowed apps.
- [AppLocker CSP](applocker-csp.md) for configuration of Windows Information Protection enterprise allowed apps.
- [ClientCertificateInstall CSP](clientcertificateinstall-csp.md) for installing VPN and Wi-Fi certs.
- [DeviceStatus CSP](devicestatus-csp.md) required for Conditional Access support (starting with Windows 10, version 1703).
- [DevInfo CSP](devinfo-csp.md).
- [DMAcc CSP](dmacc-csp.md).
- [DMClient CSP](dmclient-csp.md) for polling schedules configuration and MDM discovery URL.
- [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md) has WIP policies.
- [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md) has Windows Information Protection policies.
- [Health Attestation CSP](healthattestation-csp.md) required for Conditional Access support (starting with Windows 10, version 1703).
- [PassportForWork CSP](passportforwork-csp.md) for Windows Hello for Business PIN management.
- [Policy CSP](policy-configuration-service-provider.md) specifically for NetworkIsolation and DeviceLock areas.
- [Reporting CSP](reporting-csp.md) for retrieving WIP logs.
- [Reporting CSP](reporting-csp.md) for retrieving Windows Information Protection logs.
- [RootCaTrustedCertificates CSP](rootcacertificates-csp.md).
- [VPNv2 CSP](vpnv2-csp.md) should be omitted for deployments where IT is planning to allow access and protect cloud-only resources with MAM.
- [WiFi CSP](wifi-csp.md) should be omitted for deployments where IT is planning to allow access and protect cloud-only resources with MAM.
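Review bot: expanding "WIP" to "Windows Information Protection" in the AppLocker, EnterpriseDataProtection and Reporting bullets removes every definition of the abbreviation, while other text on the page (for example "WIP-protected documents" in the next hunk) still uses it. Spell it out with the abbreviation once on first use, "Windows Information Protection (WIP)", and keep "WIP" afterwards.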
@ -116,13 +116,13 @@ MAM policy syncs are modeled after MDM. The MAM client uses an Azure AD token to
Windows doesn't support applying both MAM and MDM policies to the same devices. If configured by the admin, users can change their MAM enrollment to MDM.
> [!NOTE]
> When users upgrade from MAM to MDM on Windows Home edition, they lose access to WIP. On Windows Home edition, we don't recommend pushing MDM policies to enable users to upgrade.
> When users upgrade from MAM to MDM on Windows Home edition, they lose access to Windows Information Protection. On Windows Home edition, we don't recommend pushing MDM policies to enable users to upgrade.
To configure MAM device for MDM enrollment, the admin needs to configure the MDM Discovery URL in the DMClient CSP. This URL will be used for MDM enrollment.
In the process of changing MAM enrollment to MDM, MAM policies will be removed from the device after MDM policies have been successfully applied. Normally when WIP policies are removed from the device, the users access to WIP-protected documents is revoked (selective wipe) unless EDP CSP RevokeOnUnenroll is set to false. To prevent selective wipe on enrollment change from MAM to MDM, the admin needs to ensure that:
In the process of changing MAM enrollment to MDM, MAM policies will be removed from the device after MDM policies have been successfully applied. Normally when Windows Information Protection policies are removed from the device, the users access to WIP-protected documents is revoked (selective wipe) unless EDP CSP RevokeOnUnenroll is set to false. To prevent selective wipe on enrollment change from MAM to MDM, the admin needs to ensure that:
- Both MAM and MDM policies for the organization support WIP.
- Both MAM and MDM policies for the organization support Windows Information Protection.
- EDP CSP Enterprise ID is the same for both MAM and MDM.
- EDP CSP RevokeOnMDMHandoff is set to false.
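Review bot: the rewritten paragraph still has a missing apostrophe: "the users access to WIP-protected documents" should be "the user's access". It also mixes the expanded name and the abbreviation in one sentence ("Windows Information Protection policies" ... "WIP-protected documents"); once the abbreviation has been introduced, use it consistently.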

@ -1,28 +1,28 @@
---
title: Mobile device management
description: Windows 10 and Windows 11 provides an enterprise-level solution to mobile management, to help IT pros comply with security policies while avoiding compromise of user's privacy
description: Windows 10 and Windows 11 provide an enterprise-level solution to mobile management, to help IT pros comply with security policies while avoiding compromise of user's privacy.
MS-HAID:
- 'p\_phDeviceMgmt.provisioning\_and\_device\_management'
- 'p\_phDeviceMgmt.mobile\_device\_management\_windows\_mdm'
ms.assetid: 50ac90a7-713e-4487-9cb9-b6d6fdaa4e5b
ms.author: dansimp
ms.topic: article
ms.topic: overview
ms.prod: w10
ms.technology: windows
author: dansimp
author: aczechowski
ms.author: aaroncz
ms.collection: highpri
ms.date: 06/03/2022
---
# Mobile device management
Windows 10 and Windows 11 provides an enterprise management solution to help IT pros manage company security policies and business applications, while avoiding compromise of the users' privacy on their personal devices. A built-in management component can communicate with the management server.
Windows 10 and Windows 11 provide an enterprise management solution to help IT pros manage company security policies and business applications, while avoiding compromise of the users' privacy on their personal devices. A built-in management component can communicate with the management server.
There are two parts to the Windows management component:
There are two parts to the Windows management component:
- The enrollment client, which enrolls and configures the device to communicate with the enterprise management server.
- The management client, which periodically synchronizes with the management server to check for updates and apply the latest policies set by IT.
Third-party MDM servers can manage Windows 10 by using the MDM protocol. The built-in management client is able to communicate with a third-party server proxy that supports the protocols outlined in this document to perform enterprise management tasks. The third-party server will have the same consistent first-party user experience for enrollment, which also provides simplicity for Windows 10 users. MDM servers don't need to create or download a client to manage Windows 10. For details about the MDM protocols, see [\[MS-MDM\]: Mobile Device Management Protocol](/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692).
Third-party MDM servers can manage Windows 10 by using the MDM protocol. The built-in management client is able to communicate with a third-party server proxy that supports the protocols outlined in this document to perform enterprise management tasks. The third-party server will have the same consistent first-party user experience for enrollment, which also provides simplicity for Windows 10 users. MDM servers don't need to create or download a client to manage Windows 10. For details about the MDM protocols, see [\[MS-MDM\]: Mobile Device Management Protocol](/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692).
## MDM security baseline
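Review bot: the paragraph beginning "Third-party MDM servers can manage Windows 10" still names only Windows 10 (three times) while the sentence just above it was changed in this hunk to "Windows 10 and Windows 11 provide an enterprise management solution"; if Windows 11 is in scope for third-party MDM, update this paragraph in the same edit, for example "Third-party MDM servers can manage Windows 10 and Windows 11 by using the MDM protocol." Otherwise the overview reads as if third-party management stops at Windows 10.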
@ -37,7 +37,7 @@ The MDM security baseline includes policies that cover the following areas:
- Legacy technology policies that offer alternative solutions with modern technology
- And much more
For more details about the MDM policies defined in the MDM security baseline and what Microsoft's recommended baseline policy values are, see:
For more information about the MDM policies defined in the MDM security baseline and what Microsoft's recommended baseline policy values are, see:
- [MDM Security baseline for Windows 11](https://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/Windows11-MDM-SecurityBaseLine-Document.zip)
- [MDM Security baseline for Windows 10, version 2004](https://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/2004-MDM-SecurityBaseLine-Document.zip)
@ -48,16 +48,8 @@ For more details about the MDM policies defined in the MDM security baseline and
For information about the MDM policies defined in the Intune security baseline, see [Windows security baseline settings for Intune](/mem/intune/protect/security-baseline-settings-mdm-all).
<span id="mmat" />
## Learn about migrating to MDM
When an organization wants to move to MDM to manage devices, they should prepare by analyzing their current Group Policy settings to see what they need to transition to MDM management. Microsoft created the [MDM Migration Analysis Tool](https://aka.ms/mmat/) (MMAT) to help. MMAT determines which Group Policies have been set for a target user or computer and then generates a report that lists the level of support for each policy setting in MDM equivalents. For more information, see [MMAT Instructions](https://github.com/WindowsDeviceManagement/MMAT/blob/master/MDM%20Migration%20Analysis%20Tool%20Instructions.pdf).
## Learn about device enrollment
- [Mobile device enrollment](mobile-device-enrollment.md)
- [Federated authentication device enrollment](federated-authentication-device-enrollment.md)
- [Certificate authentication device enrollment](certificate-authentication-device-enrollment.md)
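Review bot: removing `<span id="mmat" />` together with the "Learn about migrating to MDM" section breaks any inbound link that targets the `#mmat` anchor on this page; search the repo and the redirection file for links ending in `#mmat` before merging, and if the MDM Migration Analysis Tool is being retired rather than just de-emphasized, say so in the commit message so the removal of the only Group Policy to MDM migration guidance is traceable later.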
@ -65,7 +57,6 @@ When an organization wants to move to MDM to manage devices, they should prepare
## Learn about device management
- [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md)
- [Enterprise app management](enterprise-app-management.md)
- [Mobile device management (MDM) for device updates](device-update-management.md)
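Review bot: this hunk drops one entry from the "Learn about device management" list (7 lines become 6) but the rendered view does not show which link was removed; name it in the commit message, and make sure the page it pointed to either still has another entry point or gets a redirect in the same change, since this overview is the main index for the mdm folder.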
@ -77,8 +68,7 @@ When an organization wants to move to MDM to manage devices, they should prepare
## Learn about configuration service providers
- [Configuration service provider reference](configuration-service-provider-reference.md)
- [WMI providers supported in Windows 10](wmi-providers-supported-in-windows.md)
- [WMI providers supported in Windows 10](wmi-providers-supported-in-windows.md)
- [Using PowerShell scripting with the WMI Bridge Provider](using-powershell-scripting-with-the-wmi-bridge-provider.md)
- [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal)

View File

@ -1,113 +0,0 @@
---
title: Messaging CSP
description: Use the Messaging configuration service provider (CSP) to configure the ability to get text messages audited on a mobile device.
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
ms.date: 06/26/2017
ms.reviewer:
manager: dansimp
---
# Messaging CSP
The Messaging configuration service provider is used to configure the ability to get text messages audited on a mobile device. This CSP was added in Windows 10, version 1703.
The following shows the Messaging configuration service provider in tree format.
```console
./User/Vendor/MSFT
Messaging
----AuditingLevel
----Auditing
--------Messages
----------Count
----------RevisionId
----------Data
```
<a href="" id="--user-msft-applocker"></a>**./User/Vendor/MSFT/Messaging**
<p>Root node for the Messaging configuration service provider.</p>
<a href="" id="auditinglevel"></a>**AuditingLevel**
<p>Turns on the &quot;Text&quot; auditing feature.</p>
<p>The following list shows the supported values:</p>
<ul>
<li>0 (Default) - Off</li>
<li>1 - On</li>
</ul>
<p>Supported operations are Get and Replace.</p>
<a href="" id="auditing"></a>**Auditing**
<p>Node for auditing.</p>
<p>Supported operation is Get.</p>
<a href="" id="messages"></a>**Messages**
<p>Node for messages.</p>
<p>Supported operation is Get.</p>
<a href="" id="count"></a>**Count**
<p>The number of messages to return in the Data setting. The default is 100.</p>
<p>Supported operations are Get and Replace.</p>
<a href="" id="revisionid"></a>**RevisionId**
<p>Retrieves messages whose revision ID is greater than RevisionId.</p>
<p>Supported operations are Get and Replace.</p>
<a href="" id="data"></a>**Data**
<p>The JSON string of text messages on the device.</p>
<p>Supported operations are Get and Replace.</p>
**SyncML example**
```xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>
./User/Vendor/MSFT/Messaging/Auditing/Messages/Count
</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
<Type>text/plain</Type>
</Meta>
<Data>100</Data>
</Item>
</Replace>
<Replace>
<CmdID>3</CmdID>
<Item>
<Target>
<LocURI>
./User/Vendor/MSFT/Messaging/Auditing/Messages/RevisionId
</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
<Type>text/plain</Type>
</Meta>
<Data>0</Data>
</Item>
</Replace>
<Get>
<CmdID>4</CmdID>
<Item>
<Target>
<LocURI>
./User/Vendor/MSFT/Messaging/Auditing/Messages/Data
</LocURI>
</Target>
</Item>
</Get>
<Final/>
</SyncBody>
</SyncML>
```
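Review bot: deleting messaging-csp.md needs a redirect for the old URL and removal of the Messaging row and any links from configuration-service-provider-reference.md in the same change, otherwise the reference page points at a 404. Also worth flagging before this text disappears: the page documented the Data node as "Supported operations are Get and Replace" while its own SyncML example only issues a Get on `./User/Vendor/MSFT/Messaging/Auditing/Messages/Data`; if any of this content is being moved rather than retired, check the DDF for the real operation set before carrying that sentence along.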

View File

@ -1,182 +0,0 @@
---
title: Messaging DDF file
description: Utilize the OMA DM device description framework (DDF) for the Messaging configuration service provider.
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
ms.date: 12/05/2017
ms.reviewer:
manager: dansimp
---
# Messaging DDF file
This topic shows the OMA DM device description framework (DDF) for the Messaging configuration service provider. This CSP was added in Windows 10, version 1703.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
The XML below is the current version for this CSP.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>Messaging</NodeName>
<Path>./User/Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>AuditingLevel</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>Turns on the 'Text' auditing feature. 0 = off, 1 = on</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Auditing</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Messages</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Count</NodeName>
<DFProperties>
<AccessType>
<Replace />
<Get />
</AccessType>
<DefaultValue>100</DefaultValue>
<Description>Number of messages to return in the 'Data' element</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>RevisionId</NodeName>
<DFProperties>
<AccessType>
<Replace />
<Get />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>Retrieves messages whose revision id is greater than the 'RevisionId'</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Data</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>JSON string of 'text' messages on the device</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</Node>
</MgmtTree>
```
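Review bot: the `<AccessType>` under `<NodeName>Data</NodeName>` lists only `<Get />`, which contradicts the "Get and Replace" wording in the CSP page deleted alongside this file; both are going away so nothing needs fixing here, but the page also pointed readers at the "CSP DDF files download" bundle, so that bundle and the download section of configuration-service-provider-reference.md should stop advertising a Messaging DDF. Pair both deletions with redirect entries in the same change.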

View File

@ -13,6 +13,16 @@ manager: dansimp
# MultiSIM CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The MultiSIM configuration service provider (CSP) is used by the enterprise to manage devices with dual SIM single active configuration. An enterprise can set policies on whether that user can switch between SIM slots, specify which slot is the default, and whether the slot is embedded. This CSP was added in Windows 10, version 1803.

View File

@ -14,6 +14,17 @@ ms.date: 06/26/2017
# NAP CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The NAP (Network Access Point) Configuration Service Provider is used to manage and query GPRS and CDMA connections.
> [!Note]
@ -67,7 +78,7 @@ Root node.
<a href="" id="napx"></a>***NAPX***
Required. Defines the name of the network access point.
It's recommended that this element name is specified as a numbered node beginning at zero. For example, to provision two network access points, use "NAP0" and "NAP1" as the element names. Any unique name can be used if desired (such as "GPRS-NAP"), but no spaces may appear in the name (use %20 instead).
It is recommended that this element name is specified as a numbered node beginning at zero. For example, to provision two network access points, use "NAP0" and "NAP1" as the element names. Any unique name can be used if desired (such as "GPRS-NAP"), however, no spaces may appear in the name (use %20 instead).
<a href="" id="napx-napid"></a>***NAPX*/NAPID**
Required. Specifies the identifier of the destination network.
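Review bot: the rewrite of the NAPX sentence introduces a comma splice: "Any unique name can be used if desired (such as "GPRS-NAP"), however, no spaces may appear in the name" joins two independent clauses with "however"; the original "but" was correct, or put a semicolon before "however". In the same sentence, "It is recommended that this element name is specified" should read "be specified".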
@ -97,7 +108,7 @@ The following table shows some commonly used ADDRTYPE values and the types of co
Optional node. Specifies the authentication information, including the protocol, user name, and password.
<a href="" id="napx-authinfo-authtype"></a>***NAPX*/AuthInfo/AuthType**
Optional. Specifies the method of authentication. Some supported protocols are PAP, CHAP, HTTP-BASIC, HTTP-DIGEST, WTLS-SS, MD5.
Optional. Specifies the method of authentication. Some supported protocols are PAP, CHAP, HTTP-BASIC, HTTP-DIGEST, WTLS-SS, and MD5.
<a href="" id="napx-authinfo-authname"></a>***NAPX*/AuthInfo/AuthName**
Optional. Specifies the user name and domain to be used during authentication. This field is in the form *Domain*\\*UserName*.
@ -111,7 +122,8 @@ Queries of this field will return a string composed of 16 asterisks (\*).
Node.
<a href="" id="napx-bearer-bearertype"></a>***NAPX*/Bearer/BearerType**
Required. Specifies the network type of the destination network. This parameter's value can be set to GPRS, CDMA2000, WCDMA, TDMA, CSD, DTPT, WiFi.
Required. Specifies the network type of the destination network. This can be set to GPRS, CDMA2000, WCDMA, TDMA, CSD, DTPT, and Wi-Fi.
## Related articles
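Review bot: "This can be set to GPRS, CDMA2000, WCDMA, TDMA, CSD, DTPT, and Wi-Fi" reads as if all values apply at once and drops the subject that "This parameter's value" carried in the old line; BearerType takes one of the listed values, so prefer "The value can be one of GPRS, CDMA2000, WCDMA, TDMA, CSD, DTPT, or Wi-Fi." If the literal the CSP accepts is `WiFi` as the old line had it rather than the prose form "Wi-Fi", keep the literal in code font and spell it the way the device expects; renaming an accepted value for style reasons will break provisioning XML copied from the doc.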

View File

@ -14,7 +14,18 @@ ms.date: 06/26/2017
# NAPDEF CSP
The NAPDEF configuration service provider is used to add, modify, or delete WAP network access points (NAPs). For complete information about these settings, see the standard WAP specification WAP-183-ProvCont-20010724-a.
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The NAPDEF configuration service provider is used to add, modify, or delete WAP Network Access Points (NAPs). For complete information about these settings, see the standard WAP specification WAP-183-ProvCont-20010724-a.
> [!Note]
> You cannot use NAPDEF CSP on the desktop to update the Push Proxy Gateway (PPG) list.
@ -71,7 +82,7 @@ A query of this parameter returns asterisks (\*) in the results.
<a href="" id="authtype"></a>**AUTHTYPE**
Specifies the protocol used to authenticate the user.
The only permitted values for this element are "POP" (Password Authentication Protocol) and "CHAP" (Challenge Handshake Authentication Protocol) authentication protocols. Note
The only permitted values for this element are "POP" (Password Authentication Protocol) and "CHAP" (Challenge Handshake Authentication Protocol) authentication protocols.
> [!Note]
> **AuthName** and **AuthSecret** are not created if **AuthType** isn't included in the initial device configuration. **AuthName** and **AuthSecret** cannot be changed if **AuthType** isn't included in the provisioning XML used to make the change.
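Review bot: removing the stray "Note" at the end of the AUTHTYPE sentence is right, but the same line still says ""POP" (Password Authentication Protocol)", and the value does not match its own expansion: the protocol abbreviated as Password Authentication Protocol is PAP, and the NAP CSP page edited in this same change lists it as PAP. Verify against the WAP-183 ProvCont spec whether Windows really accepts the literal POP before changing it, but the value and the expansion cannot both be right as written.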

View File

@ -13,11 +13,22 @@ manager: dansimp
# NetworkProxy CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The NetworkProxy configuration service provider (CSP) is used to configure a proxy server for ethernet and Wi-Fi connections. These settings do not apply to VPN connections. This CSP was added in Windows 10, version 1703.
How the settings work:
- If auto-detect is enabled, the system tries to find the path to a proxy auto config (PAC) script and download it.
- If auto-detect is enabled, the system tries to find the path to a Proxy Auto Config (PAC) script and download it.
- If #1 fails and a setup script is specified, the system tries to download the explicitly configured PAC script.
- If #2 fails and a proxy server is specified, the system tries to use the explicitly configured proxy server.
- Otherwise, the system tries to reach the site directly.
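Review bot: the four bullets refer to each other by number ("If #1 fails", "If #2 fails") but are formatted as an unordered list, so make it a numbered list. More importantly, the order documents a precedence the page should state plainly: with auto-detect enabled, a discovered PAC script is used ahead of the explicitly configured setup script or proxy server, which only take effect if auto-detection fails. An admin who sets an explicit proxy for policy reasons needs to read here that auto-detect must also be turned off for that setting to be authoritative.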

View File

@ -13,6 +13,17 @@ manager: dansimp
# NetworkQoSPolicy CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The NetworkQoSPolicy configuration service provider creates network Quality of Service (QoS) policies. A QoS policy performs a set of actions on network traffic based on a set of matching conditions. This CSP was added in Windows 10, version 1703.
The following conditions are supported:
@ -71,7 +82,7 @@ NetworkQoSPolicy
<p>The supported operations are Add, Get, Delete, and Replace.
<a href="" id="name-apppathnamematchcondition"></a>***Name*/AppPathNameMatchCondition**
<p>Specifies the name of an application to be used to match the network traffic, such as application.exe or %ProgramFiles%\application.exe.
<p>Specifies the name of an application to be used to match the network traffic, such as `application.exe` or `%ProgramFiles%\application.exe`.
<p>The data type is char.
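Review bot: the backticks added around `application.exe` and `%ProgramFiles%\application.exe` sit inside a raw `<p>` element that is never closed; inline Markdown inside HTML blocks is not reliably rendered, so the backticks may show literally. Either use `<code>` inside the `<p>`, or drop the `<p>` wrapper on these description lines and let them be plain Markdown paragraphs.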
@ -111,7 +122,7 @@ NetworkQoSPolicy
<p>The supported operations are Add, Get, Delete, and Replace.
<a href="" id="name-dscpaction"></a>***Name*/DSCPAction**
<p>The differentiated services code point (DSCP) value to apply to matching network traffic.
<p>The Differentiated Services Code Point (DSCP) value to apply to matching network traffic.
<p>Valid values are 0-63.

View File

@ -14,6 +14,16 @@ ms.date: 06/26/2017
# NodeCache CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The NodeCache configuration service provider is used to manage the client cache. This configuration service provider is to be used only by enterprise management servers. It provides a level of abstraction that decouples the management of the node list from a specific backing store. It synchronizes the client cache with the server side cache. It also provides an API for monitoring device-side cache changes.
@ -72,7 +82,7 @@ NodeCache
Required. The root node for the NodeCache object. Supported operation is Get. This configuration service provider is used for enterprise device management only. This parameter's value is a predefined MIME type to identify this managed object in OMA DM syntax.
<a href="" id="providerid"></a>***ProviderID***
Optional. Group settings per DM server. Each group of settings is distinguished by the servers Provider ID. It should be the same DM server **PROVIDER-ID** value that was supplied through the [w7 APPLICATION configuration service provider](w7-application-csp.md) XML during the enrollment process. Only one enterprise management server is supported. That is, there should be only one *ProviderID* node under **NodeCache**. Scope is dynamic.
Optional. Group settings per DM server. Each group of settings is distinguished by the servers Provider ID. It should be the same DM server **PROVIDER-ID** value that was supplied through the [w7 APPLICATION configuration service provider](w7-application-csp.md) XML during the enrollment process. Only one enterprise management server is supported. That is, there should be only one **ProviderID** node under **NodeCache**. Scope is dynamic.
Supported operations are Get, Add, and Delete.
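Review bot: "distinguished by the servers Provider ID" needs the possessive "server's"; this hunk only changes the italics on *ProviderID* to bold and leaves that typo in the rewritten line.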
@ -383,10 +393,11 @@ It represents this example:
<Node Id="20" Uri="./DevDetail/Ext/Microsoft/DeviceName">U09NRU5FV1ZBTFVF</Node>
</Nodes>
```
Id is the node Id that was added by the MDM server, and Uri is the path that the node is tracking.
If a Uri isn't set, the node will always be reported as changed, as in Node Id 10.
The value inside of the node tag is the actual value returned by the Uri, which means that for Node Id 20 the DeviceName didn't match what was previously expected, and the device name is now U09NRU5FV1ZBTFVF instead of what it was previously.
Id is the node ID that was added by the MDM server, and Uri is the path that the node is tracking.
If a Uri is not set, the node will always be reported as changed, as in Node ID 10.
The value inside of the node tag is the actual value returned by the Uri, which means that for Node ID 20 the DeviceName did not match what was previously expected, and the device name is now U09NRU5FV1ZBTFVF instead of what it was previously.
## Related topics
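Review bot: "the device name is now U09NRU5FV1ZBTFVF" is misleading: that string is the Base64 encoding of SOMENEWVALUE, which is the actual new DeviceName the Uri returned. Since the sentence is being edited anyway, say that node values come back Base64-encoded, for example "the device name is now SOMENEWVALUE (returned Base64-encoded as U09NRU5FV1ZBTFVF)". Without that, a reader comparing the raw string against the expected name will always see a mismatch and may conclude the cache is broken.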

View File

@ -13,6 +13,16 @@ manager: dansimp
# Office CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The Office configuration service provider (CSP) enables a Microsoft Office client to be installed on a device via the Office Deployment Tool (ODT). For more information, see [Configuration options for the Office Deployment Tool](/deployoffice/office-deployment-tool-configuration-options) and [How to assign Office 365 apps to Windows 10 devices with Microsoft Intune](/intune/apps-add-office365).

View File

@ -14,7 +14,19 @@ ms.date: 07/19/2019
# PassportForWork CSP
The PassportForWork configuration service provider is used to provision Windows Hello for Business (formerly Microsoft Passport for Work). It allows you to sign in to Windows using your Active Directory or Azure Active Directory account and replace passwords, smartcards, and virtual smart cards.
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The PassportForWork configuration service provider is used to provision Windows Hello for Business (formerly Microsoft Passport for Work). It allows you to log in to Windows using your Active Directory or Azure Active Directory account and replace passwords, smartcards, and virtual smart cards.
> [!IMPORTANT]
> Starting with Windows 10, version 1607 all devices only have one PIN associated with Windows Hello for Business. This means that any PIN on a device will be subject to the policies specified in the PassportForWork CSP. The values specified take precedence over any complexity rules set via Exchange ActiveSync (EAS) or the DeviceLock CSP.
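Review bot: "It allows you to log in to Windows" replaces the original "sign in"; Microsoft style uses "sign in" for Windows and Azure AD authentication, so this edit moves the wrong way. Keep "sign in" and only take the applicability table and the moved intro sentence from this hunk.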

View File

@ -13,6 +13,17 @@ manager: dansimp
# Personalization CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Windows SE|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The Personalization CSP can set the lock screen and desktop background images. Setting these policies also prevents the user from changing the image. You can also use the Personalization settings in a provisioning package.
This CSP was added in Windows 10, version 1703.

View File

@ -9,7 +9,7 @@ ms.prod: w10
ms.technology: windows
author: dansimp
ms.localizationpriority: medium
ms.date: 03/01/2022
ms.date: 06/06/2022
---
# Policies in Policy CSP supported by HoloLens 2
@ -50,11 +50,15 @@ ms.date: 03/01/2022
- [DeviceLock/MinDevicePasswordLength](policy-csp-devicelock.md#devicelock-mindevicepasswordlength)
- [Experience/AllowCortana](policy-csp-experience.md#experience-allowcortana)
- [Experience/AllowManualMDMUnenrollment](policy-csp-experience.md#experience-allowmanualmdmunenrollment)
- [MixedReality/AADGroupMembershipCacheValidityInDays](policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays)
- [MixedReality/AADGroupMembershipCacheValidityInDays](./policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays) <sup>9</sup>
- [MixedReality/AutoLogonUser](./policy-csp-mixedreality.md#mixedreality-autologonuser) <sup>10</sup>
- [MixedReality/AutoLogonUser](./policy-csp-mixedreality.md#mixedreality-autologonuser) <sup>11</sup>
- [MixedReality/BrightnessButtonDisabled](./policy-csp-mixedreality.md#mixedreality-brightnessbuttondisabled) <sup>9</sup>
- [MixedReality/ConfigureMovingPlatform](policy-csp-mixedreality.md#mixedreality-configuremovingplatform) <sup>*[Feb. 2022 Servicing release](/hololens/hololens-release-notes#windows-holographic-version-21h2---february-2022-update)</sup>
- [MixedReality/FallbackDiagnostics](./policy-csp-mixedreality.md#mixedreality-fallbackdiagnostics) <sup>9</sup>
- [MixedReality/HeadTrackingMode](policy-csp-mixedreality.md#mixedreality-headtrackingmode) <sup>9</sup>
- [MixedReality/MicrophoneDisabled](./policy-csp-mixedreality.md#mixedreality-microphonedisabled) <sup>9</sup>
- [MixedReality/VisitorAutoLogon](policy-csp-mixedreality.md#mixedreality-visitorautologon) <sup>10</sup>
- [MixedReality/VolumeButtonDisabled](./policy-csp-mixedreality.md#mixedreality-volumebuttondisabled) <sup>9</sup>
- [Power/DisplayOffTimeoutOnBattery](./policy-csp-power.md#power-displayofftimeoutonbattery) <sup>9</sup>
- [Power/DisplayOffTimeoutPluggedIn](./policy-csp-power.md#power-displayofftimeoutpluggedin) <sup>9</sup>
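Review bot: ConfigureMovingPlatform still carries an inline link as its availability marker (`<sup>*[Feb. 2022 Servicing release](...)</sup>`) while every neighbouring entry uses a numbered footnote; since this change already renumbers the footnotes and introduces footnote 10 for Windows Holographic 21H1, fold the February 2022 servicing release into a footnote of its own (12) so the list uses one scheme. Also, VisitorAutoLogon is added with footnote 10 and AutoLogonUser is moved from 10 to 11; confirm those map to 21H1 and 21H2 respectively, since the meaning of 10 changes in this same commit.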
@ -102,13 +106,13 @@ ms.date: 03/01/2022
- [Update/ActiveHoursStart](./policy-csp-update.md#update-activehoursstart) <sup>9</sup>
- [Update/AllowAutoUpdate](policy-csp-update.md#update-allowautoupdate)
- [Update/AllowUpdateService](policy-csp-update.md#update-allowupdateservice)
- [Update/AutoRestartNotificationSchedule](policy-csp-update.md#update-autorestartnotificationschedule) <sup>10</sup>
- [Update/AutoRestartRequiredNotificationDismissal](policy-csp-update.md#update-autorestartrequirednotificationdismissal) <sup>10</sup>
- [Update/AutoRestartNotificationSchedule](policy-csp-update.md#update-autorestartnotificationschedule) <sup>11</sup>
- [Update/AutoRestartRequiredNotificationDismissal](policy-csp-update.md#update-autorestartrequirednotificationdismissal) <sup>11</sup>
- [Update/BranchReadinessLevel](policy-csp-update.md#update-branchreadinesslevel)
- [Update/ConfigureDeadlineForFeatureUpdates](policy-csp-update.md#update-configuredeadlineforfeatureupdates) <sup>10</sup>
- [Update/ConfigureDeadlineForQualityUpdates](policy-csp-update.md#update-configuredeadlineforqualityupdates) <sup>10</sup>
- [Update/ConfigureDeadlineGracePeriod](policy-csp-update.md#update-configuredeadlinegraceperiod) <sup>10</sup>
- [Update/ConfigureDeadlineNoAutoReboot](policy-csp-update.md#update-configuredeadlinenoautoreboot) <sup>10</sup>
- [Update/ConfigureDeadlineForFeatureUpdates](policy-csp-update.md#update-configuredeadlineforfeatureupdates) <sup>11</sup>
- [Update/ConfigureDeadlineForQualityUpdates](policy-csp-update.md#update-configuredeadlineforqualityupdates) <sup>11</sup>
- [Update/ConfigureDeadlineGracePeriod](policy-csp-update.md#update-configuredeadlinegraceperiod) <sup>11</sup>
- [Update/ConfigureDeadlineNoAutoReboot](policy-csp-update.md#update-configuredeadlinenoautoreboot) <sup>11</sup>
- [Update/DeferFeatureUpdatesPeriodInDays](policy-csp-update.md#update-deferfeatureupdatesperiodindays)
- [Update/DeferQualityUpdatesPeriodInDays](policy-csp-update.md#update-deferqualityupdatesperiodindays)
- [Update/ManagePreviewBuilds](policy-csp-update.md#update-managepreviewbuilds)
@ -116,10 +120,10 @@ ms.date: 03/01/2022
- [Update/PauseQualityUpdates](policy-csp-update.md#update-pausequalityupdates)
- [Update/ScheduledInstallDay](policy-csp-update.md#update-scheduledinstallday)
- [Update/ScheduledInstallTime](policy-csp-update.md#update-scheduledinstalltime)
- [Update/ScheduleImminentRestartWarning](policy-csp-update.md#update-scheduleimminentrestartwarning) <sup>10</sup>
- [Update/ScheduleRestartWarning](policy-csp-update.md#update-schedulerestartwarning) <sup>10</sup>
- [Update/ScheduleImminentRestartWarning](policy-csp-update.md#update-scheduleimminentrestartwarning) <sup>11</sup>
- [Update/ScheduleRestartWarning](policy-csp-update.md#update-schedulerestartwarning) <sup>11</sup>
- [Update/SetDisablePauseUXAccess](policy-csp-update.md#update-setdisablepauseuxaccess)
- [Update/UpdateNotificationLevel](policy-csp-update.md#update-updatenotificationlevel) <sup>10</sup>
- [Update/UpdateNotificationLevel](policy-csp-update.md#update-updatenotificationlevel) <sup>11</sup>
- [Wifi/AllowManualWiFiConfiguration](policy-csp-wifi.md#wifi-allowmanualwificonfiguration)
- [Wifi/AllowWiFi](policy-csp-wifi.md#wifi-allowwifi) <sup>8</sup>
@ -133,8 +137,9 @@ Footnotes:
- 6 - Available in Windows 10, version 1903.
- 7 - Available in Windows 10, version 1909.
- 8 - Available in Windows 10, version 2004.
- 9 - Available in [Windows Holographic, version 20H2](/hololens/hololens-release-notes#windows-holographic-version-20h2)
- 10 - Available in [Windows Holographic, version 21H2](/hololens/hololens-release-notes#windows-holographic-version-21h2)
- 9 - Available in [Windows Holographic, version 20H2](/hololens/hololens-release-notes-2004#windows-holographic-version-20h2)
- 10 - Available in [Windows Holographic, version 21H1](/hololens/hololens-release-notes#windows-holographic-version-21h1)
- 11 - Available in [Windows Holographic, version 21H2](/hololens/hololens-release-notes#windows-holographic-version-21h2)
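Review bot: inserting a new footnote 10 (21H1) and shifting the old 10 to 11 is done consistently in the hunks shown here (AutoLogonUser and every Update/* entry move from 10 to 11), but a renumbering of this kind is easy to miss in parts of the list this diff does not touch; grep the page for any remaining `<sup>10</sup>` that still means 21H2. The 20H2 footnote also now links to `hololens-release-notes-2004#windows-holographic-version-20h2` while 21H1 and 21H2 stay on `hololens-release-notes`; confirm that anchor exists on the 2004 page before merging.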
## Related topics

View File

@ -41,6 +41,7 @@ manager: dansimp
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
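Review bot: the Windows SE row is added to a table that has no Business row, unlike the applicability tables added to the CSP pages elsewhere in this change (Home, Pro, Windows SE, Business, Enterprise, Education); check whether Business is genuinely unsupported for this policy or just missing, and add the row either way so the tables are comparable.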

View File

@ -31,6 +31,12 @@ manager: dansimp
<dd>
<a href="#accounts-allowmicrosoftaccountsigninassistant">Accounts/AllowMicrosoftAccountSignInAssistant</a>
</dd>
<dd>
<a href="#accounts-domainnamesforemailsync">Accounts/DomainNamesForEmailSync</a>
</dd>
<dd>
<a href="#accounts-restricttoenterprisedeviceauthenticationonly">Accounts/RestrictToEnterpriseDeviceAuthenticationOnly</a>
</dd>
</dl>
@ -45,6 +51,7 @@ manager: dansimp
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
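Review bot: this SKU table for the first Accounts policy also lacks a Business row (Home, Pro, Windows SE, Enterprise, Education) while the next table in the same file lists Business as Yes/Yes; since the Windows SE row is being inserted here anyway, add Business with the correct value rather than leaving the two tables inconsistent.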
@ -61,12 +68,12 @@ manager: dansimp
<!--/Scope-->
<!--Description-->
Specifies whether user is allowed to add non-MSA email accounts.
Specifies whether user is allowed to add email accounts other than Microsoft account.
Most restricted value is 0.
> [!NOTE]
> This policy will only block UI/UX-based methods for adding non-Microsoft accounts. Even if this policy is enforced, you can still provision non-MSA accounts using the [EMAIL2 CSP](email2-csp.md).
> This policy will only block UI/UX-based methods for adding non-Microsoft accounts.
<!--/Description-->
<!--SupportedValues-->
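Review bot: the rewrite drops the second half of the note, "Even if this policy is enforced, you can still provision non-MSA accounts using the EMAIL2 CSP", and keeps only "This policy will only block UI/UX-based methods for adding non-Microsoft accounts." The dropped sentence was the concrete statement of the policy's limits: an admin relying on this setting needs to know that MDM provisioning still adds such accounts. If the EMAIL2 CSP page is being removed, replace the link with plain text ("for example, through an MDM-provisioned email profile") rather than deleting the caveat.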
@ -89,6 +96,7 @@ The following list shows the supported values:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@ -106,7 +114,7 @@ The following list shows the supported values:
<!--/Scope-->
<!--Description-->
Specifies whether the user is allowed to use an MSA account for non-email related connection authentication and services.
Specifies whether the user is allowed to use a Microsoft account for non-email related connection authentication and services.
Most restricted value is 0.
@ -131,6 +139,7 @@ The following list shows the supported values:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@ -151,10 +160,10 @@ The following list shows the supported values:
Added in Windows 10, version 1703. Allows IT Admins the ability to disable the "Microsoft Account Sign-In Assistant" (wlidsvc) NT service.
> [!NOTE]
> If the MSA service is disabled, Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher. See [Feature updates are not being offered while other updates are](/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are).
> If the Microsoft account service is disabled, Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher. See [Feature updates are not being offered while other updates are](/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are).
> [!NOTE]
> If the MSA service is disabled, the Subscription Activation feature will not work properly and your users will not be able to “step-up” from Windows 10 Pro to Windows 10 Enterprise, because the MSA ticket for license authentication cannot be generated. The machine will remain on Windows 10 Pro and no error will be displayed in the Activation Settings app.
> If the Microsoft account service is disabled, the Subscription Activation feature will not work properly and your users will not be able to “step-up” from Windows 10 Pro to Windows 10 Enterprise, because the Microsoft account ticket for license authentication cannot be generated. The machine will remain on Windows 10 Pro and no error will be displayed in the Activation Settings app.
<!--/Description-->
<!--SupportedValues-->
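Review bot: the two consecutive `[!NOTE]` blocks at the end of this hunk both describe side effects of disabling wlidsvc (feature updates stop being offered; Subscription Activation step-up silently fails) and would read better as one note with two bullets, so an admin weighing this policy sees both consequences together. The terminology swap itself is fine; "Microsoft Account Sign-In Assistant" is the service display name and should stay as written. Since the same file later adds Accounts/RestrictToEnterpriseDeviceAuthenticationOnly, which blocks only user authentication while keeping device authentication, consider cross-referencing it here as the narrower control for admins who want to limit wlidsvc without turning the service off.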
@ -168,9 +177,90 @@ The following list shows the supported values:
<hr/>
<!--Policy-->
<a href="" id="accounts-domainnamesforemailsync"></a>**Accounts/DomainNamesForEmailSync**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
<!--/Description-->
<!--SupportedValues-->
The following list shows the supported values:
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="accounts-restricttoenterprisedeviceauthenticationonly"></a>**Accounts/RestrictToEnterpriseDeviceAuthenticationOnly**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|Yes|
|Business|No|Yes|
|Enterprise|No|Yes|
|Education|No|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Added in Windows 11, version 22H2. This setting determines whether to only allow enterprise device authentication for the Microsoft Account Sign-in Assistant service (wlidsvc). By default, this setting is disabled and allows both user and device authentication. When the value is set to 1, we only allow device authentication and block user authentication.
Most restricted value is 1.
<!--/Description-->
<!--SupportedValues-->
The following list shows the supported values:
- 0 (default) - Allow both device and user authentication.
- 1 - Only allow device authentication. Block user authentication.
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--/Policies-->
<!--/Policies-->
## Related topics
[Policy CSP](policy-configuration-service-provider.md)
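Review bot: Accounts/DomainNamesForEmailSync ships with an empty Description section and a "The following list shows the supported values:" line that is followed by no values, so the page documents a policy name and nothing else; either fill in the description, data type and value list or leave the policy out until that text exists. The SupportedSKUs table for Accounts/RestrictToEnterpriseDeviceAuthenticationOnly omits the Windows SE row that this commit adds to every other table in the file (`|Windows SE|No|Yes|`); it should state SE support explicitly, even if the answer is No. The description's "we only allow device authentication" should be rephrased in the impersonal voice used elsewhere ("only device authentication is allowed; user authentication is blocked"). Finally, `<!--/Policies-->` appears twice in a row at the end of the hunk; drop the duplicate so the comment markers stay balanced.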

View File

@ -45,6 +45,7 @@ manager: dansimp
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
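Review bot: this SupportedSKUs table has no Business row, whereas the tables in the other files touched by this commit list Business between Windows SE and Enterprise. If Business is genuinely unsupported for this policy, say so with an explicit `|Business|No|No|` row rather than omitting it; the same applies to the identical tables in the next two files.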

View File

@ -45,6 +45,7 @@ manager: dansimp
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|

View File

@ -129,10 +129,11 @@ ADMX Info:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|||
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|||
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
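Review bot: this hunk changes the Pro row from `|Pro|No|No|` to `|Pro|Yes|Yes|` and fills the previously empty `|Business|||` and `|Education|||` cells with Yes/Yes; that is a change to the support matrix, not a wording fix, and nothing in the commit explains where the new values come from. Please cite the source for the Pro and Business availability (policy DDF or ADMX mapping) in the PR description so reviewers can verify it. The same No-to-Yes flip for Pro and Business repeats in every subsequent hunk of this file and in the following files, so one confirmation covers all of them. Filling the blank cells is correct regardless; an empty cell in a support table reads as unknown.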
@ -186,8 +187,9 @@ ADMX Info:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@ -244,8 +246,9 @@ ADMX Info:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@ -303,8 +306,9 @@ ADMX Info:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@ -358,8 +362,9 @@ ADMX Info:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@ -413,8 +418,9 @@ ADMX Info:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@ -469,8 +475,9 @@ ADMX Info:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@ -524,8 +531,9 @@ ADMX Info:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@ -582,8 +590,9 @@ ADMX Info:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@ -639,8 +648,9 @@ ADMX Info:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|

View File

@ -54,6 +54,7 @@ manager: dansimp
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@ -96,6 +97,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@ -141,6 +143,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@ -186,6 +189,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|

View File

@ -76,8 +76,9 @@ manager: dansimp
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@ -129,8 +130,9 @@ ADMX Info:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@ -176,8 +178,9 @@ ADMX Info:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@ -227,8 +230,9 @@ ADMX Info:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@ -278,8 +282,9 @@ ADMX Info:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@ -332,8 +337,9 @@ ADMX Info:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@ -375,8 +381,9 @@ ADMX Info:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@ -425,8 +432,9 @@ ADMX Info:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@ -474,8 +482,9 @@ ADMX Info:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|

View File

@ -43,8 +43,9 @@ manager: dansimp
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|

View File

@ -52,8 +52,9 @@ manager: dansimp
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@ -98,8 +99,9 @@ ADMX Info:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@ -144,8 +146,9 @@ ADMX Info:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@ -192,8 +195,9 @@ ADMX Info:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|

View File

@ -55,8 +55,9 @@ manager: dansimp
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@ -106,8 +107,9 @@ ADMX Info:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes
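Review bot: the last row of this table, `|Education|Yes|Yes`, is missing its trailing pipe, unlike every other row in the commit; some Markdown renderers tolerate this, but it is inconsistent with the surrounding tables and should be `|Education|Yes|Yes|`.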
@ -157,8 +159,9 @@ ADMX Info:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@ -204,8 +207,9 @@ ADMX Info:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@ -251,8 +255,9 @@ ADMX Info:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|

View File

@ -43,8 +43,9 @@ manager: dansimp
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|

Some files were not shown because too many files have changed in this diff.