diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index 4a67054982..ab57f2990f 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -6635,6 +6635,86 @@
 "redirect_url": "/education/windows/switch-to-pro-education",
 "redirect_document_id": false
 },
+ {
+ "source_path": "windows/client-management/administrative-tools-in-windows-10.md",
+ "redirect_url": "/windows/client-management/client-tools/administrative-tools-in-windows",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/client-management/change-default-removal-policy-external-storage-media.md",
+ "redirect_url": "/windows/client-management/client-tools/change-default-removal-policy-external-storage-media",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/client-management/connect-to-remote-aadj-pc.md",
+ "redirect_url": "/windows/client-management/client-tools/connect-to-remote-aadj-pc",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/client-management/group-policies-for-enterprise-and-education-editions.md",
+ "redirect_url": "https://www.microsoft.com/en-us/search/explore?q=Group+Policy+Settings+Reference+Spreadsheet",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/client-management/manage-device-installation-with-group-policy.md",
+ "redirect_url": "/windows/client-management/client-tools/manage-device-installation-with-group-policy",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/client-management/manage-settings-app-with-group-policy.md",
+ "redirect_url": "/windows/client-management/client-tools/manage-settings-app-with-group-policy",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/client-management/mandatory-user-profile.md",
+ "redirect_url": "/windows/client-management/client-tools/mandatory-user-profile",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/client-management/new-policies-for-windows-10.md",
+ "redirect_url": "https://www.microsoft.com/en-us/search/explore?q=Group+Policy+Settings+Reference+Spreadsheet",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/client-management/quick-assist.md",
+ "redirect_url": "/windows/client-management/client-tools/quick-assist",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/client-management/windows-libraries.md",
+ "redirect_url": "/windows/client-management/client-tools/windows-libraries",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/client-management/windows-version-search.md",
+ "redirect_url": "/windows/client-management/client-tools/windows-version-search",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/client-management/manage-corporate-devices.md",
+ "redirect_url": "/windows/client-management/manage-windows-10-in-your-organization-modern-management",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/client-management/add-an-azure-ad-tenant-and-azure-ad-subscription.md",
+ "redirect_url": "/azure/active-directory/fundamentals/active-directory-access-create-new-tenant",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/client-management/register-your-free-azure-active-directory-subscription.md",
+ "redirect_url": "/microsoft-365/compliance/use-your-free-azure-ad-subscription-in-office-365",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/client-management/appv-deploy-and-config.md",
+ "redirect_url": "/windows/application-management/app-v/appv-for-windows",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/client-management/diagnose-mdm-failures-in-windows-10.md",
+ "redirect_url": "/windows/client-management/mdm-collect-logs",
+ "redirect_document_id": false
+ },
 {
 "source_path": "windows/client-management/mdm/policy-admx-backed.md",
 "redirect_url": "/windows/client-management/mdm/policy-configuration-service-provider",
@@ -19772,7 +19852,7 @@
 },
 {
 "source_path": "windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md",
- "redirect_url": "/windows/client-management/diagnose-mdm-failures-in-windows-10",
+ "redirect_url": "/windows/client-management/mdm-collect-logs",
 "redirect_document_id": false
 },
 {
@@ -20734,7 +20814,7 @@
 "source_path": "windows/deployment/update/quality-updates.md",
 "redirect_url": "/windows/deployment/update/release-cycle",
 "redirect_document_id": false
- },
+ },
 {
 "source_path": "windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md",
 "redirect_url": "/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy",
diff --git a/windows/client-management/add-an-azure-ad-tenant-and-azure-ad-subscription.md b/windows/client-management/add-an-azure-ad-tenant-and-azure-ad-subscription.md
deleted file mode 100644
index 160a97cca0..0000000000
--- a/windows/client-management/add-an-azure-ad-tenant-and-azure-ad-subscription.md
+++ /dev/null
@@ -1,99 +0,0 @@ ---- -title: Add an Azure AD tenant and Azure AD subscription -description: Here's a step-by-step guide to adding an Azure Active Directory tenant, adding an Azure AD subscription, and registering your subscription. -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: article -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 06/26/2017 ---- - -# Add an Azure AD tenant and Azure AD subscription - -Here's a step-by-step guide to adding an Azure Active Directory tenant, adding an Azure AD subscription, and registering your subscription. - -> **Note**  If you have paid subscriptions to Office 365, Microsoft Dynamics CRM Online, Enterprise Mobility Suite, or other Microsoft services, you have a free subscription to Azure AD. For step-by-step guide to register this free subscription, see [Register your free Azure Active Directory subscription.](#register-your-free-azure-active-directory-subscription) - - -1. Sign up for Azure AD tenant from [this website](https://account.windowsazure.com/organization) by creating an administrator account for your organization. - - ![sign up for azure ad tenant.](images/azure-ad-add-tenant1.png) - -2. Enter the information for your organization. Select **check availability** to verify that domain name that you selected is available. - - ![sign up for azure ad.](images/azure-ad-add-tenant2.png) - -3. Complete the login and country information. Enter a valid phone number, then select **Send text message** or **Call me**. - - ![create azure account.](images/azure-ad-add-tenant3.png) - -4. Enter the code that you receive and then select **Verify code**. After the code is verified and the continue button turns green, select **continue**. - - ![add aad tenant.](images/azure-ad-add-tenant3-b.png) - -5. After you finish creating your Azure account, you can add an Azure AD subscription. 
- - If you don't have a paid subscription to any Microsoft service, you can purchase an Azure AD premium subscription. Go to the Office 356 portal at https://portal.office.com/, and then sign in using the admin account that you created in Step 4 (for example, user1@contosoltd.onmicrosoftcom). - - ![login to office 365](images/azure-ad-add-tenant4.png) - -6. Select **Install software**. - - ![login to office 365 portal](images/azure-ad-add-tenant5.png) - -7. In the Microsoft 365 admin center, select **Purchase Services** from the left navigation. - - ![purchase service option in admin center menu.](images/azure-ad-add-tenant6.png) - -8. On the **Purchase services** page, scroll down until you see **Azure Active Directory Premium**, then select to purchase. - - ![azure active directory option in purchase services page.](images/azure-ad-add-tenant7.png) - -9. Continue with your purchase. - - ![azure active directory premium payment page.](images/azure-ad-add-tenant8.png) - -10. After the purchase is completed, you can log on to your Office 365 Admin Portal and you'll see the **Azure AD** option from the Admin drop-down menu along with other services (SharePoint and Exchange). - - ![admin center left navigation menu.](images/azure-ad-add-tenant9.png) - - When you choose Azure AD, it will take you to the Azure AD portal where you can manage your Azure AD applications. - -## Register your free Azure Active Directory subscription - -If you have paid subscriptions to Office 365, Microsoft Dynamics CRM Online, Enterprise Mobility Suite, or other Microsoft services, you have a free subscription to Azure AD. Here's a step-by-step guide to register your free Azure AD subscription using an Office 365 Premium Business subscription. - -1. Sign in to the Microsoft 365 admin center at using your organization's account. - - ![register in azuread.](images/azure-ad-add-tenant10.png) - -2. On the **Home** page, select on the Admin tools icon. 
- - ![register in azure-ad.](images/azure-ad-add-tenant11.png) - -3. On the **Admin center** page, hover your mouse over the Admin tools icon on the left and then click **Azure AD**. This option will take you to the Azure Active Directory sign-up page and brings up your existing Office 365 organization account information. - - ![register azuread](images/azure-ad-add-tenant12.png) - -4. On the **Sign up** page, make sure to enter a valid phone number and then click **Sign up**. - - ![registration in azure-ad](images/azure-ad-add-tenant13.png) - -5. It may take a few minutes to process the request. - - ![registration in azuread.](images/azure-ad-add-tenant14.png) - -6. You'll see a welcome page when the process completes. - - ![register screen of azuread](images/azure-ad-add-tenant15.png) - - - - - - - - diff --git a/windows/client-management/appv-deploy-and-config.md b/windows/client-management/appv-deploy-and-config.md deleted file mode 100644 index f0c9843f27..0000000000 --- a/windows/client-management/appv-deploy-and-config.md +++ /dev/null @@ -1,485 +0,0 @@ ---- -title: Deploy and configure App-V apps using MDM -description: Configure, deploy, and manage Microsoft Application Virtualization (App-V) apps using Microsoft Intune or App-V server. -ms.author: vinpa -ms.topic: article -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 06/26/2017 -ms.reviewer: -manager: aaroncz ---- - -# Deploy and configure App-V apps using MDM - -## Executive summary - -

Microsoft Application Virtualization (App-V) apps have typically been configured, deployed, and managed through on-premises group policies or App-V server. In Windows 10, version 1703, App-V apps can be configured, deployed, and managed using mobile device management (MDM), matching their on-premises counterparts.

- -

MDM services can be used to publish App-V packages to clients running Windows 10, version 1703 (or later). All capabilities such as App-V enablement, configuration, and publishing can be completed using the EnterpriseAppVManagement CSP.

- -### EnterpriseAppVManagement CSP node structure - -[EnterpriseAppVManagement CSP reference](mdm/enterpriseappvmanagement-csp.md) - -The following example shows the EnterpriseAppVManagement configuration service provider in tree format. - -```console -./Vendor/MSFT -EnterpriseAppVManagement -----AppVPackageManagement ---------EnterpriseID -------------PackageFamilyName ----------------PackageFullName -------------------Name -------------------Version -------------------Publisher -------------------InstallLocation -------------------InstallDate -------------------Users -------------------AppVPackageID -------------------AppVVersionId -------------------AppVPackageUri -----AppVPublishing ---------LastSync -------------LastError -------------LastErrorDescription -------------SyncStatusDescription -------------SyncProgress ---------Sync -------------PublishXML -----AppVDynamicPolicy ---------ConfigurationId -------------Policy -``` - -

(./User/Vendor/MSFT/EnterpriseAppVManagement) contains the following subnodes.

- -

AppVPublishing - An exec action node that contains the App-V publishing configuration for an MDM device (applied globally to all users for that device) or a specific MDM user.

- -- EnterpriseAppVManagement - - AppVPackageManagement - - **AppVPublishing** - - LastSync - - LastError - - LastErrorDescription - - SyncStatusDescription - - SyncProgress - - Sync - - PublishXML - - AppVDynamicPolicy - -

Sync command:

- -[App-V Sync protocol reference](https://msdn.microsoft.com/enus/library/mt739986.aspx) - -

AppVDynamicPolicy - A read/write node that contains the App-V dynamic configuration for an MDM device (applied globally to all users for that device) or a specific MDM user.

- -- EnterpriseAppVManagement - - AppVPackageManagement - - AppVPublishing - - **AppVDynamicPolicy** - - [ConfigurationId] - - Policy - -

Dynamic policy examples:

- -[Dynamic configuration processing](/windows/application-management/app-v/appv-application-publishing-and-client-interaction#dynamic-configuration-processing) - -

AppVPackageManagement - Primarily read-only App-V package inventory data for MDM servers to query current packages.

- -- EnterpriseAppVManagement - - **AppVPackageManagement** - - [EnterpriseID] - - [PackageFamilyName] - - [PackageFullName] - - Name - - Version - - Publisher - - InstallLocation - - InstallDate - - Users - - AppVPackageID - - AppVVersionId - - AppVPackageUri - - AppVPublishing - - AppVDynamicPolicy - -

The examples in the scenarios section demonstrate how the publishing document should be created to successfully publish packages, dynamic policies, and connection groups.

- -## Scenarios addressed in App-V MDM functionality - -

All App-V group policies will be reflected by having a corresponding CSP that can be set using the Policy CSP. The CSPs match all on-premises App-V configuration capabilities. In addition, new App-V package management capability has been added to closely match the App-V PowerShell functionality.

- -

A complete list of App-V policies can be found here:

- -[ADMX-backed policy reference](mdm/policy-configuration-service-provider.md) - -[EnterpriseAppVManagement CSP reference](mdm/enterpriseappvmanagement-csp.md) - -### SyncML examples - -

The following SyncML examples address specific App-V client scenarios.

- -#### Enable App-V client - -

This example shows how to enable App-V on the device.

- -```xml - - $CmdID$ - - - chr - text/plain - - - ./Device/Vendor/MSFT/Policy/Config/AppVirtualization/AllowAppvClient - - - - -``` - -#### Configure App-V client - -

This example shows how to allow package scripts to run during package operations (publish, run, and unpublish). Allowing package scripts helps package deployments (add and publish of App-V apps).

- -```xml - - $CmdID$ - - - chr - text/plain - - - ./Device/Vendor/MSFT/Policy/Config/AppVirtualization/AllowPackageScripts - - - - -``` - -

Complete list of App-V policies can be found here:

- -[Policy CSP](mdm/policy-configuration-service-provider.md) - -#### SyncML with package published for a device (global to all users for that device) - -

This SyncML example shows how to publish a package globally on an MDM enrolled device for all device users.

- -```xml - - $CmdID$ - - - ./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync - - - node - - - - - $CmdID$ - - - ./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXM L - - - xml - text/plain - - - - - - - - - - - - - -``` - -

*PackageUrl can be a UNC or HTTP/HTTPS endpoint.

- -#### SyncML with package (with dynamic configuration policy) published for a device (global to all users on that device) - -

This SyncML example shows how to publish a package globally, with a policy that adds two shortcuts for the package, on an MDM enrolled device.

- -```xml - - $CmdID$ - - - ./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVDynamicPolicy/38/Policy - - - xml - text/plain - - - - - - - - - - - [{ThisPCDesktopFolder}]\Skype_FromMDM.lnk - [{ProgramFilesX86}]\Skype\Phone\Skype.exe - [{Windows}]\Installer\{FC965A47-4839-40CA-B61818F486F042C6}\SkypeIcon.exe.0.ico - - [{ProgramFilesX86}]\Skype\ - Skype.Desktop.Application - Launch Skype - 1 - [{ProgramFilesX86}]\Skype\Phone\Skype.exe - - - - - [{Common Desktop}]\Skype_FromMDMAlso.lnk - [{ProgramFilesX86}]\Skype\Phone\Skype.exe - [{Windows}]\Installer\{FC965A47-4839-40CA-B61818F486F042C6}\SkypeIcon.exe.0.ico - - [{ProgramFilesX86}]\Skype\ - Skype.Desktop.Application - Launch Skype - 1 - [{ProgramFilesX86}]\Skype\Phone\Skype.exe - - - - - - - - - - - - $CmdID$ - - - ./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync - - - node - - - - - $CmdID$ - - - ./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXM L - - - xml - text/plain - - - - - - - - - - - - - - -``` - -

*PackageUrl can be a UNC or HTTP/HTTPS endpoint.

- -#### SyncML with package (using user config deployment) published for a specific user - -

This SyncML example shows how to publish a package for a specific MDM user.

- -```xml - - $CmdID$ - - - ./User/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync - - - node - - - - - $CmdID$ - - - ./User/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXML< /LocURI> - - - xml - text/plain - - - - - - - - - - - - - -``` - -#### SyncML for publishing mixed-mode connection group containing global and user-published packages - -

This SyncML example shows how to publish a connection group, and group applications and plugins together.

- -> [!NOTE] -> The user connection group has the user-only package as optional in this example, which implies users without the optional package can continue to launch the global package within the same connection group. - -```xml - - $CmdID$ - - - ./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync - - - node - - - - - $CmdID$ - - - ./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXM L - - - xml - text/plain - - - - - - - - - - - - $CmdID$ - - - ./User/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync - - - node - - - - - $CmdID$ - - - ./User/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXML< /LocURI> - - - xml - text/plain - - - - - - - - - - - - - - - - - - - - -``` - -#### Unpublish example SyncML for all global packages - -

This SyncML example shows how to unpublish all global packages on the device by sending an empty package and connection group list in the SyncML.

- -```xml - - $CmdID$ - - - ./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync - - - node - - - - - $CmdID$ - - - ./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXML - - - xml - text/plain - - - - - - - - - -``` - -#### Query packages on a device - -

These SyncML examples return all global, and user-published packages on the device.

- -```xml - - $CmdID$ - - - ./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement?list=StructData - - - -``` - -```xml - - $CmdID$ - - - ./User/Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement?list=StructData - - - -``` \ No newline at end of file diff --git a/windows/client-management/azure-active-directory-integration-with-mdm.md b/windows/client-management/azure-active-directory-integration-with-mdm.md index 5cd9b9cbb6..0bb98be706 100644 --- a/windows/client-management/azure-active-directory-integration-with-mdm.md +++ b/windows/client-management/azure-active-directory-integration-with-mdm.md 
@@ -9,159 +9,94 @@ ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft ms.collection: - - highpri - - tier2 -ms.date: 12/31/2017 +- highpri +- tier2 +ms.date: 04/05/2023 +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 --- # Azure Active Directory integration with MDM -Azure Active Directory is the world's largest enterprise cloud identity management service. It’s used by organizations to access Office 365 and business applications from Microsoft and third-party software as a service (SaaS) vendors. Many of the rich Windows 10 experiences for organizational users (such as store access or OS state roaming) use Azure AD as the underlying identity infrastructure. Windows integrates with Azure AD, allowing devices to be registered in Azure AD and enrolled into MDM in an integrated flow. +Azure Active Directory is the world's largest enterprise cloud identity management service. It's used by organizations to access Microsoft 365 and business applications from Microsoft and third-party software as a service (SaaS) vendors. Many of the rich Windows experiences for organizational users (such as store access or OS state roaming) use Azure AD as the underlying identity infrastructure. Windows integrates with Azure AD, allowing devices to be registered in Azure AD and enrolled into MDM in an integrated flow. Once a device is enrolled in MDM, the MDM: - Can enforce compliance with organization policies, add or remove apps, and more. -- Can report a device’s compliance in Azure AD. +- Can report a device's compliance in Azure AD. - Azure AD can allow access to organization resources or applications secured by Azure AD to devices that comply with policies. -To support these rich experiences with their MDM product, MDM vendors can integrate with Azure AD. This article describes the steps involved. 
- -## Connect to Azure AD - -Several ways to connect your devices: - -For company-owned devices: -- Join Windows to a traditional Active Directory domain -- Join Windows to Azure AD - -For personal devices (BYOD): -- Add a Microsoft work account to Windows - -### Azure AD Join - -Company owned devices are traditionally joined to the on-premises Active Directory domain of the organization. These devices can be managed using Group Policy or computer management software such as Microsoft Configuration Manager. In Windows 10, it’s also possible to manage domain joined devices with an MDM. - -Windows 10 introduces a new way to configure and deploy organization owned Windows devices. This mechanism is called Azure AD Join. Like traditional domain join, Azure AD Join allows devices to become known and managed by an organization. However, with Azure AD Join, Windows authenticates to Azure AD instead of authenticating to a domain controller. - -Azure AD Join also enables company owned devices to be automatically enrolled in, and managed by an MDM. Furthermore, Azure AD Join can be performed on a store-bought PC, in the out-of-box experience (OOBE), which helps organizations streamline their device deployment. An administrator can require that users belonging to one or more groups enroll their devices for management with an MDM. If a user is configured to require automatic enrollment during Azure AD Join, this enrollment becomes a mandatory step to configure Windows. If the MDM enrollment fails, then the device won't be joined to Azure AD. - -> [!IMPORTANT] -> Every user enabled for automatic MDM enrollment with Azure AD Join must be assigned a valid [Azure Active Directory Premium](/previous-versions/azure/dn499825(v=azure.100)) license. - - -### BYOD scenario - -Windows 10 also introduces a simpler way to configure personal devices to access work apps and resources. 
Users can add their Microsoft work account to Windows and enjoy simpler and safer access to the apps and resources of the organization. During this process, Azure AD detects if the organization has configured an MDM. If that’s the case, Windows attempts to enroll the device in MDM as part of the “add account” flow. In the BYOD case, users can reject the MDM Terms of Use. The device isn't enrolled in MDM and access to organization resources is typically restricted. +To support these rich experiences with their MDM product, MDM vendors can integrate with Azure AD. ## Integrated MDM enrollment and UX -Two Azure AD MDM enrollment scenarios: -- Joining a device to Azure AD for company-owned devices -- Adding a work account to a personal device (BYOD) +There are several ways to connect your devices to Azure AD: -In both scenarios, Azure AD authenticates the user and the device. It provides a verified unique device identifier that can be used for MDM enrollment. +- [Join device to Azure AD](/azure/active-directory/devices/concept-azure-ad-join) +- [Join device to on-premises AD and Azure AD](/azure/active-directory/devices/concept-azure-ad-join-hybrid) +- [Add a Microsoft work account to Windows](/azure/active-directory/devices/concept-azure-ad-register) -In both scenarios, the enrollment flow provides an opportunity for the MDM service to render its own UI, using a web view. MDM vendors should use the UI to render the Terms of Use (TOU), which can be different for company-owned and BYOD devices. MDM vendors can also use the web view to render more UI elements, such as asking for a one-time PIN. +In each scenario, Azure AD authenticates the user and the device. It provides a verified unique device identifier that can be used for MDM enrollment. The enrollment flow provides an opportunity for the MDM service to render its own UI, using a web view. 
MDM vendors should use the UI to render the Terms of Use (TOU), which can be different for company-owned and bring-your-own-device (BYOD) devices. MDM vendors can also use the web view to render more UI elements, such as asking for a one-time PIN. -In the out-of-the-box scenario, the web view is 100% full screen, which gives the MDM vendor the ability to paint an edge-to-edge experience. With great power comes great responsibility! It's important that MDM vendors who integrate with Azure AD respect the Windows design guidelines. This step includes using a responsive web design and respecting the Windows accessibility guidelines. For example, include the forward and back buttons that are properly wired to the navigation logic. More details are provided later in this article. +In Windows 10, the web view during the out-of-the-box scenario is displayed as full-screen by default, providing MDM vendors with the capability to create a seamless edge-to-edge user experience. However, in Windows 11 the web view is rendered within an iframe. It's important that MDM vendors who integrate with Azure AD respect the Windows design guidelines. This step includes using a responsive web design and respecting the Windows accessibility guidelines. For example, include the forward and back buttons that are properly wired to the navigation logic. More details are provided later in this article. -For Azure AD enrollment to work for an Active Directory Federated Services (AD FS) backed Azure AD account, you must enable password authentication for the intranet on the ADFS service. For more information, see solution \#2 in [Configure Azure MFA as authentication provider with AD FS](/windows-server/identity/ad-fs/operations/configure-ad-fs-and-azure-mfa). +For Azure AD enrollment to work for an Active Directory Federated Services (AD FS) backed Azure AD account, you must enable password authentication for the intranet on the ADFS service. 
For more information, see [Configure Azure MFA as authentication provider with AD FS](/windows-server/identity/ad-fs/operations/configure-ad-fs-and-azure-mfa). -Once a user has an Azure AD account added to Windows and enrolled in MDM, the enrollment can be managed through **Settings** > **Accounts** > **Work access**. Device management of either Azure AD Join for organization scenarios or BYOD scenarios is similar. +Once a user has an Azure AD account added to Windows and enrolled in MDM, the enrollment can be managed through **Settings** > **Accounts** > **Access work or school**. Device management of either Azure AD Join for organization scenarios or BYOD scenarios is similar. > [!NOTE] -> Users can't remove the device enrollment through the **Work access** user interface because management is tied to the Azure AD or work account. +> Users can't remove the device enrollment through the **Access work or school** user interface because management is tied to the Azure AD or work account. - -### MDM endpoints involved in Azure AD–integrated enrollment +### MDM endpoints involved in Azure AD integrated enrollment Azure AD MDM enrollment is a two-step process: -1. Display the Terms of Use and gather user consent. +1. Display the Terms of Use and gather user consent: This consent is a passive flow where the user is redirected in a browser control (webview) to the URL of the Terms of Use of the MDM. +1. Enroll the device: This step is an active flow where Windows OMA DM agent calls the MDM service to enroll the device. - This consent is a passive flow where the user is redirected in a browser control (webview) to the URL of the Terms of Use of the MDM. +To support Azure AD enrollment, MDM vendors must host and expose a **Terms of Use endpoint** and an **MDM enrollment endpoint**. -2. Enroll the device. +- **Terms of Use endpoint**: Use this endpoint to inform users of the ways in which their device can be controlled by their organization. 
The Terms of Use page is responsible for collecting user's consent before the actual enrollment phase begins. - This step is an active flow where Windows OMA DM agent calls the MDM service to enroll the device. + It's important to understand the Terms of Use flow is an "opaque box" to Windows and Azure AD. The whole web view is redirected to the Terms of Use URL. The user should be redirected back after approving or rejecting the Terms. This design allows the MDM vendor to customize their Terms of Use for different scenarios. For example, different levels of control are applied on BYOD vs. organization-owned devices. Or, implement user/group based targeting, like users in certain geographies may have stricter device management policies. -To support Azure AD enrollment, MDM vendors must host and expose a Terms of Use endpoint and an MDM enrollment endpoint. + The Terms of Use endpoint can implement more business logic, such as collecting a one-time PIN provided by IT to control device enrollment. However, MDM vendors must not use the Terms of Use flow to collect user credentials, which can be a degraded user experience. It's not needed, since part of the MDM integration ensures that the MDM service can understand tokens issued by Azure AD. -**Terms of Use endpoint** -Use this endpoint to inform users of the ways in which their device can be controlled by their organization. The Terms of Use page is responsible for collecting user’s consent before the actual enrollment phase begins. +- **MDM enrollment endpoint**: After the users accept the Terms of Use, the device is registered in Azure AD. Automatic MDM enrollment begins. -It’s important to understand the Terms of Use flow is an "opaque box" to Windows and Azure AD. The whole web view is redirected to the Terms of Use URL. The user should be redirected back after approving or rejecting the Terms. This design allows the MDM vendor to customize their Terms of Use for different scenarios. 
For example, different levels of control are applied on BYOD vs. organization-owned devices. Or, implement user/group based targeting, like users in certain geographies may have stricter device management policies. + The following diagram illustrates the high-level flow involved in the actual enrollment process. The device is first registered with Azure AD. This process assigns a unique device identifier to the device and presents the device with the ability to authenticate itself with Azure AD (device authentication). Then, the device is enrolled for management with the MDM. This step calls the enrollment endpoint and requests enrollment for the user and device. At this point, the user has been authenticated and device has been registered and authenticated with Azure AD. This information is available to the MDM in the form of claims within an access token presented at the enrollment endpoint. -The Terms of Use endpoint can implement more business logic, such as collecting a one-time PIN provided by IT to control device enrollment. However, MDM vendors must not use the Terms of Use flow to collect user credentials, which can be a degraded user experience. It’s not needed, since part of the MDM integration ensures that the MDM service can understand tokens issued by Azure AD. + [![azure ad enrollment flow](images/azure-ad-enrollment-flow.png)](images/azure-ad-enrollment-flow.png#lightbox) -**MDM enrollment endpoint** -After the users accepts the Terms of Use, the device is registered in Azure AD. Automatic MDM enrollment begins. + The MDM is expected to use this information about the device (Device ID) when reporting device compliance back to Azure AD using the [Microsoft Graph API](/azure/active-directory/develop/active-directory-graph-api). A sample for reporting device compliance is provided later in this article. -The following diagram illustrates the high-level flow involved in the actual enrollment process. The device is first registered with Azure AD. 
This process assigns a unique device identifier to the device and presents the device with the ability to authenticate itself with Azure AD (device authentication). Then, the device is enrolled for management with the MDM. This step calls the enrollment endpoint and requests enrollment for the user and device. At this point, the user has been authenticated and device has been registered and authenticated with Azure AD. This information is available to the MDM in the form of claims within an access token presented at the enrollment endpoint.
-
-![azure ad enrollment flow.](images/azure-ad-enrollment-flow.png)
-
-The MDM is expected to use this information about the device (Device ID) when reporting device compliance back to Azure AD using the [Microsoft Graph API](/azure/active-directory/develop/active-directory-graph-api). A sample for reporting device compliance is provided later in this article.
-
-## Make the MDM a reliable party of Azure AD
+## Make MDM a reliable party of Azure AD
To participate in the integrated enrollment flow outlined in the previous section, the MDM must consume access tokens issued by Azure AD. To report compliance with Azure AD, the MDM must authenticate itself to Azure AD and obtain authorization in the form of an access token that allows it to invoke the [Microsoft Graph API](/azure/active-directory/develop/active-directory-graph-api).
-### Add a cloud-based MDM
+### Cloud-based MDM
A cloud-based MDM is a SaaS application that provides device management capabilities in the cloud. It's a multi-tenant application. This application is registered with Azure AD in the home tenant of the MDM vendor. When an IT admin decides to use this MDM solution, an instance of this application is made visible in the tenant of the customer.
-The MDM vendor must first register the application in their home tenant and mark it as a multi-tenant application.
Here a code sample from GitHub that explains how to add multi-tenant applications to Azure AD, [WepApp-WebAPI-MultiTenant-OpenIdConnect-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613661).
+The MDM vendor must first register the application in their home tenant and mark it as a multi-tenant application. For more information about how to add multi-tenant applications to Azure AD, see the [Integrate an app that authenticates users and calls Microsoft Graph using the multi-tenant integration pattern (SaaS)](https://go.microsoft.com/fwlink/p/?LinkId=613661) code sample on GitHub.
> [!NOTE]
-> For the MDM provider, if you don't have an existing Azure AD tenant with an Azure AD subscription that you manage, follow the step-by-step guide in [Add an Azure AD tenant and Azure AD subscription](add-an-azure-ad-tenant-and-azure-ad-subscription.md) to set up a tenant, add a subscription, and manage it via the Azure Portal.
+> For the MDM provider, if you don't have an existing Azure AD tenant with an Azure AD subscription that you manage, follow the step-by-step guides below:
+>
+> - [Quickstart: Create a new tenant in Azure Active Directory](/azure/active-directory/fundamentals/active-directory-access-create-new-tenant) to set up a tenant.
+> - [Associate or add an Azure subscription to your Azure Active Directory tenant](/azure/active-directory/fundamentals/active-directory-how-subscriptions-associated-directory) to add a subscription, and manage it via the Azure Portal.
-The MDM application uses keys to request access tokens from Azure AD. These keys are managed within the tenant of the MDM provider and not visible to individual customers. The same key is used by the multi-tenant MDM application to authenticate itself with Azure AD, whatever the customer tenant the managed device belongs.
+The MDM application uses keys to request access tokens from Azure AD. These keys are managed within the tenant of the MDM provider and not visible to individual customers.
The same key is used by the multi-tenant MDM application to authenticate itself with Azure AD, in the customer tenant where the managed device belongs.
> [!NOTE]
-> All MDM apps must implement Azure AD V2 tokens before we certify that integration works. Due to changes in the Azure AD app platform, using Azure AD V2 tokens is a hard requirement. For more information, see [Microsoft identity platform access tokens](/azure/active-directory/develop/access-tokens#token-formats-and-ownership).
+> All MDM apps must implement Azure AD V2 tokens before we certify that integration works. Due to changes in the Azure AD app platform, using Azure AD V2 tokens is a hard requirement. For more information, see [Microsoft identity platform access tokens](/azure/active-directory/develop/access-tokens#token-formats).
-Use the following steps to register a cloud-based MDM application with Azure AD. At this time, you need to work with the Azure AD engineering team to expose this application through the Azure AD app gallery.
+### On-premises MDM
-1. Log on to the Azure Management Portal using an admin account in your home tenant.
+An on-premises MDM application is different than a cloud MDM. It's a single-tenant application that is present uniquely within the tenant of the customer. Customers must add the application directly within their own tenant. Also, each instance of an on-premises MDM application must be registered separately and have a separate key for authentication with Azure AD.
-2. In the left navigation, select **Active Directory**.
-
-3. Select the directory tenant where you want to register the application.
-
- Ensure you're logged into your home tenant.
-
-4. Select the **Applications** tab.
-
-5. In the drawer, select **Add**.
-
-6. Select **Add an application my organization is developing**.
-
-7. Enter a friendly name for the application, such as ContosoMDM, select **Web Application and or Web API**, then select **Next**.
-
-8.
Enter the logon URL for your MDM service.
-
-9. For the App ID, enter `https:///ContosoMDM`, then select OK.
-
-10. While still in the Azure portal, select the **Configure** tab of your application.
-
-11. Mark your application as **multi-tenant**.
-
-12. Find the client ID value and copy it.
-
- You'll need this ID later when configuring your application. This client ID is used when obtaining access tokens and adding applications to the Azure AD app gallery.
-
-13. Generate a key for your application and copy it.
-
- You need this key to call the Microsoft Graph API to report device compliance. This information is covered in the next section.
-
-For more information about how to register a sample application with Azure AD, see the steps to register the **TodoListService Web API** in [NativeClient-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613667).
-
-### Add an on-premises MDM
-
-An on-premises MDM application is different than a cloud MDM. It's a single-tenant application that is present uniquely within the tenant of the customer. Customers must add the application directly within their own tenant. Also, each instance of an on-premises MDM application must be registered separately and has a separate key for authentication with Azure AD.
-
-To add an on-premises MDM application to the tenant, use the Azure AD service, specifically under **Mobility (MDM and MAM)** > **Add application**. Administrators can configure the required URLs for enrollment and Terms of Use.
+To add an on-premises MDM application to the tenant, use the Azure AD service, specifically under **Mobility (MDM and MAM)** > **Add application** > **Create your own application**. Administrators can configure the required URLs for enrollment and Terms of Use.
Your on-premises MDM product must expose a configuration experience where administrators can provide the client ID, app ID, and the key configured in their directory for that MDM application.
You can use this client ID and key to request tokens from Azure AD when reporting device compliance.
@@ -173,24 +108,21 @@ The application keys used by your MDM service are a sensitive resource. They sho
For security best practices, see [Windows Azure Security Essentials](/dotnet/api/system.identitymodel.tokens.jwt.jwtsecuritytokenhandler).
-You can roll over the application keys used by a cloud-based MDM service without requiring a customer interaction. There's a single set of keys across all customer tenants that are managed by the MDM vendor in their Azure AD tenant.
+For cloud-based MDM, you can roll over the application keys without requiring a customer interaction. There's a single set of keys across all customer tenants that are managed by the MDM vendor in their Azure AD tenant.
For the on-premises MDM, the Azure AD authentication keys are within the customer tenant and must be rolled over by the customer's administrator. To improve security, provide guidance to customers about rolling over and protecting the keys.
## Publish your MDM app to Azure AD app gallery
-
IT administrators use the Azure AD app gallery to add an MDM for their organization to use. The app gallery is a rich store with over 2400 SaaS applications that are integrated with Azure AD.
-The following image show how MDM applications show up in the Azure app gallery.
-
-![azure ad add an app for mdm.](images/azure-ad-app-gallery.png)
-
### Add cloud-based MDM to the app gallery
> [!NOTE]
> You should work with the Azure AD engineering team if your MDM application is cloud-based and needs to be enabled as a multi-tenant MDM application
+To publish your application, [submit a request to publish your application in Azure Active Directory application gallery](/azure/active-directory/manage-apps/v2-howto-app-gallery-listing)
+
The following table shows the required information to create an entry in the Azure AD app gallery.
|Item|Description|
@@ -201,8 +133,6 @@ The following table shows the required information to create an entry in the Azu
|**Description**|A brief description of your MDM app, which must be under 255 characters.|
|**Icons**|A set of logo icons for the MDM app. Dimensions: 45 X 45, 150 X 122, 214 X 215|
-
-
### Add on-premises MDM to the app gallery
There are no special requirements for adding on-premises MDM to the app gallery. There's a generic entry for administrators to add an app to their tenant.
@@ -215,11 +145,11 @@ The pages rendered by the MDM in the integrated enrollment process must use Wind
There are three distinct scenarios:
-1. MDM enrollment as part of Azure AD Join in Windows OOBE.
-2. MDM enrollment as part of Azure AD Join, after Windows OOBE from **Settings**.
-3. MDM enrollment as part of adding a Microsoft work account on a personal device (BYOD).
+1. MDM enrollment as part of Azure AD Join in Windows OOBE.
+1. MDM enrollment as part of Azure AD Join, after Windows OOBE from **Settings**.
+1. MDM enrollment as part of adding a Microsoft work account on a personal device (BYOD).
-These scenarios support Windows client Pro, Enterprise, and Education.
+These scenarios support Windows Pro, Enterprise, and Education.
The CSS files provided by Microsoft contain version information and we recommend that you use the latest version. There are separate CSS files for Windows client devices, OOBE, and post-OOBE experiences. [Download the Windows templates and CSS files (1.1.4)](https://download.microsoft.com/download/0/7/0/0702afe3-dc1e-48f6-943e-886a4876f6ca/MDM-ISV_1.1.4.zip).
@@ -256,7 +186,7 @@ The following parameters are passed in the query string:
Azure AD issues a bearer access token. The token is passed in the authorization header of the HTTP request. Here's a typical format:
-**Authorization: Bearer** CI6MTQxmCF5xgu6yYcmV9ng6vhQfaJYw…
+**Authorization: Bearer** CI6MTQxmCF5xgu6yYcmV9ng6vhQfaJYw...
The following claims are expected in the access token passed by Windows to the Terms of Use endpoint:
@@ -267,13 +197,12 @@ The following claims are expected in the access token passed by Windows to the T
|TID|A claim representing the tenant ID of the tenant. In the example above, it's Fabrikam.|
|Resource|A sanitized URL representing the MDM application. Example: `https://fabrikam.contosomdm.com` |
-
> [!NOTE]
> There's no device ID claim in the access token because the device may not yet be enrolled at this time.
To retrieve the list of group memberships for the user, you can use the [Microsoft Graph API](/azure/active-directory/develop/active-directory-graph-api).
-Here's an example URL.
+Here's an example URL:
```http
https://fabrikam.contosomdm.com/TermsOfUse?redirect_uri=ms-appx-web://ContosoMdm/ToUResponse&client-request-id=34be581c-6ebd-49d6-a4e1-150eff4b7213&api-version=1.0
@@ -288,8 +217,8 @@ The MDM may do other more redirects as necessary before displaying the Terms of
The Terms of Use content should contain the following buttons:
-- **Accept** - the user accepts the Terms of Use and proceeds with enrollment.
-- **Decline** - the user declines and stops the enrollment process.
+- **Accept** - the user accepts the Terms of Use and proceeds with enrollment.
+- **Decline** - the user declines and stops the enrollment process.
The Terms of Use content must be consistent with the theme used for the other pages rendered during this process.
@@ -297,13 +226,13 @@ The Terms of Use content must be consistent with the theme used for the other pa
At this point, the user is on the Terms of Use page shown during the OOBE or from the Setting experiences. The user has the following options on the page:
-- **User clicks on the Accept button** - The MDM must redirect to the URI specified by the redirect\_uri parameter in the incoming request. The following query string parameters are expected:
- - **IsAccepted** - This Boolean value is required, and must be set to true.
- - **OpaqueBlob** - Required parameter if the user accepts. The MDM may use this blob to make some information available to the enrollment endpoint. The value persisted here is made available unchanged at the enrollment endpoint. The MDM may use this parameter for correlation purposes.
- - Here's an example redirect - `ms-appx-web://MyApp1/ToUResponse?OpaqueBlob=value&IsAccepted=true`
-- **User clicks on the Decline button** - The MDM must redirect to the URI specified in redirect\_uri in the incoming request. The following query string parameters are expected:
- - **IsAccepted** - This Boolean value is required, and must be set to false. This option also applies if the user skipped the Terms of Use.
- - **OpaqueBlob** - This parameter isn't expected to be used. The enrollment is stopped with an error message shown to the user.
+- **User clicks on the Accept button** - The MDM must redirect to the URI specified by the redirect\_uri parameter in the incoming request. The following query string parameters are expected:
+ - **IsAccepted** - This Boolean value is required, and must be set to true.
+ - **OpaqueBlob** - Required parameter if the user accepts. The MDM may use this blob to make some information available to the enrollment endpoint. The value persisted here is made available unchanged at the enrollment endpoint. The MDM may use this parameter for correlation purposes.
+ - Here's an example redirect - `ms-appx-web://MyApp1/ToUResponse?OpaqueBlob=value&IsAccepted=true`
+- **User clicks on the Decline button** - The MDM must redirect to the URI specified in redirect\_uri in the incoming request. The following query string parameters are expected:
+ - **IsAccepted** - This Boolean value is required, and must be set to false. This option also applies if the user skipped the Terms of Use.
+ - **OpaqueBlob** - This parameter isn't expected to be used. The enrollment is stopped with an error message shown to the user.
Users skip the Terms of Use when they're adding a Microsoft work account to their device. However, they can't skip it during the Azure AD Join process. Don't show the decline button in the Azure AD Join process. MDM enrollment can't be declined by the user if configured by the administrator for the Azure AD Join.
@@ -311,7 +240,7 @@ We recommend that you send the client-request-id parameters in the query string
### Terms Of Use Error handling
-If an error occurs during the terms of use processing, the MDM can return two parameters – an error and error\_description parameter in its redirect request back to Windows. The URL should be encoded, and the contents of the error\_description should be in English plain text. This text isn't visible to the end-user. So, localization of the error description text isn't a concern.
+If an error occurs during the terms of use processing, the MDM can return two parameters - an `error` and `error_description` parameter in its redirect request back to Windows. The URL should be encoded, and the contents of the `error_description` should be in English plain text. This text isn't visible to the end-user. So, localization of the `error_description` text isn't a concern.
Here's the URL format:
@@ -334,7 +263,6 @@ The following table shows the error codes.
|Azure AD token validation failed|302|unauthorized_client|unauthorized_client|
|internal service error|302|server_error|internal service error|
-
## Enrollment protocol with Azure AD
With Azure integrated MDM enrollment, there's no discovery phase and the discovery URL is directly passed down to the system from Azure. The following table shows the comparison between the traditional and Azure enrollments.
@@ -355,41 +283,43 @@ With Azure integrated MDM enrollment, there's no discovery phase and the discove
|Enrolled certificate store|My/User|My/System|My/User|
|CSR subject name|User Principal Name|Device ID|User Principal Name|
|EnrollmentData Terms of Use binary blob as AdditionalContext for EnrollmentServiceURL|Not supported|Supported|Supported|
-|CSPs accessible during enrollment|Windows 10 support:
- DMClient
- CertificateStore
- RootCATrustedCertificates
- ClientCertificateInstall
- EnterpriseModernAppManagement
- PassportForWork
- Policy
- w7 APPLICATION||| +|CSPs accessible during enrollment|Windows 10 support:
- DMClient
- CertificateStore
- RootCATrustedCertificates
- ClientCertificateInstall
- EnterpriseModernAppManagement
- PassportForWork
- Policy
- w7 APPLICATION|||
## Management protocol with Azure AD
There are two different MDM enrollment types that integrate with Azure AD, and use Azure AD user and device identities. Depending on the enrollment type, the MDM service may need to manage a single user or multiple users.
-**Multiple user management for Azure AD-joined devices**
-In this scenario the MDM enrollment applies to every Azure AD user who signs in to the Azure AD joined device - call this enrollment type a device enrollment or a multi-user enrollment. The management server can determine the user identity, determine what policies are targeted for this user, and send corresponding policies to the device. To allow management server to identify current user that is logged on to the device, the OMA DM client uses the Azure AD user tokens. Each management session contains an extra HTTP header that contains an Azure AD user token. This information is provided in the DM package sent to the management server. However, in some circumstances Azure AD user token isn't sent over to the management server. One such scenario happens immediately after MDM enrollments completes during Azure AD join process. Until Azure AD join process is finished and Azure AD user signs on to the machine, Azure AD user token isn't available to OMA-DM process. Typically, MDM enrollment completes before Azure AD user sign in to machine and the initial management session doesn't contain an Azure AD user token. The management server should check if the token is missing and only send device policies in such case. Another possible reason for a missing Azure AD token in the OMA-DM payload is when a guest user is logged on to the device.
+- **Multiple user management for Azure AD-joined devices**
-**Adding a work account and MDM enrollment to a device**
-In this scenario, the MDM enrollment applies to a single user who initially added their work account and enrolled the device.
In this enrollment type, the management server can ignore Azure AD tokens that may be sent over during management session. Whether Azure AD token is present or missing, the management server sends both user and device policies to the device.
+ In this scenario the MDM enrollment applies to every Azure AD user who signs in to the Azure AD joined device - call this enrollment type a device enrollment or a multi-user enrollment. The management server can determine the user identity, determine what policies are targeted for this user, and send corresponding policies to the device. To allow management server to identify current user that is logged on to the device, the OMA DM client uses the Azure AD user tokens. Each management session contains an extra HTTP header that contains an Azure AD user token. This information is provided in the DM package sent to the management server. However, in some circumstances Azure AD user token isn't sent over to the management server. One such scenario happens immediately after MDM enrollments completes during Azure AD join process. Until Azure AD join process is finished and Azure AD user signs on to the machine, Azure AD user token isn't available to OMA-DM process. Typically, MDM enrollment completes before Azure AD user sign in to machine and the initial management session doesn't contain an Azure AD user token. The management server should check if the token is missing and only send device policies in such case. Another possible reason for a missing Azure AD token in the OMA-DM payload is when a guest user is logged on to the device.
-**Evaluating Azure AD user tokens**
-The Azure AD token is in the HTTP Authorization header in the following format:
+- **Adding a work account and MDM enrollment to a device**:
-```console
-Authorization:Bearer
-```
+ In this scenario, the MDM enrollment applies to a single user who initially added their work account and enrolled the device.
In this enrollment type, the management server can ignore Azure AD tokens that may be sent over during management session. Whether Azure AD token is present or missing, the management server sends both user and device policies to the device.
-More claims may be present in the Azure AD token, such as:
+- **Evaluating Azure AD user tokens**:
-- User - user currently logged in
-- Device compliance - value set the MDM service into Azure
-- Device ID - identifies the device that is checking in
-- Tenant ID
+ The Azure AD token is in the HTTP Authorization header in the following format:
-Access tokens issued by Azure AD are JSON web tokens (JWTs). A valid JWT token is presented by Windows at the MDM enrollment endpoint to start the enrollment process. There are a couple of options to evaluate the tokens:
+ ```console
+ Authorization:Bearer
+ ```
-- Use the JWT Token Handler extension for WIF to validate the contents of the access token and extract claims required for use. For more information, see [JwtSecurityTokenHandler Class](/dotnet/api/system.identitymodel.tokens.jwt.jwtsecuritytokenhandler).
-- Refer to the Azure AD authentication code samples to get a sample for working with access tokens. For an example, see [NativeClient-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613667).
+ More claims may be present in the Azure AD token, such as:
+ - User - user currently logged in
+ - Device compliance - value set the MDM service into Azure
+ - Device ID - identifies the device that is checking in
+ - Tenant ID
+
+ Access tokens issued by Azure AD are JSON web tokens (JWTs). A valid JWT token is presented by Windows at the MDM enrollment endpoint to start the enrollment process. There are a couple of options to evaluate the tokens:
+
+ - Use the JWT Token Handler extension for WIF to validate the contents of the access token and extract claims required for use.
For more information, see [JwtSecurityTokenHandler Class](/dotnet/api/system.identitymodel.tokens.jwt.jwtsecuritytokenhandler).
+ - Refer to the Azure AD authentication code samples to get a sample for working with access tokens. For an example, see [NativeClient-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613667).
## Device Alert 1224 for Azure AD user token
-An alert is sent when the DM session starts and there's an Azure AD user logged in. The alert is sent in OMA DM pkg\#1. Here's an example:
+An alert is sent when the DM session starts and there's an Azure AD user logged in. The alert is sent in OMA DM package #1. Here's an example:
```xml
Alert Type: com.microsoft/MDM/AADUserToken
@@ -401,25 +331,25 @@ Alert sample:
1224
- com.microsoft/MDM/AADUserToken
+ com.microsoft/MDM/AADUserToken
UserToken inserted here
- … other XML tags …
+ ... other XML tags ...
```
## Determine when a user is logged in through polling
-An alert is sent to the MDM server in DM package\#1.
+An alert is sent to the MDM server in DM package \#1.
-- Alert type - com.microsoft/MDM/LoginStatus
-- Alert format - chr
-- Alert data - provide sign-in status information for the current active logged in user.
- - Signed-in user who has an Azure AD account - predefined text: user.
- - Signed-in user without an Azure AD account- predefined text: others.
- - No active user - predefined text:none
+- Alert type - com.microsoft/MDM/LoginStatus
+- Alert format - chr
+- Alert data - provide sign-in status information for the current active logged in user.
+ - Signed-in user who has an Azure AD account - predefined text: user.
+ - Signed-in user without an Azure AD account- predefined text: others.
+ - No active user - predefined text:none
Here's an example.
@@ -430,12 +360,12 @@ Here's an example.
1224
- com.microsoft/MDM/LoginStatus
+ com.microsoft/MDM/LoginStatus
user
- … other XML tags …
+ ... other XML tags ...
```
@@ -445,21 +375,21 @@ Once a device is enrolled with the MDM for management, organization policies con
For a sample that illustrates how an MDM can obtain an access token using OAuth 2.0 client\_credentials grant type, see [Daemon\_CertificateCredential-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613822).
-- **Cloud-based MDM** - If your product is a cloud-based multi-tenant MDM service, you have a single key configured for your service within your tenant. To obtain authorization, use this key to authenticate the MDM service with Azure AD.
-- **On-premises MDM** - If your product is an on-premises MDM, customers must configure your product with the key used to authenticate with Azure AD. This key configuration is because each on-premises instance of your MDM product has a different tenant-specific key. So, you may need to expose a configuration experience in your MDM product that enables administrators to specify the key to be used to authenticate with Azure AD.
+- **Cloud-based MDM** - If your product is a cloud-based multi-tenant MDM service, you have a single key configured for your service within your tenant. To obtain authorization, use this key to authenticate the MDM service with Azure AD.
+- **On-premises MDM** - If your product is an on-premises MDM, customers must configure your product with the key used to authenticate with Azure AD. This key configuration is because each on-premises instance of your MDM product has a different tenant-specific key. So, you may need to expose a configuration experience in your MDM product that enables administrators to specify the key to be used to authenticate with Azure AD.
### Use Microsoft Graph API
The following sample REST API call illustrates how an MDM can use the Microsoft Graph API to report compliance status of a device being managed by it.
> [!NOTE]
-> This API is only applicable for approved MDM apps on Windows 10 devices.
+> This API is only applicable for approved MDM apps on Windows devices.
```console Sample Graph API Request: PATCH https://graph.windows.net/contoso.com/devices/db7ab579-3759-4492-a03f-655ca7f52ae1?api-version=beta HTTP/1.1 -Authorization: Bearer eyJ0eXAiO……… +Authorization: Bearer eyJ0eXAiO......... Accept: application/json Content-Type: application/json { "isManaged":true, 
@@ -469,16 +399,16 @@ Content-Type: application/json
Where:
-- **contoso.com** – This value is the name of the Azure AD tenant to whose directory the device has been joined.
-- **db7ab579-3759-4492-a03f-655ca7f52ae1** – This value is the device identifier for the device whose compliance information is being reported to Azure AD.
-- **eyJ0eXAiO**……… – This value is the bearer access token issued by Azure AD to the MDM that authorizes the MDM to call the Microsoft Graph API. The access token is placed in the HTTP authorization header of the request.
-- **isManaged** and **isCompliant** - These Boolean attributes indicates compliance status.
-- **api-version** - Use this parameter to specify which version of the graph API is being requested.
+- **contoso.com** - This value is the name of the Azure AD tenant to whose directory the device has been joined.
+- **db7ab579-3759-4492-a03f-655ca7f52ae1** - This value is the device identifier for the device whose compliance information is being reported to Azure AD.
+- **eyJ0eXAiO**......... - This value is the bearer access token issued by Azure AD to the MDM that authorizes the MDM to call the Microsoft Graph API. The access token is placed in the HTTP authorization header of the request.
+- **isManaged** and **isCompliant** - These Boolean attributes indicates compliance status.
+- **api-version** - Use this parameter to specify which version of the graph API is being requested.
Response:
-- Success - HTTP 204 with No Content.
-- Failure/Error - HTTP 404 Not Found. This error may be returned if the specified device or tenant can't be found.
+- Success - HTTP 204 with No Content.
+- Failure/Error - HTTP 404 Not Found. This error may be returned if the specified device or tenant can't be found.
## Data loss during unenrollment from Azure Active Directory Join
@@ -488,41 +418,4 @@ When a user is enrolled into MDM through Azure Active Directory Join and then di ## Error codes -|Code|ID|Error message| -|--- |--- |--- | -|0x80180001|"idErrorServerConnectivity", // MENROLL_E_DEVICE_MESSAGE_FORMAT_ERROR|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}| -|0x80180002|"idErrorAuthenticationFailure", // MENROLL_E_DEVICE_AUTHENTICATION_ERROR|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.| -|0x80180003|"idErrorAuthorizationFailure", // MENROLL_E_DEVICE_AUTHORIZATION_ERROR|This user isn't authorized to enroll. You can try to do this again or contact your system administrator with the error code {0}.| -|0x80180004|"idErrorMDMCertificateError", // MENROLL_E_DEVICE_CERTIFCATEREQUEST_ERROR|There was a certificate error. You can try to do this again or contact your system administrator with the error code {0}.| -|0x80180005|"idErrorServerConnectivity", // MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}| -|0x80180006|"idErrorServerConnectivity", // MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}| -|0x80180007|"idErrorAuthenticationFailure", // MENROLL_E_DEVICE_INVALIDSECURITY_ERROR|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.| -|0x80180008|"idErrorServerConnectivity", // MENROLL_E_DEVICE_UNKNOWN_ERROR|There was an error communicating with the server. 
You can try to do this again or contact your system administrator with the error code {0}| -|0x80180009|"idErrorAlreadyInProgress", // MENROLL_E_ENROLLMENT_IN_PROGRESS|Another enrollment is in progress. You can try to do this again or contact your system administrator with the error code {0}.| -|0x8018000A|"idErrorMDMAlreadyEnrolled", // MENROLL_E_DEVICE_ALREADY_ENROLLED|This device is already enrolled. You can contact your system administrator with the error code {0}.| -|0x8018000D|"idErrorMDMCertificateError", // MENROLL_E_DISCOVERY_SEC_CERT_DATE_INVALID|There was a certificate error. You can try to do this again or contact your system administrator with the error code {0}.| -|0x8018000E|"idErrorAuthenticationFailure", // MENROLL_E_PASSWORD_NEEDED|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.| -|0x8018000F|"idErrorAuthenticationFailure", // MENROLL_E_WAB_ERROR|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.| -|0x80180010|"idErrorServerConnectivity", // MENROLL_E_CONNECTIVITY|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}| -|0x80180012|"idErrorMDMCertificateError", // MENROLL_E_INVALIDSSLCERT|There was a certificate error. You can try to do this again or contact your system administrator with the error code {0}.| -|0x80180013|"idErrorDeviceLimit", // MENROLL_E_DEVICECAPREACHED|Looks like there are too many devices or users for this account. Contact your system administrator with the error code {0}.| -|0x80180014|"idErrorMDMNotSupported", // MENROLL_E_DEVICENOTSUPPORTED|This feature isn't supported. Contact your system administrator with the error code {0}.| -|0x80180015|"idErrorMDMNotSupported", // MENROLL_E_NOTSUPPORTED|This feature isn't supported. 
Contact your system administrator with the error code {0}.| -|0x80180016|"idErrorMDMRenewalRejected", // MENROLL_E_NOTELIGIBLETORENEW|The server did not accept the request. You can try to do this again or contact your system administrator with the error code {0}.| -|0x80180017|"idErrorMDMAccountMaintenance", // MENROLL_E_INMAINTENANCE|The service is in maintenance. You can try to do this again later or contact your system administrator with the error code {0}.| -|0x80180018|"idErrorMDMLicenseError", // MENROLL_E_USERLICENSE|There was an error with your license. You can try to do this again or contact your system administrator with the error code {0}.| -|0x80180019|"idErrorInvalidServerConfig", // MENROLL_E_ENROLLMENTDATAINVALID|Looks like the server isn't correctly configured. You can try to do this again or contact your system administrator with the error code {0}.| -|"rejectedTermsOfUse"|"idErrorRejectedTermsOfUse"|Your organization requires that you agree to the Terms of Use. Please try again or ask your support person for more information.| -|0x801c0001|"idErrorServerConnectivity", // DSREG_E_DEVICE_MESSAGE_FORMAT_ERROR|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}| -|0x801c0002|"idErrorAuthenticationFailure", // DSREG_E_DEVICE_AUTHENTICATION_ERROR|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.| -|0x801c0003|"idErrorAuthorizationFailure", // DSREG_E_DEVICE_AUTHORIZATION_ERROR|This user isn't authorized to enroll. You can try to do this again or contact your system administrator with the error code {0}.| -|0x801c0006|"idErrorServerConnectivity", // DSREG_E_DEVICE_INTERNALSERVICE_ERROR|There was an error communicating with the server. 
You can try to do this again or contact your system administrator with the error code {0}| -|0x801c000B|"idErrorUntrustedServer", // DSREG_E_DISCOVERY_REDIRECTION_NOT_TRUSTED|The server being contacted isn't trusted. Contact your system administrator with the error code {0}.| -|0x801c000C|"idErrorServerConnectivity", // DSREG_E_DISCOVERY_FAILED|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}| -|0x801c000E|"idErrorDeviceLimit", // DSREG_E_DEVICE_REGISTRATION_QUOTA_EXCCEEDED|Looks like there are too many devices or users for this account. Contact your system administrator with the error code {0}.| -|0x801c000F|"idErrorDeviceRequiresReboot", // DSREG_E_DEVICE_REQUIRES_REBOOT|A reboot is required to complete device registration.| -|0x801c0010|"idErrorInvalidCertificate", // DSREG_E_DEVICE_AIK_VALIDATION_ERROR|Looks like you have an invalid certificate. Contact your system administrator with the error code {0}.| -|0x801c0011|"idErrorAuthenticationFailure", // DSREG_E_DEVICE_ATTESTATION_ERROR|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.| -|0x801c0012|"idErrorServerConnectivity", // DSREG_E_DISCOVERY_BAD_MESSAGE_ERROR|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}| -|0x801c0013|"idErrorAuthenticationFailure", // DSREG_E_TENANTID_NOT_FOUND|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.| -|0x801c0014|"idErrorAuthenticationFailure", // DSREG_E_USERSID_NOT_FOUND|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.| +[!INCLUDE [Enrollment error codes](includes/mdm-enrollment-error-codes.md)] 
diff --git a/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md b/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md index cc058826be..1c9d410723 100644 --- a/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md +++ b/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md 
@@ -1,33 +1,29 @@ --- -title: Azure AD and Microsoft Intune - Automatic MDM enrollment in the new Portal -description: Azure AD and Microsoft Intune - Automatic MDM enrollment in the new portal +title: Automatic MDM enrollment in the Intune admin center +description: Automatic MDM enrollment in the Intune admin center ms.author: vinpa ms.topic: article ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft -ms.date: 12/18/2020 -ms.reviewer: +ms.date: 04/05/2023 +ms.reviewer: manager: aaroncz +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 --- -# Azure AD and Microsoft Intune: Automatic MDM enrollment in the Intune admin center +# Automatic MDM enrollment in the Intune admin center -Microsoft Intune can be accessed directly using its own admin center. For more information, go to: - -- [Tutorial: Walkthrough Intune in Microsoft Intune admin center](/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager) -- Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). - -If you use the Azure portal, then you can access Intune using the following steps: +Windows devices can be enrolled in to Intune automatically when they join or register with Azure Active Directory. Automatic enrollment can be configured in Azure Portal. 1. Go to your Azure AD Blade. -2. Select **Mobility (MDM and MAM)**, and find the Microsoft Intune app. -3. Select **Microsoft Intune** and configure the blade. -![How to get to the Blade.](images/azure-mdm-intune.png) +1. Select **Mobility (MDM and MAM)**, and find the Microsoft Intune app. -Configure the blade +1. Select **Microsoft Intune** and configure the blade. You can specify settings to allow **All** users to enroll a device, or choose to allow **Some** users (and specify a group). 
-![Configure the Blade.](images/azure-intune-configure-scope.png) + ![Configure the Blade.](images/azure-intune-configure-scope.png) -You can specify settings to allow all users to enroll a device and make it Intune ready, or choose to allow some users (and then add a group of users). +1. Select **Save** to configure MDM auto-enrollment for Azure AD joined devices and bring-your-own-device scenarios. diff --git a/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md b/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md index c85858a2d0..a09f295976 100644 --- a/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md +++ b/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md 
@@ -1,50 +1,52 @@ --- title: Bulk enrollment -description: Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to reimage the devices. In Windows 10 and Windows 11. -MS-HAID: - - 'p\_phdevicemgmt.bulk\_enrollment' - - 'p\_phDeviceMgmt.bulk\_enrollment\_using\_Windows\_provisioning\_tool' -ms.reviewer: +description: Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to re-image the devices. +ms.reviewer: manager: aaroncz ms.author: vinpa ms.topic: article ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft -ms.date: 06/26/2017 +ms.date: 04/05/2023 +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 --- -# Bulk enrollment +# Bulk enrollment using Windows Configuration Designer -Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to reimage the devices. In Windows 10 and 11 desktop devices, you can use the [Provisioning CSP](mdm/provisioning-csp.md) for bulk enrollment, except for the Azure Active Directory Join (Cloud Domain Join) enrollment scenario. +Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to re-image the devices. You can use the [Provisioning CSP](mdm/provisioning-csp.md) for bulk enrollment, except for the Azure Active Directory Join enrollment scenario. ## Typical use cases -- Set up devices in bulk for large organizations to be managed by MDM. -- Set up kiosks, such as ATMs or point-of-sale (POS) terminals. -- Set up school computers. -- Set up industrial machinery. -- Set handheld POS devices. +- Set up devices in bulk for large organizations to be managed by MDM. +- Set up kiosks, such as ATMs or point-of-sale (POS) terminals. +- Set up school computers. +- Set up industrial machinery. +- Set handheld POS devices. 
-On the desktop, you can create an Active Directory account, such as "enrollment@contoso.com" and give it only the ability to join the domain. Once the desktop is joined with that admin account, then standard users in the domain can sign in to use it. This account is especially useful in getting a large number of desktop ready to use within a domain. +On the desktop, you can create an Active Directory account, such as `enrollment@contoso.com` and give it only the ability to join the domain. Once the desktop is joined with that admin account, then standard users in the domain can sign in to use it. This account is especially useful in getting a large number of desktop ready to use within a domain. On the desktop and mobile devices, you can use an enrollment certificate or enrollment username and password, such as `enroll@contoso.com` and `enrollmentpassword`. These credentials are used in the provisioning package, which you can use to enroll multiple devices to the MDM service. Once the devices are joined, many users can use them. > [!NOTE] -> - Bulk-join is not supported in Azure Active Directory Join. -> - Bulk enrollment does not work in Intune standalone environment. -> - Bulk enrollment works in Microsoft Intune where the ppkg is generated from the Configuration Manager console. -> - To change bulk enrollment settings, login to **AAD**, then **Devices**, and then click **Device Settings**. Change the number under **Maximum number of devices per user**. -> - Bulk Token creation is not supported with federated accounts. +> +> - Bulk-join is not supported in Azure Active Directory Join. +> - Bulk enrollment does not work in Intune standalone environment. +> - Bulk enrollment works in Microsoft Intune where the ppkg is generated from the Configuration Manager console. +> - To change bulk enrollment settings, login to **Azure AD**, then **Devices**, and then click **Device Settings**. Change the number under **Maximum number of devices per user**. 
+> - Bulk Token creation is not supported with federated accounts. ## What you need -- Windows 10 devices. -- Windows Configuration Designer (WCD) tool. +- Windows devices. +- Windows Configuration Designer (WCD) tool. To get the WCD tool, download from the [Microsoft Store](https://www.microsoft.com/store/productId/9NBLGGH4TX22). For more information about the WCD tool, see [Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd) and [Getting started with Windows WCD](/windows/configuration/provisioning-packages/provisioning-install-icd). -- Enrollment credentials (domain account for enrollment, generic enrollment credentials for MDM, enrollment certificate for MDM.). -- Wi-Fi credentials, computer name scheme, and anything else required by your organization. + +- Enrollment credentials (domain account for enrollment, generic enrollment credentials for MDM, enrollment certificate for MDM.). +- Wi-Fi credentials, computer name scheme, and anything else required by your organization. Some organizations require custom APNs to be provisioned before talking to the enrollment endpoint or custom VPN to join a domain. 
@@ -53,112 +55,105 @@ On the desktop and mobile devices, you can use an enrollment certificate or enro Using the WCD, create a provisioning package using the enrollment information required by your organization. Ensure that you have all the configuration settings. 1. Open the WCD tool. -2. Select **Advanced Provisioning**. +1. Select **Advanced Provisioning**. ![icd start page.](images/bulk-enrollment7.png) -3. Enter a project name and select **Next**. -4. Select **All Windows editions**, since Provisioning CSP is common to all Windows editions, then select **Next**. -5. Skip **Import a provisioning package (optional)** and select **Finish**. -6. Expand **Runtime settings** > **Workplace**. -7. Select **Enrollments**, enter a value in **UPN**, and then select **Add**. - The UPN is a unique identifier for the enrollment. For bulk enrollment, this UPN must be a service account that is allowed to enroll multiple users, such as "enrollment@contoso.com". -8. On the left navigation pane, expand the **UPN** and then enter the information for the rest of the settings for enrollment process. - Here's the list of available settings: - - **AuthPolicy** - Select **OnPremise**. - - **DiscoveryServiceFullUrl** - specify the full URL for the discovery service. - - **EnrollmentServiceFullUrl** - Optional and in most cases, it should be left blank. - - **PolicyServiceFullUrl** - Optional and in most cases, it should be left blank. - - **Secret** - Password - For detailed descriptions of these settings, see [Provisioning CSP](mdm/provisioning-csp.md). - Here's the screenshot of the WCD at this point. + +1. Enter a project name and select **Next**. +1. Select **All Windows editions**, since Provisioning CSP is common to all Windows editions, then select **Next**. +1. Skip **Import a provisioning package (optional)** and select **Finish**. +1. Expand **Runtime settings** > **Workplace**. +1. Select **Enrollments**, enter a value in **UPN**, and then select **Add**. 
The UPN is a unique identifier for the enrollment. For bulk enrollment, this UPN must be a service account that is allowed to enroll multiple users, such as `enrollment@contoso.com`. +1. On the left navigation pane, expand the **UPN** and then enter the information for the rest of the settings for enrollment process. Here's the list of available settings: + + - **AuthPolicy** - Select **OnPremise**. + - **DiscoveryServiceFullUrl** - specify the full URL for the discovery service. + - **EnrollmentServiceFullUrl** - Optional and in most cases, it should be left blank. + - **PolicyServiceFullUrl** - Optional and in most cases, it should be left blank. + - **Secret** - Password + + For detailed descriptions of these settings, see [Provisioning CSP](mdm/provisioning-csp.md). Here's the screenshot of the WCD at this point. ![bulk enrollment screenshot.](images/bulk-enrollment.png) -9. Configure the other settings, such as the Wi-Fi connections so that the device can join a network before joining MDM (for example, **Runtime settings** > **ConnectivityProfiles** > **WLANSetting**). -10. When you're done adding all the settings, on the **File** menu, select **Save**. -11. On the main menu, select **Export** > **Provisioning package**. + +1. Configure the other settings, such as the Wi-Fi connections so that the device can join a network before joining MDM (for example, **Runtime settings** > **ConnectivityProfiles** > **WLANSetting**). +1. When you're done adding all the settings, on the **File** menu, select **Save**. +1. On the main menu, select **Export** > **Provisioning package**. ![icd menu for export.](images/bulk-enrollment2.png) -12. Enter the values for your package and specify the package output location. + +1. Enter the values for your package and specify the package output location. 
![enter package information.](images/bulk-enrollment3.png) ![enter additional information for package information.](images/bulk-enrollment4.png) ![specify file location.](images/bulk-enrollment6.png) -13. Select **Build**. + +1. Select **Build**. ![icb build window.](images/bulk-enrollment5.png) -14. Apply the package to some test devices and verify that they work. For more information, see [Apply a provisioning package](#apply-a-provisioning-package). -15. Apply the package to your devices. + +1. Apply the package to some test devices and verify that they work. For more information, see [Apply a provisioning package](#apply-a-provisioning-package). +1. Apply the package to your devices. ## Create and apply a provisioning package for certificate authentication Using the WCD, create a provisioning package using the enrollment information required by your organization. Ensure that you have all the configuration settings. 1. Open the WCD tool. -2. Select **Advanced Provisioning**. -3. Enter a project name and select **Next**. -4. Select **Common to all Windows editions**, since Provisioning CSP is common to all Windows editions. -5. Skip **Import a provisioning package (optional)** and select **Finish**. -6. Specify the certificate. - 1. Go to **Runtime settings** > **Certificates** > **ClientCertificates**. - 2. Enter a **CertificateName** and then select **Add**. - 3. Enter the **CertificatePasword**. - 4. For **CertificatePath**, browse and select the certificate to be used. - 5. Set **ExportCertificate** to False. - 6. For **KeyLocation**, select **Software only**. +1. Select **Advanced Provisioning**. +1. Enter a project name and select **Next**. +1. Select **Common to all Windows editions**, since Provisioning CSP is common to all Windows editions. +1. Skip **Import a provisioning package (optional)** and select **Finish**. +1. Specify the certificate: + + 1. Go to **Runtime settings** > **Certificates** > **ClientCertificates**. + 1. 
Enter a **CertificateName** and then select **Add**. + 1. Enter the **CertificatePassword**. + 1. For **CertificatePath**, browse and select the certificate to be used. + 1. Set **ExportCertificate** to False. + 1. For **KeyLocation**, select **Software only**. ![icd certificates section.](images/bulk-enrollment8.png) -7. Specify the workplace settings. - 1. Got to **Workplace** > **Enrollments**. - 2. Enter the **UPN** for the enrollment and then select **Add**. - The UPN is a unique identifier for the enrollment. For bulk enrollment, this UPN must be a service account that is allowed to enroll multiple users, such as "enrollment@contoso.com". - 3. On the left column, expand the **UPN** and then enter the information for the rest of the settings for enrollment process. - Here's the list of available settings: - - **AuthPolicy** - Select **Certificate**. - - **DiscoveryServiceFullUrl** - specify the full URL for the discovery service. - - **EnrollmentServiceFullUrl** - Optional and in most cases, it should be left blank. - - **PolicyServiceFullUrl** - Optional and in most cases, it should be left blank. - - **Secret** - the certificate thumbprint. - For detailed descriptions of these settings, see [Provisioning CSP](mdm/provisioning-csp.md). -8. Configure the other settings, such as the Wi-Fi connection so that the device can join a network before joining MDM (for example, **Runtime settings** > **ConnectivityProfiles** > **WLANSetting**). -9. When you're done adding all the settings, on the **File** menu, select **Save**. -10. Export and build the package (steps 10-13 in the procedure above). -11. Apply the package to some test devices and verify that they work. For more information, see [Apply a provisioning package](#apply-a-provisioning-package). -12. Apply the package to your devices. + +1. Specify the workplace settings. + + 1. Got to **Workplace** > **Enrollments**. + 1. Enter the **UPN** for the enrollment and then select **Add**. 
The UPN is a unique identifier for the enrollment. For bulk enrollment, this UPN must be a service account that is allowed to enroll multiple users, such as `enrollment@contoso.com`. + 1. On the left column, expand the **UPN** and then enter the information for the rest of the settings for enrollment process. Here's the list of available settings: + - **AuthPolicy** - Select **Certificate**. + - **DiscoveryServiceFullUrl** - specify the full URL for the discovery service. + - **EnrollmentServiceFullUrl** - Optional and in most cases, it should be left blank. + - **PolicyServiceFullUrl** - Optional and in most cases, it should be left blank. + - **Secret** - the certificate thumbprint. + + For detailed descriptions of these settings, see [Provisioning CSP](mdm/provisioning-csp.md). + +1. Configure the other settings, such as the Wi-Fi connection so that the device can join a network before joining MDM (for example, **Runtime settings** > **ConnectivityProfiles** > **WLANSetting**). +1. When you're done adding all the settings, on the **File** menu, select **Save**. +1. Export and build the package (steps 10-13 in the procedure above). +1. Apply the package to some test devices and verify that they work. For more information, see [Apply a provisioning package](#apply-a-provisioning-package). +1. Apply the package to your devices. ## Apply a provisioning package -Here's the list of articles about applying a provisioning package: +- [Apply a package during initial setup](/windows/configuration/provisioning-packages/provisioning-apply-package#during-initial-setup) +- [Apply a package after initial setup](/windows/configuration/provisioning-packages/provisioning-apply-package#after-initial-setup) +- [Apply a package directly](/windows/configuration/provisioning-packages/provisioning-apply-package#apply-directly) +- [Apply a package from the Settings app](/windows/configuration/provisioning-packages/provisioning-apply-package#windows-settings). 
-- [Apply a package on the first-run setup screen (out-of-the-box experience)](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment#apply-package) -- [Apply a package to a Windows desktop edition image](/windows/configuration/provisioning-packages/provisioning-create-package#to_apply_a_provisioning_package_to_a_desktop_image) -- [Apply a package from the Settings menu](#apply-a-package-from-the-settings-menu) - article below +## Validate that the provisioning package was applied -## Apply a package from the Settings menu - -1. Go to **Settings** > **Accounts** > **Access work or school**. -2. Select **Add or remove a provisioning package**. -3. Select **Add a package**. - -## Validate that the provisioning package was applied - -1. Go to **Settings** > **Accounts** > **Access work or school**. -2. Select **Add or remove a provisioning package**. - You should see your package listed. +1. Go to **Settings** > **Accounts** > **Access work or school**. +1. Select **Add or remove a provisioning package**. You should see your package listed. ## Retry logic if there's a failure -If the provisioning engine receives a failure from a CSP, it will retry to provision three times in a row. +- If the provisioning engine receives a failure from a CSP, it will retry to provision three times in a row. +- If all immediate attempts fail, a delayed task is launched to try provisioning again later. It will retry four times at a decaying rate of 15 minutes -> 1 hr -> 4 hr -> "Next System Start". These attempts will be run from the SYSTEM context. +- It will also retry to apply the provisioning each time it's launched, if started from somewhere else as well. +- In addition, provisioning will be restarted in the SYSTEM context after a sign in and the [system has been idle](/windows/win32/taskschd/task-idle-conditions). -If all immediate attempts fail, a delayed task is launched to try provisioning again later. 
It will retry four times at a decaying rate of 15 minutes -> 1 hr -> 4 hr -> "Next System Start". These attempts will be run from a SYSTEM context. - -It will also retry to apply the provisioning each time it's launched, if started from somewhere else as well. - -In addition, provisioning will be restarted in a SYSTEM context after a sign in and the system has been idle ([details on idle conditions](/windows/win32/taskschd/task-idle-conditions)). - -## Other provisioning articles - -Here are links to step-by-step provisioning articles: - -- [Provision PCs with apps and certificates for initial deployment](/windows/configuration/provisioning-packages/provision-pcs-with-apps) -- [Provision PCs with common settings for initial deployment](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment) +## Related articles +- [Provision PCs with apps and certificates for initial deployment](/windows/configuration/provisioning-packages/provision-pcs-with-apps) +- [Provision PCs with common settings for initial deployment](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment) diff --git a/windows/client-management/certificate-authentication-device-enrollment.md b/windows/client-management/certificate-authentication-device-enrollment.md index 2f5129ba9b..6db2ca38a4 100644 --- a/windows/client-management/certificate-authentication-device-enrollment.md +++ b/windows/client-management/certificate-authentication-device-enrollment.md 
@@ -1,30 +1,28 @@ --- title: Certificate authentication device enrollment description: This section provides an example of the mobile device enrollment protocol using certificate authentication policy. -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa ms.topic: article ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft -ms.date: 06/26/2017 +ms.date: 04/05/2023 +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 --- # Certificate authentication device enrollment -This section provides an example of the mobile device enrollment protocol using certificate authentication policy. For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://go.microsoft.com/fwlink/p/?LinkId=619347). +This section provides an example of the mobile device enrollment protocol using certificate authentication policy. For details about the Microsoft mobile device enrollment protocol for Windows devices, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://go.microsoft.com/fwlink/p/?LinkId=619347). -> [!Note] +> [!NOTE] > To set up devices to use certificate authentication for enrollment, you should create a provisioning package. For more information about provisioning packages, see [Build and apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package). -## In this topic - -- [Discovery service](#discovery-service) -- [Enrollment policy web service](#enrollment-policy-web-service) -- [Enrollment web service](#enrollment-web-service) - -For the list of enrollment scenarios not supported in Windows 10, see [Enrollment scenarios not supported](mobile-device-enrollment.md#enrollment-scenarios-not-supported). +> [!NOTE] +> For the list of enrollment scenarios not supported in Windows, see [Enrollment scenarios not supported](mobile-device-enrollment.md#enrollment-scenarios-not-supported). ## Discovery Service 
@@ -37,34 +35,33 @@ User-Agent: Windows Enrollment Client Host: EnterpriseEnrollment.Contoso.com Content-Length: xxx Cache-Control: no-cache - - - + + http://schemas.microsoft.com/windows/management/2012/01/enrollment/IDiscoveryService/Discover - - urn:uuid: 748132ec-a575-4329-b01b-6171a9cf8478 - - http://www.w3.org/2005/08/addressing/anonymous - + + urn:uuid: 748132ec-a575-4329-b01b-6171a9cf8478 + + http://www.w3.org/2005/08/addressing/anonymous + https://ENROLLTEST.CONTOSO.COM/EnrollmentServer/Discovery.svc - - - - - + + + + + user@contoso.com 101 10.0.0.0 - 3.0 + 3.0 10.0.0.0 Certificate - - - + + + ``` @@ -76,7 +73,7 @@ Content-Length: 865 Content-Type: application/soap+xml; charset=utf-8 Server: EnterpriseEnrollment.Contoso.com Date: Tue, 02 Aug 2012 00:32:56 GMT - @@ -87,9 +84,9 @@ http://schemas.microsoft.com/windows/management/2012/01/enrollment/IDiscoverySer urn:uuid: 748132ec-a575-4329-b01b-6171a9cf8478 - - Certificate @@ -117,11 +114,11 @@ User-Agent: Windows Enrollment Client Host: enrolltest.contoso.com Content-Length: xxxx Cache-Control: no-cache - @@ -135,16 +132,16 @@ Cache-Control: no-cache https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC - B64EncodedSampleBinarySecurityToken - + - - @@ -190,29 +187,29 @@ Content-Type: application/soap+xml Content-Length: xxxx - http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy/IPolicy/GetPoliciesResponse - d4335d7c-e192-402d-b0e7-f5d550467e3c urn:uuid: 69960163-adad-4a72-82d2-bb0e5cff5598 - - - - + - - @@ -268,11 +265,11 @@ Host: enrolltest.contoso.com Content-Length: 3242 Cache-Control: no-cache - @@ -289,36 +286,35 @@ Cache-Control: no-cache 2014-10-16T17:55:13Z 2014-10-16T17:57:13Z - + + wsu:Id="29801C2F-F26B-46AD-984B-AFAEFB545FF8"> B64EncodedSampleBinarySecurityToken - + - - + MessageDigestValue - SignedMessageBlob/ds:SignatureValue> - + SignedMessageBlob/ds:SignatureValue> + - - + - + 
@@ -331,8 +327,8 @@ http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrol http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue - DER format PKCS#10 certificate request in Base64 encoding Insterted Here @@ -354,7 +350,7 @@ http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrol - 7BA748C8-703E-4DF2-A74A-92984117346A + 7BA748C8-703E-4DF2-A74A-92984117346A 3J4KLJ9SDJFAL93JLAKHJSDFJHAO83HAKSHFLAHSKFNHNPA2934342 @@ -376,8 +372,8 @@ Content-Type: application/soap+xml; charset=utf-8 Server: Microsoft-IIS/7.0 Date: Fri, 03 Aug 2012 00:32:59 GMT - @@ -393,14 +389,14 @@ Date: Fri, 03 Aug 2012 00:32:59 GMT - http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken - - + - - + + - + @@ -480,14 +476,14 @@ The following example shows the encoded provisioning XML. - + - + @@ -495,7 +491,7 @@ The following example shows the encoded provisioning XML. - -``` \ No newline at end of file +``` diff --git a/windows/client-management/certificate-renewal-windows-mdm.md b/windows/client-management/certificate-renewal-windows-mdm.md index 8b44256d9e..d7c3443131 100644 --- a/windows/client-management/certificate-renewal-windows-mdm.md +++ b/windows/client-management/certificate-renewal-windows-mdm.md @@ -1,10 +1,7 @@ --- title: Certificate Renewal description: Learn how to find all the resources that you need to provide continuous access to client certificates. -MS-HAID: - - 'p\_phdevicemgmt.certificate\_renewal' - - 'p\_phDeviceMgmt.certificate\_renewal\_windows\_mdm' -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa ms.topic: article 
@@ -12,29 +9,32 @@ ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft ms.date: 06/26/2017 +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 --- # Certificate Renewal The enrolled client certificate expires after a period of use. The expiration date of the certificate is specified by the server. To ensure continuous access to enterprise applications, Windows supports a user-triggered certificate renewal process. The user is prompted to provide the current password for the corporate account. The enrollment client gets a new client certificate from the enrollment server, and deletes the old certificate. The client generates a new private/public key pair, generates a PKCS\#7 request, and signs the PKCS\#7 request with the existing certificate. In Windows, automatic MDM client certificate renewal is also supported. -> [!Note] +> [!NOTE] > Make sure that the EntDMID in the DMClient configuration service provider is set before the certificate renewal request is triggered. ## Automatic certificate renewal request Windows supports automatic certificate renewal, also known as Renew On Behalf Of (ROBO), that doesn't require any user interaction. For auto renewal, the enrollment client uses the existing MDM client certificate to do client Transport Layer Security (TLS). The user security token isn't needed in the SOAP header. As a result, the MDM certificate enrollment server is required to support client TLS for certificate-based client authentication for automatic certificate renewal. -> [!Note] +> [!NOTE] > Certificate renewal of the enrollment certificate through ROBO is only supported with Microsoft PKI. Auto certificate renewal is the only supported MDM client certificate renewal method for the device that's enrolled using WAB authentication. Meaning, the AuthPolicy is set to Federated. It also means if the server supports WAB authentication, then the MDM certificate enrollment server MUST also support client TLS to renew the MDM client certificate. 
-For Windows devices, during the MDM client certificate enrollment phase or during MDM management section, the enrollment server or MDM server could configure the device to support automatic MDM client certificate renewal using [CertificateStore CSP’s](mdm/certificatestore-csp.md) ROBOSupport node under CertificateStore/My/WSTEP/Renew URL. +For Windows devices, during the MDM client certificate enrollment phase or during MDM management section, the enrollment server or MDM server could configure the device to support automatic MDM client certificate renewal using [CertificateStore CSP's](mdm/certificatestore-csp.md) ROBOSupport node under CertificateStore/My/WSTEP/Renew URL. -With automatic renewal, the PKCS\#7 message content isn’t b64 encoded separately. With manual certificate renewal, there's an additional b64 encoding for PKCS\#7 message content. +With automatic renewal, the PKCS\#7 message content isn't b64 encoded separately. With manual certificate renewal, there's an additional b64 encoding for PKCS\#7 message content. -During the automatic certificate renewal process, if the root certificate isn’t trusted by the device, the authentication will fail. Use one of device pre-installed root certificates, or configure the root cert over a DM session using the [CertificateStore CSP](mdm/certificatestore-csp.md). +During the automatic certificate renewal process, if the root certificate isn't trusted by the device, the authentication will fail. Use one of device pre-installed root certificates, or configure the root cert over a DM session using the [CertificateStore CSP](mdm/certificatestore-csp.md). During the automatic certificate renew process, the device will deny HTTP redirect request from the server. It won't deny the request if the same redirect URL that the user accepted during the initial MDM enrollment process is used. 
@@ -94,28 +94,25 @@ The following example shows the details of an automatic renewal request. ## Certificate renewal schedule configuration -In Windows, the renewal period can only be set during the MDM enrollment phase. Windows supports a certificate renewal period and renewal failure retry. They're configurable by both MDM enrollment server and later by the MDM management server using CertificateStore CSP’s RenewPeriod and RenewInterval nodes. The device could retry automatic certificate renewal multiple times until the certificate expires. For manual certificate renewal, the Windows device reminds the user with a dialog at every renewal retry time until the certificate is expired. +In Windows, the renewal period can only be set during the MDM enrollment phase. Windows supports a certificate renewal period and renewal failure retry. They're configurable by both MDM enrollment server and later by the MDM management server using CertificateStore CSP's RenewPeriod and RenewInterval nodes. The device could retry automatic certificate renewal multiple times until the certificate expires. For manual certificate renewal, the Windows device reminds the user with a dialog at every renewal retry time until the certificate is expired. For more information about the parameters, see the CertificateStore configuration service provider. Unlike manual certificate renewal, the device will not do an automatic MDM client certificate renewal if the certificate is already expired. To make sure the device has enough time to automatically renew, we recommend you set a renewal period a couple months (40-60 days) before the certificate expires. And, set the renewal retry interval to every few days, like every 4-5 days instead every 7 days (weekly). This change increases the chance that the device will try to connect at different days of the week. 
-> [!Note] -> For PCs that were previously enrolled in MDM in Windows 8.1 and then upgraded to Windows 10, renewal will be triggered for the enrollment certificate. Thereafter, renewal will happen at the configured ROBO interval. - ## Certificate renewal response When RequestType is set to Renew, the web service verifies the following (in additional to initial enrollment): -- The signature of the PKCS\#7 BinarySecurityToken is correct -- The client’s certificate is in the renewal period -- The certificate was issued by the enrollment service -- The requester is the same as the requester for initial enrollment -- For standard client’s request, the client hasn’t been blocked +- The signature of the PKCS\#7 BinarySecurityToken is correct +- The client's certificate is in the renewal period +- The certificate was issued by the enrollment service +- The requester is the same as the requester for initial enrollment +- For standard client's request, the client hasn't been blocked After validation is completed, the web service retrieves the PKCS\#10 content from the PKCS\#7 BinarySecurityToken. The rest is the same as initial enrollment, except that the Provisioning XML only needs to have the new certificate issued by the CA. -> [!Note] +> [!NOTE] > The HTTP server response must not be chunked; it must be sent as one message. The following example shows the details of a certificate renewal response. 
@@ -145,14 +142,14 @@ The following example shows the details of a certificate renewal response. ``` -> [!Note] +> [!NOTE] > The client receives a new certificate, instead of renewing the initial certificate. The administrator controls which certificate template the client should use. The templates may be different at renewal time than the initial enrollment time. ## Configuration service providers supported during MDM enrollment and certificate renewal The following configuration service providers are supported during MDM enrollment and certificate renewal process. See Configuration service provider reference for detailed descriptions of each configuration service provider. -- CertificateStore -- w7 APPLICATION -- DMClient -- EnterpriseAppManagement +- CertificateStore +- w7 APPLICATION +- DMClient +- EnterpriseAppManagement diff --git a/windows/client-management/administrative-tools-in-windows-10.md b/windows/client-management/client-tools/administrative-tools-in-windows.md similarity index 91% rename from windows/client-management/administrative-tools-in-windows-10.md rename to windows/client-management/client-tools/administrative-tools-in-windows.md index 095188a9ba..a511db702c 100644 --- a/windows/client-management/administrative-tools-in-windows-10.md +++ b/windows/client-management/client-tools/administrative-tools-in-windows.md 
@@ -6,24 +6,22 @@ author: vinaypamnani-msft ms.author: vinpa manager: aaroncz ms.localizationpriority: medium -ms.date: 03/28/2022 +ms.date: 04/11/2023 ms.topic: article ms.collection: - - highpri - - tier2 +- highpri +- tier2 ms.technology: itpro-manage +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 --- # Windows Tools/Administrative Tools -**Applies to** - -- Windows 11 -- Windows 10 - **Windows Tools** is a folder in the Windows 11 Control Panel. **Administrative Tools** is a folder in the Windows 10 Control Panel. These folders contain tools for system administrators and advanced users. -## Windows Tools folder (Windows 11) +## Windows Tools folder The following graphic shows the **Windows Tools** folder in Windows 11: @@ -33,7 +31,7 @@ The tools in the folder might vary depending on which edition of Windows you use :::image type="content" source="images/win11-windows-tools.png" alt-text="Screenshot of the contents of the Windows Tools folder in Windows 11." lightbox="images/win11-windows-tools.png"::: -## Administrative Tools folder (Windows 10) +## Administrative Tools folder The following graphic shows the **Administrative Tools** folder in Windows 10: diff --git a/windows/client-management/change-default-removal-policy-external-storage-media.md b/windows/client-management/client-tools/change-default-removal-policy-external-storage-media.md similarity index 58% rename from windows/client-management/change-default-removal-policy-external-storage-media.md rename to windows/client-management/client-tools/change-default-removal-policy-external-storage-media.md index d3410f5068..2959430065 100644 --- a/windows/client-management/change-default-removal-policy-external-storage-media.md +++ b/windows/client-management/client-tools/change-default-removal-policy-external-storage-media.md 
@@ -1,26 +1,22 @@ --- -title: Windows 10 default media removal policy -description: In Windows 10, version 1809, the default removal policy for external storage media changed from Better performance to Quick removal. +title: Windows default media removal policy +description: In Windows 10 and later, the default removal policy for external storage media changed from Better performance to Quick removal. ms.prod: windows-client author: vinaypamnani-msft ms.author: vinpa -ms.date: 11/25/2020 +ms.date: 04/11/2023 ms.topic: article -ms.custom: - - CI 111493 - - CI 125140 - - CSSTroubleshooting -audience: ITPro ms.localizationpriority: medium -manager: kaushika +manager: aaroncz ms.technology: itpro-manage +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 --- -# Change in default removal policy for external storage media in Windows 10, version 1809 +# Change in default removal policy for external storage media in Windows -Windows defines two main policies, **Quick removal** and **Better performance**, that control how the system interacts with external storage devices such as USB thumb drives or Thunderbolt-enabled external drives. Beginning in Windows 10 version 1809, the default policy is **Quick removal**. - -In earlier versions of Windows, the default policy was **Better performance**. +Windows defines two main policies, **Quick removal** and **Better performance**, that control how the system interacts with external storage devices such as USB thumb drives or Thunderbolt-enabled external drives. Beginning in Windows 10 version 1809, the default policy is **Quick removal**. In earlier versions of Windows, the default policy was **Better performance**. You can change the policy setting for each external device, and the policy that you set remains in effect if you disconnect the device and then connect it again to the same computer port. 
@@ -28,31 +24,32 @@ You can change the policy setting for each external device, and the policy that You can use the storage device policy setting to change the manner in which Windows manages storage devices to better meet your needs. The policy settings have the following effects: -* **Quick removal**: This policy manages storage operations in a manner that keeps the device ready to remove at any time. You can remove the device without using the Safely Remove Hardware process. However, to do this, Windows cannot cache disk write operations. This may degrade system performance. -* **Better performance**: This policy manages storage operations in a manner that improves system performance. When this policy is in effect, Windows can cache write operations to the external device. However, you must use the Safely Remove Hardware process to remove the external drive. The Safely Remove Hardware process protects the integrity of data on the device by making sure that all cached operations finish. - > [!IMPORTANT] - > If you use the **Better performance** policy, you must use the Safely Remove Hardware process to remove the device. If you remove or disconnect the device without following the safe removal instructions, you risk losing data. +- **Quick removal**: This policy manages storage operations in a manner that keeps the device ready to remove at any time. You can remove the device without using the Safely Remove Hardware process. However, to do this, Windows cannot cache disk write operations. This may degrade system performance. +- **Better performance**: This policy manages storage operations in a manner that improves system performance. When this policy is in effect, Windows can cache write operations to the external device. However, you must use the Safely Remove Hardware process to remove the external drive. The Safely Remove Hardware process protects the integrity of data on the device by making sure that all cached operations finish. 
- > [!NOTE] - > If you select **Better performance**, we recommend that you also select **Enable write caching on the device**. +> [!IMPORTANT] +> If you use the **Better performance** policy, you must use the Safely Remove Hardware process to remove the device. If you remove or disconnect the device without following the safe removal instructions, you risk losing data. + +> [!NOTE] +> If you select **Better performance**, we recommend that you also select **Enable write caching on the device**. To change the policy for an external storage device: 1. Connect the device to the computer. -2. Right-click **Start**, then select **File Explorer**. -3. In File Explorer, identify the letter or label that is associated with the device (for example, **USB Drive (D:)**). -4. Right-click **Start**, then select **Disk Management**. -5. In the lower section of the Disk Management window, right-click the label of the device, and then select **Properties**. - +1. Right-click **Start**, then select **File Explorer**. +1. In File Explorer, identify the letter or label that is associated with the device (for example, **USB Drive (D:)**). +1. Right-click **Start**, then select **Disk Management**. +1. In the lower section of the Disk Management window, right-click the label of the device, and then select **Properties**. + ![In Disk Management, right-click the device and click Properties.](./images/change-def-rem-policy-1.png) - -6. Select **Policies**. - - > [!NOTE] - > Some recent versions of Windows may use a different arrangement of tabs in the disk properties dialog box. - > + +1. Select **Policies**. + + > [!NOTE] + > Some recent versions of Windows may use a different arrangement of tabs in the disk properties dialog box. + > > If you do not see the **Policies** tab, select **Hardware**, select the removable drive from the **All disk drives** list, and then select **Properties**. The **Policies** tab should now be available. - -7. Select the policy that you want to use. - + +1. 
Select the policy that you want to use. + ![Policy options for disk management.](./images/change-def-rem-policy-2.png) diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/client-tools/connect-to-remote-aadj-pc.md similarity index 93% rename from windows/client-management/connect-to-remote-aadj-pc.md rename to windows/client-management/client-tools/connect-to-remote-aadj-pc.md index 42c1d58c19..85c581ddd4 100644 --- a/windows/client-management/connect-to-remote-aadj-pc.md +++ b/windows/client-management/client-tools/connect-to-remote-aadj-pc.md 
@@ -1,29 +1,29 @@ --- -title: Connect to remote Azure Active Directory joined device (Windows) +title: Connect to remote Azure Active Directory joined device description: Learn how to use Remote Desktop Connection to connect to an Azure AD joined device. ms.prod: windows-client author: vinaypamnani-msft ms.localizationpriority: medium ms.author: vinpa -ms.date: 01/18/2022 +ms.date: 04/11/2023 manager: aaroncz ms.topic: article appliesto: - - ✅ Windows 10 and later - - ✅ Windows 11 and later +- ✅ Windows 11 +- ✅ Windows 10 ms.collection: - - highpri - - tier2 +- highpri +- tier2 ms.technology: itpro-manage --- # Connect to remote Azure Active Directory joined device -From its release, Windows has supported remote connections to devices joined to Active Directory using Remote Desktop Protocol (RDP). Windows 10, version 1607 added the ability to connect to a device that is joined to Azure Active Directory (Azure AD) using RDP. +Windows supports remote connections to devices joined to Active Directory s well as devices joined to Azure Active Directory (Azure AD) using Remote Desktop Protocol (RDP). - Starting in Windows 10, version 1809, you can [use biometrics to authenticate to a remote desktop session](/windows/whats-new/whats-new-windows-10-version-1809#remote-desktop-with-biometrics). - Starting in Windows 10/11, with 2022-10 update installed, you can [use Azure AD authentication to connect to the remote Azure AD device](#connect-with-azure-ad-authentication). - + ## Prerequisites - Both devices (local and remote) must be running a supported version of Windows. 
@@ -39,20 +39,20 @@ Azure AD Authentication can be used on the following operating systems for both - Windows 11 with [2022-10 Cumulative Updates for Windows 11 (KB5018418)](https://support.microsoft.com/kb/KB5018418) or later installed. - Windows 10, version 20H2 or later with [2022-10 Cumulative Updates for Windows 10 (KB5018410)](https://support.microsoft.com/kb/KB5018410) or later installed. - Windows Server 2022 with [2022-10 Cumulative Update for Microsoft server operating system (KB5018421)](https://support.microsoft.com/kb/KB5018421) or later installed. - + There's no requirement for the local device to be joined to a domain or Azure AD. As a result, this method allows you to connect to the remote Azure AD joined device from: - [Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join) or [Hybrid Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) device. - Active Directory joined device. - Workgroup device. - + Azure AD authentication can also be used to connect to Hybrid Azure AD joined devices. To connect to the remote computer: - Launch **Remote Desktop Connection** from Windows Search, or by running `mstsc.exe`. - Select **Use a web account to sign in to the remote computer** option in the **Advanced** tab. This option is equivalent to the `enablerdsaadauth` RDP property. For more information, see [Supported RDP properties with Remote Desktop Services](/windows-server/remote/remote-desktop-services/clients/rdp-files). -- Specify the name of the remote computer and select **Connect**. +- Specify the name of the remote computer and select **Connect**. > [!NOTE] > IP address cannot be used when **Use a web account to sign in to the remote computer** option is used. @@ -129,5 +129,3 @@ Remote Desktop Users group is used to grant users and groups permissions to remo ## Related articles [How to use Remote Desktop](https://support.microsoft.com/windows/how-to-use-remote-desktop-5fe128d5-8fb1-7a23-3b8a-41e636865e8c) - - 
diff --git a/windows/client-management/images/admin-tools-folder.png b/windows/client-management/client-tools/images/admin-tools-folder.png
similarity index 100%
rename from windows/client-management/images/admin-tools-folder.png
rename to windows/client-management/client-tools/images/admin-tools-folder.png
diff --git a/windows/client-management/images/admin-tools.png b/windows/client-management/client-tools/images/admin-tools.png
similarity index 100%
rename from windows/client-management/images/admin-tools.png
rename to windows/client-management/client-tools/images/admin-tools.png
diff --git a/windows/client-management/images/allow-rdp.png b/windows/client-management/client-tools/images/allow-rdp.png
similarity index 100%
rename from windows/client-management/images/allow-rdp.png
rename to windows/client-management/client-tools/images/allow-rdp.png
diff --git a/windows/client-management/images/change-def-rem-policy-1.png b/windows/client-management/client-tools/images/change-def-rem-policy-1.png
similarity index 100%
rename from windows/client-management/images/change-def-rem-policy-1.png
rename to windows/client-management/client-tools/images/change-def-rem-policy-1.png
diff --git a/windows/client-management/images/change-def-rem-policy-2.png b/windows/client-management/client-tools/images/change-def-rem-policy-2.png
similarity index 100%
rename from windows/client-management/images/change-def-rem-policy-2.png
rename to windows/client-management/client-tools/images/change-def-rem-policy-2.png
diff --git a/windows/client-management/images/checkmark.png b/windows/client-management/client-tools/images/checkmark.png
similarity index 100%
rename from windows/client-management/images/checkmark.png
rename to windows/client-management/client-tools/images/checkmark.png
diff --git a/windows/client-management/images/copy-to-change.png b/windows/client-management/client-tools/images/copy-to-change.png
similarity index 100%
rename from windows/client-management/images/copy-to-change.png
rename to windows/client-management/client-tools/images/copy-to-change.png
diff --git a/windows/client-management/images/copy-to-path.png b/windows/client-management/client-tools/images/copy-to-path.png
similarity index 100%
rename from windows/client-management/images/copy-to-path.png
rename to windows/client-management/client-tools/images/copy-to-path.png
diff --git a/windows/client-management/images/copy-to.PNG b/windows/client-management/client-tools/images/copy-to.png
similarity index 100%
rename from windows/client-management/images/copy-to.PNG
rename to windows/client-management/client-tools/images/copy-to.png
diff --git a/windows/client-management/images/crossmark.png b/windows/client-management/client-tools/images/crossmark.png
similarity index 100%
rename from windows/client-management/images/crossmark.png
rename to windows/client-management/client-tools/images/crossmark.png
diff --git a/windows/client-management/images/device-installation-apply-layered-policy-2.png b/windows/client-management/client-tools/images/device-installation-apply-layered-policy-2.png
similarity index 100%
rename from windows/client-management/images/device-installation-apply-layered-policy-2.png
rename to windows/client-management/client-tools/images/device-installation-apply-layered-policy-2.png
diff --git a/windows/client-management/images/device-installation-apply-layered_policy-1.png b/windows/client-management/client-tools/images/device-installation-apply-layered_policy-1.png
similarity index 100%
rename from windows/client-management/images/device-installation-apply-layered_policy-1.png
rename to windows/client-management/client-tools/images/device-installation-apply-layered_policy-1.png
diff --git a/windows/client-management/images/device-installation-dm-printer-by-device.png b/windows/client-management/client-tools/images/device-installation-dm-printer-by-device.png
similarity index 100%
rename from windows/client-management/images/device-installation-dm-printer-by-device.png
rename to windows/client-management/client-tools/images/device-installation-dm-printer-by-device.png
diff --git a/windows/client-management/images/device-installation-dm-printer-compatible-ids.png b/windows/client-management/client-tools/images/device-installation-dm-printer-compatible-ids.png
similarity index 100%
rename from windows/client-management/images/device-installation-dm-printer-compatible-ids.png
rename to windows/client-management/client-tools/images/device-installation-dm-printer-compatible-ids.png
diff --git a/windows/client-management/images/device-installation-dm-printer-details-screen.png b/windows/client-management/client-tools/images/device-installation-dm-printer-details-screen.png
similarity index 100%
rename from windows/client-management/images/device-installation-dm-printer-details-screen.png
rename to windows/client-management/client-tools/images/device-installation-dm-printer-details-screen.png
diff --git a/windows/client-management/images/device-installation-dm-printer-hardware-ids.png b/windows/client-management/client-tools/images/device-installation-dm-printer-hardware-ids.png
similarity index 100%
rename from windows/client-management/images/device-installation-dm-printer-hardware-ids.png
rename to windows/client-management/client-tools/images/device-installation-dm-printer-hardware-ids.png
diff --git a/windows/client-management/images/device-installation-dm-usb-by-connection-blocked.png b/windows/client-management/client-tools/images/device-installation-dm-usb-by-connection-blocked.png
similarity index 100%
rename from windows/client-management/images/device-installation-dm-usb-by-connection-blocked.png
rename to windows/client-management/client-tools/images/device-installation-dm-usb-by-connection-blocked.png
diff --git a/windows/client-management/images/device-installation-dm-usb-by-connection-layering.png b/windows/client-management/client-tools/images/device-installation-dm-usb-by-connection-layering.png
similarity index 100%
rename from windows/client-management/images/device-installation-dm-usb-by-connection-layering.png
rename to windows/client-management/client-tools/images/device-installation-dm-usb-by-connection-layering.png
diff --git a/windows/client-management/images/device-installation-dm-usb-by-connection.png b/windows/client-management/client-tools/images/device-installation-dm-usb-by-connection.png
similarity index 100%
rename from windows/client-management/images/device-installation-dm-usb-by-connection.png
rename to windows/client-management/client-tools/images/device-installation-dm-usb-by-connection.png
diff --git a/windows/client-management/images/device-installation-dm-usb-by-device.png b/windows/client-management/client-tools/images/device-installation-dm-usb-by-device.png
similarity index 100%
rename from windows/client-management/images/device-installation-dm-usb-by-device.png
rename to windows/client-management/client-tools/images/device-installation-dm-usb-by-device.png
diff --git a/windows/client-management/images/device-installation-dm-usb-hwid.png b/windows/client-management/client-tools/images/device-installation-dm-usb-hwid.png
similarity index 100%
rename from windows/client-management/images/device-installation-dm-usb-hwid.png
rename to windows/client-management/client-tools/images/device-installation-dm-usb-hwid.png
diff --git a/windows/client-management/images/device-installation-flowchart.png b/windows/client-management/client-tools/images/device-installation-flowchart.png
similarity index 100%
rename from windows/client-management/images/device-installation-flowchart.png
rename to windows/client-management/client-tools/images/device-installation-flowchart.png
diff --git a/windows/client-management/images/device-installation-gpo-allow-device-id-list-printer.png b/windows/client-management/client-tools/images/device-installation-gpo-allow-device-id-list-printer.png
similarity index 100%
rename from windows/client-management/images/device-installation-gpo-allow-device-id-list-printer.png
rename to windows/client-management/client-tools/images/device-installation-gpo-allow-device-id-list-printer.png
diff --git a/windows/client-management/images/device-installation-gpo-allow-device-id-list-usb.png b/windows/client-management/client-tools/images/device-installation-gpo-allow-device-id-list-usb.png
similarity index 100%
rename from windows/client-management/images/device-installation-gpo-allow-device-id-list-usb.png
rename to windows/client-management/client-tools/images/device-installation-gpo-allow-device-id-list-usb.png
diff --git a/windows/client-management/images/device-installation-gpo-prevent-class-list.png b/windows/client-management/client-tools/images/device-installation-gpo-prevent-class-list.png
similarity index 100%
rename from windows/client-management/images/device-installation-gpo-prevent-class-list.png
rename to windows/client-management/client-tools/images/device-installation-gpo-prevent-class-list.png
diff --git a/windows/client-management/images/device-installation-gpo-prevent-device-id-list-printer.png b/windows/client-management/client-tools/images/device-installation-gpo-prevent-device-id-list-printer.png
similarity index 100%
rename from windows/client-management/images/device-installation-gpo-prevent-device-id-list-printer.png
rename to windows/client-management/client-tools/images/device-installation-gpo-prevent-device-id-list-printer.png
diff --git a/windows/client-management/images/device-installation-gpo-prevent-device-id-list-usb.png b/windows/client-management/client-tools/images/device-installation-gpo-prevent-device-id-list-usb.png
similarity index 100%
rename from windows/client-management/images/device-installation-gpo-prevent-device-id-list-usb.png
rename to windows/client-management/client-tools/images/device-installation-gpo-prevent-device-id-list-usb.png
diff --git a/windows/client-management/images/msinfo32.png b/windows/client-management/client-tools/images/msinfo32.png
similarity index 100%
rename from windows/client-management/images/msinfo32.png
rename to windows/client-management/client-tools/images/msinfo32.png
diff --git a/windows/client-management/images/quick-assist-flow.png b/windows/client-management/client-tools/images/quick-assist-flow.png
similarity index 100%
rename from windows/client-management/images/quick-assist-flow.png
rename to windows/client-management/client-tools/images/quick-assist-flow.png
diff --git a/windows/client-management/images/quick-assist-get.png b/windows/client-management/client-tools/images/quick-assist-get.png
similarity index 100%
rename from windows/client-management/images/quick-assist-get.png
rename to windows/client-management/client-tools/images/quick-assist-get.png
diff --git a/windows/client-management/images/rdp.png b/windows/client-management/client-tools/images/rdp.png
similarity index 100%
rename from windows/client-management/images/rdp.png
rename to windows/client-management/client-tools/images/rdp.png
diff --git a/windows/client-management/images/refcmd.png b/windows/client-management/client-tools/images/refcmd.png
similarity index 100%
rename from windows/client-management/images/refcmd.png
rename to windows/client-management/client-tools/images/refcmd.png
diff --git a/windows/client-management/images/settings-page-visibility-gp.png b/windows/client-management/client-tools/images/settings-page-visibility-gp.png
similarity index 100%
rename from windows/client-management/images/settings-page-visibility-gp.png
rename to windows/client-management/client-tools/images/settings-page-visibility-gp.png
diff --git a/windows/client-management/images/slmgr_dlv.png b/windows/client-management/client-tools/images/slmgr-dlv.png
similarity index 100%
rename from windows/client-management/images/slmgr_dlv.png
rename to windows/client-management/client-tools/images/slmgr-dlv.png
diff --git a/windows/client-management/images/sysprep-error.png b/windows/client-management/client-tools/images/sysprep-error.png
similarity index 100%
rename from windows/client-management/images/sysprep-error.png
rename to windows/client-management/client-tools/images/sysprep-error.png
diff --git a/windows/client-management/images/systemcollage.png b/windows/client-management/client-tools/images/systemcollage.png
similarity index 100%
rename from windows/client-management/images/systemcollage.png
rename to windows/client-management/client-tools/images/systemcollage.png
diff --git a/windows/client-management/images/win11-control-panel-windows-tools.png b/windows/client-management/client-tools/images/win11-control-panel-windows-tools.png
similarity index 100%
rename from windows/client-management/images/win11-control-panel-windows-tools.png
rename to windows/client-management/client-tools/images/win11-control-panel-windows-tools.png
diff --git a/windows/client-management/images/win11-windows-tools.png b/windows/client-management/client-tools/images/win11-windows-tools.png
similarity index 100%
rename from windows/client-management/images/win11-windows-tools.png
rename to windows/client-management/client-tools/images/win11-windows-tools.png
diff --git a/windows/client-management/images/WinVer.PNG b/windows/client-management/client-tools/images/winver.png
similarity index 100%
rename from windows/client-management/images/WinVer.PNG
rename to windows/client-management/client-tools/images/winver.png
diff --git a/windows/client-management/manage-device-installation-with-group-policy.md b/windows/client-management/client-tools/manage-device-installation-with-group-policy.md
similarity index 69%
rename from windows/client-management/manage-device-installation-with-group-policy.md
rename to windows/client-management/client-tools/manage-device-installation-with-group-policy.md
index 6f1cf2860e..da685db207 100644
--- a/windows/client-management/manage-device-installation-with-group-policy.md
+++ b/windows/client-management/client-tools/manage-device-installation-with-group-policy.md
@@ -4,21 +4,19 @@ description: Find out how to manage Device Installation Restrictions with Group ms.prod: windows-client author: vinaypamnani-msft ms.date: 09/14/2021 -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa ms.topic: article ms.technology: itpro-manage +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 +- ✅ Windows Server 2022 --- # Manage Device Installation with Group Policy -**Applies to** - -- Windows 10 -- Windows 11 -- Windows Server 2022 - ## Summary By using Windows operating systems, administrators can determine what devices can be installed on computers they manage. This guide summarizes the device installation process and demonstrates several techniques for controlling device installation by using Group Policy. @@ -26,6 +24,7 @@ By using Windows operating systems, administrators can determine what devices ca ## Introduction ### General + This step-by-step guide describes how you can control device installation on the computers that you manage, including designating which devices users can and can't install. This guide applies to all Windows versions starting with RS5 (1809). The guide includes the following scenarios: - Prevent users from installing devices that are on a "prohibited" list. If a device isn't on the list, then the user can install it. 
@@ -63,7 +62,7 @@ You can ensure that users install only those devices that your technical support ## Scenario Overview -The scenarios presented in this guide illustrate how you can control device installation and usage on the computers that you manage. The scenarios use Group Policy on a local machine to simplify using the procedures in a lab environment. In an environment where you manage multiple client computers, you should apply these settings using Group Policy.. With Group Policy deployed by Active Directory, you can apply settings to all computers that are members of a domain or an organizational unit in a domain. For more information about how to use Group Policy to manage your client computers, see Group Policy at the Microsoft Web site. +The scenarios presented in this guide illustrate how you can control device installation and usage on the computers that you manage. The scenarios use Group Policy on a local machine to simplify using the procedures in a lab environment. In an environment where you manage multiple client computers, you should apply these settings using Group Policy. With Group Policy deployed by Active Directory, you can apply settings to all computers that are members of a domain or an organizational unit in a domain. For more information about how to use Group Policy to manage your client computers, see Group Policy at the Microsoft Web site. Group Policy guides: 
@@ -72,7 +71,7 @@ Group Policy guides: ### Scenario #1: Prevent installation of all printers -In this scenario, the administrator wants to prevent users from installing any printers. Thus is a basic scenario to introduce you to the ‘prevent/allow’ functionality of Device Installation policies in Group Policy. +In this scenario, the administrator wants to prevent users from installing any printers. Thus is a basic scenario to introduce you to the 'prevent/allow' functionality of Device Installation policies in Group Policy. ### Scenario #2: Prevent installation of a specific printer 
@@ -84,11 +83,11 @@ In this scenario, you'll combine what you learned from both scenario #1 and scen ### Scenario #4: Prevent installation of a specific USB device -This scenario, although similar to scenario #2, brings another layer of complexity – how does device connectivity work in the PnP tree. The administrator wants to prevent standard users from installing a specific USB device. By the end of the scenario, you should understand the way devices are nested in layers under the PnP device connectivity tree. +This scenario, although similar to scenario #2, brings another layer of complexity—how does device connectivity work in the PnP tree. The administrator wants to prevent standard users from installing a specific USB device. By the end of the scenario, you should understand the way devices are nested in layers under the PnP device connectivity tree. ### Scenario #5: Prevent installation of all USB devices while allowing an installation of only an authorized USB thumb drive -In this scenario, combining all previous four scenarios, you'll learn how to protect a machine from all unauthorized USB devices. The administrator wants to allow users to install only a small set of authorized USB devices while preventing any other USB device from being installed. In addition, this scenario includes an explanation of how to apply the ‘prevent’ functionality to existing USB devices that have already been installed on the machine, and the administrator likes to prevent any farther interaction with them (blocking them all together). This scenario builds on the policies and structure we introduced in the first four scenarios and therefore it's preferred to go over them first before attempting this scenario. +In this scenario, combining all previous four scenarios, you'll learn how to protect a machine from all unauthorized USB devices. 
The administrator wants to allow users to install only a small set of authorized USB devices while preventing any other USB device from being installed. In addition, this scenario includes an explanation of how to apply the 'prevent' functionality to existing USB devices that have already been installed on the machine, and the administrator likes to prevent any farther interaction with them (blocking them all together). This scenario builds on the policies and structure we introduced in the first four scenarios and therefore it's preferred to go over them first before attempting this scenario. ## Technology Review 
@@ -96,7 +95,7 @@ The following sections provide a brief overview of the core technologies discuss ### Device Installation in Windows -A device is a piece of hardware with which Windows interacts to perform some function, or in a more technical definition - it's a single instance of a hardware component with a unique representation in the Windows Plug and Play subsystem. Windows can communicate with a device only through a piece of software called a device-driver (also known as a _driver_). To install a driver, Windows detects the device, recognizes its type, and then finds the driver that matches that type. +A device is a piece of hardware with which Windows interacts to perform some function, or in a more technical definition—it's a single instance of a hardware component with a unique representation in the Windows Plug and Play subsystem. Windows can communicate with a device only through a piece of software called a device-driver (also known as a _driver_). To install a driver, Windows detects the device, recognizes its type, and then finds the driver that matches that type. When Windows detects a device that has never been installed on the computer, the operating system queries the device to retrieve its list of device identification strings. A device usually has multiple device identification strings, which the device manufacturer assigns. The same device identification strings are included in the .inf file (also known as an _INF_) that is part of the driver package. Windows chooses which driver package to install by matching the device identification strings retrieved from the device to those strings included with the driver packages. @@ -107,7 +106,7 @@ The four types of identifiers are: - Device Instance ID - Device ID - Device setup classes -- ‘Removable Devices’ device type +- 'Removable Devices' device type #### Device Instance ID 
@@ -146,12 +145,12 @@ For more information, see [Device Setup Classes](/windows-hardware/drivers/insta This guide doesn't depict any scenarios that use device setup classes. However, the basic principles demonstrated with device identification strings in this guide also apply to device setup classes. After you discover the device setup class for a specific device, you can then use it in a policy to either allow or prevent installation of drivers for that class of devices. -The following two links provide the complete list of Device Setup Classes. ‘System Use’ classes are mostly referred to devices that come with a computer/machine from the factory, while ‘Vendor’ classes are mostly referred to devices that could be connected to an existing computer/machine: +The following two links provide the complete list of Device Setup Classes. 'System Use' classes are mostly referred to devices that come with a computer/machine from the factory, while 'Vendor' classes are mostly referred to devices that could be connected to an existing computer/machine: - [System-Defined Device Setup Classes Available to Vendors - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors) - [System-Defined Device Setup Classes Reserved for System Use - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-reserved-for-system-use) -#### ‘Removable Device’ Device type +#### 'Removable Device' Device type Some devices could be classified as _Removable Device_. A device is considered _removable_ when the driver for the device to which it's connected indicates that the device is removable. For example, a USB device is reported to be removable by the drivers for the USB hub to which the device is connected. 
@@ -164,7 +163,7 @@ Device Installation section in Group Policy is a set of policies that control wh The following passages are brief descriptions of the Device Installation policies that are used in this guide. > [!NOTE] -> Device Installation control is applied only to machines (‘computer configuration’) and not users (‘user configuration’) by the nature of the Windows OS design. These policy settings affect all users who log on to the computer where the policy settings are applied. You can't apply these policies to specific users or groups except for the policy Allow administrators to override device installation policy. This policy exempts members of the local Administrators group from any of the device installation restrictions that you apply to the computer by configuring other policy settings as described in this section. +> Device Installation control is applied only to machines ('computer configuration') and not users ('user configuration') by the nature of the Windows OS design. These policy settings affect all users who log on to the computer where the policy settings are applied. You can't apply these policies to specific users or groups except for the policy Allow administrators to override device installation policy. This policy exempts members of the local Administrators group from any of the device installation restrictions that you apply to the computer by configuring other policy settings as described in this section. #### Allow administrators to override Device Installation Restriction policies 
@@ -219,22 +218,22 @@ To complete each of the scenarios, ensure you have: - A client computer running Windows. -- A USB thumb drive. The scenarios described in this guide use a USB thumb drive as the example device (also known as a “removable disk drive”, "memory drive," a "flash drive," or a "keyring drive"). Most USB thumb drives don't require any manufacturer-provided drivers, and these devices work with the inbox drivers provided with the Windows build. +- A USB thumb drive. The scenarios described in this guide use a USB thumb drive as the example device (also known as a "removable disk drive", "memory drive," a "flash drive," or a "keyring drive"). Most USB thumb drives don't require any manufacturer-provided drivers, and these devices work with the inbox drivers provided with the Windows build. - A USB/network printer pre-installed on the machine. - Access to the administrator account on the testing machine. The procedures in this guide require administrator privileges for most steps. -### Understanding implications of applying ‘Prevent’ policies retroactive +### Understanding implications of applying 'Prevent' policies retroactive -All ‘Prevent’ policies can apply the block functionality to already installed devices—devices that have been installed on the machine before the policy took effect. Using this option is recommended when the administrator isn't sure of the installation history of devices on the machine and would like to make sure the policy applies to all devices. +All 'Prevent' policies can apply the block functionality to already installed devices-devices that have been installed on the machine before the policy took effect. Using this option is recommended when the administrator isn't sure of the installation history of devices on the machine and would like to make sure the policy applies to all devices. 
-For example: A printer is already installed on the machine, preventing the installation of all printers will block any future printer from being installed while keeping only the installed printer usable. To apply the block retroactive, the administrator should check mark the “apply this policy to already installed devices” option. Marking this option will prevent access to already installed devices in addition to any future ones. +For example: A printer is already installed on the machine, preventing the installation of all printers will block any future printer from being installed while keeping only the installed printer usable. To apply the block retroactive, the administrator should check mark the "apply this policy to already installed devices" option. Marking this option will prevent access to already installed devices in addition to any future ones. This option is a powerful tool, but as such it has to be used carefully. > [!IMPORTANT] -> Applying the ‘Prevent retroactive’ option to crucial devices could render the machine useless/unacceptable! For example: Preventing retroactive all ‘Disk Drives’ could block the access to the disk on which the OS boots with; Preventing retroactive all ‘Net’ could block this machine from accessing network and to fix the issue the admin will have to have a direct connection. +> Applying the 'Prevent retroactive' option to crucial devices could render the machine useless/unacceptable! For example: Preventing retroactive all 'Disk Drives' could block the access to the disk on which the OS boots with; Preventing retroactive all 'Net' could block this machine from accessing network and to fix the issue the admin will have to have a direct connection. ## Determine device identification strings 
@@ -249,19 +248,19 @@ To find device identification strings using Device Manager 1. Make sure your printer is plugged in and installed. -2. To open Device Manager, click the Start button, type mmc devmgmt.msc in the Start Search box, and then press ENTER; or search for Device Manager as application. +1. To open Device Manager, click the Start button, type mmc devmgmt.msc in the Start Search box, and then press ENTER; or search for Device Manager as application. -3. Device Manager starts and displays a tree representing all of the devices detected on your computer. At the top of the tree is a node with your computers name next to it. Lower nodes represent the various categories of hardware into which your computers devices are grouped. +1. Device Manager starts and displays a tree representing all of the devices detected on your computer. At the top of the tree is a node with your computers name next to it. Lower nodes represent the various categories of hardware into which your computers devices are grouped. -4. Find the “Printers” section and find the target printer +1. Find the "Printers" section and find the target printer ![Selecting the printer in Device Manager.](images/device-installation-dm-printer-by-device.png)
_Selecting the printer in Device Manager_ -5. Double-click the printer and move to the ‘Details’ tab. +1. Double-click the printer and move to the 'Details' tab. - ![‘Details’ tab.](images/device-installation-dm-printer-details-screen.png)
_Open the ‘Details’ tab to look for the device identifiers_ + !['Details' tab.](images/device-installation-dm-printer-details-screen.png)
_Open the 'Details' tab to look for the device identifiers_ -6. From the ‘Value’ window, copy the most detailed Hardware ID – we'll use this value in the policies. +1. From the 'Value' window, copy the most detailed Hardware ID—we'll use this value in the policies. ![HWID.](images/device-installation-dm-printer-hardware-ids.png) 
@@ -311,24 +310,24 @@ Setting up the environment for the scenario with the following steps: 1. Open Group Policy Editor and navigate to the Device Installation Restriction section. -2. Disable all previous Device Installation policies, except ‘Apply layered order of evaluation’—although the policy is disabled in default, this policy is recommended to be enabled in most practical applications. +1. Disable all previous Device Installation policies, except 'Apply layered order of evaluation'-although the policy is disabled in default, this policy is recommended to be enabled in most practical applications. -3. If there are any enabled policies, changing their status to ‘disabled’, would clear them from all parameters +1. If there are any enabled policies, changing their status to 'disabled', would clear them from all parameters -4. Have a USB/network printer available to test the policy with +1. Have a USB/network printer available to test the policy with -### Scenario steps – preventing installation of prohibited devices +### Scenario steps - preventing installation of prohibited devices Getting the right device identifier to prevent it from being installed: 1. If you have on your system a device from the class you want to block, you could follow the steps in the previous section to find the Device Class identifier through Device Manager or PnPUtil (Class GUID). -2. If you don’t have such device installed on your system or know the name of the class, you can check the following two links: +1. If you don't have such device installed on your system or know the name of the class, you can check the following two links: - [System-Defined Device Setup Classes Available to Vendors - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors) - [System-Defined Device Setup Classes Reserved for System Use - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-reserved-for-system-use) -3. 
Our current scenario is focused on preventing all printers from being installed, as such here's the Class GUID for most of printers in the market: +1. Our current scenario is focused on preventing all printers from being installed, as such here's the Class GUID for most of printers in the market: > Printers\ > Class = Printer\ 
@@ -340,40 +339,40 @@ Getting the right device identifier to prevent it from being installed: Creating the policy to prevent all printers from being installed: -1. Open Group Policy Object Editor—either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search “Group Policy Editor” and open the UI. +1. Open Group Policy Object Editor-either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search "Group Policy Editor" and open the UI. -2. Navigate to the Device Installation Restriction page: +1. Navigate to the Device Installation Restriction page: > Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions -3. Make sure all policies are disabled (recommended to keep ‘applied layered order of evaluation’ policy enabled). +1. Make sure all policies are disabled (recommended to keep 'applied layered order of evaluation' policy enabled). -4. Open **Prevent installation of devices using drivers that match these device setup classes** policy and select the ‘Enable’ radio button. +1. Open **Prevent installation of devices using drivers that match these device setup classes** policy and select the 'Enable' radio button. -5. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This option will take you to a table where you can enter the class identifier to block. +1. In the lower left side, in the 'Options' window, click the 'Show...' box. This option will take you to a table where you can enter the class identifier to block. -6. Enter the printer class GUID you found above with the curly braces (this convention is important! Otherwise, it won’t work): {4d36e979-e325-11ce-bfc1-08002be10318} +1. Enter the printer class GUID you found above with the curly braces: `{4d36e979-e325-11ce-bfc1-08002be10318}`. 
![List of prevent Class GUIDs.](images/device-installation-gpo-prevent-class-list.png)
_List of prevent Class GUIDs_ -7. Click ‘OK’. +1. Click 'OK'. -8. Click ‘Apply’ on the bottom right of the policy’s window – this option pushes the policy and blocks all future printer installations, but doesn’t apply to existing installs. +1. Click 'Apply' on the bottom right of the policy's window—this option pushes the policy and blocks all future printer installations, but doesn't apply to existing installs. -9. Optional – if you would like to apply the policy to existing installs: Open the **Prevent installation of devices using drivers that match these device setup classes** policy again; in the ‘Options’ window mark the checkbox that says ‘also apply to matching devices that are already installed’ +1. Optional—if you would like to apply the policy to existing installs: Open the **Prevent installation of devices using drivers that match these device setup classes** policy again; in the 'Options' window mark the checkbox that says 'also apply to matching devices that are already installed' > [!IMPORTANT] -> Using a Prevent policy (like the one we used in scenario #1 above) and applying it to all previously installed devices (see step #9) could render crucial devices unusable; hence, use with caution. For example: If an IT admin wants to prevent all removable storage devices from being installed on the machine, using ‘Disk Drive’ class for blocking and applying it retroactive could render the internal hard-drive unusable and to break the machine. +> Using a Prevent policy (like the one we used in scenario #1 above) and applying it to all previously installed devices (see step #9) could render crucial devices unusable; hence, use with caution. For example: If an IT admin wants to prevent all removable storage devices from being installed on the machine, using 'Disk Drive' class for blocking and applying it retroactive could render the internal hard-drive unusable and to break the machine. ### Testing the scenario -1. 
If you haven't completed step #9 – follow these steps: +1. If you haven't completed step #9, follow these steps: - 1. Uninstall your printer: Device Manager > Printers > right click the Canon Printer > click “Uninstall device”. - 1. For USB printer – unplug and plug back the cable; for network device – make a search for the printer in the Windows Settings app. + 1. Uninstall your printer: Device Manager > Printers > right click the Canon Printer > click "Uninstall device". + 1. For USB printer—unplug and plug back the cable; for network device—make a search for the printer in the Windows Settings app. 1. You shouldn't be able to reinstall the printer. -2. If you completed step #9 above and restarted the machine, look for your printer under Device Manager or the Windows Settings app and see that it's no-longer available for you to use. +1. If you completed step #9 above and restarted the machine, look for your printer under Device Manager or the Windows Settings app and see that it's no-longer available for you to use. ## Scenario #2: Prevent installation of a specific printer 
@@ -385,39 +384,39 @@ Setting up the environment for the scenario with the following steps: 1. Open Group Policy Editor and navigate to the Device Installation Restriction section. -2. Ensure all previous Device Installation policies are disabled except ‘Apply layered order of evaluation’ (this prerequisite is optional to be On/Off this scenario). Although the policy is disabled in default, it's recommended to be enabled in most practical applications. For scenario #2, it's optional. +1. Ensure all previous Device Installation policies are disabled except 'Apply layered order of evaluation' (this prerequisite is optional to be On/Off this scenario). Although the policy is disabled in default, it's recommended to be enabled in most practical applications. For scenario #2, it's optional. -### Scenario steps – preventing installation of a specific device +### Scenario steps - preventing installation of a specific device Getting the right device identifier to prevent it from being installed: -1. Get your printer’s Hardware ID – in this example we'll use the identifier we found previously +1. Get your printer's Hardware ID. In this example we'll use the identifier we found previously. ![Printer Hardware ID identifier.](images/device-installation-dm-printer-hardware-ids.png)
_Printer Hardware ID_ -2. Write down the device ID (in this case Hardware ID) – WSDPRINT\CanonMX920_seriesC1A0; Take the more specific identifier to make sure you block a specific printer and not a family of printers +1. Write down the device ID (in this case Hardware ID): `WSDPRINT\CanonMX920_seriesC1A0;`. Take the more specific identifier to make sure you block a specific printer and not a family of printers Creating the policy to prevent a single printer from being installed: -1. Open Group Policy Object Editor – either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search “Group Policy Editor” and open the UI. +1. Open Group Policy Object Editor. -2. Navigate to the Device Installation Restriction page: +1. Navigate to the Device Installation Restriction page: > Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions -3. Open **Prevent installation of devices that match any of these device IDs** policy and select the ‘Enable’ radio button. +1. Open **Prevent installation of devices that match any of these device IDs** policy and select the 'Enable' radio button. -4. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This option will take you to a table where you can enter the device identifier to block. +1. In the lower left side, in the 'Options' window, click the 'Show...' box. This option will take you to a table where you can enter the device identifier to block. -5. Enter the printer device ID you found above – WSDPRINT\CanonMX920_seriesC1A0 +1. Enter the printer device ID you found above: `WSDPRINT\CanonMX920_seriesC1A0`. ![Prevent Device ID list.](images/device-installation-gpo-prevent-device-id-list-printer.png)
_Prevent Device ID list_ -6. Click ‘OK’. +1. Click 'OK'. -7. Click ‘Apply’ on the bottom right of the policy’s window. This option pushes the policy and blocks the target printer in future installations, but doesn’t apply to an existing install. +1. Click 'Apply' on the bottom right of the policy's window. This option pushes the policy and blocks the target printer in future installations, but doesn't apply to an existing install. -8. Optional – if you would like to apply the policy to an existing install: Open the **Prevent installation of devices that match any of these device IDs** policy again; in the ‘Options’ window mark the checkbox that says ‘also apply to matching devices that are already installed’. +1. Optionally, if you would like to apply the policy to an existing install, open the **Prevent installation of devices that match any of these device IDs** policy again. In the 'Options' window, mark the checkbox that says 'Also apply to matching devices that are already installed'. ### Testing the scenario @@ -425,12 +424,11 @@ If you completed step #8 above and restarted the machine, look for your printer If you haven't completed step #8, follow these steps: -1. Uninstall your printer: Device Manager > Printers > right click the Canon Printer > click “Uninstall device”. +1. Uninstall your printer: Device Manager > Printers > right click the Canon Printer > click "Uninstall device". -2. For USB printer – unplug and plug back the cable; for network device – make a search for the printer in the Windows Settings app. - -3. You shouldn't be able to reinstall the printer. +1. For USB printer, unplug and plug back the cable; for network device, make a search for the printer in the Windows Settings app. +1. You shouldn't be able to reinstall the printer. ## Scenario #3: Prevent installation of all printers while allowing a specific printer to be installed 
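Review bot: The rewritten "Write down the device ID" step in the "@@ -385" hunk puts the sentence's semicolon inside the code span, `WSDPRINT\CanonMX920_seriesC1A0;`, so a reader who copies the span gets a value that presumably will not match the printer, and the Prevent policy would then not block the device it was meant to block. In the old line the semicolon was only punctuation separating the two sentences, and the later "Enter the printer device ID you found above" step in the same hunk shows the identifier correctly as `WSDPRINT\CanonMX920_seriesC1A0`. Suggested wording: `1. Write down the device ID (in this case Hardware ID): ` followed by the identifier in a code span without the semicolon and then `. Take the more specific identifier to make sure you block a specific printer and not a family of printers.`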
@@ -442,67 +440,66 @@ Setting up the environment for the scenario with the following steps: 1. Open Group Policy Editor and navigate to the Device Installation Restriction section. -2. Disable all previous Device Installation policies, and enable ‘Apply layered order of evaluation’. +1. Disable all previous Device Installation policies, and enable 'Apply layered order of evaluation'. -3. If there are any enabled policies, changing their status to ‘disabled’, would clear them from all parameters. +1. If there are any enabled policies, changing their status to 'disabled', would clear them from all parameters. -4. Have a USB/network printer available to test the policy with. +1. Have a USB/network printer available to test the policy with. -### Scenario steps – preventing installation of an entire class while allowing a specific printer +### Scenario steps - preventing installation of an entire class while allowing a specific printer -Getting the device identifier for both the Printer Class and a specific printer – following the steps in scenario #1 to find Class identifier and scenario #2 to find Device identifier you could get the identifiers you need for this scenario: +Getting the device identifier for both the Printer Class and a specific printer—following the steps in scenario #1 to find Class identifier and scenario #2 to find Device identifier you could get the identifiers you need for this scenario: - ClassGuid = {4d36e979-e325-11ce-bfc1-08002be10318} - Hardware ID = WSDPRINT\CanonMX920_seriesC1A0 -First create a ‘Prevent Class’ policy and then create ‘Allow Device’ one: +First create a 'Prevent Class' policy and then create 'Allow Device' one: -1. Open Group Policy Object Editor – either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search “Group Policy Editor” and open the UI. +1. 
Open Group Policy Object Editor—either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search "Group Policy Editor" and open the UI. -2. Navigate to the Device Installation Restriction page: +1. Navigate to the Device Installation Restriction page: > Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions -3. Make sure all policies are disabled +1. Make sure all policies are disabled -4. Open **Prevent installation of devices using drivers that match these device setup classes** policy and select the ‘Enable’ radio button. +1. Open **Prevent installation of devices using drivers that match these device setup classes** policy and select the 'Enable' radio button. -5. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This option will take you to a table where you can enter the class identifier to block. +1. In the lower left side, in the 'Options' window, click the 'Show...' box. This option will take you to a table where you can enter the class identifier to block. -6. Enter the printer class GUID you found above with the curly braces (this value is important! Otherwise, it won’t work): {4d36e979-e325-11ce-bfc1-08002be10318} +1. Enter the printer class GUID you found above with the curly braces (this value is important! Otherwise, it won't work): {4d36e979-e325-11ce-bfc1-08002be10318} ![List of prevent Class GUIDs.](images/device-installation-gpo-prevent-class-list.png)
_List of prevent Class GUIDs_ -7. Click ‘OK’. +1. Click 'OK'. -8. Click ‘Apply’ on the bottom right of the policy’s window – this option pushes the policy and blocks all future printer installations, but doesn’t apply to existing installs. +1. Click 'Apply' on the bottom right of the policy's window—this option pushes the policy and blocks all future printer installations, but doesn't apply to existing installs. -9. To complete the coverage of all future and existing printers – Open the **Prevent installation of devices using drivers that match these device setup classes** policy again; in the ‘Options’ window mark the checkbox that says ‘also apply to matching devices that are already installed’ and click ‘OK’ +1. To complete the coverage of all future and existing printers, open the **Prevent installation of devices using drivers that match these device setup classes** policy again; in the 'Options' window mark the checkbox that says 'also apply to matching devices that are already installed' and click 'OK' -10. Open the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and enable it – this policy will enable you to override the wide coverage of the ‘Prevent’ policy with a specific device. +1. Open the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and enable it—this policy will enable you to override the wide coverage of the 'Prevent' policy with a specific device. - ![Image of Local Group Policy Editor that shows the policies under "Device Installation Restrictions" and the policy named in this step.](images/device-installation-apply-layered_policy-1.png) + :::image type="content" alt-text="Screenshot of Local Group Policy Editor that shows the policies under Device Installation Restrictions and the policy named in this step." 
source="images/device-installation-apply-layered_policy-1.png" lightbox="images/device-installation-apply-layered_policy-1.png"::: - ![Image that shows the current settings of the policy named in this step, "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria.".](images/device-installation-apply-layered-policy-2.png)
_Apply layered order of evaluation policy_ + [![Image that shows the current settings of the policy named in this step, "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria.](images/device-installation-apply-layered-policy-2.png)](images/device-installation-apply-layered-policy-2.png#lightbox)
_Apply layered order of evaluation policy_ -9. Now Open **Allow installation of devices that match any of these device IDs** policy and select the ‘Enable’ radio button. +1. Now Open **Allow installation of devices that match any of these device IDs** policy and select the 'Enable' radio button. -10. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This option will take you to a table where you can enter the device identifier to allow. +1. In the lower left side, in the 'Options' window, click the 'Show...' box. This option will take you to a table where you can enter the device identifier to allow. -11. Enter the printer device ID you found above: WSDPRINT\CanonMX920_seriesC1A0. +1. Enter the printer device ID you found above: WSDPRINT\CanonMX920_seriesC1A0. ![Allow Printer Hardware ID.](images/device-installation-gpo-allow-device-id-list-printer.png)
_Allow Printer Hardware ID_ -12. Click ‘OK’. +1. Click 'OK'. -13. Click ‘Apply’ on the bottom right of the policy’s window – this option pushes the policy and allows the target printer to be installed (or stayed installed). +1. Click 'Apply' on the bottom right of the policy's window—this option pushes the policy and allows the target printer to be installed (or stayed installed). ## Testing the scenario 1. Look for your printer under Device Manager or the Windows Settings app and see that it's still there and accessible. Or just print a test document. -2. Go back to the Group Policy Editor, disable **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and test again your printer – you shouldn't be bale to print anything or able to access the printer at all. - +1. Go back to the Group Policy Editor, disable **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and test again your printer—you shouldn't be bale to print anything or able to access the printer at all. ## Scenario #4: Prevent installation of a specific USB device 
@@ -514,67 +511,65 @@ Setting up the environment for the scenario with the following steps: 1. Open Group Policy Editor and navigate to the Device Installation Restriction section -2. Ensure all previous Device Installation policies are disabled except ‘Apply layered order of evaluation’ (this prerequisite is optional to be On/Off this scenario) – although the policy is disabled in default, it's recommended to be enabled in most practical applications. +1. Ensure all previous Device Installation policies are disabled except 'Apply layered order of evaluation'. This prerequisite is optional to be On/Off this scenario. Although the policy is disabled in default, it's recommended to be enabled in most practical applications. -### Scenario steps – preventing installation of a specific device +### Scenario steps - preventing installation of a specific device Getting the right device identifier to prevent it from being installed and its location in the PnP tree: 1. Connect a USB thumb drive to the machine -2. Open Device Manager +1. Open Device Manager + +1. Find the USB thumb-drive and select it. -3. Find the USB thumb-drive and select it. - ![Selecting the usb thumb-drive in Device Manager.](images/device-installation-dm-usb-by-device.png)
_Selecting the usb thumb-drive in Device Manager_ -4. Change View (in the top menu) to ‘Devices by connections’. This view represents the way devices are installed in the PnP tree. +1. Change View (in the top menu) to 'Devices by connections'. This view represents the way devices are installed in the PnP tree. ![Changing view in Device Manager to see the PnP connection tree.](images/device-installation-dm-usb-by-connection.png)
_Changing view in Device Manager to see the PnP connection tree_ > [!NOTE] - > When blocking\Preventing a device that sits higher in the PnP tree, all the devices that sit under it will be blocked. For example: Preventing a “Generic USB Hub” from being installed, all the devices that lay below a “Generic USB Hub” will be blocked. - + > When blocking\Preventing a device that sits higher in the PnP tree, all the devices that sit under it will be blocked. For example: Preventing a "Generic USB Hub" from being installed, all the devices that lay below a "Generic USB Hub" will be blocked. + ![Blocking nested devices from the root.](images/device-installation-dm-usb-by-connection-blocked.png)
_When blocking one device, all the devices that are nested below it will be blocked as well_ -5. Double-click the USB thumb-drive and move to the ‘Details’ tab. +1. Double-click the USB thumb-drive and move to the 'Details' tab. + +1. From the 'Value' window, copy the most detailed Hardware ID-we'll use this value in the policies. In this case Device ID = USBSTOR\DiskGeneric_Flash_Disk______8.07 -6. From the ‘Value’ window, copy the most detailed Hardware ID—we'll use this value in the policies. In this case Device ID = USBSTOR\DiskGeneric_Flash_Disk______8.07 - ![USB device hardware IDs.](images/device-installation-dm-usb-hwid.png)
_USB device hardware IDs_ Creating the policy to prevent a single USB thumb-drive from being installed: -1. Open Group Policy Object Editor – either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search “Group Policy Editor” and open the UI. +1. Open Group Policy Object Editor and either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search "Group Policy Editor" and open the UI. -2. Navigate to the Device Installation Restriction page: +1. Navigate to the Device Installation Restriction page: > Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions -3. Open **Prevent installation of devices that match any of these device IDs** policy and select the ‘Enable’ radio button. +1. Open **Prevent installation of devices that match any of these device IDs** policy and select the 'Enable' radio button. -4. In the lower left side, in the ‘Options’ window, click the ‘Show’ box. This option will take you to a table where you can enter the device identifier to block. +1. In the lower left side, in the 'Options' window, click the 'Show' box. This option will take you to a table where you can enter the device identifier to block. + +1. Enter the USB thumb-drive device ID you found above—`USBSTOR\DiskGeneric_Flash_Disk______8.07`. -5. Enter the USB thumb-drive device ID you found above – USBSTOR\DiskGeneric_Flash_Disk______8.07 - ![Prevent Device IDs list.](images/device-installation-gpo-prevent-device-id-list-usb.png)
_Prevent Device IDs list_ -6. Click ‘OK’. +1. Click 'OK'. -7. Click ‘Apply’ on the bottom right of the policy’s window – this option pushes the policy and blocks the target USB thumb-drive in future installations, but doesn’t apply to an existing install. - -8. Optional – if you would like to apply the policy to an existing install: Open the **Prevent installation of devices that match any of these device IDs** policy again; in the ‘Options’ window, mark the checkbox that says ‘also apply to matching devices that are already installed’ +1. Click 'Apply' on the bottom right of the policy's window. This option pushes the policy and blocks the target USB thumb-drive in future installations, but doesn't apply to an existing install. +1. Optional - if you would like to apply the policy to an existing install, open the **Prevent installation of devices that match any of these device IDs** policy again. In the 'Options' window, mark the checkbox that says 'also apply to matching devices that are already installed'. ### Testing the scenario -1. If you haven't completed step #8 – follow these steps: +1. If you haven't completed step #8, follow these steps: - - Uninstall your USB thumb-drive: Device Manager > Disk drives > right click the target USB thumb-drive > click “Uninstall device”. + - Uninstall your USB thumb-drive: Device Manager > Disk drives > right click the target USB thumb-drive > click "Uninstall device". - You shouldn't be able to reinstall the device. -2. If you completed step #8 above and restarted the machine, look for your Disk drives under Device Manager and see that it's no-longer available for you to use. - +1. If you completed step #8 above and restarted the machine, look for your Disk drives under Device Manager and see that it's no-longer available for you to use. ## Scenario #5: Prevent installation of all USB devices while allowing an installation of only an authorized USB thumb-drive 
@@ -586,15 +581,15 @@ Setting up the environment for the scenario with the following steps: 1. Open Group Policy Editor and navigate to the Device Installation Restriction section. -2. Disable all previous Device Installation policies, and **enable** ‘Apply layered order of evaluation’. +1. Disable all previous Device Installation policies, and **enable** 'Apply layered order of evaluation'. -3. If there are any enabled policies, changing their status to ‘disabled’, would clear them from all parameters. +1. If there are any enabled policies, changing their status to 'disabled', would clear them from all parameters. -4. Have a USB thumb-drive available to test the policy with. +1. Have a USB thumb-drive available to test the policy with. -### Scenario steps – preventing installation of all USB devices while allowing only an authorized USB thumb-drive +### Scenario steps - preventing installation of all USB devices while allowing only an authorized USB thumb-drive -Getting the device identifier for both the USB Classes and a specific USB thumb-drive – following the steps in scenario #1 to find Class identifier and scenario #4 to find Device identifier you could get the identifiers you need for this scenario: +Getting the device identifier for both the USB Classes and a specific USB thumb-drive and following the steps in scenario #1 to find Class identifier and scenario #4 to find Device identifier you could get the identifiers you need for this scenario: - USB Bus Devices (hubs and host controllers) - Class = USB 
@@ -610,16 +605,16 @@ Getting the device identifier for both the USB Classes and a specific USB thumb- As mentioned in scenario #4, it's not enough to enable only a single hardware ID in order to enable a single USB thumb-drive. The IT admin has to ensure all the USB devices that preceding the target one aren't blocked (allowed) as well. In Our case the following devices has to be allowed so the target USB thumb-drive could be allowed as well: -- “Intel(R) USB 3.0 eXtensible Host Controller – 1.0 (Microsoft)” -> PCI\CC_0C03 -- “USB Root Hub (USB 3.0)” -> USB\ROOT_HUB30 -- “Generic USB Hub” -> USB\USB20_HUB - +- "Intel(R) USB 3.0 eXtensible Host Controller - 1.0 (Microsoft)" -> PCI\CC_0C03 +- "USB Root Hub (USB 3.0)" -> USB\ROOT_HUB30 +- "Generic USB Hub" -> USB\USB20_HUB + ![USB devices nested in the PnP tree.](images/device-installation-dm-usb-by-connection-layering.png)
_USB devices nested under each other in the PnP tree_ These devices are internal devices on the machine that define the USB port connection to the outside world. Enabling them shouldn't enable any external/peripheral device from being installed on the machine. > [!IMPORTANT] -> Some device in the system have several layers of connectivity to define their installation on the system. USB thumb-drives are such devices. Thus, when looking to either block or allow them on a system, it's important to understand the path of connectivity for each device. There are several generic Device IDs that are commonly used in systems and could provide a good start to build an ‘Allow list’ in such cases. See below for the list: +> Some device in the system have several layers of connectivity to define their installation on the system. USB thumb-drives are such devices. Thus, when looking to either block or allow them on a system, it's important to understand the path of connectivity for each device. There are several generic Device IDs that are commonly used in systems and could provide a good start to build an 'Allow list' in such cases. See below for the list: > > PCI\CC_0C03; PCI\CC_0C0330; PCI\VEN_8086; PNP0CA1; PNP0CA1&HOST (for Host Controllers)/ > USB\ROOT_HUB30; USB\ROOT_HUB20 (for USB Root Hubs)/ 
@@ -629,49 +624,49 @@ These devices are internal devices on the machine that define the USB port conne > > Different PC manufacturers sometimes have different ways to nest USB devices in the PnP tree, but in general this is how it's done. -First create a ‘Prevent Class’ policy and then create ‘Allow Device’ one: +First create a 'Prevent Class' policy and then create 'Allow Device' one: -1. Open Group Policy Object Editor – either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search “Group Policy Editor” and open the UI. +1. Open Group Policy Object Editor: either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search "Group Policy Editor" and open the UI. -2. Navigate to the Device Installation Restriction page: +1. Navigate to the Device Installation Restriction page: > Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions -3. Make sure all policies are disabled +1. Make sure all policies are disabled -4. Open **Prevent installation of devices using drivers that match these device setup classes** policy and select the ‘Enable’ radio button. +1. Open **Prevent installation of devices using drivers that match these device setup classes** policy and select the 'Enable' radio button. -5. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This option will take you to a table where you can enter the class identifier to block. +1. In the lower left side, in the 'Options' window, click the 'Show...' box. This option will take you to a table where you can enter the class identifier to block. -6. Enter both USB classes GUID you found above with the curly braces: +1. Enter both USB classes GUID you found above with the curly braces: > {36fc9e60-c465-11cf-8056-444553540000}/ - > {88BAE032-5A81-49f0-BC3D-A4FF138216D6} + > {88BAE032-5A81-49f0-BC3D-A4FF138216D6} -7. 
Click ‘OK’. +1. Click 'OK'. -8. Click ‘Apply’ on the bottom right of the policy’s window – this option pushes the policy and blocks all future USB device installations, but doesn’t apply to existing installs. +1. Click 'Apply' on the bottom right of the policy's window. This option pushes the policy and blocks all future USB device installations, but doesn't apply to existing installs. > [!IMPORTANT] > The previous step prevents all future USB devices from being installed. Before you move to the next step make sure you have as complete list as possible of all the USB Host Controllers, USB Root Hubs and Generic USB Hubs Device IDs available to prevent blocking you from interacting with your system through keyboards and mice. -9. Open the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and enable it – this policy will enable you to override the wide coverage of the ‘Prevent’ policy with a specific device. +1. Open the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and enable it. This policy will enable you to override the wide coverage of the 'Prevent' policy with a specific device. ![Apply layered order of evaluation policy.](images/device-installation-apply-layered_policy-1.png)
_Apply layered order of evaluation policy_ -10. Now Open **Allow installation of devices that match any of these device IDs** policy and select the ‘Enable’ radio button. +1. Now Open **Allow installation of devices that match any of these device IDs** policy and select the 'Enable' radio button. -11. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This option will take you to a table where you can enter the device identifier to allow. +1. In the lower left side, in the 'Options' window, click the 'Show...' box. This option will take you to a table where you can enter the device identifier to allow. -12. Enter the full list of USB device IDs you found above including the specific USB Thumb-drive you would like to authorize for installation – USBSTOR\DiskGeneric_Flash_Disk______8.07 +1. Enter the full list of USB device IDs you found above including the specific USB Thumb-drive you would like to authorize for installation—`USBSTOR\DiskGeneric_Flash_Disk______8.07`. ![Image of an example list of devices that have been configured for the policy "Allow installation of devices that match any of these Device IDs.".](images/device-installation-gpo-allow-device-id-list-usb.png)
_Allowed USB Device IDs list_
-13. Click ‘OK’.
+1. Click 'OK'.
-14. Click ‘Apply’ on the bottom right of the policy’s window.
+1. Click 'Apply' on the bottom right of the policy's window.
-15. To apply the ‘Prevent’ coverage of all currently installed USB devices – Open the **Prevent installation of devices using drivers that match these device setup classes** policy again; in the ‘Options’ window mark the checkbox that says ‘also apply to matching devices that are already installed’ and click ‘OK’.
+1. To apply the 'Prevent' coverage of all currently installed USB devices, open the **Prevent installation of devices using drivers that match these device setup classes** policy again; in the 'Options' window mark the checkbox that says 'also apply to matching devices that are already installed' and click 'OK'.
### Testing the scenario
diff --git a/windows/client-management/client-tools/manage-settings-app-with-group-policy.md b/windows/client-management/client-tools/manage-settings-app-with-group-policy.md
new file mode 100644
index 0000000000..a0af81bb73
--- /dev/null
+++ b/windows/client-management/client-tools/manage-settings-app-with-group-policy.md
@@ -0,0 +1,44 @@
+---
+title: Manage the Settings app with Group Policy
+description: Find out how to manage the Settings app with Group Policy so you can hide specific pages from users.
+ms.prod: windows-client
+author: vinaypamnani-msft
+ms.date: 04/13/2023
+ms.reviewer:
+manager: aaroncz
+ms.author: vinpa
+ms.topic: article
+ms.technology: itpro-manage
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
+- ✅ Windows Server 2016
+---
+
+# Manage the Settings app with Group Policy
+
+You can manage the pages that are shown in the Settings app by using Group Policy. When you use Group Policy to manage pages, you can hide specific pages from users.
+
+> [!NOTE]
+> To make use of the Settings App group policies on Windows server 2016, install fix [4457127](https://support.microsoft.com/help/4457127/windows-10-update-kb4457127) or a later cumulative update. Each server that you want to manage access to the Settings App must be patched.
+
+If your organization uses the [Central Store](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) for Group Policy management, to manage the policies, copy the ControlPanel.admx and ControlPanel.adml file to PolicyDefinitions folder.
+
+This policy is available for both User and Computer configurations.
+
+- **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Settings Page Visibility**.
+- **User Configuration** > **Administrative Templates** > **Control Panel** > **Settings Page Visibility**.
+
+![Settings page visibility policy.](images/settings-page-visibility-gp.png)
+
+## Configuring the Group Policy
+
+The Group Policy can be configured in one of two ways: specify a list of pages that are shown or specify a list of pages to hide. To do this, add either **ShowOnly:** or **Hide:** followed by a semicolon-delimited list of URIs in **Settings Page Visibility**. 
For a full list of URIs, see the URI scheme reference section in [Launch the Windows Settings app](/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference).
+
+> [!IMPORTANT]
+> When you specify the URI in the Settings Page Visibility textbox, don't include **ms-settings:** in the string.
+
+For example:
+
+- To show only the Ethernet and Proxy pages, set the **Settings App Visibility** textbox to **ShowOnly:Network-Proxy;Network-Ethernet**.
+- To hide the Ethernet and Proxy pages, set the **Settings App Visibility** textbox to **Hide:Network-Proxy;Network-Ethernet**.
diff --git a/windows/client-management/mandatory-user-profile.md b/windows/client-management/client-tools/mandatory-user-profile.md
similarity index 64%
rename from windows/client-management/mandatory-user-profile.md
rename to windows/client-management/client-tools/mandatory-user-profile.md
index 6f1798eb0e..181e7485db 100644
--- a/windows/client-management/mandatory-user-profile.md
+++ b/windows/client-management/client-tools/mandatory-user-profile.md
@@ -1,46 +1,44 @@ --- -title: Create mandatory user profiles (Windows 10 and Windows 11) +title: Create mandatory user profiles description: A mandatory user profile is a special type of pre-configured roaming user profile that administrators can use to specify settings for users. ms.prod: windows-client author: vinaypamnani-msft ms.author: vinpa -ms.date: 09/14/2021 +ms.date: 04/11/2023 ms.reviewer: manager: aaroncz ms.topic: article ms.collection: - - highpri - - tier2 +- highpri +- tier2 ms.technology: itpro-manage +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 --- # Create mandatory user profiles -**Applies to** - -- Windows 10 -- Windows 11 - -A mandatory user profile is a roaming user profile that has been pre-configured by an administrator to specify settings for users. Settings commonly defined in a mandatory profile include (but are not limited to): icons that appear on the desktop, desktop backgrounds, user preferences in Control Panel, printer selections, and more. Configuration changes made during a user's session that are normally saved to a roaming user profile are not saved when a mandatory user profile is assigned. +A mandatory user profile is a roaming user profile that has been pre-configured by an administrator to specify settings for users. Settings commonly defined in a mandatory profile include (but are not limited to) icons that appear on the desktop, desktop backgrounds, user preferences in Control Panel, printer selections, and more. Configuration changes made during a user's session that are normally saved to a roaming user profile are not saved when a mandatory user profile is assigned. Mandatory user profiles are useful when standardization is important, such as on a kiosk device or in educational settings. Only system administrators can make changes to mandatory user profiles. 
When the server that stores the mandatory profile is unavailable, such as when the user is not connected to the corporate network, users with mandatory profiles can sign in with the locally cached copy of the mandatory profile, if one exists. Otherwise, the user will be signed in with a temporary profile. -User profiles become mandatory profiles when the administrator renames the NTuser.dat file (the registry hive) of each user's profile in the file system of the profile server from `NTuser.dat` to `NTuser.man`. The `.man` extension causes the user profile to be a read-only profile. +User profiles become mandatory profiles when the administrator renames the `NTuser.dat` file (the registry hive) of each user's profile in the file system of the profile server from `NTuser.dat` to `NTuser.man`. The `.man` extension causes the user profile to be a read-only profile. ## Profile extension for each Windows version The name of the folder in which you store the mandatory profile must use the correct extension for the operating system it will be applied to. The following table lists the correct extension for each operating system version. -| Client operating system version | Server operating system version | Profile extension | -| --- | --- | --- | -| Windows XP | Windows Server 2003
Windows Server 2003 R2 | none | -| Windows Vista
Windows 7 | Windows Server 2008
Windows Server 2008 R2 | v2 | -| Windows 8 | Windows Server 2012 | v3 | -| Windows 8.1 | Windows Server 2012 R2 | v4 | -| Windows 10, versions 1507 and 1511 | N/A | v5 | -| Windows 10, versions 1607, 1703, 1709, 1803, 1809, 1903 and 1909 | Windows Server 2016 and Windows Server 2019 | v6 | +| Client operating system version | Server operating system version | Profile extension | +|-------------------------------------|-------------------------------------------------|-------------------| +| Windows XP | Windows Server 2003
Windows Server 2003 R2 | none | +| Windows Vista
Windows 7 | Windows Server 2008
Windows Server 2008 R2 | v2 | +| Windows 8 | Windows Server 2012 | v3 | +| Windows 8.1 | Windows Server 2012 R2 | v4 | +| Windows 10, versions 1507 and 1511 | N/A | v5 | +| Windows 10, versions 1607 and later | Windows Server 2016 and Windows Server 2019 | v6 | For more information, see [Deploy Roaming User Profiles, Appendix B](/windows-server/storage/folder-redirection/deploy-roaming-user-profiles#appendix-b-profile-version-reference-information) and [Roaming user profiles versioning in Windows 10 and Windows Server Technical Preview](/troubleshoot/windows-server/user-profiles-and-logon/roaming-user-profiles-versioning). 
@@ -50,33 +48,33 @@ First, you create a default user profile with the customizations that you want, ### How to create a default user profile -1. Sign in to a computer running Windows 10 as a member of the local Administrator group. Do not use a domain account. +1. Sign in to a computer running Windows as a member of the local Administrator group. Do not use a domain account. > [!NOTE] - > Use a lab or extra computer running a clean installation of Windows 10 to create a default user profile. Do not use a computer that is required for business (that is, a production computer). This process removes all domain accounts from the computer, including user profile folders. + > Use a lab or extra computer running a clean installation of Windows to create a default user profile. Do not use a computer that is required for business (that is, a production computer). This process removes all domain accounts from the computer, including user profile folders. 1. Configure the computer settings that you want to include in the user profile. For example, you can configure settings for the desktop background, uninstall default apps, install line-of-business apps, and so on. > [!NOTE] > Unlike previous versions of Windows, you cannot apply a Start and taskbar layout using a mandatory profile. For alternative methods for customizing the Start menu and taskbar, see [Related topics](#related-topics). -1. [Create an answer file (Unattend.xml)](/windows-hardware/customize/desktop/wsim/create-or-open-an-answer-file) that sets the [CopyProfile](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-copyprofile) parameter to **True**. The CopyProfile parameter causes Sysprep to copy the currently signed-on user’s profile folder to the default user profile. 
You can use [Windows System Image Manager](/windows-hardware/customize/desktop/wsim/windows-system-image-manager-technical-reference), which is part of the Windows Assessment and Deployment Kit (ADK) to create the Unattend.xml file. +1. [Create an answer file (Unattend.xml)](/windows-hardware/customize/desktop/wsim/create-or-open-an-answer-file) that sets the [CopyProfile](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-copyprofile) parameter to **True**. The CopyProfile parameter causes Sysprep to copy the currently signed-on user's profile folder to the default user profile. You can use [Windows System Image Manager](/windows-hardware/customize/desktop/wsim/windows-system-image-manager-technical-reference), which is part of the Windows Assessment and Deployment Kit (ADK) to create the Unattend.xml file. -1. Uninstall any application you do not need or want from the PC. For examples on how to uninstall Windows 10 Application see [Remove-AppxProvisionedPackage](/powershell/module/dism/remove-appxprovisionedpackage?view=win10-ps&preserve-view=true). For a list of uninstallable applications, see [Understand the different apps included in Windows 10](/windows/application-management/apps-in-windows-10). +1. Uninstall any application you do not need or want from the PC. For examples on how to uninstall Windows Application see [Remove-AppxProvisionedPackage](/powershell/module/dism/remove-appxprovisionedpackage?view=win10-ps&preserve-view=true). For a list of uninstallable applications, see [Understand the different apps included in Windows](/windows/application-management/apps-in-windows-10). > [!NOTE] > It is highly recommended to uninstall unwanted or unneeded apps as it will speed up user sign-in times. 1. At a command prompt, type the following command and press **ENTER**. - ```console + ```cmd sysprep /oobe /reboot /generalize /unattend:unattend.xml ``` - (Sysprep.exe is located at: C:\\Windows\\System32\\sysprep. 
By default, Sysprep looks for unattend.xml in this same folder.) + (Sysprep.exe is located at: `C:\Windows\System32\sysprep`. By default, Sysprep looks for `unattend.xml` in the same folder.) > [!TIP] - > If you receive an error message that says "Sysprep was not able to validate your Windows installation", open %WINDIR%\\System32\\Sysprep\\Panther\\setupact.log and look for an entry like the following: + > If you receive an error message that says "Sysprep was not able to validate your Windows installation", open `%WINDIR%\System32\Sysprep\Panther\setupact.log` and look for an entry like the following: > > ![Microsoft Bing Translator package error.](images/sysprep-error.png) > @@ -88,7 +86,6 @@ First, you create a default user profile with the customizations that you want, 1. In **User Profiles**, click **Default Profile**, and then click **Copy To**. - ![Example of User Profiles UI.](images/copy-to.png) 1. In **Copy To**, under **Permitted to use**, click **Change**. 
@@ -97,7 +94,7 @@ First, you create a default user profile with the customizations that you want, 1. In **Select User or Group**, in the **Enter the object name to select** field, type `everyone`, click **Check Names**, and then click **OK**. -1. In **Copy To**, in the **Copy profile to** field, enter the path and folder name where you want to store the mandatory profile. The folder name must use the correct [extension](#profile-extension-for-each-windows-version) for the operating system version. For example, the folder name must end with ".v6" to identify it as a user profile folder for Windows 10, version 1607. +1. In **Copy To**, in the **Copy profile to** field, enter the path and folder name where you want to store the mandatory profile. The folder name must use the correct [extension](#profile-extension-for-each-windows-version) for the operating system version. For example, the folder name must end with `.v6` to identify it as a user profile folder for Windows 10, version 1607 or later. - If the device is joined to the domain and you are signed in with an account that has permissions to write to a shared folder on the network, you can enter the shared folder path. @@ -105,8 +102,6 @@ First, you create a default user profile with the customizations that you want, - If the device is not joined to the domain, you can save the profile locally and then copy it to the shared folder location. - ![Example of Copy To UI with UNC path.](images/copy-to-path.png) - 1. Click **OK** to copy the default user profile. ### How to make the user profile mandatory 
@@ -137,7 +132,7 @@ In a domain, you modify properties for the user account to point to the mandator 1. Right-click the user name and open **Properties**. -1. On the **Profile** tab, in the **Profile path** field, enter the path to the shared folder without the extension. For example, if the folder name is \\\\*server*\\profile.v6, you would enter \\\\*server*\\profile. +1. On the **Profile** tab, in the **Profile path** field, enter the path to the shared folder without the extension. For example, if the folder name is `\\server\share\profile.v6`, you would enter `\\server\share\profile`. 1. Click **OK**. 
@@ -145,16 +140,16 @@ It may take some time for this change to replicate to all domain controllers. ## Apply policies to improve sign-in time -When a user is configured with a mandatory profile, Windows 10 starts as though it was the first sign-in each time the user signs in. To improve sign-in performance for users with mandatory user profiles, apply the Group Policy settings shown in the following table. (The table shows which operating system versions each policy setting can apply to.) +When a user is configured with a mandatory profile, Windows starts as though it was the first sign-in each time the user signs in. To improve sign-in performance for users with mandatory user profiles, apply the Group Policy settings shown in the following table. -| Group Policy setting | Windows 10 | Windows Server 2016 | Windows 8.1 | Windows Server 2012 | -| --- | --- | --- | --- | --- | -| Computer Configuration > Administrative Templates > System > Logon > **Show first sign-in animation** = Disabled | ![supported.](images/checkmark.png) | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) | -| Computer Configuration > Administrative Templates > Windows Components > Search > **Allow Cortana** = Disabled | ![supported.](images/checkmark.png) | ![supported](images/checkmark.png) | ![not supported](images/crossmark.png) | ![not supported](images/crossmark.png) | -| Computer Configuration > Administrative Templates > Windows Components > Cloud Content > **Turn off Microsoft consumer experience** = Enabled | ![supported.](images/checkmark.png) | ![not supported](images/crossmark.png) | ![not supported](images/crossmark.png) | ![not supported](images/crossmark.png) | +| Group Policy setting | Windows 10 | Windows Server 2016 | +|-----------------------------------------------------------------------------------------------------------------------------------------------|:----------:|:-------------------:| +| Computer 
Configuration > Administrative Templates > System > Logon > **Show first sign-in animation** = Disabled | ✅ | ✅ | +| Computer Configuration > Administrative Templates > Windows Components > Search > **Allow Cortana** = Disabled | ✅ | ✅ | +| Computer Configuration > Administrative Templates > Windows Components > Cloud Content > **Turn off Microsoft consumer experience** = Enabled | ✅ | ❌ | > [!NOTE] -> The Group Policy settings above can be applied in Windows 10 Professional edition. +> The Group Policy settings above can be applied in Windows Professional edition. ## Related topics diff --git a/windows/client-management/quick-assist.md b/windows/client-management/client-tools/quick-assist.md similarity index 96% rename from windows/client-management/quick-assist.md rename to windows/client-management/client-tools/quick-assist.md index 4e59e30993..9997673adf 100644 --- a/windows/client-management/quick-assist.md +++ b/windows/client-management/client-tools/quick-assist.md @@ -1,6 +1,7 @@ --- title: Use Quick Assist to help users description: Learn how IT Pros can use Quick Assist to help users. +ms.date: 04/11/2023 ms.prod: windows-client ms.topic: article ms.technology: itpro-manage @@ -10,12 +11,11 @@ ms.author: vinpa manager: aaroncz ms.reviewer: pmadrigal appliesto: - - ✅ Windows 10 and later - - ✅ Windows 11 and later +- ✅ Windows 11 +- ✅ Windows 10 ms.collection: - - highpri - - tier1 -ms.date: 03/06/2023 +- highpri +- tier1 --- # Use Quick Assist to help users 
@@ -26,9 +26,6 @@ Quick Assist is a Microsoft Store application that enables a person to share the All that's required to use Quick Assist is suitable network and internet connectivity. No roles, permissions, or policies are involved. Neither party needs to be in a domain. The helper must have a Microsoft account. The sharer doesn't have to authenticate. -> [!IMPORTANT] -> Quick Assist is not available in the Azure Government cloud. - ### Authentication The helper can authenticate when they sign in by using a Microsoft account (MSA) or Azure Active Directory (Azure AD). Local Active Directory authentication isn't currently supported. diff --git a/windows/client-management/client-tools/toc.yml b/windows/client-management/client-tools/toc.yml new file mode 100644 index 0000000000..311cb0c84f --- /dev/null +++ b/windows/client-management/client-tools/toc.yml @@ -0,0 +1,19 @@ +items: + - name: Windows Tools/Administrative Tools + href: administrative-tools-in-windows.md + - name: Use Quick Assist to help users + href: quick-assist.md + - name: Connect to remote Azure Active Directory-joined PC + href: connect-to-remote-aadj-pc.md + - name: Create mandatory user profiles + href: mandatory-user-profile.md + - name: Manage Device Installation with Group Policy + href: manage-device-installation-with-group-policy.md + - name: Manage the Settings app with Group Policy + href: manage-settings-app-with-group-policy.md + - name: Manage default media removal policy + href: change-default-removal-policy-external-storage-media.md + - name: What version of Windows am I running + href: windows-version-search.md + - name: Windows libraries + href: windows-libraries.md diff --git a/windows/client-management/windows-libraries.md b/windows/client-management/client-tools/windows-libraries.md similarity index 72% rename from windows/client-management/windows-libraries.md rename to windows/client-management/client-tools/windows-libraries.md index 89b5f46cfd..12e7efd5db 100644 
--- a/windows/client-management/windows-libraries.md +++ b/windows/client-management/client-tools/windows-libraries.md 
@@ -1,26 +1,30 @@ --- -ms.reviewer: -manager: aaroncz title: Windows Libraries +description: All about Windows Libraries, which are containers for users' content, such as Documents and Pictures. ms.prod: windows-client +author: vinaypamnani-msft ms.author: vinpa -ms.manager: dongill +manager: aaroncz +ms.reviewer: ms.technology: itpro-manage ms.topic: article -author: vinaypamnani-msft -description: All about Windows Libraries, which are containers for users' content, such as Documents and Pictures. -ms.date: 09/15/2021 +ms.date: 04/11/2023 +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 +- ✅ Windows Server 2022 +- ✅ Windows Server 2019 +- ✅ Windows Server 2016 --- # Windows libraries -> Applies to: Windows 10, Windows 11, Windows 8.1, Windows 7, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2 - -Libraries are virtual containers for users’ content. A library can contain files and folders stored on the local computer or in a remote storage location. In Windows Explorer, users interact with libraries in ways similar to how they would interact with other folders. Libraries are built upon the legacy known folders (such as My Documents, My Pictures, and My Music) that users are familiar with, and these known folders are automatically included in the default libraries and set as the default save location. +Libraries are virtual containers for users' content. A library can contain files and folders stored on the local computer or in a remote storage location. In Windows Explorer, users interact with libraries in ways similar to how they would interact with other folders. Libraries are built upon the legacy known folders (such as My Documents, My Pictures, and My Music) that users are familiar with, and these known folders are automatically included in the default libraries and set as the default save location. ## Features for Users Windows libraries are backed by full content search and rich metadata. 
Libraries offer the following advantages to users: + - Aggregate content from multiple storage locations into a single, unified presentation. - Enable users to stack and group library contents based on metadata. - Enable fast, full-text searches across multiple storage locations, from Windows Explorer or from the Start menu. @@ -30,6 +34,7 @@ Windows libraries are backed by full content search and rich metadata. Libraries ## Features for Administrators Administrators can configure and control Windows libraries in the following methods: + - Create custom libraries by creating and deploying Library Description (*.library-ms) files. - Hide or delete the default libraries. (The Library node itself can't be hidden or deleted from the Windows Explorer navigation pane.) - Specify a set of libraries available to Default User, and then deploy those libraries to users that derive from Default User. @@ -48,6 +53,7 @@ Including a folder in a library doesn't physically move or change the storage lo ### Default Libraries and Known Folders The default libraries include: + - Documents - Music - Pictures 
@@ -64,16 +70,17 @@ Users or administrators can hide or delete the default libraries, though the lib Each library has a default save location. Files are saved or copied to this location if the user chooses to save or copy a file to a library, rather than a specific location within the library. Known folders are the default save locations; however, users can select a different save location. If the user removes the default save location from a library, the next location is automatically selected as the new default save location. If the library is empty of locations or if all included locations can't be saved to, then the save operation fails. -### Indexing Requirements and “Basic” Libraries +### Indexing Requirements and "Basic" Libraries Certain library features depend on the contents of the libraries being indexed. Library locations must be available for local indexing or be indexed in a manner conforming to the Windows Indexing Protocol. If indexing isn't enabled for one or more locations within a library, the entire library reverts to basic functionality: + - No support for metadata browsing via **Arrange By** views. - Grep-only searches. - Grep-only search suggestions. The only properties available for input suggestions are **Date Modified** and **Size**. - No support for searching from the Start menu. Start menu searches don't return files from basic libraries. - No previews of file snippets for search results returned in Content mode. -To avoid this limited functionality, all locations within the library must be indexable, either locally or remotely. When users add local folders to libraries, Windows adds the location to the indexing scope and indexes the contents. Remote locations that aren't indexed remotely can be added to the local index using Offline File synchronization. This feature gives the user the benefits of local storage even though the location is remote. 
Making a folder “Always available offline” creates a local copy of the folder’s files, adds those files to the index, and keeps the local and remote copies in sync. Users can manually sync locations that aren't indexed remotely and aren't using folder redirection to gain the benefits of being indexed locally. +To avoid this limited functionality, all locations within the library must be indexable, either locally or remotely. When users add local folders to libraries, Windows adds the location to the indexing scope and indexes the contents. Remote locations that aren't indexed remotely can be added to the local index using Offline File synchronization. This feature gives the user the benefits of local storage even though the location is remote. Making a folder "Always available offline" creates a local copy of the folder's files, adds those files to the index, and keeps the local and remote copies in sync. Users can manually sync locations that aren't indexed remotely and aren't using folder redirection to gain the benefits of being indexed locally. For instructions on enabling indexing, see [How to Enable Indexing of Library Locations](/previous-versions/windows/it-pro/windows-7/ee461108(v=ws.10)#BKMK_EnableIndexLocations). 
@@ -81,20 +88,20 @@ If your environment doesn't support caching files locally, you should enable the ### Folder Redirection -While library files themselves can't be redirected, you can redirect known folders included in libraries by using [Folder Redirection](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh848267(v=ws.11)). For example, you can redirect the “My Documents” folder, which is included in the default Documents library. When redirecting known folders, you should make sure that the destination is either indexed or always available offline in order to maintain full library functionality. In both cases, the files for the destination folder are indexed and supported in libraries. These settings are configured on the server side. +While library files themselves can't be redirected, you can redirect known folders included in libraries by using [Folder Redirection](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh848267(v=ws.11)). For example, you can redirect the "My Documents" folder, which is included in the default Documents library. When redirecting known folders, you should make sure that the destination is either indexed or always available offline in order to maintain full library functionality. In both cases, the files for the destination folder are indexed and supported in libraries. These settings are configured on the server side. ### Supported storage locations The following table shows which locations are supported in Windows libraries. -|Supported Locations|Unsupported Locations| -|---|---| -|Fixed local volumes (NTFS/FAT)|Removable drives| -|Shares that are indexed (departmental servers*, Windows home PCs)|Removable media (such as DVDs)

Network shares that are accessible through DFS Namespaces or are part of a failover cluster| -|Shares that are available offline (redirected folders that use Offline Files)|Network shares that aren't available offline or remotely indexed

Network Attached Storage (NAS) devices| -||Other data sources: SharePoint, Exchange, etc.| +| Supported Locations | Unsupported Locations | +|--|--| +| Fixed local volumes (NTFS/FAT) | Removable drives | +| Shares that are indexed (departmental servers*, Windows home PCs) | Removable media (such as DVDs)

Network shares that are accessible through DFS Namespaces or are part of a failover cluster | +| Shares that are available offline (redirected folders that use Offline Files) | Network shares that aren't available offline or remotely indexed

Network Attached Storage (NAS) devices | +| | Other data sources: SharePoint, Exchange, etc. | -\* For shares that are indexed on a departmental server, Windows Search works well in workgroups or on a domain server that has similar characteristics to a workgroup server. For example, Windows Search works well on a single share departmental server with the following characteristics: +\* For shares that are indexed on a departmental server, Windows Search works well in a workgroup or on a domain server that has similar characteristics to a workgroup server. For example, Windows Search works well on a single share departmental server with the following characteristics: - Expected maximum load is four concurrent query requests. - Expected indexing corpus is a maximum of one million documents. @@ -104,6 +111,7 @@ The following table shows which locations are supported in Windows libraries. ### Library Attributes The following library attributes can be modified within Windows Explorer, the Library Management dialog, or the Library Description file (*.library-ms): + - Name - Library locations - Order of library locations @@ -111,7 +119,7 @@ The following library attributes can be modified within Windows Explorer, the Li The library icon can be modified by the administrator or user by directly editing the Library Description schema file. -See the [Library Description Schema](/windows/win32/shell/library-schema-entry) topic on MSDN for information on creating Library Description files. +See [Library Description Schema](/windows/win32/shell/library-schema-entry) for information on creating Library Description files. ## See also 
@@ -127,4 +135,4 @@ See the [Library Description Schema](/windows/win32/shell/library-schema-entry) ### Other resources - [Folder Redirection, Offline Files, and Roaming User Profiles](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh848267(v=ws.11)) -- [Library Description Schema](/windows/win32/shell/library-schema-entry) \ No newline at end of file +- [Library Description Schema](/windows/win32/shell/library-schema-entry) diff --git a/windows/client-management/client-tools/windows-version-search.md b/windows/client-management/client-tools/windows-version-search.md new file mode 100644 index 0000000000..42f0454fa7 --- /dev/null +++ b/windows/client-management/client-tools/windows-version-search.md 
@@ -0,0 +1,54 @@ +--- +title: What version of Windows am I running? +description: Discover which version of Windows you're running to determine whether or not your device is enrolled in the Long-Term Servicing Channel or General Availability Channel. +ms.prod: windows-client +author: vinaypamnani-msft +ms.author: vinpa +ms.date: 04/13/2023 +ms.reviewer: +manager: aaroncz +ms.topic: troubleshooting +ms.technology: itpro-manage +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 +--- + +# What version of Windows am I running? + +The [Long-Term Servicing Channel](/windows/deployment/update/waas-overview#servicing-channels) (LTSC, formerly LTSB) build of Windows doesn't contain many in-box applications, such as Microsoft Edge, Microsoft Store, Cortana (you do have some limited search capabilities), Microsoft Mail, Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock. It's important to remember that the LTSC model is primarily for specialized devices. + +In the [General Availability Channel](/windows/deployment/update/waas-overview#servicing-channels), you can set feature updates as soon as Microsoft releases them. This servicing modal is ideal for pilot deployments and to test Windows feature updates and for users like developers who need to work with the latest features immediately. Once you've tested the latest release, you can choose when to roll it out broadly in your deployment. + +To determine if your device is enrolled in the Long-Term Servicing Channel or the General Availability Channel, you'll need to know what version of Windows you're running. There are a few ways to figure this out. Each method provides a different set of details, so it's useful to learn about all of them. + +## System Properties + +Select **Start** > **Settings** > **System**, then select **About**. You'll then see **Edition**, **Version**, and **OS Build** information. 
+ +:::image type="content" source="images/systemcollage.png" alt-text="screenshot of the system properties window for a device running Windows 10."::: + +## Using Keyword Search + +You can type the following in the search bar and press **ENTER** to see version details for your device. + +- **"winver"**: + + :::image type="content" source="images/winver.png" alt-text="screenshot of the About Windows display text."::: + +- **"msinfo"** or **"msinfo32"** to open **System Information**: + + :::image type="content" source="images/msinfo32.png" alt-text="screenshot of the System Information display text."::: + +> [!TIP] +> You can also use `winver` or `msinfo32` commands at the command prompt. + +## Using Command Prompt or PowerShell + +- At the PowerShell or Command Prompt, type `systeminfo | findstr /B /C:"OS Name" /B /C:"OS Version"` and then press **ENTER** + + :::image type="content" source="images/refcmd.png" alt-text="screenshot of system information display text."::: + +- At the PowerShell or Command Prompt, type `slmgr /dlv`, and then press ENTER. The /dlv command displays the detailed licensing information. Notice the output displays "EnterpriseS" as seen in the image below: + + :::image type="content" source="images/slmgr-dlv.png" alt-text="screenshot of software licensing manager."::: diff --git a/windows/client-management/config-lock.md b/windows/client-management/config-lock.md index 56b72cdf0a..2e86f60f6a 100644 --- a/windows/client-management/config-lock.md +++ b/windows/client-management/config-lock.md 
@@ -8,14 +8,12 @@ ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft ms.date: 05/24/2022 +appliesto: +- ✅ Windows 11 --- # Secured-core PC configuration lock -**Applies to** - -- Windows 11 - In an enterprise organization, IT administrators enforce policies on their corporate devices to keep the devices in a compliant state and protect the OS by preventing users from changing configurations and creating config drift. Config drift occurs when users with local admin rights change settings and put the device out of sync with security policies. Devices in a non-compliant state can be vulnerable until the next sync and configuration reset with the MDM. Windows 11 with config lock enables IT administrators to prevent config drift and keep the OS configuration in the desired state. With config lock, the OS monitors the registry keys that configure each feature and when it detects a drift, reverts to the IT-desired state in seconds. Secured-core configuration lock (config lock) is a new [secured-core PC (SCPC)](/windows-hardware/design/device-experiences/oem-highly-secure) feature that prevents configuration drift from secured-core PC features caused by unintentional misconfiguration. In short, it ensures a device intended to be a secured-core PC remains a secured-core PC. @@ -77,7 +75,7 @@ Config lock is designed to ensure that a secured-core PC isn't unintentionally m - Can I disable config lock? Yes. You can use MDM to turn off config lock completely or put it in temporary unlock mode for helpdesk activities. -### List of locked policies +## List of locked policies |**CSPs** | |-----| diff --git a/windows/client-management/device-update-management.md b/windows/client-management/device-update-management.md index 4c730c626d..9680e7249e 100644 --- a/windows/client-management/device-update-management.md +++ b/windows/client-management/device-update-management.md 
@@ -1,6 +1,6 @@ --- title: Mobile device management MDM for device updates -description: Windows 10 provides several APIs to help mobile device management (MDM) solutions manage updates. Learn how to use these APIs to implement update management. +description: Windows provides several APIs to help mobile device management (MDM) solutions manage updates. Learn how to use these APIs to implement update management. ms.reviewer: manager: aaroncz ms.author: vinpa @@ -8,10 +8,13 @@ ms.topic: article ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft -ms.date: 11/15/2017 +ms.date: 04/05/2023 ms.collection: - - highpri - - tier2 +- highpri +- tier2 +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 --- # Mobile device management (MDM) for device updates 
@@ -19,38 +22,34 @@ ms.collection:
 >[!TIP]
 >If you're not a developer or administrator, you'll find more helpful information in the [Windows Update: Frequently Asked Questions](https://support.microsoft.com/help/12373/windows-update-faq).
-With PCs, tablets, phones, and IoT devices, Mobile Device Management (MDM) solutions are becoming prevalent as a lightweight device management technology. In Windows 10, we're investing heavily in extending the management capabilities available to MDMs. One key feature we're adding is the ability for MDMs to keep devices up to date with the latest Microsoft updates.
+With PCs, tablets, phones, and IoT devices, Mobile Device Management (MDM) solutions are becoming prevalent as a lightweight device management technology. In Windows, we're investing heavily in extending the management capabilities available to MDMs. One key feature we're adding is the ability for MDMs to keep devices up to date with the latest Microsoft updates.
-In particular, Windows 10 provides APIs to enable MDMs to:
+In particular, Windows provides APIs to enable MDMs to:
-- Ensure machines stay up to date by configuring Automatic Update policies.
-- Test updates on a smaller set of machines by configuring which updates are approved for a given device. Then, do an enterprise-wide rollout.
-- Get compliance status of managed devices. IT can understand which machines still need a security patch, or how current is a particular machine.
+- Ensure machines stay up to date by configuring Automatic Update policies.
+- Test updates on a smaller set of machines by configuring which updates are approved for a given device. Then, do an enterprise-wide rollout.
+- Get compliance status of managed devices. IT can understand which machines still need a security patch, or how current is a particular machine.
+- Configure automatic update policies to ensure devices stay up to date.
+- Get device compliance information (the list of updates that are needed but not yet installed).
+- Enter a per-device update approval list. The list makes sure devices only install updates that are approved and tested.
+- Approve end-user license agreements (EULAs) for the end user so update deployment can be automated even for updates with EULAs.
-This article provides independent software vendors (ISV) with the information they need to implement update management in Windows 10.
+This article provides independent software vendors (ISV) with the information they need to implement update management in Windows. For more information, see [Policy CSP - Update](mdm/policy-csp-update.md).
-In Windows 10, the MDM protocol has been extended to better enable IT admins to manage updates. In particular, Windows has added configuration service providers (CSPs) that expose policies and actions for MDMs to:
-
-- Configure automatic update policies to ensure devices stay up to date.
-- Get device compliance information (the list of updates that are needed but not yet installed).
-- Enter a per-device update approval list. The list makes sure devices only install updates that are approved and tested.
-- Approve end-user license agreements (EULAs) for the end user so update deployment can be automated even for updates with EULAs.
-
-The OMA DM APIs for specifying update approvals and getting compliance status refer to updates by using an Update ID. The Update ID is a GUID that identifies a particular update. The MDM will want to show IT-friendly information about the update, instead of a raw GUID, including the update’s title, description, KB, update type, like a security update or service pack. For more information, see [\[MS-WSUSSS\]: Windows Update Services: Server-Server Protocol](/openspecs/windows_protocols/ms-wsusss/f49f0c3e-a426-4b4b-b401-9aeb2892815c).
-
-For more information about the CSPs, see [Update CSP](mdm/update-csp.md) and the update policy area of the [Policy CSP](mdm/policy-configuration-service-provider.md).
+> [!NOTE]
+> The OMA DM APIs for specifying update approvals and getting compliance status refer to updates by using an Update ID. The Update ID is a GUID that identifies a particular update. The MDM will want to show IT-friendly information about the update, instead of a raw GUID, including the update's title, description, KB, update type, like a security update or service pack. For more information, see [[MS-WSUSSS]: Windows Update Services: Server-Server Protocol](/openspecs/windows_protocols/ms-wsusss/f49f0c3e-a426-4b4b-b401-9aeb2892815c).
 The following diagram provides a conceptual overview of how this works:
-![mobile device update management.](images/mdm-update-sync.png)
+:::image type="content" source="images/mdm-update-sync.png" alt-text="mobile device update management.":::
 The diagram can be roughly divided into three areas:
-- The Device Management service syncs update information (title, description, applicability) from Microsoft Update using the Server-Server sync protocol (top of the diagram).
-- The Device Management service sets automatic update policies, obtains update compliance information, and sets approvals via OMA DM (left portion of the diagram).
-- The device gets updates from Microsoft Update using client/server protocol. It only downloads and installs updates that apply to the device and are approved by IT (right portion of the diagram).
+- The Device Management service syncs update information (title, description, applicability) from Microsoft Update using the Server-Server sync protocol (top of the diagram).
+- The Device Management service sets automatic update policies, obtains update compliance information, and sets approvals via OMA DM (left portion of the diagram).
+- The device gets updates from Microsoft Update using client/server protocol. It only downloads and installs updates that apply to the device and are approved by IT (right portion of the diagram).
-## Getting update metadata using the Server-Server sync protocol
+## Getting update metadata using the Server-Server sync protocol
 The Microsoft Update Catalog contains many updates that aren't needed by MDM-managed devices. It includes updates for legacy software, like updates to servers, down-level desktop operating systems, & legacy apps, and a large number of drivers. We recommend MDMs use the Server-Server sync protocol to get update metadata for updates reported from the client.
@@ -60,40 +59,39 @@ This section describes this setup. The following diagram shows the server-server
 MSDN provides much information about the Server-Server sync protocol. In particular:
-- It's a SOAP-based protocol, and you can get the WSDL in [Server Sync Web Service](/openspecs/windows_protocols/ms-wsusss/8a3b2470-928a-4bd1-bdcc-8c2bf6b8e863). The WSDL can be used to generate calling proxies for many programming environments, which will simplify your development.
-- You can find code samples in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a). The sample code shows raw SOAP commands, which can be used. Although it’s even simpler to make the call from a programming language like .NET (calling the WSDL-generated proxies). The stub generated by the Server Sync WSDL from the MSDN link above generates an incorrect binding URL. The binding URL should be set to `https://fe2.update.microsoft.com/v6/ServerSyncWebService/serversyncwebservice.asmx`.
+- It's a SOAP-based protocol, and you can get the WSDL in [Server Sync Web Service](/openspecs/windows_protocols/ms-wsusss/8a3b2470-928a-4bd1-bdcc-8c2bf6b8e863). The WSDL can be used to generate calling proxies for many programming environments, which will simplify your development.
+- You can find code samples in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a). The sample code shows raw SOAP commands, which can be used. Although it's even simpler to make the call from a programming language like .NET (calling the WSDL-generated proxies). The stub generated by the Server Sync WSDL from the MSDN link above generates an incorrect binding URL. The binding URL should be set to `https://fe2.update.microsoft.com/v6/ServerSyncWebService/serversyncwebservice.asmx`.
 Some important highlights:
-- The protocol has an authorization phase (calling GetAuthConfig, GetAuthorizationCookie, and GetCookie). In [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a), the **Sample 1: Authorization** code shows how authorization is done. Even though it's called the authorization phase, the protocol is completely open (no credentials are needed to run this phase of the protocol). This sequence of calls needs to be done to obtain a cookie for the main part of the sync protocol. As an optimization, you can cache the cookie and only call this sequence again if your cookie has expired.
-- The protocol allows the MDM to sync update metadata for a particular update by calling GetUpdateData. For more information, see [GetUpdateData](/openspecs/windows_protocols/ms-wsusss/c28ad30c-fa3f-4bc6-a747-788391d2d964) in MSDN. The LocURI to get the applicable updates with their revision numbers is `./Vendor/MSFT/Update/InstallableUpdates?list=StructData`. Because not all updates are available via S2S sync, make sure you handle SOAP errors.
-- For mobile devices, you can sync metadata for a particular update by calling GetUpdateData. Or, for a local on-premises solution, you can use Windows Server Update Services (WSUS) and manually import the mobile updates from the Microsoft Update Catalog site. For more information, see [Process flow diagram and screenshots of server sync process](#process-flow-diagram-and-screenshots-of-server-sync-process).
+- The protocol has an authorization phase (calling GetAuthConfig, GetAuthorizationCookie, and GetCookie). In [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a), the **Sample 1: Authorization** code shows how authorization is done. Even though it's called the authorization phase, the protocol is completely open (no credentials are needed to run this phase of the protocol). This sequence of calls needs to be done to obtain a cookie for the main part of the sync protocol. As an optimization, you can cache the cookie and only call this sequence again if your cookie has expired.
+- The protocol allows the MDM to sync update metadata for a particular update by calling GetUpdateData. For more information, see [GetUpdateData](/openspecs/windows_protocols/ms-wsusss/c28ad30c-fa3f-4bc6-a747-788391d2d964) in MSDN. The LocURI to get the applicable updates with their revision numbers is `./Vendor/MSFT/Update/InstallableUpdates?list=StructData`. Because not all updates are available via S2S sync, make sure you handle SOAP errors.
+- For mobile devices, you can sync metadata for a particular update by calling GetUpdateData. Or, for a local on-premises solution, you can use Windows Server Update Services (WSUS) and manually import the mobile updates from the Microsoft Update Catalog site. For more information, see [Process flow diagram and screenshots of server sync process](#process-flow-diagram-and-screenshots-of-server-sync-process).
 > [!NOTE]
-> On Microsoft Update, metadata for a given update gets modified over time (updating descriptive information, fixing bugs in applicability rules, localization changes, and so on). Each time such a change is made that doesn’t affect the update itself, a new update revision is created. The identity of an update revision is a compound key containing both an UpdateID (GUID) and a RevisionNumber (int). The MDM should not expose the notion of an update revision to IT. Instead, for each UpdateID (GUID) the MDM should just keep the metadata for the later revision of that update (the one with the highest revision number).
+> Over time, Microsoft Update modifies metadata for a given update, for example, by updating descriptive information, fixing bugs in applicability rules, making localization changes, and so on. Each time a change occurs that doesn't affect the update itself, a new update revision is created. An UpdateID (GUID) and a RevisionNumber (int) compounds to comprise an identity key for an update revision. The MDM doesn't present an update revision to IT. Instead, for each UpdateID (GUID) the MDM keeps the metadata for the later revision of that update, which is the one with the highest revision number.
-
-## Examples of update metadata XML structure and element descriptions
+### Examples of update metadata XML structure and element descriptions
 The response of the GetUpdateData call returns an array of ServerSyncUpdateData that contains the update metadata in the XmlUpdateBlob element. The schema of the update xml is available at [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a). Some of the key elements are described below:
-- **UpdateID** – The unique identifier for an update
-- **RevisionNumber** – Revision number for the update in case the update was modified.
-- **CreationDate** – the date on which this update was created.
-- **UpdateType** – The type of update, which could include the following:
- - **Detectoid** – if this update identity represents a compatibility logic
- - **Category** – This element could represent either of the following:
- - A Product category the update belongs to. For example, Windows, MS office, and so on.
- - The classification the update belongs to. For example, drivers, security, and so on.
- - **Software** – If the update is a software update.
- - **Driver** – if the update is a driver update.
-- **LocalizedProperties** – represents the language the update is available in, title and description of the update. It has the following fields:
- - **Language** – The language code identifier (LCID). For example, en or es.
- - **Title** – Title of the update. For example, “Windows SharePoint Services 3.0 Service Pack 3 x64 Edition (KB2526305)”
- - **Description** – Description of the update. For example, “Windows SharePoint Services 3.0 Service Pack 3 (KB2526305) provides the latest updates to Windows SharePoint Services 3.0. After you install this item, you may have to restart your computer. After you've installed this item, it can't be removed.”
-- **KBArticleID** – The KB article number for this update that has details about the particular update. For example, `https://support.microsoft.com/kb/2902892`.
+- **UpdateID** - The unique identifier for an update
+- **RevisionNumber** - Revision number for the update in case the update was modified.
+- **CreationDate** - The date on which this update was created.
+- **UpdateType** - The type of update, which could include the following:
+ - **Detectoid** - If this update identity represents a compatibility logic
+ - **Category** - This element could represent either of the following:
+ - A Product category the update belongs to. For example, Windows, MS office, and so on.
+ - The classification the update belongs to. For example, drivers, security, and so on.
+ - **Software** - If the update is a software update.
+ - **Driver** - If the update is a driver update.
+- **LocalizedProperties** - Represents the language the update is available in, title and description of the update. It has the following fields:
+ - **Language** - The language code identifier (LCID). For example, en or es.
+ - **Title** - Title of the update. For example, "Windows SharePoint Services 3.0 Service Pack 3 x64 Edition (KB2526305)"
+ - **Description** - Description of the update. For example, "Windows SharePoint Services 3.0 Service Pack 3 (KB2526305) provides the latest updates to Windows SharePoint Services 3.0. After you install this item, you may have to restart your computer. After you've installed this item, it can't be removed."
+- **KBArticleID** - The KB article number for this update that has details about the particular update. For example, `https://support.microsoft.com/kb/2902892`.
-## Recommended Flow for Using the Server-Server Sync Protocol
+### Recommended Flow for Using the Server-Server Sync Protocol
 This section describes a possible algorithm for using the server-server sync protocol to pull in update metadata to the MDM.
@@ -103,782 +101,43 @@ First some background: - A metadata sync service can then be implemented. The service periodically calls server-server sync to pull in metadata for the updates IT cares about. - The MDM component that uses OMA DM to control devices (described in the next section) should send the metadata sync service the list of needed updates it gets from each client, if those updates aren't already known to the device. - The following procedure describes a basic algorithm for a metadata sync service: -- Initialization uses the following steps: - a. Create an empty list of “needed update IDs to fault in”. This list will get updated by the MDM service component that uses OMA DM. We recommend not adding definition updates to this list, since they're temporary. For example, Defender can release new definition updates many times per day, each of which is cumulative. -- Sync periodically (we recommend once every 2 hours - no more than once/hour). - 1. Implement the authorization phase of the protocol to get a cookie if you don’t already have a non-expired cookie. See **Sample 1: Authorization** in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a). - 2. Implement the metadata portion of the protocol (see **Sample 2: Metadata and Deployments Synchronization** in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a)), and: - - Call GetUpdateData for all updates in the "needed update IDs to fault in" list if the update metadata hasn't already been pulled into the DB. - - If the update is a newer revision of an existing update (same UpdateID, higher revision number), replace the previous update metadata with the new one. - - Remove updates from the "needed update IDs to fault in" list once they've been brought in. +1. Create an empty list of "needed update IDs to fault in". This list will get updated by the MDM service component that uses OMA DM. 
We recommend not adding definition updates to this list, since they're temporary. For example, Defender can release new definition updates many times per day, each of which is cumulative. +1. Sync periodically (we recommend once every 2 hours - no more than once/hour). + 1. Implement the authorization phase of the protocol to get a cookie if you don't already have a non-expired cookie. See **Sample 1: Authorization** in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a). + 1. Implement the metadata portion of the protocol. See **Sample 2: Metadata and Deployments Synchronization** in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a)), and call GetUpdateData for all updates in the "needed update IDs to fault in" list if the update metadata hasn't already been pulled into the DB. + - If the update is a newer revision of an existing update (same UpdateID, higher revision number), replace the previous update metadata with the new one. + - Remove updates from the "needed update IDs to fault in" list once they've been brought in. These steps get information about the set of Microsoft Updates that IT needs to manage, so the information can be used in various update management scenarios. For example, at update approval time, you can get information so IT can see what updates they're approving. Or, for compliance reports to see what updates are needed but not yet installed. -## Managing updates using OMA DM +## Managing updates using OMA DM An MDM can manage updates via OMA DM. The details of how to use and integrate an MDM with the Windows OMA DM protocol, and how to enroll devices for MDM management, is documented in [Mobile device management](mobile-device-enrollment.md). This section focuses on how to extend that integration to support update management. 
The key aspects of update management include the following information: -- Configure automatic update policies to ensure devices stay up to date. -- Get device compliance information (the list of updates that are needed but not yet installed) -- Specify a per-device update approval list. The list makes sure devices only install updates that are approved and tested. -- Approve EULAs for the end user so update deployment can be automated, even for updates with EULAs +- Configure automatic update policies to ensure devices stay up to date. +- Get device compliance information (the list of updates that are needed but not yet installed). +- Specify a per-device update approval list. The list makes sure devices only install updates that are approved and tested. +- Approve EULAs for the end user so update deployment can be automated, even for updates with EULAs. The following list describes a suggested model for applying updates. -1. Have a "Test Group" and an "All Group". -2. In the Test group, just let all updates flow. -3. In the All Group, set up Quality Update deferral for seven days. Then, Quality Updates will be auto approved after the seven days. Definition Updates are excluded from Quality Update deferrals, and will be auto approved when they're available. This schedule can be done by setting Update/DeferQualityUpdatesPeriodInDays to seven, and just letting updates flow after seven days or pushing Pause if any issues. +1. Have a "Test Group" and an "All Group". +1. In the Test group, let all updates flow. +1. In the All Group, set the Quality Update deferral for seven days, and then, Quality Updates are auto approved after seven days. Quality Update deferrals exclude Definition Updates, so Definition Updates automatically are approved when they're available. Match the schedule for Definition Updates with the Quality Update deferral schedule by setting Update/DeferQualityUpdatesPeriodInDays to seven. 
Let updates flow after seven days or by pausing if any issues occur. -Updates are configured using a combination of the [Update CSP](mdm/update-csp.md), and the update portion of the [Policy CSP](mdm/policy-configuration-service-provider.md). +Updates are configured using the [Update Policy CSP](mdm/policy-csp-update.md). -### Update policies - -The enterprise IT can configure auto-update policies via OMA DM using the [Policy CSP](mdm/policy-configuration-service-provider.md) (this functionality isn't supported in Windows 10 Home). Here's the CSP diagram for the Update node in Policy CSP. - -The following information shows the Update policies in a tree format. - -```console -./Vendor/MSFT -Policy -----Config ---------Update ------------ActiveHoursEnd ------------ActiveHoursMaxRange ------------ActiveHoursStart ------------AllowAutoUpdate ------------AllowMUUpdateService ------------AllowNonMicrosoftSignedUpdate ------------AllowUpdateService ------------AutoRestartNotificationSchedule ------------AutoRestartRequiredNotificationDismissal ------------BranchReadinessLevel ------------DeferFeatureUpdatesPeriodInDays ------------DeferQualityUpdatesPeriodInDays ------------DeferUpdatePeriod ------------DeferUpgradePeriod ------------EngagedRestartDeadline ------------EngagedRestartSnoozeSchedule ------------EngagedRestartTransitionSchedule ------------ExcludeWUDriversInQualityUpdate ------------IgnoreMOAppDownloadLimit ------------IgnoreMOUpdateDownloadLimit ------------PauseDeferrals ------------PauseFeatureUpdates ------------PauseQualityUpdates ------------RequireDeferUpgrade ------------RequireUpdateApproval ------------ScheduleImminentRestartWarning ------------ScheduledInstallDay ------------ScheduledInstallTime ------------ScheduleRestartWarning ------------SetAutoRestartNotificationDisable ------------UpdateServiceUrl ------------UpdateServiceUrlAlternate -``` - -**Update/ActiveHoursEnd** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 
Enterprise, and Windows 10 Education - - -Added in Windows 10, version 1607. When used with **Update/ActiveHoursStart**, it allows the IT admin to manage a range of active hours where update reboots aren't scheduled. This value sets the end time. There's a 12-hour maximum from start time. - -> [!NOTE] -> The default maximum difference from start time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. For more information, see **Update/ActiveHoursMaxRange** in this article. - -Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, and so on. - -The default is 17 (5 PM). - -**Update/ActiveHoursMaxRange** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. - -Added in Windows 10, version 1703. Allows the IT admin to specify the max active hours range. This value sets max number of active hours from start time. - -Supported values are 8-18. - -The default value is 18 (hours). - -**Update/ActiveHoursStart** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. - - -Added in Windows 10, version 1607. When used with **Update/ActiveHoursEnd**, it allows the IT admin to manage a range of hours where update reboots aren't scheduled. This value sets the start time. There's a 12-hour maximum from end time. - -> [!NOTE] -> The default maximum difference from end time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. For more information, see **Update/ActiveHoursMaxRange** in this article. - -Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, and so on. - -The default value is 8 (8 AM). - -**Update/AllowAutoUpdate** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. 
- - -Enables the IT admin to manage automatic update behavior to scan, download, and install updates. - -Supported operations are Get and Replace. - -The following list shows the supported values: - -- 0 – Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end users to manage data usage. With this option, users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel. -- 1 – Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks. They're installed during "Automatic Maintenance" when the device isn't in use, and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end user is prompted to schedule the restart time. The end user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end user to control the start time reduces the risk of accidental data loss caused by applications that don't shutdown properly on restart. -- 2 (default) – Auto install and restart. Updates are downloaded automatically on non-metered networks. They're installed during "Automatic Maintenance" when the device isn't in use, and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. This behavior is the default behavior for unmanaged devices. Devices are updated quickly. But, it increases the risk of accidental data loss caused by an application that doesn't shutdown properly on restart. -- 3 – Auto install and restart at a specified time. 
The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart. -- 4 – Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks. They're installed during "Automatic Maintenance" when the device isn't in use, and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. This setting option also sets the end-user control panel to read-only. -- 5 – Turn off automatic updates. - -> [!IMPORTANT] -> This option should be used only for systems under regulatory compliance, as you will not get security updates as well. - - -If the policy isn't configured, end users get the default behavior (Auto install and restart). - -**Update/AllowMUUpdateService** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education - - -Added in Windows 10, version 1607. Allows the IT admin to manage whether to scan for app updates from Microsoft Update. - -The following list shows the supported values: - -- 0 – Not allowed or not configured. -- 1 – Allowed. Accepts updates received through Microsoft Update. - -**Update/AllowNonMicrosoftSignedUpdate** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise and Windows 10 Education. - - -Allows the IT admin to manage if Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for third-party software and patch distribution. 
- -Supported operations are Get and Replace. - -The following list shows the supported values: - -- 0 – Not allowed or not configured. Updates from an intranet Microsoft update service location must be signed by Microsoft. -- 1 – Allowed. Accepts updates received through an intranet Microsoft update service location, if they're signed by a certificate in the "Trusted Publishers" certificate store of the local computer. - -This policy is specific to desktop and local publishing using WSUS for third-party updates (binaries and updates not hosted on Microsoft Update). It allows IT to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location. - -**Update/AllowUpdateService** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education - - -Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft. - -Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update. - -Enabling this policy will disable that functionality, and may cause connection to public services such as the Microsoft to stop working. - -The following list shows the supported values: - -- 0 – Update service isn't allowed. -- 1 (default) – Update service is allowed. - -> [!NOTE] -> This policy applies only when the desktop or device is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy. - - -**Update/AutoRestartNotificationSchedule** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education - - -Added in Windows 10, version 1703. 
Allows the IT Admin to specify the period for auto-restart reminder notifications. - -Supported values are 15, 30, 60, 120, and 240 (minutes). - -The default value is 15 (minutes). - -**Update/AutoRestartRequiredNotificationDismissal** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education - - -Added in Windows 10, version 1703. Allows the IT Admin to specify the method by which the auto restart required notification is dismissed. - -The following list shows the supported values: - -- 1 (default) – Auto Dismissal. -- 2 – User Dismissal. - -**Update/BranchReadinessLevel** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education - - -Added in Windows 10, version 1607. Allows the IT admin to set which branch a device receives their updates from. - -The following list shows the supported values: - -- 16 (default) – User gets all applicable upgrades from Current Branch (CB). -- 32 – User gets upgrades from Current Branch for Business (CBB). - -**Update/DeferFeatureUpdatesPeriodInDays** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education. - -Added in Windows 10, version 1607. Defers Feature Updates for the specified number of days. - -Supported values are 0-180. - -**Update/DeferQualityUpdatesPeriodInDays** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education - - -Added in Windows 10, version 1607. Defers Quality Updates for the specified number of days. - -Supported values are 0-30. - -**Update/DeferUpdatePeriod** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education -> -> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). 
You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices. - - -Allows IT Admins to specify update delays for up to four weeks. - -Supported values are 0-4, which refers to the number of weeks to defer updates. - -If the **Specify intranet Microsoft update service location** policy is enabled, then the **Defer upgrades by**, **Defer updates by**; and **Pause Updates and Upgrades** settings have no effect. - -If the **Allow Telemetry** policy is enabled and the Options value is set to 0, then the **Defer upgrades by**, **Defer updates by** and **Pause Updates and Upgrades** settings have no effect. - -- **Update category**: OS upgrade - - **Maximum deferral**: 8 months - - **Deferral increment**: 1 month - - **Update type/notes**: Upgrade - 3689BDC8-B205-4AF4-8D4A-A63924C5E9D5 - -- **Update category**: Update - - **Maximum deferral**: 1 month - - **Deferral increment**: 1 week - - **Update type/notes**: If a machine has Microsoft Update enabled, any Microsoft Updates in these categories will also observe Defer / Pause logic. - - - Security Update - 0FA1201D-4330-4FA8-8AE9-B877473B6441 - - Critical Update - E6CF1350-C01B-414D-A61F-263D14D133B4 - - Update Rollup - 28BC880E-0592-4CBF-8F95-C79B17911D5F - - Service Pack - 68C5B0A3-D1A6-4553-AE49-01D3A7827828 - - Tools - B4832BD8-E735-4761-8DAF-37F882276DAB - - Feature Pack - B54E7D24-7ADD-428F-8B75-90A396FA584F - - Update - CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83 - - Driver - EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0 - -- **Update category**: Other/cannot defer - - **Maximum deferral**: No deferral - - **Deferral increment**: No deferral - - **Update type/notes**: Any update category not enumerated above falls into this category. - - Definition Update - E0789628-CE08-4437-BE74-2495B842F43B - -**Update/DeferUpgradePeriod** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education. 
-> -> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices. - - -Allows IT Admins to enter more upgrade delays for up to eight months. - -Supported values are 0-8, which refers to the number of months to defer upgrades. - -If the **Specify intranet Microsoft update service location** policy is enabled, then the **Defer upgrades by**, **Defer updates by** and **Pause Updates and Upgrades** settings have no effect. - -If the **Allow Telemetry** policy is enabled and the Options value is set to 0, then the **Defer upgrades by**, **Defer updates by** and **Pause Updates and Upgrades** settings have no effect. - -**Update/EngagedRestartDeadline** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education - - -Added in Windows 10, version 1703. Allows the IT Admin to specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed within the specified period. If no deadline is specified or deadline is set to 0, then the restart won't be automatically executed. It will remain Engaged restart (pending user scheduling). - -Supported values are 2-30 days. - -The default value is 0 days (not specified). - -**Update/EngagedRestartSnoozeSchedule** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education - - -Added in Windows 10, version 1703. Allows the IT Admin to control the number of days a user can snooze Engaged restart reminder notifications. 
- -Supported values are 1-3 days. - -The default value is three days. - -**Update/EngagedRestartTransitionSchedule** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education - - -Added in Windows 10, version 1703. Allows the IT Admin to control the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending. - -Supported values are 2-30 days. - -The default value is seven days. - -**Update/ExcludeWUDriversInQualityUpdate** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education. - -Added in Windows 10, version 1607. Allows IT Admins to exclude Windows Update (WU) drivers during updates. - -The following list shows the supported values: - -- 0 (default) – Allow Windows Update drivers. -- 1 – Exclude Windows Update drivers. - -**Update/IgnoreMOAppDownloadLimit** -Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for apps and their updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. - -> [!WARNING] -> Setting this policy might cause devices to incur costs from MO operators. - -The following list shows the supported values: - -- 0 (default) – Don't ignore MO download limit for apps and their updates. -- 1 – Ignore MO download limit (allow unlimited downloading) for apps and their updates. - -To validate this policy: - -1. Enable the policy ensure the device is on a cellular network. -2. Run the scheduled task on your device to check for app updates in the background. 
For example, on a mobile device, run the following commands in TShell: - - `regd delete HKEY_USERS\S-1-5-21-2702878673-795188819-444038987-2781\software\microsoft\windows\currentversion\windowsupdate /v LastAutoAppUpdateSearchSuccessTime /f` - - - `exec-device schtasks.exe -arguments ""/run /tn """"\Microsoft\Windows\WindowsUpdate\Automatic App Update"""" /I""` - -3. Verify that any downloads that are above the download size limit will complete without being paused. - - -**Update/IgnoreMOUpdateDownloadLimit** -Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for OS updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. - -> [!WARNING] -> Setting this policy might cause devices to incur costs from MO operators. - -The following list shows the supported values: - -- 0 (default) – Don't ignore MO download limit for OS updates. -- 1 – Ignore MO download limit (allow unlimited downloading) for OS updates. - -To validate this policy: - -1. Enable the policy and ensure the device is on a cellular network. -2. Run the scheduled task on the devices to check for OS updates in the background. For example, on a mobile device, run the following commands in TShell: - - `exec-device schtasks.exe -arguments ""/run /tn """"\Microsoft\Windows\WindowsUpdate\AUScheduledInstall"""" /I""` - -3. Verify that any downloads that are above the download size limit will complete without being paused. - - -**Update/PauseDeferrals** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education -> -> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use PauseDeferrals for Windows 10, version 1511 devices. 
- - -Allows IT Admins to pause updates and upgrades for up to five weeks. Paused deferrals will be reset after five weeks. - -The following list shows the supported values: - -- 0 (default) – Deferrals aren't paused. -- 1 – Deferrals are paused. - -If the **Specify intranet Microsoft update service location** policy is enabled, then the **Defer upgrades by**, **Defer updates by** and **Pause Updates and Upgrades** settings have no effect. - -If the **Allow Telemetry** policy is enabled and the Options value is set to 0, then the **Defer upgrades by**, **Defer updates by** and **Pause Updates and Upgrades** settings have no effect. - -**Update/PauseFeatureUpdates** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education. - -Added in Windows 10, version 1607. Allows IT Admins to pause Feature Updates for up to 60 days. - -The following list shows the supported values: - -- 0 (default) – Feature Updates aren't paused. -- 1 – Feature Updates are paused for 60 days or until value set to back to 0, whichever is sooner. - -**Update/PauseQualityUpdates** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education - - -Added in Windows 10, version 1607. Allows IT Admins to pause Quality Updates. - -The following list shows the supported values: - -- 0 (default) – Quality Updates aren't paused. -- 1 – Quality Updates are paused for 35 days or until value set back to 0, whichever is sooner. - -**Update/RequireDeferUpgrade** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education -> -> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices. 
- - -Allows the IT admin to set a device to CBB train. - -The following list shows the supported values: - -- 0 (default) – User gets upgrades from Current Branch. -- 1 – User gets upgrades from Current Branch for Business. - -**Update/RequireUpdateApproval** - -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education - -
- -> [!NOTE] -> If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead. - - -Allows the IT admin to restrict the updates that are installed on a device to only the updates on an update approval list. It enables IT to accept the End User License Agreement (EULA) associated with the approved update for the end user. EULAs are approved once an update is approved. - -Supported operations are Get and Replace. - -The following list shows the supported values: - -- 0 – Not configured. The device installs all applicable updates. -- 1 – The device only installs updates that are both applicable and on the Approved Updates list. Set this policy to 1 if IT wants to control the deployment of updates on devices, such as when testing is required before deployment. - -**Update/ScheduleImminentRestartWarning** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education - - -Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart imminent warning notifications. - -Supported values are 15, 30, or 60 (minutes). - -The default value is 15 (minutes). - -**Update/ScheduledInstallDay** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education - - -Enables the IT admin to schedule the day of the update installation. - -The data type is a string. - -Supported operations are Add, Delete, Get, and Replace. - -The following list shows the supported values: - -- 0 (default) – Every day -- 1 – Sunday -- 2 – Monday -- 3 – Tuesday -- 4 – Wednesday -- 5 – Thursday -- 6 – Friday -- 7 – Saturday - -**Update/ScheduledInstallTime** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education - - -Enables the IT admin to schedule the time of the update installation. - -The data type is a string. 
- -Supported operations are Add, Delete, Get, and Replace. - -Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM. - -The default value is 3. - -**Update/ScheduleRestartWarning** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education - - -Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto restart warning reminder notifications. - -Supported values are 2, 4, 8, 12, or 24 (hours). - -The default value is 4 (hours). - -**Update/SetAutoRestartNotificationDisable** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education - - -Added in Windows 10, version 1703. Allows the IT Admin to disable auto restart notifications for update installations. - -The following list shows the supported values: - -- 0 (default) – Enabled -- 1 – Disabled - -**Update/UpdateServiceUrl** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education - -> [!Important] -> Starting in Windows 10, version 1703 this policy isn't supported in IoT Enterprise. - -Allows the device to check for updates from a WSUS server instead of Microsoft Update. Using WSUS is useful for on-premises MDMs that need to update devices that can't connect to the Internet. - -Supported operations are Get and Replace. - -The following list shows the supported values: - -- Not configured. The device checks for updates from Microsoft Update. -- Set to a URL, such as `http://abcd-srv:8530`. The device checks for updates from the WSUS server at the specified URL. - -Example - -```xml - - $CmdID$ - - - chr - text/plain - - - ./Vendor/MSFT/Policy/Config/Update/UpdateServiceUrl - - http://abcd-srv:8530 - - -``` - -**Update/UpdateServiceUrlAlternate** - -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. - -Added in the January service release of Windows 10, version 1607. 
Specifies an alternate intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network. - -This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network. - -To use this setting, you must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update agent, and download updates from an alternate download server instead of WSUS Server. - -Value type is string and the default value is an empty string. If the setting isn't configured, and if Automatic Updates isn't disabled by policy or user preference, then the Automatic Updates client connects directly to the Windows Update site on the Internet. - -> [!Note] -> If the "Configure Automatic Updates" Group Policy is disabled, then this policy has no effect. -> If the "Alternate Download Server" Group Policy isn't set, it will use the WSUS server by default to download updates. -> This policy isn't supported on Windows RT. Setting this policy will not have any effect on Windows RT PCs. - -### Update management - -The enterprise IT can configure the set of approved updates and get compliance status via OMA DM using the [Update CSP](mdm/update-csp.md). The following information shows the Update CSP in tree format. 
- -```console -./Vendor/MSFT -Update -----ApprovedUpdates ---------Approved Update Guid -------------ApprovedTime -----FailedUpdates ---------Failed Update Guid -------------HResult -------------Status -------------RevisionNumber -----InstalledUpdates ---------Installed Update Guid -------------RevisionNumber -----InstallableUpdates ---------Installable Update Guid -------------Type -------------RevisionNumber -----PendingRebootUpdates ---------Pending Reboot Update Guid -------------InstalledTime -------------RevisionNumber -----LastSuccessfulScanTime -----DeferUpgrade -----Rollback ---------QualityUpdate ---------FeatureUpdate ---------QualityUpdateStatus ---------FeatureUpdateStatus -``` - -**Update** -The root node. - -Supported operation is Get. - -**ApprovedUpdates** -Node for update approvals and EULA acceptance for the end user. - -> [!NOTE] -> When the RequireUpdateApproval policy is set, the MDM uses the ApprovedUpdates list to pass the approved GUIDs. These GUIDs should be a subset of the InstallableUpdates list. - -The MDM must first present the EULA to IT and have them accept it before the update is approved. Failure to present the EULA is a breach of legal or contractual obligations. The EULAs can be obtained from the update metadata and have their own EULA ID. It's possible for multiple updates to share the same EULA. It's only necessary to approve the EULA once per EULA ID, not one per update. - -The update approval list enables IT to approve individual updates and update classifications. Auto-approval by update classifications allows IT to automatically approve Definition Updates (updates to the virus and spyware definitions on devices) and Security Updates (product-specific updates for security-related vulnerability). The update approval list doesn't support the uninstall of updates by revoking approval of already installed updates. Updates are approved based on UpdateID, and an UpdateID only needs to be approved once. 
An update UpdateID and RevisionNumber are part of the UpdateIdentity type. An UpdateID can be associated to several UpdateIdentity GUIDs because of changes to the RevisionNumber setting. MDM services must synchronize the UpdateIdentity of an UpdateID based on the latest RevisionNumber to get the latest metadata for an update. However, update approval is based on UpdateID. - -> [!NOTE] -> For the Windows 10 build, the client may need to reboot after additional updates are added. - - - -Supported operations are Get and Add. - -**ApprovedUpdates/***Approved Update Guid* -Specifies the update GUID. - -To auto-approve a class of updates, you can specify the [Update Classifications](/previous-versions/windows/desktop/ff357803(v=vs.85)) GUIDs. We strongly recommend to always specify the DefinitionsUpdates classification (E0789628-CE08-4437-BE74-2495B842F43B), which are used for anti-malware signatures. There are released periodically (several times a day). Some businesses may also want to auto-approve security updates to get them deployed quickly. - -Supported operations are Get and Add. - -Sample syncml: - -``` -./Vendor/MSFT/Update/ApprovedUpdates/%7ba317dafe-baf4-453f-b232-a7075efae36e%7d -``` - -**ApprovedUpdates/*Approved Update Guid*/ApprovedTime** -Specifies the time the update gets approved. - -Supported operations are Get and Add. - -**FailedUpdates** -Specifies the approved updates that failed to install on a device. - -Supported operation is Get. - -**FailedUpdates/***Failed Update Guid* -Update identifier field of the UpdateIdentity GUID that represents an update that failed to download or install. - -Supported operation is Get. - -**FailedUpdates/*Failed Update Guid*/HResult** -The update failure error code. - -Supported operation is Get. - -**FailedUpdates/*Failed Update Guid*/Status** -Specifies the failed update status (for example, download, install). - -Supported operation is Get. - -**InstalledUpdates** -The updates that are installed on the device. 
- -Supported operation is Get. - -**InstalledUpdates/***Installed Update Guid* -UpdateIDs that represent the updates installed on a device. - -Supported operation is Get. - -**InstallableUpdates** -The updates that are applicable and not yet installed on the device. This information includes updates that aren't yet approved. - -Supported operation is Get. - -**InstallableUpdates/***Installable Update Guid* -Update identifiers that represent the updates applicable and not installed on a device. - -Supported operation is Get. - -**InstallableUpdates/*Installable Update Guid*/Type** -The UpdateClassification value of the update. Valid values are: - -- 0 - None -- 1 - Security -- 2 = Critical - -Supported operation is Get. - -**InstallableUpdates/*Installable Update Guid*/RevisionNumber** -The revision number for the update that must be passed in server to server sync to get the metadata for the update. - -Supported operation is Get. - -**PendingRebootUpdates** -The updates that require a reboot to complete the update session. - -Supported operation is Get. - -**PendingRebootUpdates/***Pending Reboot Update Guid* -Update identifiers for the pending reboot state. - -Supported operation is Get. - -**PendingRebootUpdates/*Pending Reboot Update Guid*/InstalledTime** -The time the update is installed. - -Supported operation is Get. - -**LastSuccessfulScanTime** -The last successful scan time. - -Supported operation is Get. - -**DeferUpgrade** -Upgrades deferred until the next period. - -Supported operation is Get. - - -## Windows 10, version 1607 for update management - -Here are the new policies added in Windows 10, version 1607 in [Policy CSP](mdm/policy-configuration-service-provider.md). Use these policies for the Windows 10, version 1607 devices. 
- -- Update/ActiveHoursEnd -- Update/ActiveHoursStart -- Update/AllowMUUpdateService -- Update/BranchReadinessLevel -- Update/DeferFeatureUpdatePeriodInDays -- Update/DeferQualityUpdatePeriodInDays -- Update/ExcludeWUDriversInQualityUpdate -- Update/PauseFeatureUpdates -- Update/PauseQualityUpdates - -Here's the list of corresponding Group Policy settings in HKLM\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate. - -|GPO key|Type|Value| -|--- |--- |--- | -|BranchReadinessLevel|REG_DWORD|16: systems take Feature Updates on the Current Branch (CB) train

32: systems take Feature Updates on the Current Branch for Business

Other value or absent: receive all applicable updates (CB)| -|DeferQualityUpdates|REG_DWORD|1: defer quality updates

Other value or absent: don’t defer quality updates| -|DeferQualityUpdatesPeriodInDays|REG_DWORD|0-30: days to defer quality updates| -|PauseQualityUpdates|REG_DWORD|1: pause quality updates

Other value or absent: don’t pause quality updates| -|DeferFeatureUpdates|REG_DWORD|1: defer feature updates

Other value or absent: don’t defer feature updates| -|DeferFeatureUpdatesPeriodInDays|REG_DWORD|0-180: days to defer feature updates| -|PauseFeatureUpdates|REG_DWORD|1: pause feature updates

Other value or absent: don’t pause feature updates| -|ExcludeWUDriversInQualityUpdate|REG_DWORD|1: exclude Windows Update drivers

Other value or absent: offer Windows Update drivers| - -Here's the list of older policies that are still supported for backward compatibility. You can use these older policies for Windows 10, version 1511 devices. - -- Update/RequireDeferUpgrade -- Update/DeferUpgradePeriod -- Update/DeferUpdatePeriod -- Update/PauseDeferrals - -## Update management user experience screenshot +### Update management user experience screenshot The following screenshots of the administrator console show the list of update titles, approval status, and additional metadata fields. -![mdm update management screenshot.](images/deviceupdatescreenshot1.png) +:::image type="content" source="images/deviceupdatescreenshot1.png" alt-text="mdm update management screenshot."::: -![mdm update management metadata screenshot.](images/deviceupdatescreenshot2.png) +:::image type="content" source="images/deviceupdatescreenshot2.png" alt-text="mdm update management metadata screenshot."::: - -## SyncML example +### SyncML example Set auto update to notify and defer. 
@@ -929,16 +188,21 @@ Set auto update to notify and defer.
 
 The following diagram and screenshots show the process flow of the device update process using Windows Server Update Services and Microsoft Update Catalog.
 
-![mdm device update management screenshot3.](images/deviceupdatescreenshot3.png)
+:::image type="content" source="images/deviceupdatescreenshot3.png" alt-text="mdm device update management screenshot3.":::
 
-![mdm device update management screenshot4](images/deviceupdatescreenshot4.png)
+:::image type="content" source="images/deviceupdatescreenshot4.png" alt-text="mdm device update management screenshot4":::
 
-![mdm device update management screenshot5](images/deviceupdatescreenshot5.png)
+:::image type="content" source="images/deviceupdatescreenshot5.png" alt-text="mdm device update management screenshot5":::
 
-![mdm device update management screenshot6](images/deviceupdatescreenshot6.png)
+:::image type="content" source="images/deviceupdatescreenshot6.png" alt-text="mdm device update management screenshot6":::
 
-![mdm device update management screenshot7](images/deviceupdatescreenshot7.png)
+:::image type="content" source="images/deviceupdatescreenshot7.png" alt-text="mdm device update management screenshot7":::
 
-![mdm device update management screenshot8](images/deviceupdatescreenshot8.png)
+:::image type="content" source="images/deviceupdatescreenshot8.png" alt-text="mdm device update management screenshot8":::
 
-![mdm device update management screenshot9](images/deviceupdatescreenshot9.png)
+:::image type="content" source="images/deviceupdatescreenshot9.png" alt-text="mdm device update management screenshot9":::
+
+## Related articles
+
+- [Policy CSP - Update](mdm/policy-csp-update.md)
+- [Policy configuration service provider](mdm/policy-configuration-service-provider.md)
diff --git a/windows/client-management/disconnecting-from-mdm-unenrollment.md b/windows/client-management/disconnecting-from-mdm-unenrollment.md
index 371357b658..6e4d3f8d8c 100644
--- a/windows/client-management/disconnecting-from-mdm-unenrollment.md
+++ b/windows/client-management/disconnecting-from-mdm-unenrollment.md
@@ -1,41 +1,31 @@
 ---
 title: Disconnecting from the management infrastructure (unenrollment)
 description: Disconnecting is initiated either locally by the user using a phone or remotely by the IT admin using management server.
-MS-HAID:
-  - 'p\_phdevicemgmt.disconnecting\_from\_the\_management\_infrastructure\_\_unenrollment\_'
-  - 'p\_phDeviceMgmt.disconnecting\_from\_mdm\_unenrollment'
-ms.reviewer: 
+ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
-ms.date: 06/26/2017
+ms.date: 04/13/2023
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
 ---
 
 # Disconnecting from the management infrastructure (unenrollment)
 
-The Disconnecting process is done either locally by the user who uses a phone or remotely by the IT administrator using management server. The user-initiated disconnection process is similar to the initial connection, wherein its initiation is from the same location in the Setting Control Panel as creating the workplace account.
-The users choose to disconnect for any number of reasons, such as the ones described below: leaving the company or getting a new device or not needing access to their LOB apps on the old device, anymore. When an IT administrator initiates a disconnection, the enrollment client performs the disconnection during the next regular maintenance session. Administrators choose to disconnect users' device after they’ve left the company or because the device is regularly failing to comply with the organization’s security settings policy.
+The Disconnecting process is done either locally by the user who uses a phone or remotely by the IT administrator using management server. The user-initiated disconnection process is similar to the initial connection, wherein its initiation is from the same location in the Setting Control Panel as creating the workplace account.
+The users choose to disconnect for any number of reasons, such as the ones described below: leaving the company or getting a new device or not needing access to their LOB apps on the old device, anymore. When an IT administrator initiates a disconnection, the enrollment client performs the disconnection during the next regular maintenance session. Administrators choose to disconnect users' device after they've left the company or because the device is regularly failing to comply with the organization's security settings policy.
 
 During disconnection, the client executes the following tasks:
 
-- Removes the enterprise application token that allowed installing and running LOB apps. Any business applications associated with this enterprise token are removed as well.
-- Removes certificates that are configured by MDM server.
-- Ceases enforcement of the settings policies applied by the management infrastructure.
-- Removes the device management client configuration and other setting configuration added by MDM server, including the scheduled maintenance task. The client remains dormant unless the user reconnects it to the management infrastructure.
-- Reports successfully initiated disassociation to the management infrastructure if the admin initiated the process. In Windows, a user-initiated disassociation is reported to the server as a best effort.
-
-
-## In this topic
-
-- [User-initiated disconnection](#user-initiated-disconnection)
-- [Server-initiated disconnection](#server-initiated-disconnection)
-- [Unenrollment from Work Access settings page](#unenrollment-from-work-access-settings-page)
-- [IT admin–requested disconnection](#it-admin-requested-disconnection)
-- [Unenrollment from Azure Active Directory Join](#dataloss)
-
+- Removes the enterprise application token that allowed installing and running LOB apps. Any business applications associated with this enterprise token are removed as well.
+- Removes certificates that are configured by MDM server.
+- Ceases enforcement of the settings policies applied by the management infrastructure.
+- Removes the device management client configuration and other setting configuration added by MDM server, including the scheduled maintenance task. The client remains dormant unless the user reconnects it to the management infrastructure.
+- Reports successfully initiated disassociation to the management infrastructure if the admin initiated the process. In Windows, a user-initiated disassociation is reported to the server as a best effort.
 
 ## User-initiated disconnection
 
@@ -44,16 +34,15 @@ In Windows, after the user confirms the account deletion command and before the This action utilizes the OMA DM generic alert 1226 function to send a user an MDM unenrollment user alert to the MDM server after the device accepts the user unenrollment request, but before it deletes any enterprise data. The server should set the expectation that unenrollment may succeed or fail, and the server can check whether the device is unenrolled by either checking whether the device calls back at scheduled time or by sending a push notification to the device to see whether it responds back. If the server plans to send a push notification, it should allow for some delay to give the device the time to complete the unenrollment work. > [!NOTE] -> The user unenrollment is an OMA DM standard. For more information about the 1226 generic alert, see the OMA Device Management Protocol specification (OMA-TS-DM\_Protocol-V1\_2\_1-20080617-A), available from the [OMA website](https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/). +> The user unenrollment is an OMA DM standard. For more information about the 1226 generic alert, see the OMA Device Management Protocol specification (OMA-TS-DM\_Protocol-V1\_2\_1-20080617-A), available from the [OMA website](https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/). -  The vendor uses the Type attribute to specify what type of generic alert it is. For device initiated MDM unenrollment, the alert type is **com.microsoft:mdm.unenrollment.userrequest**. After the user elects to unenroll, any active MDM OMA DM sessions are terminated. After that, the DM client starts a DM session, including a user unenroll generic alert in the first package that it sends to the server. The following sample shows an OMA DM first package that contains a generic alert message. For more information on WP OMA DM support, see the [OMA DM protocol support](oma-dm-protocol-support.md) topic. -``` +```xml 1.2 
@@ -100,10 +89,9 @@ The following sample shows an OMA DM first package that contains a generic alert After the previous package is sent, the unenrollment process begins. - ## Server-initiated disconnection -When the server initiates disconnection, all undergoing sessions for the enrollment ID are aborted immediately to avoid deadlocks. The server will not get a response for the unenrollment, instead a generic alert notification is sent with messageid=1. +When the server initiates disconnection, all undergoing sessions for the enrollment ID are aborted immediately to avoid deadlocks. The server will not get a response for the unenrollment, instead a generic alert notification is sent with `messageid=1`. ```xml 
@@ -119,41 +107,29 @@ When the server initiates disconnection, all undergoing sessions for the enrollm ``` - - ## Unenrollment from Work Access settings page If the user is enrolled into MDM using an Azure Active Directory (AAD Join or by adding a Microsoft work account), the MDM account will show up under the Work Access page. However, the **Disconnect** button is greyed out and not accessible. Users can remove that MDM account by removing the Azure AD association to the device. You can only use the Work Access page to unenroll under the following conditions: -- Enrollment was done using bulk enrollment. -- Enrollment was created using the Work Access page. +- Enrollment was done using bulk enrollment. +- Enrollment was created using the Work Access page. - - ## Unenrollment from Azure Active Directory Join When a user is enrolled into MDM through Azure Active Directory Join and later, the enrollment disconnects, there is no warning that the user will lose Windows Information Protection (WIP) data. The disconnection message does not indicate the loss of WIP data. ![aadj unenerollment.](images/azure-ad-unenrollment.png) -During the process in which a device is enrolled into MDM through Azure Active Directory Join and then remotely unenrolled, the device may get into a state where it must be reimaged. When devices are remotely unenrolled from MDM, the Azure Active Directory association is also removed. This safeguard is in place to avoid leaving the corporated devices in unmanaged state. +During the process in which a device is enrolled into MDM through Azure Active Directory Join and then remotely unenrolled, the device may get into a state where it must be re-imaged. When devices are remotely unenrolled from MDM, the Azure Active Directory association is also removed. This safeguard is in place to avoid leaving the corporate devices in un-managed state. 
-Before remotely unenrolling corporate devices, you must ensure that there is at least one admin user on the device that is not part of the Azure tenant, otherwise the device will not have any admin user after the operation. +Before remotely un-enrolling corporate devices, you must ensure that there is at least one admin user on the device that is not part of the Azure tenant, otherwise the device will not have any admin user after the operation. In mobile devices, remote unenrollment for Azure Active Directory Joined devices will fail. To remove corporate content from these devices, we recommend you remotely wipe the device. - -## IT admin–requested disconnection +## IT admin-requested disconnection -The server requests an enterprise management disconnection by issuing an Exec OMA DM SyncML XML command to the device, using the DMClient configuration service provider’s Unenroll node during the next client-initiated DM session. The Data tag inside the Exec command should be the value of the provisioned DM server ProviderID. For more information, see the Enterprise-specific DMClient configuration topic. +The server requests an enterprise management disconnection by issuing an Exec OMA DM SyncML XML command to the device, using the DMClient configuration service provider's Unenroll node during the next client-initiated DM session. The Data tag inside the Exec command should be the value of the provisioned DM server ProviderID. For more information, see the Enterprise-specific DMClient configuration topic. When the disconnection is completed, the user is notified that the device has been disconnected from enterprise management. - -  - - - - - diff --git a/windows/client-management/docfx.json b/windows/client-management/docfx.json index c3e140606c..1aecb97d90 100644 --- a/windows/client-management/docfx.json +++ b/windows/client-management/docfx.json 
@@ -43,7 +43,7 @@
 "ms.technology": "itpro-manage",
 "audience": "ITPro",
 "ms.topic": "article",
- "manager": "dansimp",
+ "manager": "aaroncz",
 "feedback_system": "GitHub",
 "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
 "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
@@ -55,20 +55,26 @@
 },
 "titleSuffix": "Windows Client Management",
 "contributors_to_exclude": [
- "rjagiewich",
- "traya1",
- "rmca14",
- "claydetels19",
+ "rjagiewich",
+ "traya1",
+ "rmca14",
+ "claydetels19",
 "jborsecnik",
 "tiburd",
 "garycentric",
- "beccarobins"
+ "beccarobins",
+ "american-dipper",
+ "angelamotherofdragons",
+ "v-stsavell",
+ "stacyrch140"
 ],
- "searchScope": ["Windows 10"]
+ "searchScope": [
+ "Windows 10"
+ ]
 },
 "fileMetadata": {},
 "template": [],
 "dest": "win-client-management",
 "markdownEngineName": "markdig"
 }
-}
+}
\ No newline at end of file
diff --git a/windows/client-management/enable-admx-backed-policies-in-mdm.md b/windows/client-management/enable-admx-backed-policies-in-mdm.md
index 67353c881b..c60b1439b5 100644
--- a/windows/client-management/enable-admx-backed-policies-in-mdm.md
+++ b/windows/client-management/enable-admx-backed-policies-in-mdm.md
@@ -10,16 +10,17 @@ ms.localizationpriority: medium ms.date: 11/01/2017 ms.reviewer: manager: aaroncz +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 --- # Enable ADMX policies in MDM - -Here's how to configure Group Policy administrative templates (ADMX policies) in Mobile Device Management (MDM). - -Starting in Windows 10 version 1703, Mobile Device Management (MDM) policy configuration support was expanded to allow access of [selected set of Group Policy administrative templates (ADMX policies)](mdm/policies-in-policy-csp-admx-backed.md) for Windows PCs via the [Policy configuration service provider (CSP)](mdm/policy-configuration-service-provider.md). Configuring ADMX policies in Policy CSP is different from the typical way you configure a traditional MDM policy. +Starting in Windows 10, Mobile Device Management (MDM) policy configuration support was expanded to allow access of [selected set of Group Policy administrative templates (ADMX policies)](mdm/policies-in-policy-csp-admx-backed.md) for Windows PCs via the [Policy configuration service provider (CSP)](mdm/policy-configuration-service-provider.md). Configuring ADMX policies in Policy CSP is different from the typical way you configure a traditional MDM policy. Summary of steps to enable a policy: + - Find the policy from the list ADMX policies. - Find the Group Policy related information from the MDM policy description. - Use the Group Policy Editor to determine whether there are parameters necessary to enable the policy. 
@@ -27,21 +28,18 @@ Summary of steps to enable a policy: See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Ingesting-Office-ADMX-Backed-policies-using/ba-p/354824) and [Deploying ADMX policies using Microsoft Intune](/archive/blogs/senthilkumar/intune-deploying-admx-backed-policies-using-microsoft-intune) for a walk-through using Intune. - - - ## Enable a policy > [!NOTE] > See [Understanding ADMX policies in Policy CSP](understanding-admx-backed-policies.md). -1. Find the policy from the list [ADMX policies](mdm/policies-in-policy-csp-admx-backed.md). You need the following information listed in the policy description. +1. Find the policy from the list [ADMX policies](mdm/policies-in-policy-csp-admx-backed.md). You need the following information listed in the policy description. - GP Friendly name - GP name - GP ADMX file name - GP path -2. Use the Group Policy Editor to determine whether you need additional information to enable the policy. Run GPEdit.msc +1. Use the Group Policy Editor to determine whether you need additional information to enable the policy. Run GPEdit.msc 1. Click **Start**, then in the text box type **gpedit**. @@ -61,7 +59,7 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/ ![Enable App-V client.](images/admx-appv-enableapp-vclient.png) -3. Create the SyncML to enable the policy that doesn't require any parameter. +1. Create the SyncML to enable the policy that doesn't require any parameter. In this example, you configure **Enable App-V Client** to **Enabled**. @@ -89,10 +87,8 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/ ``` - ## Enable a policy that requires parameters - 1. Create the SyncML to enable the policy that requires parameters. In this example, the policy is in **Administrative Templates > System > App-V > Publishing**. 
@@ -103,23 +99,22 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/ ![Enable publishing server 2 settings.](images/admx-app-v-enablepublishingserver2settings.png) - 2. Find the variable names of the parameters in the ADMX file. + 1. Find the variable names of the parameters in the ADMX file. You can find the ADMX file name in the policy description in Policy CSP. In this example, the filename appv.admx is listed in [AppVirtualization/PublishingAllowServer2](mdm/policy-csp-appvirtualization.md#publishingallowserver2). ![Publishing server 2 policy description.](images/admx-appv-policy-description.png) - 3. Navigate to **C:\Windows\PolicyDefinitions** (default location of the ADMX files) and open appv.admx. + 1. Navigate to **C:\Windows\PolicyDefinitions** (default location of the ADMX files) and open appv.admx. - 4. Search for GP name **Publishing_Server2_policy**. + 1. Search for GP name **Publishing_Server2_policy**. - - 5. Under **policy name="Publishing_Server2_Policy"** you can see the \ listed. The *text id* and *enum id* represent the *data id* you need to include in the SyncML data payload. They correspond to the fields you see in the Group Policy Editor. + 1. Under **policy name="Publishing_Server2_Policy"** you can see the \ listed. The *text id* and *enum id* represent the *data id* you need to include in the SyncML data payload. They correspond to the fields you see in the Group Policy Editor. Here's the snippet from appv.admx: ```xml - + 
@@ -206,7 +201,7 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/ ``` - 6. From the **\** tag, copy all of the *text id* and *enum id* and create an XML with *data id* and *value* fields. The *value* field contains the configuration settings that you would enter in the Group Policy Editor. + 1. From the **\** tag, copy all of the *text id* and *enum id* and create an XML with *data id* and *value* fields. The *value* field contains the configuration settings that you would enter in the Group Policy Editor. Here's the example XML for Publishing_Server2_Policy: @@ -223,7 +218,7 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/ ``` - 7. Create the SyncML to enable the policy. Payload contains \ and name/value pairs. + 1. Create the SyncML to enable the policy. Payload contains \ and name/value pairs. Here's the example for **AppVirtualization/PublishingAllowServer2**: @@ -263,7 +258,6 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/ ``` - ## Disable a policy The \ payload is \. Here is an example to disable AppVirtualization/PublishingAllowServer2. diff --git a/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md index 8bffb182d7..fc976f6277 100644 --- a/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md 
@@ -1,322 +1,146 @@ --- -title: Enroll a Windows 10 device automatically using Group Policy +title: Enroll a Windows device automatically using Group Policy description: Learn how to use a Group Policy to trigger auto-enrollment to MDM for Active Directory (AD) domain-joined devices. ms.author: vinpa ms.topic: article ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft -ms.date: 04/30/2022 +ms.date: 04/13/2023 ms.reviewer: manager: aaroncz ms.collection: - - highpri - - tier2 +- highpri +- tier2 +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 --- -# Enroll a Windows 10 device automatically using Group Policy +# Enroll a Windows device automatically using Group Policy -**Applies to:** - -- Windows 11 -- Windows 10 - -Starting in Windows 10, version 1709, you can use a Group Policy to trigger auto-enrollment to Mobile Device Management (MDM) for Active Directory (AD) domain-joined devices. +You can use a Group Policy to trigger auto-enrollment to Mobile Device Management (MDM) for Active Directory (AD) domain-joined devices. The enrollment into Intune is triggered by a group policy created on your local AD and happens without any user interaction. This cause-and-effect mechanism means you can automatically mass-enroll a large number of domain-joined corporate devices into Microsoft Intune. The enrollment process starts in the background once you sign in to the device with your Azure AD account. 
-Requirements: -- Active Directory-joined PC running Windows 10, version 1709 or later -- The enterprise has configured a mobile device management (MDM) service -- The on-premises Active Directory must be [integrated with Azure AD (via Azure AD Connect)](/azure/architecture/reference-architectures/identity/azure-ad) -- The device shouldn't already be enrolled in Intune using the classic agents (devices managed using agents will fail enrollment with `error 0x80180026`) +**Requirements**: + +- The Active Directory joined device must be running a [supported version of Windows](/windows/release-health/supported-versions-windows-client). +- The enterprise has configured a Mobile Device Management (MDM) service. +- The on-premises Active Directory must be [integrated with Azure AD (via Azure AD Connect)](/azure/architecture/reference-architectures/identity/azure-ad). +- The device shouldn't already be enrolled in Intune using the classic agents (devices managed using agents will fail enrollment with `error 0x80180026`). - The minimum Windows Server version requirement is based on the Hybrid Azure AD join requirement. For more information, see [How to plan your hybrid Azure Active Directory join implementation](/azure/active-directory/devices/hybrid-azuread-join-plan). > [!TIP] > For more information, see the following topics: +> > - [How to configure automatic registration of Windows domain-joined devices with Azure Active Directory](/azure/active-directory/active-directory-conditional-access-automatic-device-registration-setup) > - [How to plan your hybrid Azure Active Directory join implementation](/azure/active-directory/devices/hybrid-azuread-join-plan) > - [Azure Active Directory integration with MDM](./azure-active-directory-integration-with-mdm.md) -The auto-enrollment relies on the presence of an MDM service and the Azure Active Directory registration for the PC. 
Starting in Windows 10, version 1607, once the enterprise has registered its AD with Azure AD, a Windows PC that is domain joined is automatically Azure AD–registered. +The auto-enrollment relies on the presence of an MDM service and the Azure Active Directory registration for the PC. Once the enterprise has registered its AD with Azure AD, a Windows PC that is domain joined is automatically Azure AD-registered. > [!NOTE] > In Windows 10, version 1709, the enrollment protocol was updated to check whether the device is domain-joined. For details, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692). For examples, see section 4.3.1 RequestSecurityToken of the MS-MDE2 protocol documentation. When the auto-enrollment Group Policy is enabled, a task is created in the background that initiates the MDM enrollment. The task will use the existing MDM service configuration from the Azure Active Directory information of the user. If multi-factor authentication is required, the user will get a prompt to complete the authentication. Once the enrollment is configured, the user can check the status in the Settings page. -In Windows 10, version 1709 or later, when the same policy is configured in Group Policy and MDM, Group Policy policy takes precedence over MDM. Since Windows 10, version 1803, a new setting allows you to change precedence to MDM. For more information, see [Windows 10 Group Policy vs. Intune MDM Policy who wins?](/archive/blogs/cbernier/windows-10-group-policy-vs-intune-mdm-policy-who-wins). +- Starting in Windows 10, version 1709, when the same policy is configured in Group Policy and MDM, Group Policy policy takes precedence over MDM. +- Starting in Windows 10, version 1803, a new setting allows you to change precedence to MDM. For more information, see [Windows Group Policy vs. 
Intune MDM Policy who wins?](/archive/blogs/cbernier/windows-10-group-policy-vs-intune-mdm-policy-who-wins). For this policy to work, you must verify that the MDM service provider allows Group Policy initiated MDM enrollment for domain-joined devices. -## Verify auto-enrollment requirements and settings - -To ensure that the auto-enrollment feature is working as expected, you must verify that various requirements and settings are configured correctly. -The following steps demonstrate required settings using the Intune service: - -1. Verify that the user who is going to enroll the device has a valid [Intune license](/mem/intune/fundamentals/licenses). - - :::image type="content" alt-text="Intune license verification." source="images/auto-enrollment-intune-license-verification.png" lightbox="images/auto-enrollment-intune-license-verification.png"::: - -2. Verify that auto-enrollment is activated for those users who are going to enroll the devices into Mobile Device Management (MDM) with Intune. For more information, see [Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal](./azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md). - - ![Auto-enrollment activation verification.](images/auto-enrollment-activation-verification.png) - - > [!IMPORTANT] - > For bring-your-own devices (BYOD devices), the Mobile Application Management (MAM) user scope takes precedence if both MAM user scope and MDM user scope (automatic MDM enrollment) are enabled for all users (or the same groups of users). The device will use Windows Information Protection (WIP) Policies (if you configured them) rather than being MDM enrolled. - > - > For corporate-owned devices, the MDM user scope takes precedence if both scopes are enabled. The devices get MDM enrolled. - -3. Verify that the device OS version is Windows 10, version 1709 or later. - -4. Auto-enrollment into Intune via Group Policy is valid only for devices that are hybrid Azure AD joined. 
This condition means that the device must be joined into both local Active Directory and Azure Active Directory. To verify that the device is hybrid Azure AD joined, run `dsregcmd /status` from the command line. - - You can confirm that the device is properly hybrid-joined if both **AzureAdJoined** and **DomainJoined** are set to **YES**. - - ![Auto-enrollment device status result.](images/auto-enrollment-device-status-result.png) - - Additionally, verify that the SSO State section displays **AzureAdPrt** as **YES**. - - ![Auto-enrollment Azure AD prt verification.](images/auto-enrollment-azureadprt-verification.png) - - This information can also be found on the Azure AD device list. - - ![Azure AD device list.](images/azure-ad-device-list.png) - -5. Verify that the MDM discovery URL during auto-enrollment is https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc - - ![MDM discovery URL.](images/auto-enrollment-mdm-discovery-url.png) - -6. Some tenants might have both **Microsoft Intune** and **Microsoft Intune Enrollment** under **Mobility**. Make sure that your auto-enrollment settings are configured under **Microsoft Intune** instead of **Microsoft Intune Enrollment**. - - :::image type="content" alt-text="Mobility setting MDM intune." source="images/auto-enrollment-microsoft-intune-setting.png" lightbox="images/auto-enrollment-microsoft-intune-setting.png"::: - -7. Verify that the *Enable Automatic MDM enrollment using default Azure AD credentials* group policy (**Local Group Policy Editor > Computer Configuration > Policies > Administrative Templates > Windows Components > MDM**) is properly deployed to all devices that should be enrolled into Intune. - -You may contact your domain administrators to verify if the group policy has been deployed successfully. - -8. Verify that the device isn't enrolled with the old Intune client used on the Intune Silverlight Portal (the Intune portal used before the Azure portal). - -9. 
Verify that Microsoft Intune should allow enrollment of Windows devices. - - :::image type="content" alt-text="Enrollment of Windows devices." source="images/auto-enrollment-enrollment-of-windows-devices.png" lightbox="images/auto-enrollment-enrollment-of-windows-devices.png"::: - -## Configure the auto-enrollment Group Policy for a single PC - -This procedure is only for illustration purposes to show how the new auto-enrollment policy works. It's not recommended for the production environment in the enterprise. For bulk deployment, you should use the [Group Policy Management Console process](#configure-the-auto-enrollment-for-a-group-of-devices). - -Requirements: -- AD-joined PC running Windows 10, version 1709 or later -- Enterprise has MDM service already configured -- Enterprise AD must be registered with Azure AD - -1. Run `GPEdit.msc`. Choose **Start**, then in the text box type `gpedit`. - - ![GPEdit desktop app search result.](images/autoenrollment-gpedit.png) - -2. Under **Best match**, select **Edit group policy** to launch it. - -3. In **Local Computer Policy**, select **Administrative Templates** > **Windows Components** > **MDM**. - - :::image type="content" alt-text="MDM policies." source="images/autoenrollment-mdm-policies.png" lightbox="images/autoenrollment-mdm-policies.png"::: - -4. Double-click **Enable automatic MDM enrollment using default Azure AD credentials** (previously called **Auto MDM Enrollment with AAD Token** in Windows 10, version 1709). For ADMX files in Windows 10, version 1903 and later, select **User Credential** as the **Selected Credential Type to use**. - - :::image type="content" alt-text="MDM autoenrollment policy." source="images/autoenrollment-policy.png" lightbox="images/autoenrollment-policy.png"::: - -5. Select **Enable**, select **User Credential** from the dropdown **Select Credential Type to Use**, then select **OK**. 
- - > [!NOTE] - > In Windows 10, version 1903, the MDM.admx file was updated to include an option to select which credential is used to enroll the device. **Device Credential** is a new option that will only have an effect on clients that have installed Windows 10, version 1903 or later. The default behavior for older releases is to revert to **User Credential**. - > **Device Credential** is only supported for Microsoft Intune enrollment in scenarios with Co-management or [Azure Virtual Desktop multi-session host pools](/mem/intune/fundamentals/azure-virtual-desktop-multi-session) because the Intune subscription is user centric. User credentials are supported for [Azure Virtual Desktop personal host pools](/mem/intune/fundamentals/azure-virtual-desktop). - - When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called "Schedule created by enrollment client for automatically enrolling in MDM from Azure Active Directory." - - To see the scheduled task, launch the [Task Scheduler app](#task-scheduler-app). - - If two-factor authentication is required, you'll be prompted to complete the process. Here's an example screenshot. - - ![Two-factor authentication notification.](images/autoenrollment-2-factor-auth.png) - - > [!Tip] - > You can avoid this behavior by using Conditional Access Policies in Azure AD. - Learn more by reading [What is Conditional Access?](/azure/active-directory/conditional-access/overview). - -6. To verify successful enrollment to MDM, go to **Start** > **Settings** > **Accounts** > **Access work or school**, then select your domain account. - -7. Select **Info** to see the MDM enrollment information. - - ![Work School Settings.](images/autoenrollment-settings-work-school.png) - - If you don't see the **Info** button or the enrollment information, enrollment might have failed. Check the status in [Task Scheduler app](#task-scheduler-app). 
- - -### Task Scheduler app - -1. Select **Start**, then in the text box type `task scheduler`. - - ![Task Scheduler search result.](images/autoenrollment-task-schedulerapp.png) - -2. Under **Best match**, select **Task Scheduler** to launch it. - -3. In **Task Scheduler Library**, open **Microsoft > Windows** , then select **EnterpriseMgmt**. - - :::image type="content" alt-text="Auto-enrollment scheduled task." source="images/autoenrollment-scheduled-task.png" lightbox="images/autoenrollment-scheduled-task.png"::: - - To see the result of the task, move the scroll bar to the right to see the **Last Run Result**. The message **0x80180026** is a failure message (`MENROLL_E_DEVICE_MANAGEMENT_BLOCKED`). You can see the logs in the **History** tab. - - If the device enrollment is blocked, your IT admin might have enabled the **Disable MDM Enrollment** policy. - - > [!NOTE] - > The GPEdit console doesn't reflect the status of policies set by your IT admin on your device. It's only used by the user to set policies. - ## Configure the auto-enrollment for a group of devices -Requirements: -- AD-joined PC running Windows 10, version 1709 or later -- Enterprise has MDM service already configured (with Intune or a third-party service provider) -- Enterprise AD must be integrated with Azure AD. -- Ensure that PCs belong to same computer group. +To configure auto-enrollment using a group policy, use the following steps: -> [!IMPORTANT] -> If you don't see the policy, it may be because you don't have the ADMX for Windows 10, version 1803, version 1809, or version 1903 installed. To fix the issue, use the following procedures. Note that the latest MDM.admx is backwards compatible. +1. Create a Group Policy Object (GPO) and enable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **MDM** > **Enable automatic MDM enrollment using default Azure AD credentials**. +1. Create a Security Group for the PCs. +1. Link the GPO. +1. 
Filter using Security Groups. -1. Download: +If you don't see the policy, it may be because you don't have the ADMX for Windows 10, version 1803 or later installed. To fix the issue, use the following procedures. Note that the latest MDM.admx is backwards compatible. - - 1803 --> [Administrative Templates (.admx) for Windows 10 April 2018 Update (1803)](https://www.microsoft.com/download/details.aspx?id=56880) +1. Download the administrative templates for the desired version: - - 1809 --> [Administrative Templates (.admx) for Windows 10 October 2018 Update (1809)](https://www.microsoft.com/download/details.aspx?id=57576) + - [Administrative Templates (.admx) for Windows 10 April 2018 Update (1803)](https://www.microsoft.com/download/details.aspx?id=56880) + - [Administrative Templates (.admx) for Windows 10 October 2018 Update (1809)](https://www.microsoft.com/download/details.aspx?id=57576) + - [Administrative Templates (.admx) for Windows 10 May 2019 Update (1903)](https://www.microsoft.com/download/details.aspx?id=58495) + - [Administrative Templates (.admx) for Windows 10 November 2019 Update (1909)](https://www.microsoft.com/download/confirmation.aspx?id=100591) + - [Administrative Templates (.admx) for Windows 10 May 2020 Update (2004)](https://www.microsoft.com/download/confirmation.aspx?id=101445) + - [Administrative Templates (.admx) for Windows 10 October 2020 Update (20H2)](https://www.microsoft.com/download/details.aspx?id=102157) + - [Administrative Templates (.admx) for Windows 10 May 2021 Update (21H1)](https://www.microsoft.com/download/details.aspx?id=103124) + - [Administrative Templates (.admx) for Windows 10 November 2021 Update (21H2)-v2.0](https://www.microsoft.com/download/details.aspx?id=104042) + - [Administrative Templates (.admx) for Windows 10 October 2022 Update (22H2)](https://www.microsoft.com/download/104677) + - [Administrative Templates (.admx) for Windows 11 2022 September Update 
(22H2)](https://www.microsoft.com/download/details.aspx?id=104593) - - 1903 --> [Administrative Templates (.admx) for Windows 10 May 2019 Update (1903)](https://www.microsoft.com/download/details.aspx?id=58495) +1. Install the package on the Domain Controller. - - 1909 --> [Administrative Templates (.admx) for Windows 10 November 2019 Update (1909)](https://www.microsoft.com/download/confirmation.aspx?id=100591) +1. Navigate to `C:\Program Files (x86)\Microsoft Group Policy`, and locate the appropriate sub-directory depending on the installed version. - - 2004 --> [Administrative Templates (.admx) for Windows 10 May 2020 Update (2004)](https://www.microsoft.com/download/confirmation.aspx?id=101445) - - - 20H2 --> [Administrative Templates (.admx) for Windows 10 October 2020 Update (20H2)](https://www.microsoft.com/download/details.aspx?id=102157) - - - 21H1 --> [Administrative Templates (.admx) for Windows 10 May 2021 Update (21H1)](https://www.microsoft.com/download/details.aspx?id=103124) - - - 21H2 --> [Administrative Templates (.admx) for Windows 10 November 2021 Update (21H2)-v2.0](https://www.microsoft.com/download/details.aspx?id=104042) - - - 22H2 --> [Administrative Templates (.admx) for Windows 10 October 2022 Update (22H2)](https://www.microsoft.com/download/104677) - - - 22H2 --> [Administrative Templates (.admx) for Windows 11 2022 September Update (22H2)](https://www.microsoft.com/download/details.aspx?id=104593) - -2. Install the package on the Domain Controller. - -3. 
Navigate, depending on the version to the folder: - - - 1803 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 April 2018 Update (1803) v2** - - - 1809 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2018 Update (1809) v2** - - - 1903 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2019 Update (1903) v3** - - - 1909 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 November 2019 Update (1909)** - - - 2004 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2020 Update (2004)** - - - 20H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2020 Update (20H2)** - - - 21H1 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2021 Update (21H1)** - - - 21H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 November 2021 Update V2 (21H2)** - - - 22H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2022 Update (22H2)** - - - 22H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 11 September 2022 Update (22H2)** - -4. Rename the extracted Policy Definitions folder to `PolicyDefinitions`. - -5. Copy the PolicyDefinitions folder to `\\contoso.com\SYSVOL\contoso.com\policies\PolicyDefinitions`. +1. Copy the PolicyDefinitions folder to `\\contoso.com\SYSVOL\contoso.com\policies\PolicyDefinitions`. If this folder doesn't exist, then you'll be switching to a [central policy store](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) for your entire domain. -6. Wait for the SYSVOL DFSR replication to be completed for the policy to be available. +1. Wait for the SYSVOL DFSR replication to be completed for the policy to be available. -This procedure will work for any future version as well. +## Configure the auto-enrollment Group Policy for a single PC -1. 
Create a Group Policy Object (GPO) and enable the Group Policy **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **MDM** > **Enable automatic MDM enrollment using default Azure AD credentials**. +This procedure is only for illustration purposes to show how the new auto-enrollment policy works. It's not recommended for the production environment in the enterprise. -2. Create a Security Group for the PCs. +1. Run `GPEdit.msc`. Choose **Start**, then in the text box type `gpedit`. -3. Link the GPO. +1. Under **Best match**, select **Edit group policy** to launch it. -4. Filter using Security Groups. +1. In **Local Computer Policy**, select **Administrative Templates** > **Windows Components** > **MDM**. -## Troubleshoot auto-enrollment of devices +1. Double-click **Enable automatic MDM enrollment using default Azure AD credentials**. Select **Enable**, select **User Credential** from the dropdown **Select Credential Type to Use**, then select **OK**. -Investigate the log file if you have issues even after performing all the mandatory verification steps. The first log file to investigate is the event log on the target Windows 10 device. + :::image type="content" alt-text="MDM autoenrollment policy." source="images/autoenrollment-policy.png" lightbox="images/autoenrollment-policy.png"::: -To collect Event Viewer logs: + > [!NOTE] + > In Windows 10, version 1903 and later, the MDM.admx file was updated to include the **Device Credential** option to select which credential is used to enroll the device. The default behavior for older releases is to revert to **User Credential**. + > + > **Device Credential** is only supported for Microsoft Intune enrollment in scenarios with Co-management or [Azure Virtual Desktop multi-session host pools](/mem/intune/fundamentals/azure-virtual-desktop-multi-session) because the Intune subscription is user centric. 
User credentials are supported for [Azure Virtual Desktop personal host pools](/mem/intune/fundamentals/azure-virtual-desktop). -1. Open Event Viewer. +When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called **Schedule created by enrollment client for automatically enrolling in MDM from Azure Active Directory**. To see the scheduled task, launch the [Task Scheduler app](#task-scheduler-app). -2. Navigate to **Applications and Services Logs** > **Microsoft** > **Windows** > **DeviceManagement-Enterprise-Diagnostic-Provider** > **Admin**. +If two-factor authentication is required, you'll be prompted to complete the process. Here's an example screenshot. - > [!Tip] - > For guidance on how to collect event logs for Intune, see [Collect MDM Event Viewer Log YouTube video](https://www.youtube.com/watch?v=U_oCe2RmQEc). +:::image type="content" source="images/autoenrollment-2-factor-auth.png" alt-text="Screenshot of Two-factor authentication notification."::: -3. Search for event ID 75, which represents a successful auto-enrollment. Here's an example screenshot that shows the auto-enrollment completed successfully: +> [!TIP] +> You can avoid this behavior by using Conditional Access Policies in Azure AD. Learn more by reading [What is Conditional Access?](/azure/active-directory/conditional-access/overview). - :::image type="content" alt-text="Event ID 75." source="images/auto-enrollment-troubleshooting-event-id-75.png" lightbox="images/auto-enrollment-troubleshooting-event-id-75.png"::: +## Verify enrollment - If you can't find event ID 75 in the logs, it indicates that the auto-enrollment failed. This failure can happen because of the following reasons: +To verify successful enrollment to MDM, go to **Start** > **Settings** > **Accounts** > **Access work or school**, then select your domain account.Select **Info** to see the MDM enrollment information. 
- - The enrollment failed with error. In this case, search for event ID 76, which represents failed auto-enrollment. Here's an example screenshot that shows that the auto-enrollment failed: +:::image type="content" source="images/autoenrollment-settings-work-school.png" alt-text="Screenshot of Work School Settings."::: - :::image type="content" alt-text="Event ID 76." source="images/auto-enrollment-troubleshooting-event-id-76.png" lightbox="images/auto-enrollment-troubleshooting-event-id-76.png"::: +> [!NOTE] +> If you don't see the **Info** button or the enrollment information, enrollment might have failed. Check the status in [Task Scheduler app](#task-scheduler-app) and see [Diagnose MDM enrollment](./mdm-diagnose-enrollment.md). - To troubleshoot, check the error code that appears in the event. For more information, see [Troubleshooting Windows device enrollment problems in Microsoft Intune](/troubleshoot/mem/intune/troubleshoot-windows-enrollment-errors). +## Task Scheduler app - - The auto-enrollment didn't trigger at all. In this case, you'll not find either event ID 75 or event ID 76. To know the reason, you must understand the internal mechanisms happening on the device as described in the following section. +Select **Start**, then in the text box type `task scheduler`. Under **Best match**, select **Task Scheduler** to launch it. - The auto-enrollment process is triggered by a task (**Microsoft** > **Windows** > **EnterpriseMgmt**) within the task-scheduler. This task appears if the *Enable automatic MDM enrollment using default Azure AD credentials* group policy (**Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **MDM**) is successfully deployed to the target machine as shown in the following screenshot: +In **Task Scheduler Library**, open **Microsoft > Windows** , then select **EnterpriseMgmt**. - :::image type="content" alt-text="Task scheduler." 
source="images/auto-enrollment-task-scheduler.png" lightbox="images/auto-enrollment-task-scheduler.png"::: +:::image type="content" alt-text="Auto-enrollment scheduled task." source="images/autoenrollment-scheduled-task.png" lightbox="images/autoenrollment-scheduled-task.png"::: - > [!Note] - > This task isn't visible to standard users, run Scheduled Tasks with administrative credentials to find the task. +To see the result of the task, move the scroll bar to the right to see the **Last Run Result**. You can see the logs in the **History** tab. - This task runs every 5 minutes for the duration of one day. To confirm if the task succeeded, check the task scheduler event logs: - **Applications and Services Logs > Microsoft > Windows > Task Scheduler > Operational**. Look for an entry where the task scheduler created by enrollment client for automatically enrolling in MDM from Azure Active Directory is triggered by event ID 107. +The message **0x80180026** is a failure message (`MENROLL_E_DEVICE_MANAGEMENT_BLOCKED`). If the device enrollment is blocked, your IT admin might have enabled the **Disable MDM Enrollment** policy. - :::image type="content" alt-text="Event ID 107." source="images/auto-enrollment-event-id-107.png" lightbox="images/auto-enrollment-event-id-107.png"::: +> [!NOTE] +> The GPEdit console doesn't reflect the status of policies set by your IT admin on your device. It's only used by the user to set policies. - When the task is completed, a new event ID 102 is logged. - - :::image type="content" alt-text="Event ID 102." source="images/auto-enrollment-event-id-102.png" lightbox="images/auto-enrollment-event-id-102.png"::: - - The task scheduler log displays event ID 102 (task completed) regardless of the auto-enrollment success or failure. This status-display means that the task scheduler log is only useful to confirm if the auto-enrollment task is triggered or not. It doesn't indicate the success or failure of auto-enrollment. 
- - If you can't see from the log that task Schedule created by enrollment client for automatically enrolling in MDM from Azure AD is initiated, there's possibly an issue with the group policy. Immediately run the command `gpupdate /force` in a command prompt to get the group policy object applied. If this step still doesn't help, further troubleshooting on Active Directory is required. - One frequently seen error is related to some outdated enrollment entries in the registry on the target client device (**HKLM > Software > Microsoft > Enrollments**). If a device has been enrolled (can be any MDM solution and not only Intune), some enrollment information added into the registry is seen: - - :::image type="content" alt-text="Outdated enrollment entries." source="images/auto-enrollment-outdated-enrollment-entries.png" lightbox="images/auto-enrollment-outdated-enrollment-entries.png"::: - - By default, these entries are removed when the device is un-enrolled, but occasionally the registry key remains even after un-enrollment. In this case, `gpupdate /force` fails to initiate the auto-enrollment task and error code 2149056522 is displayed in the **Applications and Services Logs** > **Microsoft** > **Windows** > **Task Scheduler** > **Operational** event log file under event ID 7016. - - A resolution to this issue is to remove the registry key manually. If you don't know which registry key to remove, go for the key that displays most entries as the screenshot above. All other keys will display fewer entries as shown in the following screenshot: - - :::image type="content" alt-text="Manually deleted entries." 
source="images/auto-enrollment-activation-verification-less-entries.png" lightbox="images/auto-enrollment-activation-verification-less-entries.png"::: - -### Related topics +## Related topics - [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11)) - [Create and Edit a Group Policy Object](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754740(v=ws.11)) - [Link a Group Policy Object](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732979(v=ws.11)) - [Filter Using Security Groups](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc752992(v=ws.11)) - [Enforce a Group Policy Object Link](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753909(v=ws.11)) -- [Group Policy Central Store](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) - [Getting started with Cloud Native Windows Endpoints](/mem/cloud-native-windows-endpoints) -- [A Framework for Windows endpoint management transformation](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/a-framework-for-windows-endpoint-management-transformation/ba-p/2460684) -- [Success with remote Windows Autopilot and Hybrid Azure Active Director join](https://techcommunity.microsoft.com/t5/intune-customer-success/success-with-remote-windows-autopilot-and-hybrid-azure-active/ba-p/2749353) - - -### Useful Links -- [Windows 10 Administrative Templates for Windows 10 November 2021 Update (21H2)-v2.0](https://www.microsoft.com/download/details.aspx?id=104042) -- [Windows 10 Administrative Templates for Windows 10 May 2021 Update 21H1](https://www.microsoft.com/download/details.aspx?id=103124) -- [Windows 10 Administrative Templates for Windows 10 November 2019 Update 1909](https://www.microsoft.com/download/details.aspx?id=100591) -- [Windows 10 Administrative Templates for Windows 10 May 2019 Update 1903](https://www.microsoft.com/download/details.aspx?id=58495) -- 
[Windows 10 Administrative Templates for Windows 10 October 2018 Update 1809](https://www.microsoft.com/download/details.aspx?id=57576) diff --git a/windows/client-management/enterprise-app-management.md b/windows/client-management/enterprise-app-management.md index 6646d4df78..197087b7dc 100644 --- a/windows/client-management/enterprise-app-management.md +++ b/windows/client-management/enterprise-app-management.md 
@@ -1,170 +1,51 @@ --- title: Enterprise app management -description: This article covers one of the key mobile device management (MDM) features in Windows 10 for managing the lifecycle of apps across all of Windows. -ms.reviewer: +description: This article covers one of the key mobile device management (MDM) features for managing the lifecycle of apps across Windows devices. +ms.reviewer: manager: aaroncz ms.author: vinpa ms.topic: article ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft -ms.date: 10/04/2021 +ms.date: 04/13/2023 +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 --- # Enterprise app management -This article covers one of the key mobile device management (MDM) features in Windows 10. It manages the lifecycle of apps across all of Windows. It's the ability to manage both Store and non-Store apps as part of the native MDM capabilities. New in Windows 10 is the ability to take inventory of all your apps. +This article will discuss one of the key features of Windows' Mobile Device Management (MDM) capabilities: the ability to manage apps' lifecycle on all Windows devices. This includes both Store and non-Store apps, which can be managed natively through MDM. + +By using Windows MDM to manage app lifecycles, administrators can deploy and manage updates, remove outdated or unused apps, and ensure that all devices have the necessary apps installed to meet the organization's needs. This feature streamlines the app management process and saves time and effort for IT professionals. 
## Application management goals -Windows 10 offers the ability for management servers to: +Windows offers the ability for management servers to: -- Install apps directly from the Microsoft Store for Business -- Deploy offline Store apps and licenses -- Deploy line-of-business (LOB) apps (non-Store apps) -- Inventory all apps for a user (Store and non-Store apps) -- Inventory all apps for a device (Store and non-Store apps) -- Uninstall all apps for a user (Store and non-Store apps) -- Provision apps so they're installed for all users of a device running Windows 10 for desktop editions (Home, Pro, Enterprise, and Education) -- Remove the provisioned app on the device running Windows 10 for desktop editions +- Install apps directly from the Microsoft Store for Business +- Deploy offline Store apps and licenses +- Deploy line-of-business (LOB) apps (non-Store apps) +- Inventory all apps for a user (Store and non-Store apps) +- Inventory all apps for a device (Store and non-Store apps) +- Uninstall all apps for a user (Store and non-Store apps) +- Provision apps so they're installed for all users of a device running Windows desktop editions (Home, Pro, Enterprise, and Education) +- Remove the provisioned app on the device running Windows desktop editions -## Inventory your apps +## Inventory apps -Windows 10 lets you inventory all apps deployed to a user, and inventory all apps for all users of a device on Windows 10 for desktop editions. The [EnterpriseModernAppManagement](mdm/enterprisemodernappmanagement-csp.md) configuration service provider (CSP) inventories packaged apps and doesn't include traditional Win32 apps installed via MSI or executables. When the apps are inventoried, they're separated based on the following app classifications: +Windows lets you inventory all apps deployed to a user, and inventory all apps for all users of a Windows device. 
The [EnterpriseModernAppManagement](mdm/enterprisemodernappmanagement-csp.md) configuration service provider (CSP) inventories packaged apps and doesn't include traditional Win32 apps installed via MSI or executables. When the apps are inventoried, they're separated based on the following app classifications: -- Store - Apps that are from the Microsoft Store. Apps can be directly installed from the Store or delivered with the enterprise from the Store for Business -- nonStore - Apps that weren't acquired from the Microsoft Store. -- System - Apps that are part of the OS. You can't uninstall these apps. This classification is read-only and can only be inventoried. +- **Store**: Apps that have been acquired from the Microsoft Store, either directly or delivered with the enterprise from the Store for Business. +- **nonStore**: Apps that were not acquired from the Microsoft Store. +- **System**: Apps that are part of the operating system and cannot be uninstalled. This classification is read-only and can only be inventoried. -These classifications are represented as nodes in the EnterpriseModernAppManagement CSP. +Each app is identified by one package family name and one or more package full names, and the apps are grouped based on their origin. The EnterpriseModernAppManagement CSP displays these classifications as nodes. -The following information shows the EnterpriseModernAppManagement CSP in a tree format: +Inventory can be run recursively at any level from the AppManagement node through the package full name. You can also choose to inventory specific attributes only. The inventory is specific to the package full name and lists bundled and resource packs as applicable under the package family name. 
-```console -./Device/Vendor/MSFT -or -./User/Vendor/MSFT -EnterpriseAppManagement -----AppManagement ---------UpdateScan ---------LastScanError ---------AppInventoryResults ---------AppInventoryQuery ---------RemovePackage ---------AppStore -----------PackageFamilyName -------------PackageFullName ---------------Name ---------------Version ---------------Publisher ---------------Architecture ---------------InstallLocation ---------------IsFramework ---------------IsBundle ---------------InstallDate ---------------ResourceID ---------------RequiresReinstall ---------------PackageStatus ---------------Users ---------------IsProvisioned ---------------IsStub -------------DoNotUpdate -------------AppSettingPolicy ---------------SettingValue -------------MaintainProcessorArchitectureOnUpdate -------------NonRemovable -----------ReleaseManagement -------------ReleaseManagementKey ---------------ChannelId ---------------ReleaseId ---------------EffectiveRelease ------------------ChannelId ------------------ReleaseId ---------nonStore -----------PackageFamilyName -------------PackageFullName ---------------Name ---------------Version ---------------Publisher ---------------Architecture ---------------InstallLocation ---------------IsFramework ---------------IsBundle ---------------InstallDate ---------------ResourceID ---------------RequiresReinstall ---------------PackageStatus ---------------Users ---------------IsProvisioned ---------------IsStub -------------DoNotUpdate -------------AppSettingPolicy ---------------SettingValue -------------MaintainProcessorArchitectureOnUpdate -------------NonRemoveable ---------System -----------PackageFamilyName -------------PackageFullName ---------------Name ---------------Version ---------------Publisher ---------------Architecture ---------------InstallLocation ---------------IsFramework ---------------IsBundle ---------------InstallDate ---------------ResourceID ---------------RequiresReinstall ---------------PackageStatus 
---------------Users ---------------IsProvisioned ---------------IsStub -------------DoNotUpdate -------------AppSettingPolicy ---------------SettingValue -------------MaintainProcessorArchitectureOnUpdate -------------NonRemoveable -----AppInstallation ---------PackageFamilyName -----------StoreInstall -----------HostedInstall -----------LastError -----------LastErrorDesc -----------Status -----------ProgressStatus -----AppLicenses ---------StoreLicenses -----------LicenseID -------------LicenseCategory -------------LicenseUsage -------------RequesterID -------------AddLicense -------------GetLicenseFromStore -``` - -Each app displays one package family name and 1-n package full names for installed apps. The apps are categorized based on their origin (Store, nonStore, System). - -Inventory can run recursively at any level from the AppManagement node through the package full name. Inventory can also run only for a specific inventory attribute. - -Inventory is specific to the package full name and lists bundled packs and resources packs as applicable under the package family name. - -Here are the nodes for each package full name: - -- Name -- Version -- Publisher -- Architecture -- InstallLocation -- IsFramework -- IsBundle -- InstallDate -- ResourceID -- RequiresReinstall -- PackageStatus -- Users -- IsProvisioned - -For detailed descriptions of each node, see [EnterpriseModernAppManagement CSP](mdm/enterprisemodernappmanagement-csp.md). +For more information on each node, refer to the detailed descriptions provided in the [EnterpriseModernAppManagement CSP](mdm/enterprisemodernappmanagement-csp.md). ### App inventory 
@@ -172,126 +53,121 @@ You can use the EnterpriseModernAppManagement CSP to query for all apps installe Doing a full inventory of a device can be resource-intensive based on the hardware and number of apps that are installed. The data returned can also be large. You may want to chunk these requests to reduce the impact to clients and network traffic. -Here's an example of a query for all apps on the device. +- Example query for all apps on the device. -```xml - - - 1 - - - ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement?list=StructData - - - -``` + ```xml + + + 1 + + + ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement?list=StructData + + + + ``` -Here's an example of a query for a specific app for a user. +- Example query for a specific app for a user. -```xml - - - 1 - - - ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}?list=StructData - - - -``` + ```xml + + + 1 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}?list=StructData + + + + ``` ### Store license inventory You can use the EnterpriseModernAppManagement CSP to query for all app licenses installed for a user or device. The query returns all app licenses, event if they were installed via MDM or other methods. Inventory can run at the user or device level. Inventory at the device level will return information for all users on the device. -Here are the nodes for each license ID: - -- LicenseCategory -- LicenseUsage -- RequestedID - For detailed descriptions of each node, see [EnterpriseModernAppManagement CSP](mdm/enterprisemodernappmanagement-csp.md). > [!NOTE] > The LicenseID in the CSP is the content ID for the license. -Here's an example of a query for all app licenses on a device. +- Here's an example of a query for all app licenses on a device. 
-```xml - - - 1 - - - ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppLicenses/StoreLicenses?list=StructData - - - -``` + ```xml + + + 1 + + + ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppLicenses/StoreLicenses?list=StructData + + + + ``` -Here's an example of a query for all app licenses for a user. +- Here's an example of a query for all app licenses for a user. -```xml - - - 1 - - - ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppLicenses/StoreLicenses/{license id}?list=StructData - - - -``` + ```xml + + + 1 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppLicenses/StoreLicenses/{license id}?list=StructData + + + + ``` ## Enable the device to install non-Store apps -There are two basic types of apps you can deploy: Store apps and enterprise signed apps. To deploy enterprise signed apps, you must enable a setting on the device to allow trusted apps. The apps can be signed by a Microsoft approved root (such as Symantec), an enterprise deployed root, or apps that are self-signed. This section covers the steps to configure the device for non-store app deployment. +There are two basic types of apps you can deploy: + +- Store apps. +- Enterprise signed apps. + +To deploy enterprise signed apps, you must enable a setting on the device to allow trusted apps. The apps can be signed by a Microsoft approved root (such as Symantec), an enterprise deployed root, or apps that are self-signed. This section covers the steps to configure the device for non-store app deployment. ### Unlock the device for non-Store apps -To deploy apps that aren't from the Microsoft Store, you must configure the ApplicationManagement/AllowAllTrustedApps policy. This policy allows the installation of non-Store apps on the device if there's a chain to a certificate on the device. The app can be signed with a root certificate on the device (such as Symantec Enterprise), an enterprise owned root certificate, or a peer trust certificate deployed on the device. 
For more information about deploying user license, see [Deploy an offline license to a user](#deploy-an-offline-license-to-a-user). +To deploy apps that aren't from the Microsoft Store, you must configure the [ApplicationManagement/AllowAllTrustedApps](mdm/policy-csp-applicationmanagement.md) policy. This policy allows the installation of non-Store apps on the device if there's a chain to a certificate on the device. The app can be signed with a root certificate on the device (such as Symantec Enterprise), an enterprise owned root certificate, or a peer trust certificate deployed on the device. For more information about deploying user license, see [Deploy an offline license to a user](#deploy-an-offline-license-to-a-user). -The AllowAllTrustedApps policy enables the installation apps that are trusted by a certificate in the Trusted People on the device, or a root certificate in the Trusted Root of the device. The policy isn't configured by default, which means only apps from the Microsoft Store can be installed. If the management server implicitly sets the value to off, the setting is disabled in the settings panel on the device. +The AllowAllTrustedApps policy enables the installation of apps that are trusted by a certificate in the Trusted People on the device, or a root certificate in the Trusted Root of the device. The policy isn't configured by default, which means only apps from the Microsoft Store can be installed. If the management server implicitly sets the value to off, the setting is disabled in the settings panel on the device. -For more information about the AllowAllTrustedApps policy, see [Policy CSP](mdm/policy-configuration-service-provider.md). - -Here are some examples. 
+Here's an example: ```xml - 1 - - +1 + + ./Vendor/MSFT/Policy/Result/ApplicationManagement/AllowAllTrustedApps?list=StructData - - + + - 2 - - +2 + + ./Vendor/MSFT/Policy/Config/ApplicationManagement/AllowAllTrustedApps - - + + int text/plain - - 1 - + + 1 + ``` ### Unlock the device for developer mode -Development of apps on Windows 10 no longer requires a special license. You can enable debugging and deployment of non-packaged apps using ApplicationManagement/AllowDeveloperUnlock policy in Policy CSP. +Development of apps on Windows devices no longer requires a special license. You can enable debugging and deployment of non-packaged apps using [ApplicationManagement/AllowDeveloperUnlock](mdm/policy-csp-applicationmanagement.md) policy in Policy CSP. AllowDeveloperUnlock policy enables the development mode on the device. The AllowDeveloperUnlock isn't configured by default, which means only Microsoft Store apps can be installed. If the management server explicitly sets the value to off, the setting is disabled in the settings panel on the device. -Deployment of apps to Windows 10 for desktop editions requires that there's a chain to a certificate on the device. The app can be signed with a root certificate on the device (such as Symantec Enterprise), an enterprise owned root certificate, or a peer trust certificate deployed on the device. - -For more information about the AllowDeveloperUnlock policy, see [Policy CSP](mdm/policy-configuration-service-provider.md). +Deployment of apps to Windows devices requires that there's a chain to a certificate on the device. The app can be signed with a root certificate on the device (such as Symantec Enterprise), an enterprise owned root certificate, or a peer trust certificate deployed on the device. Here's an example. 
@@ -321,7 +197,7 @@ Here's an example. ``` -## Install your apps +## Install apps You can install apps to a specific user or to all users of a device. Apps are installed directly from the Microsoft Store. Or, they're installed from a host location, such as a local disk, UNC path, or HTTPS location. Use the AppInstallation node of the [EnterpriseModernAppManagement CSP](mdm/enterprisemodernappmanagement-csp.md) to install apps. 
@@ -333,47 +209,46 @@ If you purchased an app from the Store for Business and the app is specified for Here are the requirements for this scenario: -- The app is assigned to a user Azure Active Directory (Azure AD) identity in the Store for Business. You can assign directly in the Store for Business or through a management server. -- The device requires connectivity to the Microsoft Store. -- Microsoft Store services must be enabled on the device. The UI for the Microsoft Store can be disabled by the enterprise admin. -- The user must be signed in with their Azure AD identity. +- The app is assigned to a user Azure Active Directory (Azure AD) identity in the Store for Business. You can assign directly in the Store for Business or through a management server. +- The device requires connectivity to the Microsoft Store. +- Microsoft Store services must be enabled on the device. The UI for the Microsoft Store can be disabled by the enterprise admin. +- The user must be signed in with their Azure AD identity. -Here are some examples. +Here's an example: ```xml - 1 - - - ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/StoreInstall - - - xml - - - + 1 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/StoreInstall + + + xml + + + + + ``` Here are the changes from the previous release: -1. The "{CatID}" reference should be updated to "{ProductID}". This value is acquired as a part of the Store for Business management tool. -2. The value for flags can be "0" or "1" - - When using "0", the management tool calls back to the Store for Business sync to assign a user a seat of an application. When using "1", the management tool doesn't call back in to the Store for Business sync to assign a user a seat of an application. The CSP will claim a seat if one is available. - -3. The `skuid` is a new parameter that is required. This value is acquired as a part of the Store for Business to management tool sync. 
+1. The `{CatID}` reference should be updated to `{ProductID}`. This value is acquired as a part of the Store for Business management tool. +1. The value for flags can be 0 or 1. + - When using "0", the management tool calls back to the Store for Business sync to assign a user a seat of an application. + - When using "1", the management tool doesn't call back in to the Store for Business sync to assign a user a seat of an application. The CSP will claim a seat if one is available. +1. The `skuid` is a new parameter that is required. This value is acquired as a part of the Store for Business to management tool sync. ### Deploy an offline license to a user -If you purchased an app from the Store for Business, the app license must be deployed to the device. +If you purchased an app from the Store for Business, the app license must be deployed to the device. The app license only needs to be deployed as part of the initial installation of the app. During an update, only the app is deployed to the user. -The app license only needs to be deployed as part of the initial installation of the app. During an update, only the app is deployed to the user. +In the SyncML, you need to specify the following information in the `Exec` command: -In the SyncML, you need to specify the following information in the Exec command: - -- License ID - This ID is specified in the LocURI. The License ID for the offline license is referred to as the "Content ID" in the license file. You can retrieve this information from the Base64 encoded license download from the Store for Business. -- License Content - This content is specified in the data section. The License Content is the Base64 encoded blob of the license. +- License ID - This ID is specified in the LocURI. The License ID for the offline license is referred to as the "Content ID" in the license file. You can retrieve this information from the Base64 encoded license download from the Store for Business. 
+- License Content - This content is specified in the data section. The License Content is the Base64 encoded blob of the license. Here's an example of an offline license installation. @@ -392,7 +267,6 @@ Here's an example of an offline license installation. ``` - ### Deploy apps to a user from a hosted location If you purchased an app from the Store for Business and the app is specified for an offline license or the app is a non-Store app, the app must be deployed from a hosted location. 
@@ -409,106 +283,106 @@ Here are the requirements for this scenario: The Add command for the package family name is required to ensure proper removal of the app at unenrollment. -Here's an example of a line-of-business app installation. +- Here's an example of a line-of-business app installation. -```xml - - - 0 - - - ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName} - - - - - - 1 - - - ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/HostedInstall - - - xml - - - - -``` + ```xml + + + 0 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName} + + + + + + 1 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/HostedInstall + + + xml + + + + + ``` -Here's an example of an app installation with dependencies. +- Here's an example of an app installation with dependencies. -```xml - - - 0 - - - ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName - - - - - - 1 - - - ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/HostedInstall - - - xml - - - - - - - - - - - -``` + ```xml + + + 0 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName + + + + + + 1 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/HostedInstall + + + xml + + + + + + + + + + + + ``` -Here's an example of an app installation with dependencies and optional packages. +- Here's an example of an app installation with dependencies and optional packages. 
-```xml - - - 0 - - - ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName - - - - - - 1 - - - ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/HostedInstall - - - xml - - - - - - - - - - - - - - - -``` + ```xml + + + 0 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName + + + + + + 1 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/HostedInstall + + + xml + + + + + + + + + + + + + + + + ``` ### Provision apps for all users of a device 
@@ -528,124 +402,116 @@ To provision app for all users of a device from a hosted location, the managemen > [!NOTE] > When you remove the provisioned app, it will not remove it from the users that already installed the app. -Here's an example of app installation. +- Here's an example of app installation: -> [!NOTE] -> This is only supported in Windows 10 for desktop editions. + ```xml + + + 0 + + + ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName + + + + + + 1 + + + ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/HostedInstall + + + xml + + + + + ``` -```xml - - - 0 - - - ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName - - - - - - 1 - - - ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/HostedInstall - - - xml - - - - -``` + The HostedInstall Exec command contains a Data node that requires an embedded XML. Here are the requirements for the data XML: -The HostedInstall Exec command contains a Data node that requires an embedded XML. Here are the requirements for the data XML: + - Application node has a required parameter, PackageURI, which can be a local file location, UNC, or HTTPS location. + - Dependencies can be specified if required to be installed with the package. This is optional. -- Application node has a required parameter, PackageURI, which can be a local file location, UNC, or HTTPS location. -- Dependencies can be specified if required to be installed with the package. This is optional. + The DeploymentOptions parameter is only available in the user context. -The DeploymentOptions parameter is only available in the user context. +- Here's an example of app installation with dependencies. -Here's an example of app installation with dependencies. - -> [!NOTE] -> This is only supported in Windows 10 for desktop editions. 
- -```xml - - - 0 - - - ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName - - - - - - 1 - - - ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/HostedInstall - - - xml - - - - - - - - - - - -``` + ```xml + + + 0 + + + ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName + + + + + + 1 + + + ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/HostedInstall + + + xml + + + + + + + + + + + + ``` ### Get status of app installations When an app installation is completed, a Windows notification is sent. You can also query the status of using the AppInstallation node. Here's the list of information you can get back in the query: -- Status - indicates the status of app installation. - - NOT\_INSTALLED (0) - The node was added, but the execution wasn't completed. - - INSTALLING (1) - Execution has started, but the deployment hasn't completed. If the deployment completes regardless of success, then this value is updated. - - FAILED (2) - Installation failed. The details of the error can be found under LastError and LastErrorDescription. - - INSTALLED (3) - Once an install is successful this node is cleaned up. If the clean up action hasn't completed, then this state may briefly appear. -- LastError - The last error reported by the app deployment server. -- LastErrorDescription - Describes the last error reported by the app deployment server. -- Status - An integer that indicates the progress of the app installation. In cases of an HTTPS location, this status shows the estimated download progress. +- Status - indicates the status of app installation. + - NOT\_INSTALLED (0) - The node was added, but the execution wasn't completed. + - INSTALLING (1) - Execution has started, but the deployment hasn't completed. If the deployment completes regardless of success, then this value is updated. + - FAILED (2) - Installation failed. 
The details of the error can be found under LastError and LastErrorDescription. + - INSTALLED (3) - Once an install is successful this node is cleaned up. If the clean up action hasn't completed, then this state may briefly appear. +- LastError - The last error reported by the app deployment server. +- LastErrorDescription - Describes the last error reported by the app deployment server. +- Status - An integer that indicates the progress of the app installation. In cases of an HTTPS location, this status shows the estimated download progress. Status isn't available for provisioning and only used for user-based installations. For provisioning, the value is always 0. - Status isn't available for provisioning and only used for user-based installations. For provisioning, the value is always 0. +When an app is installed successfully, the node is cleaned up and no longer present. The status of the app can be reported under the [AppManagement node](mdm/enterprisemodernappmanagement-csp.md#deviceappmanagement). -When an app is installed successfully, the node is cleaned up and no longer present. The status of the app can be reported under the AppManagement node. +- Here's an example of a query for a specific app installation. -Here's an example of a query for a specific app installation. + ```xml + + + 2 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}?list=StructData + + + + ``` -```xml - - - 2 - - - ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}?list=StructData - - - -``` +- Here's an example of a query for all app installations. -Here's an example of a query for all app installations. - -```xml - - - 2 - - - ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation?list=StructData - - - -``` + ```xml + + + 2 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation?list=StructData + + + + ``` ### Alert for installation completion 
@@ -670,51 +536,50 @@ Here's an example of an alert. ``` -For user-based installation, use the ./User path and for provisioning of apps, use the ./Device path. +For user-based installation, use the `./User` path and for provisioning of apps, use the `./Device` path. The Data field value of 0 (zero) indicates success. Otherwise it's an error code. If there's a failure, you can get more details from the AppInstallation node. > [!NOTE] -> At this time, the alert for Store app installation isn't yet available. - +> At this time, the alert for Store app installation isn't available. ## Uninstall your apps -You can uninstall apps from users from Windows 10 devices. To uninstall an app, you delete it from the AppManagement node of the CSP. Within the AppManagement node, packages are organized based on their origin according to the following nodes: +You can uninstall apps from users from Windows devices. To uninstall an app, you delete it from the AppManagement node of the CSP. Within the AppManagement node, packages are organized based on their origin according to the following nodes: -- AppStore - These apps are for the Microsoft Store. Apps can be directly installed from the store or delivered to the enterprise from the Store for Business. -- nonStore - These apps that weren't acquired from the Microsoft Store. -- System - These apps are part of the OS. You can't uninstall these apps. +- AppStore - These apps are for the Microsoft Store. Apps can be directly installed from the store or delivered to the enterprise from the Store for Business. +- nonStore - These apps that weren't acquired from the Microsoft Store. +- System - These apps are part of the OS. You can't uninstall these apps. To uninstall an app, you delete it under the origin node, package family name, and package full name. To uninstall a XAP, use the product ID in place of the package family name and package full name. -Here's an example for uninstalling all versions of an app for a user. 
+ Here's an example for uninstalling all versions of an app for a user. -```xml - - - 1 - - - ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName} - - - -``` + ```xml + + + 1 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName} + + + + ``` -Here's an example for uninstalling a specific version of the app for a user. +-Here's an example for uninstalling a specific version of the app for a user. -```xml - - - 1 - - - ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName} - - - -``` + ```xml + + + 1 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName} + + + + ``` ### Removed provisioned apps from a device 
@@ -723,70 +588,69 @@ You can remove provisioned apps from a device for a specific version, or for all > [!NOTE] > You can only remove an app that has an inventory value IsProvisioned = 1. - Removing provisioned app occurs in the device context. -Here's an example for removing a provisioned app from a device. +- Here's an example for removing a provisioned app from a device. -```xml - - - 1 - - - ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName} - - - -``` + ```xml + + + 1 + + + ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName} + + + + ``` -Here's an example for removing a specific version of a provisioned app from a device: +- Here's an example for removing a specific version of a provisioned app from a device: -```xml - - - 1 - - - ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName} - - - -``` + ```xml + + + 1 + + + ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName} + + + + ``` ### Remove a store app license You can remove app licenses from a device per app based on the content ID. -Here's an example for removing an app license for a user. +- Here's an example for removing an app license for a user. -```xml - - - 1 - - - ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppLicenses/StoreLicenses/{license id} - - - -``` + ```xml + + + 1 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppLicenses/StoreLicenses/{license id} + + + + ``` -Here's an example for removing an app license for a provisioned package (device context). +- Here's an example for removing an app license for a provisioned package (device context). 
-```xml - - - 1 - - - ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppLicenses/StoreLicenses/{license id} - - - -``` + ```xml + + + 1 + + + ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppLicenses/StoreLicenses/{license id} + + + + ``` -### Alert for app uninstallation +### Alert for app uninstall Uninstallation of an app can take some time complete. So, the uninstall is run asynchronously. When the Exec command is completed, the client sends a notification to the management server with a status, whether it's a failure or success. @@ -818,33 +682,33 @@ Apps installed on a device can be updated using the management server. Apps can To update an app from Microsoft Store, the device requires contact with the store services. -Here's an example of an update scan. +- Here's an example of an update scan. -```xml - - - 1 - - - ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/UpdateScan - - - -``` + ```xml + + + 1 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/UpdateScan + + + + ``` -Here's an example of a status check. +- Here's an example of a status check. -```xml - - - 1 - - - ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/LastScanError - - - -``` + ```xml + + + 1 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/LastScanError + + + + ``` ### Update apps from a hosted location @@ -863,7 +727,7 @@ Turning off updates only applies to updates from the Microsoft Store at the devi Here's an example. ```xml - + 1 
@@ -889,9 +753,9 @@ The Universal Windows app can share application data between the users of the de > [!NOTE] > This is only applicable to multi-user devices. -The AllowSharedUserAppData policy in [Policy CSP](mdm/policy-configuration-service-provider.md) enables or disables app packages to share data between app packages when there are multiple users. If you enable this policy, applications can share data between packages in their package family. Data can be shared through ShareLocal folder for that package family and local machine. This folder is available through the Windows.Storage API. +The [ApplicationManagement/AllowSharedUserAppData](mdm/policy-csp-applicationmanagement.md) policy enables or disables app packages to share data between app packages when there are multiple users. If you enable this policy, applications can share data between packages in their package family. Data can be shared through ShareLocal folder for that package family and local machine. This folder is available through the Windows.Storage API. -If you disable this policy, applications can't share user application data among multiple users. However, pre-written shared data will persist. The clean pre-written shared data, use DISM ((/Get-ProvisionedAppxPackage to detect if there's any shared data, and /Remove-SharedAppxData to remove it). +If you disable this policy, applications can't share user application data among multiple users. However, pre-written shared data will persist. The clean pre-written shared data, use DISM ((`/Get-ProvisionedAppxPackage` to detect if there's any shared data, and `/Remove-SharedAppxData` to remove it). The valid values are 0 (off, default value) and 1 (on). diff --git a/windows/client-management/esim-enterprise-management.md b/windows/client-management/esim-enterprise-management.md index 5acabf7ab8..59197ad641 100644 --- a/windows/client-management/esim-enterprise-management.md +++ b/windows/client-management/esim-enterprise-management.md 
@@ -8,15 +8,21 @@ ms.author: vinpa ms.topic: conceptual ms.technology: itpro-manage ms.date: 12/31/2017 +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 --- # How Mobile Device Management Providers support eSIM Management on Windows + The eSIM Profile Management Solution places the Mobile Device Management (MDM) Provider in the front and center. The whole idea is to use an already-existing solution that customers are familiar with and use to manage devices. The expectations from an MDM are that it will use the same sync mechanism that it uses for device policies to push any policy to the eSIM profile, and be able to use Groups and Users the same way. This way, the eSIM profile download and the installation happen in the background without impacting the end user. Similarly, the IT admin would use the same method of managing the eSIM profiles (Assignment/de-assignment, etc.) the same way as they currently do device management. - If you are a Mobile Device Management (MDM) Provider and want to support eSIM Management on Windows, perform the following steps: + +If you are a Mobile Device Management (MDM) Provider and want to support eSIM Management on Windows, perform the following steps: + - Onboard to Azure Active Directory - Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. However, Windows does not limit how ecosystem partners might want to offer this to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Windows OMA-DM. This makes it possible to remotely manage the eSIM profiles according to the company policies. Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. 
However, Windows does not limit how ecosystem partners might want to offer this capability to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Windows OMA-DM. This characteristic makes it possible to remotely manage the eSIM profiles according to the company policies. As an MDM provider, if you are looking to integrate/onboard to a mobile operator on a 1:1 basis, contact them and learn more about their onboarding. If you would like to integrate and work with only one MDM provider, contact that provider directly. If you would like to offer eSIM management to customers using different MDM providers, contact an orchestrator provider. Orchestrator providers act as proxy handling MDM onboarding and as a mobile operator onboarding. Their role is to make the process as painless and scalable as possible for all parties. Potential orchestrator providers you could contact include: - - [HPE Device Entitlement Gateway](https://www.hpe.com/emea_europe/en/solutions/digital-communications-services.html) - - [IDEMIA The Smart Connect - Hub](https://www.idemia.com/smart-connect-hub) + - [HPE Device Entitlement Gateway](https://www.hpe.com/emea_europe/en/solutions/digital-communications-services.html) + - [IDEMIA The Smart Connect - Hub](https://www.idemia.com/smart-connect-hub) - Assess solution type that you would like to provide your customers - Batch/offline solution - IT Admin can manually import a flat file containing list of eSIM activation codes, and provision eSIM on LTE enabled devices. 
@@ -24,4 +30,6 @@ The eSIM Profile Management Solution places the Mobile Device Management (MDM) P - Real-time solution - MDM automatically syncs with the Operator backend system for subscription pool and eSIM management, via sim vendor solution component. IT Admin can view subscription pool and provision eSIM in real time. - Operator is notified of the status of each eSIM profile and has visibility on which devices are being used -**Note:** End users don't notice the solution type. The choice between the two is made between the MDM and the Mobile Operator. + +> [!NOTE] +> End users don't notice the solution type. The choice between the two is made between the MDM and the Mobile Operator. diff --git a/windows/client-management/federated-authentication-device-enrollment.md b/windows/client-management/federated-authentication-device-enrollment.md index a50c18383c..7ae977249a 100644 --- a/windows/client-management/federated-authentication-device-enrollment.md +++ b/windows/client-management/federated-authentication-device-enrollment.md @@ -1,14 +1,17 @@ --- title: Federated authentication device enrollment description: This section provides an example of the mobile device enrollment protocol using federated authentication policy. -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa ms.topic: article ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft -ms.date: 07/28/2017 +ms.date: 04/05/2023 +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 --- # Federated authentication device enrollment 
@@ -17,28 +20,23 @@ This section provides an example of the mobile device enrollment protocol using The `` element the discovery response message specifies web authentication broker page start URL. -For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692). +For details about the Microsoft mobile device enrollment protocol for Windows, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692). -## In this topic - -[Discovery service](#discovery-service) -[Enrollment policy web service](#enrollment-policy-web-service) -[Enrollment web service](#enrollment-web-service) - -For the list of enrollment scenarios not supported in Windows 10, see [Enrollment scenarios not supported](mobile-device-enrollment.md#enrollment-scenarios-not-supported). +> [!NOTE] +> For the list of enrollment scenarios not supported in Windows, see [Enrollment scenarios not supported](mobile-device-enrollment.md#enrollment-scenarios-not-supported). ## Discovery service The discovery web service provides the configuration information necessary for a user to enroll a phone with a management service. The service is a restful web service over HTTPS (server authentication only). > [!NOTE] -> The administrator of the discovery service must create a host with the address enterpriseenrollment.*domain\_name*.com. +> The administrator of the discovery service must create a host with the address `enterpriseenrollment..com`. -The automatic discovery flow of the device uses the domain name of the email address that was submitted to the Workplace settings screen during sign in. 
The automatic discovery system constructs a URI that uses this hostname by appending the subdomain “enterpriseenrollment” to the domain of the email address, and by appending the path “/EnrollmentServer/Discovery.svc”. For example, if the email address is “sample@contoso.com”, the resulting URI for first Get request would be: `http://enterpriseenrollment.contoso.com/EnrollmentServer/Discovery.svc`. +The automatic discovery flow of the device uses the domain name of the email address that was submitted to the Workplace settings screen during sign in. The automatic discovery system constructs a URI that uses this hostname by appending the subdomain **enterpriseenrollment** to the domain of the email address, and by appending the path `/EnrollmentServer/Discovery.svc`. For example, if the email address is `sample@contoso.com`, the resulting URI for first Get request would be: `http://enterpriseenrollment.contoso.com/EnrollmentServer/Discovery.svc`. The first request is a standard HTTP GET request. -The following example shows a request via HTTP GET to the discovery server given user@contoso.com as the email address. +The following example shows a request via HTTP GET to the discovery server given `user@contoso.com` as the email address. ```http Request Full Url: http://EnterpriseEnrollment.contoso.com/EnrollmentServer/Discovery.svc 
@@ -70,16 +68,16 @@ Content-Type: text/html Content-Length: 0 ``` -After the device gets a response from the server, the device sends a POST request to enterpriseenrollment.*domain\_name*/EnrollmentServer/Discovery.svc. After it gets another response from the server (which should tell the device where the enrollment server is), the next message sent from the device is to enterpriseenrollment.*domain\_name* to the enrollment server. +After the device gets a response from the server, the device sends a POST request to `enterpriseenrollment./EnrollmentServer/Discovery.svc`. After it gets another response from the server (which should tell the device where the enrollment server is), the next message sent from the device is to `enterpriseenrollment.` enrollment server. The following logic is applied: -1. The device first tries HTTPS. If the server cert isn't trusted by the device, the HTTPS fails. -2. If that fails, the device tries HTTP to see whether it's redirected: - - If the device isn't redirected, it prompts the user for the server address. - - If the device is redirected, it prompts the user to allow the redirect. +1. The device first tries HTTPS. If the server cert isn't trusted by the device, the HTTPS fails. +1. If that fails, the device tries HTTP to see whether it's redirected: + - If the device isn't redirected, it prompts the user for the server address. + - If the device is redirected, it prompts the user to allow the redirect. -The following example shows a request via an HTTP POST command to the discovery web service given user@contoso.com as the email address +The following example shows a request via an HTTP POST command to the discovery web service given `user@contoso.com` as the email address ```http https://EnterpriseEnrollment.Contoso.com/EnrollmentServer/Discovery.svc 
@@ -90,64 +88,68 @@ The following example shows the discovery service request. ```xml - - - http://schemas.microsoft.com/windows/management/2012/01/enrollment/IDiscoveryService/Discover - - urn:uuid: 748132ec-a575-4329-b01b-6171a9cf8478 - - http://www.w3.org/2005/08/addressing/anonymous - - - https://ENROLLTEST.CONTOSO.COM/EnrollmentServer/Discovery.svc - - - - - - user@contoso.com - 3 - 3.0 - WindowsPhone - 10.0.0.0 - - OnPremise - Federated - - - - + xmlns:s="http://www.w3.org/2003/05/soap-envelope"> + + + http://schemas.microsoft.com/windows/management/2012/01/enrollment/IDiscoveryService/Discover + + urn:uuid: 748132ec-a575-4329-b01b-6171a9cf8478 + + http://www.w3.org/2005/08/addressing/anonymous + + + https://ENROLLTEST.CONTOSO.COM/EnrollmentServer/Discovery.svc + + + + + + user@contoso.com + 3 + + 3.0 + + WindowsPhone + + 10.0.0.0 + + OnPremise + Federated + + + + ``` The discovery response is in the XML format and includes the following fields: -- Enrollment service URL (EnrollmentServiceUrl) – Specifies the URL of the enrollment endpoint that is exposed by the management service. The device should call this URL after the user has been authenticated. This field is mandatory. -- Authentication policy (AuthPolicy) – Indicates what type of authentication is required. For the MDM server, OnPremise is the supported value, which means that the user will be authenticated when calling the management service URL. This field is mandatory. -- In Windows, Federated is added as another supported value. This addition allows the server to use the Web Authentication Broker to perform customized user authentication, and term of usage acceptance. +- Enrollment service URL (EnrollmentServiceUrl) - Specifies the URL of the enrollment endpoint that is exposed by the management service. The device should call this URL after the user has been authenticated. This field is mandatory. +- Authentication policy (AuthPolicy) - Indicates what type of authentication is required. 
For the MDM server, OnPremise is the supported value, which means that the user will be authenticated when calling the management service URL. This field is mandatory. +- In Windows, Federated is added as another supported value. This addition allows the server to use the Web Authentication Broker to perform customized user authentication, and term of usage acceptance. -> [!Note] +> [!NOTE] > The HTTP server response must not set Transfer-Encoding to Chunked; it must be sent as one message. When authentication policy is set to be Federated, Web Authentication Broker (WAB) will be used by the enrollment client to get a security token. The WAB start page URL is provided by the discovery service in the response message. The enrollment client will call the WAB API within the response message to start the WAB process. WAB pages are server hosted web pages. The server should build those pages to fit the device screen nicely and be as consistent as possible to other builds in the MDM enrollment UI. The opaque security token that is returned from WAB as an endpage will be used by the enrollment client as the device security secret during the client certificate enrollment request call. -> [!Note] +> [!NOTE] > Instead of relying on the user agent string that is passed during authentication to get information, such as the OS version, use the following guidance: -> - Parse the OS version from the data sent up during the discovery request. -> - Append the OS version as a parameter in the AuthenticationServiceURL. -> - Parse out the OS version from the AuthenticiationServiceURL when the OS sends the response for authentication. +> +> - Parse the OS version from the data sent up during the discovery request. +> - Append the OS version as a parameter in the AuthenticationServiceURL. +> - Parse out the OS version from the AuthenticiationServiceURL when the OS sends the response for authentication. 
-A new XML tag, AuthenticationServiceUrl, is introduced in the DiscoveryResponse XML to allow the server to specify the WAB page start URL. For Federated authentication, this XML tag must exist. +A new XML tag, **AuthenticationServiceUrl**, is introduced in the DiscoveryResponse XML to allow the server to specify the WAB page start URL. For Federated authentication, this XML tag must exist. -> [!Note] +> [!NOTE] > The enrollment client is agnostic with regards to the protocol flows for authenticating and returning the security token. While the server might prompt for user credentials directly or enter into a federation protocol with another server and directory service, the enrollment client is agnostic to all of this. To remain agnostic, all protocol flows pertaining to authentication that involve the enrollment client are passive, that is, browser-implemented. The following are the explicit requirements for the server. -- The ```` element must support HTTPS. -- The authentication server must use a device trusted root certificate. Otherwise, the WAP call will fail. -- WP doesn’t support Windows Integrated Authentication (WIA) for ADFS during WAB authentication. ADFS 2012 R2 if used needs to be configured to not attempt WIA for Windows device. +- The ```` element must support HTTPS. +- The authentication server must use a device trusted root certificate. Otherwise, the WAP call will fail. +- WP doesn't support Windows Integrated Authentication (WIA) for ADFS during WAB authentication. ADFS 2012 R2 if used needs to be configured to not attempt WIA for Windows device. The enrollment client issues an HTTPS request as follows: 
@@ -164,7 +166,7 @@ After authentication is complete, the auth server should return an HTML form doc > To make an application compatible with strict Content Security Policy, it's usually necessary to make some changes to HTML templates and client-side code, add the policy header, and test that everything works properly once the policy is deployed. ```html -HTTP/1.1 200 OK +HTTP/1.1 200 OK Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Content-Length: 556 @@ -196,35 +198,34 @@ The following example shows a response received from the discovery web service t ```xml - - - http://schemas.microsoft.com/windows/management/2012/01/enrollment/IDiscoveryService/DiscoverResponse - - - d9eb2fdd-e38a-46ee-bd93-aea9dc86a3b8 - - urn:uuid: 748132ec-a575-4329-b01b-6171a9cf8478 - - - - - Federated - 3.0 - - https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC - - - https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC - - - https://portal.manage.contoso.com/LoginRedirect.aspx - - - - + xmlns:a="http://www.w3.org/2005/08/addressing"> + + + http://schemas.microsoft.com/windows/management/2012/01/enrollment/IDiscoveryService/DiscoverResponse + + + d9eb2fdd-e38a-46ee-bd93-aea9dc86a3b8 + + urn:uuid: 748132ec-a575-4329-b01b-6171a9cf8478 + + + + + Federated + 3.0 + + https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC + + + https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC + + + https://portal.manage.contoso.com/LoginRedirect.aspx + + + + ``` 
@@ -236,12 +237,12 @@ This web service implements the X.509 Certificate Enrollment Policy Protocol (MS For Federated authentication policy, the security token credential is provided in a request message using the `` element \[WSS\]. The security token is retrieved as described in the discovery response section. The authentication information is as follows: -- wsse:Security: The enrollment client implements the `` element defined in \[WSS\] section 5. The `` element must be a child of the `` element. -- wsse:BinarySecurityToken: The enrollment client implements the `` element defined in \[WSS\] section 6.3. The `` element must be included as a child of the `` element in the SOAP header. +- wsse:Security: The enrollment client implements the `` element defined in \[WSS\] section 5. The `` element must be a child of the `` element. +- wsse:BinarySecurityToken: The enrollment client implements the `` element defined in \[WSS\] section 6.3. The `` element must be included as a child of the `` element in the SOAP header. As was described in the discovery response section, the inclusion of the `` element is opaque to the enrollment client, and the client doesn't interpret the string, and the inclusion of the element is agreed upon by the security token authentication server (as identified in the `` element of `` and the enterprise server. -The `` element contains a base64-encoded string. The enrollment client uses the security token received from the authentication server and base64-encodes the token to populate the `` element. +The `` element contains a base64-encoded string. The enrollment client uses the security token received from the authentication server and base64-encodes the token to populate the `` element. - wsse:BinarySecurityToken/attributes/ValueType: The `` ValueType attribute must be `http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentUserToken`. 
@@ -251,42 +252,39 @@ The following example is an enrollment policy request with a received security t ```xml - - - http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy/IPolicy/GetPolicies - - urn:uuid:72048B64-0F19-448F-8C2E-B4C661860AA0 - - http://www.w3.org/2005/08/addressing/anonymous - - - https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC - - - - B64EncodedSampleBinarySecurityToken - - - - - - - - - - - - + xmlns:a="http://www.w3.org/2005/08/addressing" + xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" + xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" + xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512" + xmlns:ac="http://schemas.xmlsoap.org/ws/2006/12/authorization"> + + + http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy/IPolicy/GetPolicies + + urn:uuid:72048B64-0F19-448F-8C2E-B4C661860AA0 + + http://www.w3.org/2005/08/addressing/anonymous + + + https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC + + + + B64EncodedSampleBinarySecurityToken + + + + + + + + + + + + ``` @@ -386,7 +384,7 @@ The RequestSecurityToken will use a custom TokenType (`http://schemas.microsoft. The RST may also specify many AdditionalContext items, such as DeviceType and Version. Based on these values, for example, the web service can return device-specific and version-specific DM configuration. -> [!Note] +> [!NOTE] > The policy service and the enrollment service must be on the same server; that is, they must have the same host name. The following example shows the enrollment web service request for federated authentication. 
@@ -474,15 +472,15 @@ The following example shows the enrollment web service request for federated aut After validating the request, the web service looks up the assigned certificate template for the client, update it if needed, sends the PKCS\#10 requests to the CA, processes the response from the CA, constructs an OMA Client Provisioning XML format, and returns it in the RequestSecurityTokenResponse (RSTR). -> [!Note] +> [!NOTE] > The HTTP server response must not set Transfer-Encoding to Chunked; it must be sent as one message. Similar to the TokenType in the RST, the RSTR will use a custom ValueType in the BinarySecurityToken (`http://schemas.microsoft.com/ConfigurationManager/Enrollment/DeviceEnrollmentProvisionDoc`), because the token is more than an X.509 v3 certificate. The provisioning XML contains: -- The requested certificates (required) -- The DM client configuration (required) +- The requested certificates (required) +- The DM client configuration (required) The client will install the client certificate, the enterprise root certificate, and intermediate CA certificate if there's one. The DM configuration includes the name and address of the DM server, which client certificate to use, and schedules when the DM client calls back to the server. @@ -495,8 +493,8 @@ Here's a sample RSTR message and a sample of OMA client provisioning XML within The following example shows the enrollment web service response. ```xml - @@ -512,7 +510,7 @@ The following example shows the enrollment web service response. - @@ -520,7 +518,7 @@ The following example shows the enrollment web service response. - @@ -548,7 +546,7 @@ The following code shows sample provisioning XML (presented in the preceding pac
- + @@ -558,7 +556,7 @@ The following code shows sample provisioning XML (presented in the preceding pac - + @@ -602,7 +600,7 @@ The following code shows sample provisioning XML (presented in the preceding pac - + 
@@ -614,15 +612,15 @@ The following code shows sample provisioning XML (presented in the preceding pac ``` > [!NOTE] -> -> - `` and `` elements in the w7 APPLICATION CSP XML are case sensitive and must be all uppercase. -> -> - In w7 APPLICATION characteristic, both CLIENT and APPSRV credentials should be provided in XML. -> -> - Detailed descriptions of these settings are located in the [Enterprise settings, policies and app management](windows-mdm-enterprise-settings.md) section of this document. -> -> - The **PrivateKeyContainer** characteristic is required and must be present in the Enrollment provisioning XML by the enrollment. Other important settings are the **PROVIDER-ID**, **NAME**, and **ADDR** parameter elements, which need to contain the unique ID and NAME of your DM provider and the address where the device can connect for configuration provisioning. The ID and NAME can be arbitrary values, but they must be unique. -> -> - Also important is SSLCLIENTCERTSEARCHCRITERIA, which is used for selecting the certificate to be used for client authentication. The search is based on the subject attribute of the signed user certificate. -> -> - CertificateStore/WSTEP enables certificate renewal. If the server does not support it, do not set it. +> +> - `` and `` elements in the w7 APPLICATION CSP XML are case sensitive and must be all uppercase. +> +> - In w7 APPLICATION characteristic, both CLIENT and APPSRV credentials should be provided in XML. +> +> - Detailed descriptions of these settings are located in the [Enterprise settings, policies and app management](windows-mdm-enterprise-settings.md) section of this document. +> +> - The **PrivateKeyContainer** characteristic is required and must be present in the Enrollment provisioning XML by the enrollment. 
Other important settings are the **PROVIDER-ID**, **NAME**, and **ADDR** parameter elements, which need to contain the unique ID and NAME of your DM provider and the address where the device can connect for configuration provisioning. The ID and NAME can be arbitrary values, but they must be unique. +> +> - Also important is SSLCLIENTCERTSEARCHCRITERIA, which is used for selecting the certificate to be used for client authentication. The search is based on the subject attribute of the signed user certificate. +> +> - CertificateStore/WSTEP enables certificate renewal. If the server does not support it, do not set it. diff --git a/windows/client-management/group-policies-for-enterprise-and-education-editions.md b/windows/client-management/group-policies-for-enterprise-and-education-editions.md deleted file mode 100644 index 3f1e0ef47a..0000000000 --- a/windows/client-management/group-policies-for-enterprise-and-education-editions.md +++ /dev/null 
@@ -1,40 +0,0 @@ ---- -title: Group Policy settings that apply only to Windows 10 Enterprise and Education Editions (Windows 10) -description: Use this topic to learn about Group Policy settings that apply only to Windows 10 Enterprise and Windows 10 Education. -ms.prod: windows-client -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/14/2021 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: troubleshooting -ms.technology: itpro-manage ---- - -# Group Policy settings that apply only to Windows 10 Enterprise and Education Editions - -**Applies to** -- Windows 10 -- Windows 11 - - -In Windows 10, version 1607, the following Group Policy settings apply only to Windows 10 Enterprise and Windows 10 Education. - -| Policy name | Policy path | Comments | -| --- | --- | --- | -| **Configure Spotlight on lock screen** | User Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](/windows/configuration/windows-spotlight). Note that an additional **Cloud Content** policy, **Do not suggest third-party content in Windows spotlight**, does apply to Windows 10 Pro. | -| **Turn off all Windows Spotlight features** | User Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](/windows/configuration/windows-spotlight) | -| **Turn off Microsoft consumer features** | Computer Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](/windows/configuration/windows-spotlight) | -| **Do not display the lock screen** | Computer Configuration > Administrative Templates > Control Panel > Personalization | For more info, see [Windows spotlight on the lock screen](/windows/configuration/windows-spotlight) | -| **Do not require CTRL+ALT+DEL**
combined with
**Turn off app notifications on the lock screen** | Computer Configuration > Administrative Templates > System > Logon
and
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Interactive logon | When both of these policy settings are enabled, the combination will also disable lock screen apps ([assigned access](/windows/configuration/set-up-a-device-for-anyone-to-use)) on Windows 10 Enterprise and Windows 10 Education only. These policy settings can be applied to Windows 10 Pro, but lock screen apps will not be disabled on Windows 10 Pro.

**Important:** The description for **Interactive logon: Do not require CTRL+ALT+DEL** in the Group Policy Editor incorrectly states that it only applies to Windows 10 Enterprise and Education. The description will be corrected in a future release.| -| **Do not show Windows Tips** | Computer Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](/windows/configuration/windows-spotlight) | -| **Force a specific default lock screen image** | Computer Configuration > Administrative Templates > Control Panel > Personalization | For more info, see [Windows spotlight on the lock screen](/windows/configuration/windows-spotlight) | -| **Start layout** | User Configuration\Administrative Templates\Start Menu and Taskbar | In Windows 10, version 1703, this policy setting can be applied to Windows 10 Pro. For more info, see [Manage Windows 10 Start layout options and policies](/windows/configuration/windows-10-start-layout-options-and-policies) | -| **Turn off the Store application** | Computer Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application

User Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application | For more info, see [Knowledge Base article# 3135657](/troubleshoot/windows-client/group-policy/cannot-disable-microsoft-store). | -| **Only display the private store within the Microsoft Store app** | Computer Configuration > Administrative Templates > Windows Components > Store > Only display the private store within the Microsoft Store app

User Configuration > Administrative Templates > Windows Components > Store > Only display the private store within the Microsoft Store app | For more info, see [Manage access to private store](/microsoft-store/manage-access-to-private-store) | -| **Don't search the web or display web results** | Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results | For more info, see [Cortana integration in your enterprise](/windows/configuration/cortana-at-work/cortana-at-work-overview) | - - - - diff --git a/windows/client-management/images/auto-enrollment-enrollment-of-windows-devices.png b/windows/client-management/images/auto-enrollment-enrollment-of-windows-devices.png index 5f7fb2c44b..f35f11cc5d 100644 Binary files a/windows/client-management/images/auto-enrollment-enrollment-of-windows-devices.png and b/windows/client-management/images/auto-enrollment-enrollment-of-windows-devices.png differ diff --git a/windows/client-management/images/azure-ad-device-list.png b/windows/client-management/images/azure-ad-device-list.png deleted file mode 100644 index 607c36c307..0000000000 Binary files a/windows/client-management/images/azure-ad-device-list.png and /dev/null differ diff --git a/windows/client-management/images/implement-server-side-mobile-application-management.png b/windows/client-management/images/implement-server-side-mobile-application-management.png index 88555f2d3b..822b7f7ea0 100644 Binary files a/windows/client-management/images/implement-server-side-mobile-application-management.png and b/windows/client-management/images/implement-server-side-mobile-application-management.png differ diff --git a/windows/client-management/implement-server-side-mobile-application-management.md b/windows/client-management/implement-server-side-mobile-application-management.md index 91645ea1af..01cff16e92 100644 --- a/windows/client-management/implement-server-side-mobile-application-management.md 
+++ b/windows/client-management/implement-server-side-mobile-application-management.md @@ -6,15 +6,19 @@ ms.topic: article ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft -ms.date: 08/03/2022 +ms.date: 04/05/2023 ms.reviewer: manager: aaroncz +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 --- - # Support for mobile application management on Windows -The Windows version of mobile application management (MAM) is a lightweight solution for managing company data access and security on personal devices. MAM support is built into Windows on top of Windows Information Protection (WIP), starting in Windows 10, version 1703. +The Windows version of mobile application management (MAM) is a lightweight solution for managing company data access and security on personal devices. MAM support is built into Windows on top of Windows Information Protection (WIP). + +[!INCLUDE [Deprecate Windows Information Protection](../security/information-protection/windows-information-protection/includes/wip-deprecation.md)] ## Integration with Azure AD 
@@ -22,7 +26,7 @@ MAM on Windows is integrated with Azure Active Directory (Azure AD) identity ser MAM enrollment is integrated with adding a work account flow to a personal device. If both MAM and Azure AD-integrated MDM services are provided in an organization, a user's personal devices will be enrolled to MAM or MDM, depending on the user's actions. If a user adds their work or school Azure AD account as a secondary account to the machine, their device will be enrolled to MAM. If a user joins their device to Azure AD, it will be enrolled to MDM. In general, a device that has a personal account as its primary account is considered a personal device and should be enrolled to MAM. An Azure AD join, and enrollment to MDM, should be used to manage corporate devices. -On personal devices, users can add an Azure AD account as a secondary account to the device while keeping their personal account as primary. Users can add an Azure AD account to the device from a supported Azure AD-integrated application, such as the next update of Microsoft Office 365 or Microsoft Office Mobile. Alternatively, users can add an Azure AD account from **Settings > Accounts > Access work or school**. +On personal devices, users can add an Azure AD account as a secondary account to the device while keeping their personal account as primary. Users can add an Azure AD account to the device from a supported Azure AD-integrated application, such as the next update of Microsoft 365 apps. Alternatively, users can add an Azure AD account from **Settings > Accounts > Access work or school**. Regular non-admin users can enroll to MAM. 
@@ -34,15 +38,15 @@ To make applications WIP-aware, app developers need to include the following dat ``` syntax // Mark this binary as Allowed for WIP (EDP) purpose - MICROSOFTEDPAUTOPROTECTIONALLOWEDAPPINFO EDPAUTOPROTECTIONALLOWEDAPPINFOID - BEGIN - 0x0001 - END +MICROSOFTEDPAUTOPROTECTIONALLOWEDAPPINFO EDPAUTOPROTECTIONALLOWEDAPPINFOID + BEGIN + 0x0001 + END ``` ## Configuring an Azure AD tenant for MAM enrollment -MAM enrollment requires integration with Azure AD. The MAM service provider needs to publish the Management MDM app to the Azure AD app gallery. With Azure AD in Windows 10, version 1703, onward, the same cloud-based Management MDM app will support both MDM and MAM enrollments. If you've already published your MDM app, it needs to be updated to include MAM Enrollment and Terms of use URLs. The screenshot below illustrates the management app for an IT admin configuration. +MAM enrollment requires integration with Azure AD. The MAM service provider needs to publish the Management MDM app to the Azure AD app gallery. The same cloud-based Management MDM app in Azure AD will support both MDM and MAM enrollments. If you've already published your MDM app, it needs to be updated to include MAM Enrollment and Terms of use URLs. The screenshot below illustrates the management app for an IT admin configuration. :::image type="content" alt-text="Mobile application management app." source="images/implement-server-side-mobile-application-management.png"::: 
@@ -83,12 +87,12 @@ MAM on Windows supports the following configuration service providers (CSPs). Al - [AppLocker CSP](mdm/applocker-csp.md) for configuration of Windows Information Protection enterprise allowed apps. - [ClientCertificateInstall CSP](mdm/clientcertificateinstall-csp.md) for installing VPN and Wi-Fi certs. -- [DeviceStatus CSP](mdm/devicestatus-csp.md) required for Conditional Access support (starting with Windows 10, version 1703). +- [DeviceStatus CSP](mdm/devicestatus-csp.md) required for Conditional Access support. - [DevInfo CSP](mdm/devinfo-csp.md). - [DMAcc CSP](mdm/dmacc-csp.md). - [DMClient CSP](mdm/dmclient-csp.md) for polling schedules configuration and MDM discovery URL. - [EnterpriseDataProtection CSP](mdm/enterprisedataprotection-csp.md) has Windows Information Protection policies. -- [Health Attestation CSP](mdm/healthattestation-csp.md) required for Conditional Access support (starting with Windows 10, version 1703). +- [Health Attestation CSP](mdm/healthattestation-csp.md) required for Conditional Access support. - [PassportForWork CSP](mdm/passportforwork-csp.md) for Windows Hello for Business PIN management. - [Policy CSP](mdm/policy-configuration-service-provider.md) specifically for NetworkIsolation and DeviceLock areas. - [Reporting CSP](mdm/reporting-csp.md) for retrieving Windows Information Protection logs. 
@@ -127,13 +131,3 @@ In the process of changing MAM enrollment to MDM, MAM policies will be removed f - EDP CSP RevokeOnMDMHandoff is set to false. If the MAM device is properly configured for MDM enrollment, then the Enroll only to device management link will be displayed in **Settings > Accounts > Access work or school**. The user can select this link, provide their credentials, and the enrollment will be changed to MDM. Their Azure AD account won't be affected. - -## Skype for Business compliance with MAM - -We've updated Skype for Business to work with MAM. The following table explains Office release channels and release dates for Skype for Business compliance with the MAM feature. - -|Update channel|Primary purpose|LOB Tattoo availability|Default update channel for the products| -|--- |--- |--- |--- | -|[Current channel](/deployoffice/overview-update-channels#BKMK_CB)|Provide pilot users and application compatibility testers the opportunity to test the next Deferred Channel.|March 9 2017|Visio Pro for Office 365
Project Desktop Client
Microsoft 365 Apps for business (the version of Office that comes with some Microsoft 365 plans, such as Business Premium.)| -|[Deferred channel](/deployoffice/overview-update-channels#BKMK_CBB)|Provide users with new features of Office only a few times a year.|October 10 2017|Microsoft 365 Apps for enterprise| -|[First release for deferred channel](/deployoffice/overview-update-channels#BKMK_FRCBB)|Provide pilot users and application compatibility testers the opportunity to test the next Deferred Channel.|June 13 2017|| diff --git a/windows/client-management/includes/allow-a-shared-books-folder-shortdesc.md b/windows/client-management/includes/allow-a-shared-books-folder-shortdesc.md deleted file mode 100644 index 57b5523dd9..0000000000 --- a/windows/client-management/includes/allow-a-shared-books-folder-shortdesc.md +++ /dev/null @@ -1,11 +0,0 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Microsoft Edge doesn't use a shared folder by default but downloads book files to a per-user folder for each user. With this policy, you can configure Microsoft Edge to store books from the Books Library to a default, shared folder in Windows, which decreases the amount of storage used by book files. When you enable this policy, Microsoft Edge downloads books to a shared folder after user action to download the book to their device, which allows them to remove downloaded books at any time. For this policy to work correctly, you must also enable the **Allow a Windows app to share application data between users** group policy. Also, the users must be signed in with a school or work account. diff --git a/windows/client-management/includes/allow-address-bar-drop-down-shortdesc.md b/windows/client-management/includes/allow-address-bar-drop-down-shortdesc.md deleted file mode 100644 index 031d179b36..0000000000 
--- a/windows/client-management/includes/allow-address-bar-drop-down-shortdesc.md +++ /dev/null @@ -1,11 +0,0 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Microsoft Edge shows the Address bar drop-down list and makes it available by default, which takes precedence over the Configure search suggestions in Address bar policy. We recommend disabling this policy if you want to minimize network connections from Microsoft Edge to Microsoft service, which hides the functionality of the Address bar drop-down list. When you disable this policy, Microsoft Edge also disables the _Show search and site suggestions as I type_ toggle in Settings. diff --git a/windows/client-management/includes/allow-adobe-flash-shortdesc.md b/windows/client-management/includes/allow-adobe-flash-shortdesc.md deleted file mode 100644 index 45365c58bd..0000000000 --- a/windows/client-management/includes/allow-adobe-flash-shortdesc.md +++ /dev/null @@ -1,11 +0,0 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Adobe Flash is integrated with Microsoft Edge and runs Adobe Flash content by default. With this policy, you can configure Microsoft Edge to prevent Adobe Flash content from running. diff --git a/windows/client-management/includes/allow-clearing-browsing-data-on-exit-shortdesc.md b/windows/client-management/includes/allow-clearing-browsing-data-on-exit-shortdesc.md deleted file mode 100644 index 82ccb5f2ed..0000000000 --- a/windows/client-management/includes/allow-clearing-browsing-data-on-exit-shortdesc.md +++ /dev/null 
@@ -1,11 +0,0 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Microsoft Edge does not clear the browsing data on exit by default, but users can configure the _Clear browsing data_ option in Settings. Browsing data includes information you entered in forms, passwords, and even the websites visited. With this policy, you can configure Microsoft Edge to clear the browsing data automatically each time Microsoft Edge closes. diff --git a/windows/client-management/includes/allow-configuration-updates-for-books-library-shortdesc.md b/windows/client-management/includes/allow-configuration-updates-for-books-library-shortdesc.md deleted file mode 100644 index f8b89a8e2e..0000000000 --- a/windows/client-management/includes/allow-configuration-updates-for-books-library-shortdesc.md +++ /dev/null @@ -1,11 +0,0 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Microsoft Edge automatically updates the configuration data for the Books library. Disabling this policy prevents Microsoft Edge from updating the configuration data. If Microsoft receives feedback about the amount of data about the Books library, the data comes as a JSON file. diff --git a/windows/client-management/includes/allow-developer-tools-shortdesc.md b/windows/client-management/includes/allow-developer-tools-shortdesc.md deleted file mode 100644 index 41176ffb3b..0000000000 --- a/windows/client-management/includes/allow-developer-tools-shortdesc.md +++ /dev/null @@ -1,11 +0,0 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Microsoft Edge allows users to use the F12 developer tools to build and debug web pages by default. With this policy, you can configure Microsoft Edge to prevent users from using the F12 developer tools. 
diff --git a/windows/client-management/includes/allow-extended-telemetry-for-books-tab-shortdesc.md b/windows/client-management/includes/allow-extended-telemetry-for-books-tab-shortdesc.md deleted file mode 100644 index 3c9d3f6b42..0000000000 --- a/windows/client-management/includes/allow-extended-telemetry-for-books-tab-shortdesc.md +++ /dev/null @@ -1,11 +0,0 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, and depending on the device configuration, Microsoft Edge gathers basic diagnostic data about the books in the Books Library and sends it to Microsoft. Enabling this policy gathers and sends both basic and more diagnostic data, such as usage data. diff --git a/windows/client-management/includes/allow-extensions-shortdesc.md b/windows/client-management/includes/allow-extensions-shortdesc.md deleted file mode 100644 index 8276b06760..0000000000 --- a/windows/client-management/includes/allow-extensions-shortdesc.md +++ /dev/null @@ -1,11 +0,0 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Microsoft Edge allows users to add or personalize extensions in Microsoft Edge by default. With this policy, you can configure Microsoft to prevent users from adding or personalizing extensions. diff --git a/windows/client-management/includes/allow-fullscreen-mode-shortdesc.md b/windows/client-management/includes/allow-fullscreen-mode-shortdesc.md deleted file mode 100644 index 8c616dedff..0000000000 --- a/windows/client-management/includes/allow-fullscreen-mode-shortdesc.md +++ /dev/null 
@@ -1,11 +0,0 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Microsoft Edge allows fullscreen mode by default, which shows only the web content and hides the Microsoft Edge UI. To use fullscreen mode, users and extensions must have the proper permissions. Disabling this policy prevents fullscreen mode in Microsoft Edge. diff --git a/windows/client-management/includes/allow-inprivate-browsing-shortdesc.md b/windows/client-management/includes/allow-inprivate-browsing-shortdesc.md deleted file mode 100644 index 1340e13406..0000000000 --- a/windows/client-management/includes/allow-inprivate-browsing-shortdesc.md +++ /dev/null @@ -1,11 +0,0 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, Microsoft Edge allows InPrivate browsing, and after closing all InPrivate tabs, Microsoft Edge deletes the browsing data from the device. With this policy, you can configure Microsoft Edge to prevent InPrivate web browsing. diff --git a/windows/client-management/includes/allow-microsoft-compatibility-list-shortdesc.md b/windows/client-management/includes/allow-microsoft-compatibility-list-shortdesc.md deleted file mode 100644 index 35a86bfd85..0000000000 --- a/windows/client-management/includes/allow-microsoft-compatibility-list-shortdesc.md +++ /dev/null 
@@ -1,11 +0,0 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -During browser navigation, Microsoft Edge checks the Microsoft Compatibility List for websites with known compatibility issues. If found, users are prompted to use Internet Explorer, where the site loads and displays correctly. Periodically during browser navigation, Microsoft Edge downloads the latest version of the list and applies the updates. With this policy, you can configure Microsoft Edge to ignore the compatibility list. You can view the compatibility list at about:compat. diff --git a/windows/client-management/includes/allow-prelaunch-shortdesc.md b/windows/client-management/includes/allow-prelaunch-shortdesc.md deleted file mode 100644 index a8437f2035..0000000000 --- a/windows/client-management/includes/allow-prelaunch-shortdesc.md +++ /dev/null @@ -1,11 +0,0 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Microsoft Edge pre-launches as a background process during Windows startup when the system is idle waiting to be launched by the user. Pre-launching helps the performance of Microsoft Edge and minimizes the amount of time required to start Microsoft Edge. You can also configure Microsoft Edge to prevent from pre-launching. diff --git a/windows/client-management/includes/allow-printing-shortdesc.md b/windows/client-management/includes/allow-printing-shortdesc.md deleted file mode 100644 index 288599efdd..0000000000 --- a/windows/client-management/includes/allow-printing-shortdesc.md +++ /dev/null @@ -1,11 +0,0 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Microsoft Edge allows users to print web content by default. With this policy, you can configure Microsoft Edge to prevent users from printing web content. 
diff --git a/windows/client-management/includes/allow-saving-history-shortdesc.md b/windows/client-management/includes/allow-saving-history-shortdesc.md deleted file mode 100644 index 8f5084cda1..0000000000 --- a/windows/client-management/includes/allow-saving-history-shortdesc.md +++ /dev/null @@ -1,11 +0,0 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Microsoft Edge saves the browsing history of visited websites and shows them in the History pane by default. Disabling this policy prevents Microsoft Edge from saving the browsing history. If browsing history existed before disabling this policy, the previous browsing history remains in the History pane. Disabling this policy doesn't stop roaming of existing browsing history or browsing history from other devices. diff --git a/windows/client-management/includes/allow-search-engine-customization-shortdesc.md b/windows/client-management/includes/allow-search-engine-customization-shortdesc.md deleted file mode 100644 index d7acad8b8d..0000000000 --- a/windows/client-management/includes/allow-search-engine-customization-shortdesc.md +++ /dev/null @@ -1,15 +0,0 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, users can execute the following tasks in Settings: -- Add new search engines -- Change the default search engine - -With this policy, you can prevent users from customizing the search engine in the Microsoft Edge browser. diff --git a/windows/client-management/includes/allow-sideloading-of-extensions-shortdesc.md b/windows/client-management/includes/allow-sideloading-of-extensions-shortdesc.md deleted file mode 100644 index 5774f8089e..0000000000 --- a/windows/client-management/includes/allow-sideloading-of-extensions-shortdesc.md +++ /dev/null 
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, Microsoft Edge allows sideloading, which installs and runs unverified extensions. Disabling this policy prevents sideloading of extensions but doesn't prevent sideloading using Add-AppxPackage via PowerShell. You can only install extensions through Microsoft store (including a store for business), enterprise storefront (such as Company Portal) or PowerShell (using Add-AppxPackage).
diff --git a/windows/client-management/includes/allow-tab-preloading-shortdesc.md b/windows/client-management/includes/allow-tab-preloading-shortdesc.md
deleted file mode 100644
index 5008070f5b..0000000000
--- a/windows/client-management/includes/allow-tab-preloading-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-Microsoft Edge allows preloading of the Start and New Tab pages during Windows sign-in, and each time Microsoft Edge closes by default. Preloading minimizes the amount of time required to start Microsoft Edge and load a new tab. With this policy, you can configure Microsoft Edge to prevent preloading of tabs.
diff --git a/windows/client-management/includes/allow-web-content-on-new-tab-page-shortdesc.md b/windows/client-management/includes/allow-web-content-on-new-tab-page-shortdesc.md
deleted file mode 100644
index 5d9a75ed5a..0000000000
--- a/windows/client-management/includes/allow-web-content-on-new-tab-page-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 11/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, Microsoft Edge loads the default New Tab page and lets the users make changes. If you disable this policy, a blank page loads instead of the New Tab page and prevents users from changing it.
diff --git a/windows/client-management/includes/allow-windows-app-to-share-data-users-shortdesc.md b/windows/client-management/includes/allow-windows-app-to-share-data-users-shortdesc.md
deleted file mode 100644
index 2c63762356..0000000000
--- a/windows/client-management/includes/allow-windows-app-to-share-data-users-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-With this policy, you can configure Windows 10 to share application data among multiple users on the system and with other instances of that app. Data shared through the SharedLocal folder is available through the Windows.Storage API. If you previously enabled this policy and now want to disable it, any shared app data remains in the SharedLocal folder.
diff --git a/windows/client-management/includes/always-show-books-library-shortdesc.md b/windows/client-management/includes/always-show-books-library-shortdesc.md
deleted file mode 100644
index a9e0bdb003..0000000000
--- a/windows/client-management/includes/always-show-books-library-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-Microsoft Edge shows the Books Library only in countries or regions where supported. With this policy, you can configure Microsoft Edge to show the Books Library regardless of the device’s country or region.
diff --git a/windows/client-management/includes/configure-additional-search-engines-shortdesc.md b/windows/client-management/includes/configure-additional-search-engines-shortdesc.md
deleted file mode 100644
index 2560751600..0000000000
--- a/windows/client-management/includes/configure-additional-search-engines-shortdesc.md
+++ /dev/null
@@ -1,17 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-The Set default search engine policy enables the users to:
-
-- Set a default search engine
-- Configure up to five more search engines, and set any one of them as the default
-
-If you previously enabled this policy and now want to disable it, doing so results in deletion of all the configured search engines
-
diff --git a/windows/client-management/includes/configure-adobe-flash-click-to-run-setting-shortdesc.md b/windows/client-management/includes/configure-adobe-flash-click-to-run-setting-shortdesc.md
deleted file mode 100644
index d409c6374c..0000000000
--- a/windows/client-management/includes/configure-adobe-flash-click-to-run-setting-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-Microsoft Edge supports Adobe Flash as a built-in feature rather than as an external add-on and updates automatically via Windows Update. By default, Microsoft Edge prevents Adobe Flash content from loading automatically, requiring action from the user, for example, clicking the **Click-to-Run** button. Depending on how often the content loads and runs, the sites for the content gets added to the auto-allowed list. Disable this policy if you want Adobe Flash content to load automatically.
diff --git a/windows/client-management/includes/configure-autofill-shortdesc.md b/windows/client-management/includes/configure-autofill-shortdesc.md
deleted file mode 100644
index 74af7970c6..0000000000
--- a/windows/client-management/includes/configure-autofill-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, users can choose to use the Autofill feature to populate the form fields automatically. With this policy, you can configure Microsoft Edge, when enabled to use Autofill or, when disabled to prevent using Autofill.
diff --git a/windows/client-management/includes/configure-browser-telemetry-for-m365-analytics-shortdesc.md b/windows/client-management/includes/configure-browser-telemetry-for-m365-analytics-shortdesc.md
deleted file mode 100644
index 935810a840..0000000000
--- a/windows/client-management/includes/configure-browser-telemetry-for-m365-analytics-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-Microsoft Edge doesn't send browsing history data to Microsoft 365 Analytics by default. With this policy though, you can configure Microsoft Edge to send intranet history only, internet history only, or both to Microsoft 365 Analytics for enterprise devices with a configured Commercial ID.
diff --git a/windows/client-management/includes/configure-cookies-shortdesc.md b/windows/client-management/includes/configure-cookies-shortdesc.md
deleted file mode 100644
index eeb223000b..0000000000
--- a/windows/client-management/includes/configure-cookies-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-Microsoft Edge allows all cookies from all websites by default. With this policy, you can configure Microsoft to block only 3rd-party cookies or block all cookies.
diff --git a/windows/client-management/includes/configure-do-not-track-shortdesc.md b/windows/client-management/includes/configure-do-not-track-shortdesc.md
deleted file mode 100644
index d69135a7e9..0000000000
--- a/windows/client-management/includes/configure-do-not-track-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-Microsoft Edge doesn't send ‘Do Not Track’ requests to websites that ask for tracking information. However, users can choose to send tracking information to sites they visit. With this policy, you can configure Microsoft Edge to send or never send tracking information.
diff --git a/windows/client-management/includes/configure-enterprise-mode-site-list-shortdesc.md b/windows/client-management/includes/configure-enterprise-mode-site-list-shortdesc.md
deleted file mode 100644
index f98aa94435..0000000000
--- a/windows/client-management/includes/configure-enterprise-mode-site-list-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-Microsoft Edge does not support ActiveX controls, Browser Helper Objects, VBScript, or other legacy technology. If you have sites or apps that use this technology, you can configure Microsoft Edge to check the Enterprise Mode Site List XML file that lists the sites and domains with compatibility issues and switch to IE11 automatically. You can use the same site list for both Microsoft Edge and IE11, or you can use separate lists. By default, Microsoft Edge ignores the Enterprise Mode and the Enterprise Mode Site List XML file. In this case, users might experience problems while using legacy apps. These sites and domains must be viewed using Internet Explorer 11 and Enterprise Mode.
diff --git a/windows/client-management/includes/configure-favorites-bar-shortdesc.md b/windows/client-management/includes/configure-favorites-bar-shortdesc.md
deleted file mode 100644
index 661818a582..0000000000
--- a/windows/client-management/includes/configure-favorites-bar-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-Microsoft Edge hides the favorites bar by default but shows it on the Start and New Tab pages. Also, by default, the Favorites Bar toggle, in Settings, is set to Off but enabled letting users make changes. With this policy, you can configure Microsoft Edge to either show or hide the Favorites Bar on all pages.
diff --git a/windows/client-management/includes/configure-home-button-shortdesc.md b/windows/client-management/includes/configure-home-button-shortdesc.md
deleted file mode 100644
index 17d1b68784..0000000000
--- a/windows/client-management/includes/configure-home-button-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-Microsoft Edge shows the home button and by clicking it the Start page loads by default. With this policy, you can configure the home button to load the New Tab page or a URL defined in the Set Home Button URL policy. You can also configure Microsoft Edge to hide the home button.
diff --git a/windows/client-management/includes/configure-kiosk-mode-shortdesc.md b/windows/client-management/includes/configure-kiosk-mode-shortdesc.md
deleted file mode 100644
index b16c3d18e4..0000000000
--- a/windows/client-management/includes/configure-kiosk-mode-shortdesc.md
+++ /dev/null
@@ -1,21 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-You can define a behavior for the Microsoft Edge browser, which it shall display when part of many applications running on a kiosk device.
-
-> [!NOTE]
-> You can define the browser's behavior only if you have the assigned access privileges.
-
-You can also define a behavior when Microsoft Edge serves as a single application.
-
-You can facilitate the following functionalities in the Microsoft Edge browser:
-- Execution of InPrivate full screen
-- Execution of InPrivate multi-tab with a tailored experience for kiosks
-- Provision for normal browsing
diff --git a/windows/client-management/includes/configure-kiosk-reset-after-idle-timeout-shortdesc.md b/windows/client-management/includes/configure-kiosk-reset-after-idle-timeout-shortdesc.md
deleted file mode 100644
index 767c933e7c..0000000000
--- a/windows/client-management/includes/configure-kiosk-reset-after-idle-timeout-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-You can configure Microsoft Edge kiosk mode to reset to the configured start experience after a specified amount of idle time in minutes (0-1440). The reset timer begins after the last user interaction. Once the idle time meets the time specified, a confirmation message prompts the user to continue, and if no user action, Microsoft Edge kiosk mode resets after 30 seconds. Resetting to the configured start experience deletes the current user’s browsing data.
diff --git a/windows/client-management/includes/configure-open-microsoft-edge-with-shortdesc.md b/windows/client-management/includes/configure-open-microsoft-edge-with-shortdesc.md
deleted file mode 100644
index 26dc5e0d88..0000000000
--- a/windows/client-management/includes/configure-open-microsoft-edge-with-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, Microsoft Edge loads a specific page or pages defined in the Configure Start Pages policy and allows users to make changes. With this policy, you can configure Microsoft Edge to load the Start page, New Tab page, or the previously opened pages. You can also configure Microsoft Edge to prevent users from changing or customizing the Start page. For this policy to work correctly, you must also configure the Configure Start Pages. If you want to prevent users from making changes, don’t configure the Disable Lockdown of Start Pages policy.
diff --git a/windows/client-management/includes/configure-password-manager-shortdesc.md b/windows/client-management/includes/configure-password-manager-shortdesc.md
deleted file mode 100644
index f0b41c5b0f..0000000000
--- a/windows/client-management/includes/configure-password-manager-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, Microsoft Edge uses Password Manager automatically, allowing users to manager passwords locally. Disabling this policy restricts Microsoft Edge from using Password Manager. Don’t configure this policy if you want to let users choose to save and manage passwords locally using Password Manager.
diff --git a/windows/client-management/includes/configure-pop-up-blocker-shortdesc.md b/windows/client-management/includes/configure-pop-up-blocker-shortdesc.md
deleted file mode 100644
index a34c788e1e..0000000000
--- a/windows/client-management/includes/configure-pop-up-blocker-shortdesc.md
+++ /dev/null
@@ -1,12 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, Microsoft Edge turns off Pop-up Blocker, which opens pop-up windows. Enabling this policy turns on Pop-up Blocker preventing pop-up windows from opening. If you want users to choose to use Pop-up Blocker, don’t configure this policy.
-
diff --git a/windows/client-management/includes/configure-search-suggestions-in-address-bar-shortdesc.md b/windows/client-management/includes/configure-search-suggestions-in-address-bar-shortdesc.md
deleted file mode 100644
index 71b3e06d0d..0000000000
--- a/windows/client-management/includes/configure-search-suggestions-in-address-bar-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, users can choose to see search suggestions in the Address bar of Microsoft Edge. Disabling this policy hides the search suggestions and enabling this policy shows the search suggestions.
diff --git a/windows/client-management/includes/configure-start-pages-shortdesc.md b/windows/client-management/includes/configure-start-pages-shortdesc.md
deleted file mode 100644
index 76e4a07003..0000000000
--- a/windows/client-management/includes/configure-start-pages-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, Microsoft Edge loads the pages specified in App settings as the default Start pages. With this policy, you can configure one or more Start pages when you enable this policy and enable the Configure Open Microsoft Edge With policy. Once you set the Start pages, either in this policy or Configure Open Microsoft Edge With policy, users can't make changes.
diff --git a/windows/client-management/includes/configure-windows-defender-smartscreen-shortdesc.md b/windows/client-management/includes/configure-windows-defender-smartscreen-shortdesc.md
deleted file mode 100644
index 1682bc2ca2..0000000000
--- a/windows/client-management/includes/configure-windows-defender-smartscreen-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-Microsoft Edge uses Windows Defender SmartScreen (turned on) to protect users from potential phishing scams and malicious software by default. Also, by default, users can't disable (turn off) Windows Defender SmartScreen. Enabling this policy turns on Windows Defender SmartScreen and prevent users from turning it off. Don’t configure this policy to let users choose to turn Windows defender SmartScreen on or off.
diff --git a/windows/client-management/includes/disable-lockdown-of-start-pages-shortdesc.md b/windows/client-management/includes/disable-lockdown-of-start-pages-shortdesc.md
deleted file mode 100644
index 12bcdd34b8..0000000000
--- a/windows/client-management/includes/disable-lockdown-of-start-pages-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, the Start pages configured in either the Configure Start Pages policy or Configure Open Microsoft Edge policies can't be changed, and they remain locked down. Enabling this policy unlocks the Start pages, and lets users make changes to either all configured Start pages or any Start page configured with the Configure Start pages policy.
diff --git a/windows/client-management/includes/do-not-sync-browser-settings-shortdesc.md b/windows/client-management/includes/do-not-sync-browser-settings-shortdesc.md
deleted file mode 100644
index b269a7f3e3..0000000000
--- a/windows/client-management/includes/do-not-sync-browser-settings-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, the “browser” group syncs automatically between user’s devices and allowing users to choose to make changes. The “browser” group uses the _Sync your Settings_ option in Settings to sync information like history and favorites. Enabling this policy prevents the “browser” group from using the Sync your Settings option. If you want syncing turned off by default but not disabled, select the _Allow users to turn “browser” syncing_ option.
diff --git a/windows/client-management/includes/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md b/windows/client-management/includes/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md
deleted file mode 100644
index 0b377e56b6..0000000000
--- a/windows/client-management/includes/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, Microsoft Edge does not sync the user’s favorites between IE and Microsoft Edge. Enabling this policy syncs favorites between Internet Explorer and Microsoft Edge. Changes to favorites in one browser reflect in the other, including additions, deletions, modifications, and ordering of favorites.
diff --git a/windows/client-management/includes/mdm-enrollment-error-codes.md b/windows/client-management/includes/mdm-enrollment-error-codes.md
new file mode 100644
index 0000000000..017a48153f
--- /dev/null
+++ b/windows/client-management/includes/mdm-enrollment-error-codes.md
@@ -0,0 +1,46 @@
+---
+author: vinaypamnani-msft
+ms.author: vinpa
+ms.prod: windows
+ms.topic: include
+ms.date: 04/06/2023
+---
+
+|Code|ID|Error message|
+|--- |--- |--- |
+|0x80180001|"idErrorServerConnectivity", // MENROLL_E_DEVICE_MESSAGE_FORMAT_ERROR|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}|
+|0x80180002|"idErrorAuthenticationFailure", // MENROLL_E_DEVICE_AUTHENTICATION_ERROR|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.|
+|0x80180003|"idErrorAuthorizationFailure", // MENROLL_E_DEVICE_AUTHORIZATION_ERROR|This user isn't authorized to enroll. You can try to do this again or contact your system administrator with the error code {0}.|
+|0x80180004|"idErrorMDMCertificateError", // MENROLL_E_DEVICE_CERTIFCATEREQUEST_ERROR|There was a certificate error. You can try to do this again or contact your system administrator with the error code {0}.|
+|0x80180005|"idErrorServerConnectivity", // MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}|
+|0x80180006|"idErrorServerConnectivity", // MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}|
+|0x80180007|"idErrorAuthenticationFailure", // MENROLL_E_DEVICE_INVALIDSECURITY_ERROR|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.|
+|0x80180008|"idErrorServerConnectivity", // MENROLL_E_DEVICE_UNKNOWN_ERROR|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}|
+|0x80180009|"idErrorAlreadyInProgress", // MENROLL_E_ENROLLMENT_IN_PROGRESS|Another enrollment is in progress. You can try to do this again or contact your system administrator with the error code {0}.|
+|0x8018000A|"idErrorMDMAlreadyEnrolled", // MENROLL_E_DEVICE_ALREADY_ENROLLED|This device is already enrolled. You can contact your system administrator with the error code {0}.|
+|0x8018000D|"idErrorMDMCertificateError", // MENROLL_E_DISCOVERY_SEC_CERT_DATE_INVALID|There was a certificate error. You can try to do this again or contact your system administrator with the error code {0}.|
+|0x8018000E|"idErrorAuthenticationFailure", // MENROLL_E_PASSWORD_NEEDED|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.|
+|0x8018000F|"idErrorAuthenticationFailure", // MENROLL_E_WAB_ERROR|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.|
+|0x80180010|"idErrorServerConnectivity", // MENROLL_E_CONNECTIVITY|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}|
+|0x80180012|"idErrorMDMCertificateError", // MENROLL_E_INVALIDSSLCERT|There was a certificate error. You can try to do this again or contact your system administrator with the error code {0}.|
+|0x80180013|"idErrorDeviceLimit", // MENROLL_E_DEVICECAPREACHED|Looks like there are too many devices or users for this account. Contact your system administrator with the error code {0}.|
+|0x80180014|"idErrorMDMNotSupported", // MENROLL_E_DEVICENOTSUPPORTED|This feature isn't supported. Contact your system administrator with the error code {0}.|
+|0x80180015|"idErrorMDMNotSupported", // MENROLL_E_NOTSUPPORTED|This feature isn't supported. Contact your system administrator with the error code {0}.|
+|0x80180016|"idErrorMDMRenewalRejected", // MENROLL_E_NOTELIGIBLETORENEW|The server did not accept the request. You can try to do this again or contact your system administrator with the error code {0}.|
+|0x80180017|"idErrorMDMAccountMaintenance", // MENROLL_E_INMAINTENANCE|The service is in maintenance. You can try to do this again later or contact your system administrator with the error code {0}.|
+|0x80180018|"idErrorMDMLicenseError", // MENROLL_E_USERLICENSE|There was an error with your license. You can try to do this again or contact your system administrator with the error code {0}.|
+|0x80180019|"idErrorInvalidServerConfig", // MENROLL_E_ENROLLMENTDATAINVALID|Looks like the server isn't correctly configured. You can try to do this again or contact your system administrator with the error code {0}.|
+|"rejectedTermsOfUse"|"idErrorRejectedTermsOfUse"|Your organization requires that you agree to the Terms of Use. Please try again or ask your support person for more information.|
+|0x801c0001|"idErrorServerConnectivity", // DSREG_E_DEVICE_MESSAGE_FORMAT_ERROR|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}|
+|0x801c0002|"idErrorAuthenticationFailure", // DSREG_E_DEVICE_AUTHENTICATION_ERROR|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.|
+|0x801c0003|"idErrorAuthorizationFailure", // DSREG_E_DEVICE_AUTHORIZATION_ERROR|This user isn't authorized to enroll. You can try to do this again or contact your system administrator with the error code {0}.|
+|0x801c0006|"idErrorServerConnectivity", // DSREG_E_DEVICE_INTERNALSERVICE_ERROR|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}|
+|0x801c000B|"idErrorUntrustedServer", // DSREG_E_DISCOVERY_REDIRECTION_NOT_TRUSTED|The server being contacted isn't trusted. Contact your system administrator with the error code {0}.|
+|0x801c000C|"idErrorServerConnectivity", // DSREG_E_DISCOVERY_FAILED|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}|
+|0x801c000E|"idErrorDeviceLimit", // DSREG_E_DEVICE_REGISTRATION_QUOTA_EXCCEEDED|Looks like there are too many devices or users for this account. Contact your system administrator with the error code {0}.|
+|0x801c000F|"idErrorDeviceRequiresReboot", // DSREG_E_DEVICE_REQUIRES_REBOOT|A reboot is required to complete device registration.|
+|0x801c0010|"idErrorInvalidCertificate", // DSREG_E_DEVICE_AIK_VALIDATION_ERROR|Looks like you have an invalid certificate. Contact your system administrator with the error code {0}.|
+|0x801c0011|"idErrorAuthenticationFailure", // DSREG_E_DEVICE_ATTESTATION_ERROR|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.|
+|0x801c0012|"idErrorServerConnectivity", // DSREG_E_DISCOVERY_BAD_MESSAGE_ERROR|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}|
+|0x801c0013|"idErrorAuthenticationFailure", // DSREG_E_TENANTID_NOT_FOUND|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.|
+|0x801c0014|"idErrorAuthenticationFailure", // DSREG_E_USERSID_NOT_FOUND|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.|
diff --git a/windows/client-management/includes/prevent-access-to-about-flags-page-shortdesc.md b/windows/client-management/includes/prevent-access-to-about-flags-page-shortdesc.md
deleted file mode 100644
index d5f609cfa6..0000000000
--- a/windows/client-management/includes/prevent-access-to-about-flags-page-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, users can access the about:flags page in Microsoft Edge that is used to change developer settings and enable experimental features. Enabling this policy prevents users from accessing the about:flags page.
diff --git a/windows/client-management/includes/prevent-bypassing-windows-defender-prompts-for-files-shortdesc.md b/windows/client-management/includes/prevent-bypassing-windows-defender-prompts-for-files-shortdesc.md
deleted file mode 100644
index f6b222fde2..0000000000
--- a/windows/client-management/includes/prevent-bypassing-windows-defender-prompts-for-files-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, Microsoft Edge allows users to bypass (ignore) the Windows Defender SmartScreen warnings about potentially malicious files, allowing them to continue downloading the unverified file(s). Enabling this policy prevents users from bypassing the warnings, blocking them from downloading of the unverified file(s).
diff --git a/windows/client-management/includes/prevent-bypassing-windows-defender-prompts-for-sites-shortdesc.md b/windows/client-management/includes/prevent-bypassing-windows-defender-prompts-for-sites-shortdesc.md
deleted file mode 100644
index d04429bef8..0000000000
--- a/windows/client-management/includes/prevent-bypassing-windows-defender-prompts-for-sites-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, Microsoft Edge allows users to bypass (ignore) the Windows Defender SmartScreen warnings about potentially malicious sites, allowing them to continue to the site. With this policy though, you can configure Microsoft Edge to prevent users from bypassing the warnings, blocking them from continuing to the site.
diff --git a/windows/client-management/includes/prevent-certificate-error-overrides-shortdesc.md b/windows/client-management/includes/prevent-certificate-error-overrides-shortdesc.md
deleted file mode 100644
index c73e676517..0000000000
--- a/windows/client-management/includes/prevent-certificate-error-overrides-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-Microsoft Edge, by default, allows overriding of the security warnings to sites that have SSL errors, bypassing or ignoring certificate errors. Enabling this policy prevents overriding of the security warnings.
diff --git a/windows/client-management/includes/prevent-changes-to-favorites-shortdesc.md b/windows/client-management/includes/prevent-changes-to-favorites-shortdesc.md
deleted file mode 100644
index b635ee64e8..0000000000
--- a/windows/client-management/includes/prevent-changes-to-favorites-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, users can add, import, and make changes to the Favorites list in Microsoft Edge. Enabling this policy locks down the Favorites list in Microsoft Edge, preventing users from making changes. When enabled, Microsoft Edge turns off the Save a Favorite, Import settings, and context menu items, such as Create a new folder. Enable only this policy or the Keep favorites in sync between Internet Explorer and Microsoft Edge policy. If you enable both, Microsoft Edge prevents users from syncing their favorites between the two browsers.
diff --git a/windows/client-management/includes/prevent-edge-from-gathering-live-tile-info-shortdesc.md b/windows/client-management/includes/prevent-edge-from-gathering-live-tile-info-shortdesc.md
deleted file mode 100644
index bba9ec1ad5..0000000000
--- a/windows/client-management/includes/prevent-edge-from-gathering-live-tile-info-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, Microsoft Edge collects the Live Tile metadata and sends it to Microsoft to help provide users a complete experience when they pin Live Tiles to the Start menu. However, with this policy, you can configure Microsoft Edge to prevent Microsoft from collecting Live Tile metadata, providing users with a limited experience.
diff --git a/windows/client-management/includes/prevent-first-run-webpage-from-opening-shortdesc.md b/windows/client-management/includes/prevent-first-run-webpage-from-opening-shortdesc.md
deleted file mode 100644
index c156c94126..0000000000
--- a/windows/client-management/includes/prevent-first-run-webpage-from-opening-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, when launching Microsoft Edge for the first time, the First Run webpage (a welcome page) hosted on Microsoft.com loads automatically via an FWLINK. The welcome page lists the new features and helpful tips of Microsoft Edge. With this policy, you can configure Microsoft Edge to prevent loading the welcome page on first explicit user-launch.
diff --git a/windows/client-management/includes/prevent-turning-off-required-extensions-shortdesc.md b/windows/client-management/includes/prevent-turning-off-required-extensions-shortdesc.md
deleted file mode 100644
index 4209d79579..0000000000
--- a/windows/client-management/includes/prevent-turning-off-required-extensions-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-The Microsoft Edge browser allows users to uninstall extensions, by default. When the users work with extensions that come under a policy that is enabled, they can configure options for extensions defined in this policy, such as allowing InPrivate browsing. Any extra permissions requested by future updates of the extension get granted automatically. If - at this stage - you disable the policy, the list of extension package family names (PFNs) defined in this policy get ignored.
diff --git a/windows/client-management/includes/prevent-users-to-turn-on-browser-syncing-shortdesc.md b/windows/client-management/includes/prevent-users-to-turn-on-browser-syncing-shortdesc.md
deleted file mode 100644
index 037c535aa8..0000000000
--- a/windows/client-management/includes/prevent-users-to-turn-on-browser-syncing-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, the “browser” group syncs automatically between the user’s devices, letting users make changes. With this policy, though, you can prevent the “browser” group from syncing and prevent users from turning on the _Sync your Settings_ toggle in Settings. If you want syncing turned off by default but not disabled, select the _Allow users to turn “browser” syncing_ option in the Do not sync browser policy. For this policy to work correctly, you must enable the Do not sync browser policy.
diff --git a/windows/client-management/includes/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md b/windows/client-management/includes/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md
deleted file mode 100644
index fe0bc3c307..0000000000
--- a/windows/client-management/includes/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, Microsoft Edge shows localhost IP address while making calls through usage of the WebRTC protocol. Enabling this policy hides the localhost IP addresses.
diff --git a/windows/client-management/includes/provision-favorites-shortdesc.md b/windows/client-management/includes/provision-favorites-shortdesc.md
deleted file mode 100644
index 6f47ca66c4..0000000000
--- a/windows/client-management/includes/provision-favorites-shortdesc.md
+++ /dev/null
@@ -1,20 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-You can customize the Favorites list in the Microsoft Edge browser. Customization of the favorites list includes:
-
-- Creating a standard list - - This standard list includes: - - Folders (which you can add) - - the list of favorites that you manually add, after creating the standard list - -This customized favorite is the final version. - -
diff --git a/windows/client-management/includes/send-all-intranet-sites-to-ie-shortdesc.md b/windows/client-management/includes/send-all-intranet-sites-to-ie-shortdesc.md
deleted file mode 100644
index 3b17cd7e5f..0000000000
--- a/windows/client-management/includes/send-all-intranet-sites-to-ie-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, all websites, including intranet sites, open in Microsoft Edge automatically. Only enable this policy if there are known compatibility problems with Microsoft Edge. Enabling this policy loads only intranet sites in Internet Explorer 11 automatically.
diff --git a/windows/client-management/includes/set-default-search-engine-shortdesc.md b/windows/client-management/includes/set-default-search-engine-shortdesc.md
deleted file mode 100644
index 958dd67138..0000000000
--- a/windows/client-management/includes/set-default-search-engine-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, Microsoft Edge uses the search engine specified in App settings, letting users make changes at any time unless the Allow search engine customization policy is disabled, which restricts users from making changes. With this policy, you can either remove or use the policy-set search engine. When you remove the policy-set search engine, Microsoft Edge uses the specified search engine for the market, which lets users make changes to the default search engine. You can use the policy-set search engine specified in the OpenSearch XML, which prevents users from making changes.
diff --git a/windows/client-management/includes/set-home-button-url-shortdesc.md b/windows/client-management/includes/set-home-button-url-shortdesc.md
deleted file mode 100644
index 67e62738a6..0000000000
--- a/windows/client-management/includes/set-home-button-url-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, Microsoft Edge shows the home button and loads the Start page, and locks down the home button to prevent users from changing what page loads. Enabling this policy loads a custom URL for the home button. When you enable this policy, and enable the Configure Home Button policy with the _Show home button & set a specific page_ option selected, a custom URL loads when the user clicks the home button.
diff --git a/windows/client-management/includes/set-new-tab-url-shortdesc.md b/windows/client-management/includes/set-new-tab-url-shortdesc.md
deleted file mode 100644
index a909cbbdc7..0000000000
--- a/windows/client-management/includes/set-new-tab-url-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-Microsoft Edge loads the default New Tab page by default. Enabling this policy lets you set a New Tab page URL in Microsoft Edge, preventing users from changing it. When you enable this policy, and you disable the Allow web content on New Tab page policy, Microsoft Edge ignores any URL specified in this policy and opens about:blank.
diff --git a/windows/client-management/includes/show-message-when-opening-sites-in-ie-shortdesc.md b/windows/client-management/includes/show-message-when-opening-sites-in-ie-shortdesc.md
deleted file mode 100644
index 5fda91f3db..0000000000
--- a/windows/client-management/includes/show-message-when-opening-sites-in-ie-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-Microsoft Edge does not show a notification before opening sites in Internet Explorer 11. However, with this policy, you can configure Microsoft Edge to display a notification before a site opens in IE11 or let users continue in Microsoft Edge. If you want users to continue in Microsoft Edge, enable this policy to show the _Keep going in Microsoft Edge_ link in the notification. For this policy to work correctly, you must also enable the Configure the Enterprise Mode Site List or Send all intranet sites to Internet Explorer 11, or both.
diff --git a/windows/client-management/includes/unlock-home-button-shortdesc.md b/windows/client-management/includes/unlock-home-button-shortdesc.md
deleted file mode 100644
index 722998c5bf..0000000000
--- a/windows/client-management/includes/unlock-home-button-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, when you enable the Configure Home Button policy or provide a URL in the Set Home Button URL policy, Microsoft Edge locks down the home button to prevent users from changing the settings. When you enable this policy, users can make changes to the home button even if you enabled the Configure Home Button or Set Home Button URL policies.
diff --git a/windows/client-management/index.yml b/windows/client-management/index.yml
index d782edc5b3..8b288e7905 100644
--- a/windows/client-management/index.yml
+++ b/windows/client-management/index.yml
@@ -15,7 +15,7 @@ metadata:
 author: aczechowski
 ms.author: aaroncz
 manager: dougeby
- ms.date: 03/28/2022 #Required; mm/dd/yyyy format.
+ ms.date: 04/13/2023
 localization_priority: medium
 
 # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
@@ -37,9 +37,9 @@ landingContent:
 - text: Enterprise settings, policies, and app management
 url: windows-mdm-enterprise-settings.md
 - text: Windows Tools/Administrative Tools
- url: administrative-tools-in-windows-10.md
+ url: client-tools/administrative-tools-in-windows.md
 - text: Create mandatory user profiles
- url: mandatory-user-profile.md
+ url: client-tools/mandatory-user-profile.md
 
 - title: Device enrollment
 linkLists:
diff --git a/windows/client-management/manage-corporate-devices.md b/windows/client-management/manage-corporate-devices.md
deleted file mode 100644
index 1ed28e0f9b..0000000000
--- a/windows/client-management/manage-corporate-devices.md
+++ /dev/null
@@ -1,50 +0,0 @@
----
-title: Manage corporate devices
-description: You can use the same management tools to manage all device types running Windows 10 or Windows 11 desktops, laptops, tablets, and phones.
-ms.reviewer:
-manager: aaroncz
-ms.author: vinpa
-keywords: [MDM, device management]
-ms.prod: windows-client
-author: vinaypamnani-msft
-ms.localizationpriority: medium
-ms.date: 09/14/2021
-ms.topic: article
-ms.technology: itpro-manage
----
-
-# Manage corporate devices
-
-
-**Applies to**
-
-- Windows 10
-- Windows 11
-
-You can use the same management tools to manage all device types running Windows 10 or Windows 11 desktops, laptops, tablets, and phones. And your current management tools, such as Group Policy, Windows Management Instrumentation (WMI), PowerShell scripts, System Center tools, and so on, will continue to work for Windows 10 and Windows 11.
-
-## In this section
-
-| Topic | Description |
-| --- | --- |
-| [Manage Windows 10 (and Windows 11) in your organization - transitioning to modern management](manage-windows-10-in-your-organization-modern-management.md) | Strategies for deploying and managing Windows 10 (and Windows 11), including deploying Windows 10 (and Windows 11) in a mixed environment |
-| [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md) | How to use Remote Desktop Connection to connect to an Azure AD-joined PC |
-| [Manage Windows 10 (and Windows 11) and Microsoft Store tips, tricks, and suggestions](/windows/configuration/manage-tips-and-suggestions) | Options to manage user experiences to provide a consistent and predictable experience for employees |
-| [New policies for Windows 10 (and Windows 11)](new-policies-for-windows-10.md) | New Group Policy settings added in Windows 10 |
-| [Group Policies that apply only to Windows Enterprise and Windows Education](group-policies-for-enterprise-and-education-editions.md) | Group Policy settings that apply only to Windows 10 Enterprise and Windows 10 Education |
-| [Introduction to configuration service providers (CSPs) for IT pros](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers) | How IT pros and system administrators can take advantage of many settings available through CSPs to configure devices running Windows 10 (and Windows 11) in their organizations |
-
-
-
-## Learn more
-
-[How to bulk-enroll devices with On-premises Mobile Device Management in Microsoft Configuration Manager](/mem/configmgr/mdm/deploy-use/bulk-enroll-devices-on-premises-mdm)
-
-[Azure AD, Microsoft Intune and Windows 10 - Using the cloud to modernize enterprise mobility](https://blogs.technet.microsoft.com/enterprisemobility/2015/06/12/azure-ad-microsoft-intune-and-windows-10-using-the-cloud-to-modernize-enterprise-mobility/)
-
-[Microsoft Intune End User Enrollment Guide](/samples/browse/?redirectedfrom=TechNet-Gallery)
-
-[Windows 10 (and Windows 11) and Azure Active Directory: Embracing the Cloud](https://go.microsoft.com/fwlink/p/?LinkId=615768)
-
-Microsoft Virtual Academy course: [Configuration Manager & Windows Intune](/training/)
-
diff --git a/windows/client-management/manage-settings-app-with-group-policy.md b/windows/client-management/manage-settings-app-with-group-policy.md
deleted file mode 100644
index 0bb88c2d24..0000000000
--- a/windows/client-management/manage-settings-app-with-group-policy.md
+++ /dev/null
@@ -1,50 +0,0 @@
----
-title: Manage the Settings app with Group Policy (Windows 10 and Windows 11)
-description: Find out how to manage the Settings app with Group Policy so you can hide specific pages from users.
-ms.prod: windows-client
-author: vinaypamnani-msft
-ms.date: 09/14/2021
-ms.reviewer:
-manager: aaroncz
-ms.author: vinpa
-ms.topic: article
-ms.technology: itpro-manage
----
-
-# Manage the Settings app with Group Policy
-
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016
-
-You can now manage the pages that are shown in the Settings app by using Group Policy. When you use Group Policy to manage pages, you can hide specific pages from users. Before Windows 10, version 1703, you could either show everything in the Settings app or hide it completely.
-To make use of the Settings App group policies on Windows server 2016, install fix [4457127](https://support.microsoft.com/help/4457127/windows-10-update-kb4457127) or a later cumulative update.
-
->[!Note]
->Each server that you want to manage access to the Settings App must be patched.
-
-If your company uses one or the PolicyDefinitions folder of the Domain Controllers used for Group Policy management, to centrally manage the new policies, copy the ControlPanel.admx and ControlPanel.adml file to [Central Store](/troubleshoot/windows-client/group-policy/create-and-manage-central-store).
-
-This policy is available for both User and Computer depending on the version of the OS. Windows Server 2016 with KB 4457127 applied will have both User and Computer policy. Windows 10, version 1703, added Computer policy for the Settings app. Windows 10, version 1809, added User policy for the Settings app.
-
-Policy paths:
-
-**Computer Configuration** > **Administrative Templates** > **Control Panel** > **Settings Page Visibility**.
-
-**User Configuration** > **Administrative Templates** > **Control Panel** > **Settings Page Visibility**.
-
-![Settings page visibility policy.](images/settings-page-visibility-gp.png)
-
-## Configuring the Group Policy
-
-The Group Policy can be configured in one of two ways: specify a list of pages that are shown or specify a list of pages to hide. To do this, add either **ShowOnly:** or **Hide:** followed by a semicolon-delimited list of URIs in **Settings Page Visibility**. For a full list of URIs, see the URI scheme reference section in [Launch the Windows Settings app](/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference).
-
->[!NOTE]
-> When you specify the URI in the Settings Page Visibility textbox, don't include **ms-settings:** in the string.
-
-Here are some examples:
-
-- To show only the Ethernet and Proxy pages, set the **Settings App Visibility** textbox to **ShowOnly:Network-Proxy;Network-Ethernet**.
-- To hide the Ethernet and Proxy pages, set the **Settings App Visibility** textbox to **Hide:Network-Proxy;Network-Ethernet**.
\ No newline at end of file
diff --git a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
index 37aae00014..3595276771 100644
--- a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
+++ b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
@@ -1,24 +1,25 @@
 ---
-title: Manage Windows 10 in your organization - transitioning to modern management
-description: This article offers strategies for deploying and managing Windows 10, including deploying Windows 10 in a mixed environment.
+title: Manage Windows devices in your organization - transitioning to modern management
+description: This article offers strategies for deploying and managing Windows devices, including deploying Windows in a mixed environment.
 ms.prod: windows-client
 ms.localizationpriority: medium
-ms.date: 06/03/2022
+ms.date: 04/05/2023
 author: vinaypamnani-msft
 ms.author: vinpa
 ms.reviewer:
 manager: aaroncz
 ms.topic: overview
 ms.technology: itpro-manage
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
 ---
 
-# Manage Windows 10 in your organization - transitioning to modern management
+# Manage Windows devices in your organization - transitioning to modern management
 
-Use of personal devices for work, and employees working outside the office, may be changing how your organization manages devices. Certain parts of your organization might require deep, granular control over devices, while other parts might seek lighter, scenario-based management that empowers the modern workforce. Windows 10 offers the flexibility to respond to these changing requirements, and can easily be deployed in a mixed environment. You can shift the percentage of Windows 10 devices gradually, following the normal upgrade schedules used in your organization.
+Use of personal devices for work, and employees working outside the office, may be changing how your organization manages devices. Certain parts of your organization might require deep, granular control over devices, while other parts might seek lighter, scenario-based management that empowers the modern workforce. Windows offers the flexibility to respond to these changing requirements, and can easily be deployed in a mixed environment. You can shift the percentage of Windows devices gradually, following the normal upgrade schedules used in your organization.
 
-Your organization might have considered bringing in Windows 10 devices and downgrading them to an earlier version of Windows until everything is in place for a formal upgrade process. This downgrade may appear to save costs due to standardization. But, you typically save more if you don't downgrade, and immediately taking advantage of the cost reductions Windows 10 can provide. Because Windows 10 devices can be managed using the same processes and technology as other previous Windows versions, it's easy for versions to coexist.
-
-Your organization can support various operating systems across a wide range of device types, and manage them through a common set of tools such as Microsoft Configuration Manager, Microsoft Intune, or other third-party products. This "managed diversity" enables you to empower your users to benefit from the productivity enhancements available on their new Windows 10 devices (including rich touch and ink support), while still maintaining your standards for security and manageability. It can help you and your organization benefit from Windows 10 much faster.
+Your organization can support various operating systems across a wide range of device types, and manage them through a common set of tools such as Microsoft Configuration Manager, Microsoft Intune, or other third-party products. This "managed diversity" enables you to empower your users to benefit from the productivity enhancements available on their new Windows devices (including rich touch and ink support), while still maintaining your standards for security and manageability. It can help you and your organization benefit from Windows faster.
 
 This six-minute video demonstrates how users can bring in a new retail device and be up and working with their personalized settings and a managed experience in a few minutes, without being on the corporate network. It also demonstrates how IT can apply policies and configurations to ensure device compliance.
 
@@ -27,64 +28,58 @@ This six-minute video demonstrates how users can bring in a new retail device an > [!NOTE] > The video demonstrates the configuration process using the classic Azure portal, which is retired. Customers should use the new Azure portal. [Learn how use the new Azure portal to perform tasks that you used to do in the classic Azure portal.](/information-protection/deploy-use/migrate-portal) -This article offers guidance on strategies for deploying and managing Windows 10, including deploying Windows 10 in a mixed environment. It covers [management options](#reviewing-the-management-options-with-windows-10) plus the four stages of the device lifecycle: +This article offers guidance on strategies for deploying and managing Windows devices, including deploying Windows in a mixed environment. It covers [management options](#reviewing-the-management-options-for-windows) plus the four stages of the device lifecycle: - [Deployment and Provisioning](#deployment-and-provisioning) - [Identity and Authentication](#identity-and-authentication) - [Configuration](#settings-and-configuration) - [Updating and Servicing](#updating-and-servicing) -## Reviewing the management options with Windows 10 +## Reviewing the management options for Windows -Windows 10 offers a range of management options, as shown in the following diagram: +Windows offers a range of management options, as shown in the following diagram: :::image type="content" source="images/windows-10-management-range-of-options.png" alt-text="Diagram of the path to modern IT." lightbox="images/windows-10-management-range-of-options.png"::: -As indicated in the diagram, Microsoft continues to provide support for deep manageability and security through technologies like group Policy, Active Directory, and Configuration Manager. 
It also delivers a "mobile-first, cloud-first" approach of simplified, modern management using cloud-based device management solutions such as Microsoft Enterprise Mobility + Security (EMS). Future Windows innovations, delivered through Windows as a Service, are complemented by cloud services like Microsoft Intune, Azure Active Directory, Azure Information Protection, Office 365, and the Microsoft Store for Business. +As indicated in the diagram, Microsoft continues to provide support for deep manageability and security through technologies like group Policy, Active Directory, and Configuration Manager. It also delivers a "mobile-first, cloud-first" approach of simplified, modern management using cloud-based device management solutions such as Microsoft Enterprise Mobility + Security (EMS). Future Windows innovations, delivered through Windows as a Service, are complemented by cloud services like Microsoft Intune, Azure Active Directory, Azure Information Protection, and Microsoft 365. ## Deployment and provisioning -With Windows 10, you can continue to use traditional OS deployment, but you can also "manage out of the box." To transform new devices into fully configured, fully managed devices, you can: +With Windows, you can continue to use traditional OS deployment, but you can also "manage out of the box". To transform new devices into fully configured, fully managed devices, you can: -- Avoid reimaging by using dynamic provisioning, enabled by a cloud-based device management service such as [Windows Autopilot](/mem/autopilot/windows-autopilot) or [Microsoft Intune](/mem/intune/fundamentals/). +- Avoid re-imaging by using dynamic provisioning, enabled by a cloud-based device management service such as [Windows Autopilot](/mem/autopilot/windows-autopilot) or [Microsoft Intune](/mem/intune/fundamentals/). - Create self-contained provisioning packages built with the Windows Configuration Designer. 
For more information, see [Provisioning packages for Windows](/windows/configuration/provisioning-packages/provisioning-packages). - Use traditional imaging techniques such as deploying custom images using [Configuration Manager](/mem/configmgr/core/understand/introduction). -You have multiple options for [upgrading to Windows 10](/windows/deployment/windows-10-deployment-scenarios). For existing devices running Windows 8.1, you can use the robust in-place upgrade process for a fast, reliable move to Windows 10 while automatically preserving all the existing apps, data, and settings. This process usage can mean lower deployment costs, and improved productivity as end users can be immediately productive - everything is right where they left it. You can also use a traditional wipe-and-load approach if you prefer, using the same tools that you use today. +You have multiple options for [upgrading to Windows 10 and Windows 11](/windows/deployment/windows-10-deployment-scenarios). For existing devices running Windows 10, you can use the robust in-place upgrade process for a fast, reliable move to Windows 11 while automatically preserving all the existing apps, data, and settings. This process usage can mean lower deployment costs, and improved productivity as end users can be immediately productive - everything is right where they left it. You can also use a traditional wipe-and-load approach if you prefer, using the same tools that you use today. ## Identity and authentication -You can use Windows 10 and services like [Azure Active Directory](/azure/active-directory/fundamentals/active-directory-whatis) in new ways for cloud-based identity, authentication, and management. You can offer your users the ability to **"bring your own device" (BYOD)** or to **"choose your own device" (CYOD)** from a selection you make available. 
At the same time, you might be managing PCs and tablets that must be domain-joined because of specific applications or resources that are used on them. +You can use Windows and services like [Azure Active Directory](/azure/active-directory/fundamentals/active-directory-whatis) in new ways for cloud-based identity, authentication, and management. You can offer your users the ability to **"bring your own device" (BYOD)** or to **"choose your own device" (CYOD)** from a selection you make available. At the same time, you might be managing PCs and tablets that must be domain-joined because of specific applications or resources that are used on them. You can envision user and device management as falling into these two categories: -- **Corporate (CYOD) or personal (BYOD) devices used by mobile users for SaaS apps such as Office 365.** With Windows 10, your employees can self-provision their devices: +- **Corporate (CYOD) or personal (BYOD) devices used by mobile users for SaaS apps such as Office 365.** With Windows, your employees can self-provision their devices: - - For corporate devices, they can set up corporate access with [Azure AD join](/azure/active-directory/devices/overview). When you offer them Azure AD Join with automatic Intune MDM enrollment, they can bring devices into a corporate-managed state in [*one step*](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/windows-10-azure-ad-and-microsoft-intune-automatic-mdm/ba-p/244067), all from the cloud. + - For corporate devices, they can set up corporate access with [Azure AD join](/azure/active-directory/devices/overview). When you offer them Azure AD Join with automatic Intune MDM enrollment, they can bring devices into a corporate-managed state in [*one step*](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/windows-10-azure-ad-and-microsoft-intune-automatic-mdm/ba-p/244067), all from the cloud. 
Azure AD join is also a great solution for temporary staff, partners, or other part-time employees. These accounts can be kept separate from the on-premises AD domain but still access needed corporate resources. - - Likewise, for personal devices, employees can use a new, simplified [BYOD experience](/azure/active-directory/devices/overview) to add their work account to Windows, then access work resources on the device. + - Likewise, for personal devices, employees can use a new, simplified [BYOD experience](/azure/active-directory/devices/overview) to add their work account to Windows, then access work resources on the device. - **Domain joined PCs and tablets used for traditional applications and access to important resources.** These applications and resources may be traditional ones that require authentication or accessing highly sensitive or classified resources on-premises. - With Windows 10, if you have an on-premises [Active Directory](/windows-server/identity/whats-new-active-directory-domain-services) domain that's [integrated with Azure AD](/azure/active-directory/devices/hybrid-azuread-join-plan), when employee devices are joined, they automatically register with Azure AD. This registration provides: + With Windows, if you have an on-premises [Active Directory](/windows-server/identity/whats-new-active-directory-domain-services) domain that's [integrated with Azure AD](/azure/active-directory/devices/hybrid-azuread-join-plan), when employee devices are joined, they automatically register with Azure AD. 
This registration provides: - - Single sign-on to cloud and on-premises resources from everywhere + - Single sign-on to cloud and on-premises resources from everywhere + - [Enterprise roaming of settings](/azure/active-directory/devices/enterprise-state-roaming-enable) + - [Conditional access](/azure/active-directory/conditional-access/overview) to corporate resources based on the health or configuration of the device + - [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-identity-verification) + - Windows Hello - - [Enterprise roaming of settings](/azure/active-directory/devices/enterprise-state-roaming-enable) - - - [Conditional access](/azure/active-directory/conditional-access/overview) to corporate resources based on the health or configuration of the device - - - [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-identity-verification) - - - Windows Hello - - Domain joined PCs and tablets can continue to be managed with the [Configuration Manager](/mem/configmgr/core/understand/introduction) client or group policy. - -For more information about how Windows 10 and Azure AD optimize access to work resources across a mix of devices and scenarios, see [Using Windows 10 devices in your workplace](/azure/active-directory/devices/overview). + Domain joined PCs and tablets can continue to be managed with [Configuration Manager](/mem/configmgr/core/understand/introduction) client or group policy. As you review the roles in your organization, you can use the following generalized decision tree to begin to identify users or devices that require domain join. Consider switching the remaining users to Azure AD. 
@@ -92,19 +87,19 @@ As you review the roles in your organization, you can use the following generali ## Settings and configuration -Your configuration requirements are defined by multiple factors, including the level of management needed, the devices and data managed, and your industry requirements. Meanwhile, employees are frequently concerned about IT applying strict policies to their personal devices, but they still want access to corporate email and documents. With Windows 10, you can create a consistent set of configurations across PCs, tablets, and phones through the common MDM layer. +Your configuration requirements are defined by multiple factors, including the level of management needed, the devices and data managed, and your industry requirements. Meanwhile, employees are frequently concerned about IT applying strict policies to their personal devices, but they still want access to corporate email and documents. You can create a consistent set of configurations across PCs, tablets, and phones through the common MDM layer. -**MDM**: MDM gives you a way to configure settings that achieve your administrative intent without exposing every possible setting. (In contrast, group policy exposes fine-grained settings that you control individually.) One benefit of MDM is that it enables you to apply broader privacy, security, and application management settings through lighter and more efficient tools. MDM also allows you to target Internet-connected devices to manage policies without using group policy that requires on-premises domain-joined devices. This provision makes MDM the best choice for devices that are constantly on the go. +- **MDM**: MDM gives you a way to configure settings that achieve your administrative intent without exposing every possible setting. (In contrast, group policy exposes fine-grained settings that you control individually.) 
One benefit of MDM is that it enables you to apply broader privacy, security, and application management settings through lighter and more efficient tools. MDM also allows you to target Internet-connected devices to manage policies without using group policy that requires on-premises domain-joined devices. This provision makes MDM the best choice for devices that are constantly on the go. -**Group policy** and **Configuration Manager**: Your organization might still need to manage domain joined computers at a granular level such as Internet Explorer's 1,500 configurable group policy settings. If so, group policy and Configuration Manager continue to be excellent management choices: +- **Group policy** and **Configuration Manager**: Your organization might still need to manage domain joined computers at a granular level using group policy settings. If so, group policy and Configuration Manager continue to be excellent management choices: -- Group policy is the best way to granularly configure domain joined Windows PCs and tablets connected to the corporate network using Windows-based tools. Microsoft continues to add group policy settings with each new version of Windows. + - **Group policy** is the best way to granularly configure domain joined Windows PCs and tablets connected to the corporate network using Windows-based tools. Microsoft continues to add group policy settings with each new version of Windows. -- Configuration Manager remains the recommended solution for granular configuration with robust software deployment, Windows updates, and OS deployment. + - **Configuration Manager** remains the recommended solution for granular configuration with robust software deployment, Windows updates, and OS deployment. ## Updating and servicing -With Windows as a Service, your IT department no longer needs to perform complex imaging (wipe-and-load) processes with each new Windows release. 
Whether on current branch (CB) or current branch for business (CBB), devices receive the latest feature and quality updates through simple - often automatic - patching processes. For more information, see [Windows 10 deployment scenarios](/windows/deployment/windows-10-deployment-scenarios). +With Windows as a Service, your IT department no longer needs to perform complex imaging (wipe-and-load) processes with each new Windows release. Whether on General Availability Channel or Long-Term Servicing Channel, devices receive the latest feature and quality updates through simple - often automatic - patching processes. For more information, see [Windows deployment scenarios](/windows/deployment/windows-10-deployment-scenarios). MDM with Intune provide tools for applying Windows updates to client computers in your organization. Configuration Manager allows rich management and tracking capabilities of these updates, including maintenance windows and automatic deployment rules. 
@@ -116,11 +111,11 @@ There are various steps you can take to begin the process of modernizing device **Assess the different use cases and management needs in your environment.** Are there groups of devices that could benefit from lighter, simplified management? BYOD devices, for example, are natural candidates for cloud-based management. Users or devices handling more highly regulated data might require an on-premises Active Directory domain for authentication. Configuration Manager and EMS provide you the flexibility to stage implementation of modern management scenarios while targeting different devices the way that best suits your business needs. -**Review the decision trees in this article.** With the different options in Windows 10, plus Configuration Manager and Enterprise Mobility + Security, you have the flexibility to handle imaging, authentication, settings, and management tools for any scenario. +**Review the decision trees in this article.** With the different options in Windows, plus Configuration Manager and Enterprise Mobility + Security, you have the flexibility to handle imaging, authentication, settings, and management tools for any scenario. -**Take incremental steps.** Moving towards modern device management doesn't have to be an overnight transformation. New operating systems and devices can be brought in while older ones remain. With this "managed diversity," users can benefit from productivity enhancements on new Windows 10 devices, while you continue to maintain older devices according to your standards for security and manageability. The CSP policy [MDMWinsOverGP](./mdm/policy-csp-controlpolicyconflict.md#mdmwinsovergp) allows MDM policies to take precedence over group policy when both group policy and its equivalent MDM policies are set on the device. You can start implementing MDM policies while keeping your group policy environment. 
For more information, including the list of MDM policies with equivalent group policies, see [Policies supported by group policy](./mdm/policy-configuration-service-provider.md). +**Take incremental steps.** Moving towards modern device management doesn't have to be an overnight transformation. New operating systems and devices can be brought in while older ones remain. With this "managed diversity," users can benefit from productivity enhancements on modern Windows devices, while you continue to maintain older devices according to your standards for security and manageability. The CSP policy [MDMWinsOverGP](./mdm/policy-csp-controlpolicyconflict.md#mdmwinsovergp) allows MDM policies to take precedence over group policy when both group policy and its equivalent MDM policies are set on the device. You can start implementing MDM policies while keeping your group policy environment. For more information, including the list of MDM policies with equivalent group policies, see [Policies supported by group policy](./mdm/policies-in-policy-csp-supported-by-group-policy.md). -**Optimize your existing investments**. On the road from traditional on-premises management to modern cloud-based management, take advantage of the flexible, hybrid architecture of Configuration Manager and Intune. Co-management enables you to concurrently manage Windows 10 devices by using both Configuration Manager and Intune. For more information, see the following articles: +**Optimize your existing investments**. On the road from traditional on-premises management to modern cloud-based management, take advantage of the flexible, hybrid architecture of Configuration Manager and Intune. Co-management enables you to concurrently manage Windows devices by using both Configuration Manager and Intune. 
For more information, see the following articles:
- [Co-management for Windows devices](/mem/configmgr/comanage/overview)
- [Prepare Windows devices for co-management](/mem/configmgr/comanage/how-to-prepare-Win10)
@@ -130,5 +125,5 @@ There are various steps you can take to begin the process of modernizing device
## Related articles
- [What is Intune?](/mem/intune/fundamentals/what-is-intune)
-- [Windows 10 policy CSP](./mdm/policy-configuration-service-provider.md)
-- [Windows 10 configuration service providers](./mdm/index.yml)
+- [Policy CSP](./mdm/policy-configuration-service-provider.md)
+- [Configuration service providers reference](./mdm/index.yml)
diff --git a/windows/client-management/diagnose-mdm-failures-in-windows-10.md b/windows/client-management/mdm-collect-logs.md
similarity index 81%
rename from windows/client-management/diagnose-mdm-failures-in-windows-10.md
rename to windows/client-management/mdm-collect-logs.md
index 246e8babc9..d544eab6d4 100644
--- a/windows/client-management/diagnose-mdm-failures-in-windows-10.md
+++ b/windows/client-management/mdm-collect-logs.md
@@ -1,6 +1,6 @@
---
-title: Diagnose MDM failures in Windows 10
-description: Learn how to collect MDM logs. Examining these logs can help diagnose enrollment or device management issues in Windows 10 devices managed by an MDM server.
+title: Collect MDM logs
+description: Learn how to collect MDM logs. Examining these logs can help diagnose enrollment or device management issues in Windows devices managed by an MDM server.
ms.reviewer:
manager: aaroncz
ms.author: vinpa
@@ -8,31 +8,36 @@ ms.topic: article
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
-ms.date: 06/25/2018
+ms.date: 04/13/2023
ms.collection:
- - highpri
- - tier2
+- highpri
+- tier2
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
---
-# Diagnose MDM failures in Windows 10
+# Collect MDM logs
-To help diagnose enrollment or device management issues in Windows 10 devices managed by an MDM server, you can examine the MDM logs collected from the desktop. The following sections describe the procedures for collecting MDM logs.
+To help diagnose enrollment or device management issues in Windows devices managed by an MDM server, you can examine the MDM logs collected from the desktop. The following sections describe the procedures for collecting MDM logs.
-## Download the MDM Diagnostic Information log from Windows 10 PCs
+## Download the MDM Diagnostic Information log from Windows devices
1. On your managed device, go to **Settings** > **Accounts** > **Access work or school**.
-1. Click your work or school account, then click **Info.**
+1. Click your work or school account, then click **Info**.
+ ![Access work or school page in Settings.](images/diagnose-mdm-failures15.png)
1. At the bottom of the **Settings** page, click **Create report**.
+ ![Access work or school page and then Create report.](images/diagnose-mdm-failures16.png)
1. A window opens that shows the path to the log files. Click **Export**.
![Access work or school log files.](images/diagnose-mdm-failures17.png)
-1. In File Explorer, navigate to c:\Users\Public\Documents\MDMDiagnostics to see the report.
+1. In File Explorer, navigate to `C:\Users\Public\Documents\MDMDiagnostics` to see the report.
-## Use command to collect logs directly from Windows 10 PCs
+## Use command to collect logs directly from Windows devices
You can also collect the MDM Diagnostic Information logs using the following command:
@@ -55,9 +60,9 @@ The zip file will have logs according to the areas that were used in the command
- MdmLogCollectorFootPrint.txt: mdmdiagnosticslog tool logs from running the command
- *.evtx: Common event viewer logs microsoft-windows-devicemanagement-enterprise-diagnostics-provider-admin.evtx main one that contains MDM events.
-## Collect logs directly from Windows 10 PCs
+## Collect logs directly from Windows devices
-Starting with the Windows 10, version 1511, MDM logs are captured in the Event Viewer in the following location:
+MDM logs are captured in the Event Viewer in the following location:
- Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostic-Provider
@@ -70,26 +75,26 @@ In this location, the **Admin** channel logs events by default. However, if you
### Collect admin logs
1. Right click on the **Admin** node.
-2. Select **Save all events as**.
-3. Choose a location and enter a filename.
-4. Click **Save**.
-5. Choose **Display information for these languages** and then select **English**.
-6. Click **Ok**.
+1. Select **Save all events as**.
+1. Choose a location and enter a filename.
+1. Click **Save**.
+1. Choose **Display information for these languages** and then select **English**.
+1. Click **Ok**.
For more detailed logging, you can enable **Debug** logs. Right click on the **Debug** node and then click **Enable Log**.
### Collect debug logs
1. Right click on the **Debug** node.
-2. Select **Save all events as**.
-3. Choose a location and enter a filename.
-4. Click **Save**.
-5. Choose **Display information for these languages** and then select **English**.
-6. Click **Ok**.
+1. Select **Save all events as**.
+1. Choose a location and enter a filename.
+1. Click **Save**.
+1. Choose **Display information for these languages** and then select **English**.
+1. Click **Ok**.
-You can open the log files (.evtx files) in the Event Viewer on a Windows 10 PC running the November 2015 update.
+You can open the log files (.evtx files) in the Event Viewer on a Windows device.
-## Collect logs remotely from Windows 10 PCs
+## Collect logs remotely from Windows devices
When the PC is already enrolled in MDM, you can remotely collect logs from the PC through the MDM channel if your MDM server supports this facility. The [DiagnosticLog CSP](mdm/diagnosticlog-csp.md) can be used to enable an event viewer channel by full name. Here are the Event Viewer names for the Admin and Debug channels:
@@ -137,7 +142,7 @@ Example: Export the Debug logs
```
-## Collect logs remotely from Windows 10 Holographic
+## Collect logs remotely from Windows Holographic
For holographic already enrolled in MDM, you can remotely collect MDM logs through the MDM channel using the [DiagnosticLog CSP](mdm/diagnosticlog-csp.md).
@@ -240,32 +245,32 @@ After the logs are collected on the device, you can retrieve the files through t For best results, ensure that the PC or VM on which you're viewing logs matches the build of the OS from which the logs were collected. 1. Open eventvwr.msc. -2. Right-click on **Event Viewer(Local)** and select **Open Saved Log**. +1. Right-click on **Event Viewer(Local)** and select **Open Saved Log**. ![event viewer screenshot.](images/diagnose-mdm-failures9.png) -3. Navigate to the etl file that you got from the device and then open the file. -4. Click **Yes** when prompted to save it to the new log format. +1. Navigate to the etl file that you got from the device and then open the file. +1. Click **Yes** when prompted to save it to the new log format. ![event viewer prompt.](images/diagnose-mdm-failures10.png) ![diagnose mdm failures.](images/diagnose-mdm-failures11.png) -5. The new view contains traces from the channel. Click on **Filter Current Log** from the **Actions** menu. +1. The new view contains traces from the channel. Click on **Filter Current Log** from the **Actions** menu. ![event viewer actions.](images/diagnose-mdm-failures12.png) -6. Add a filter to Event sources by selecting **DeviceManagement-EnterpriseDiagnostics-Provider** and click **OK**. +1. Add a filter to Event sources by selecting **DeviceManagement-EnterpriseDiagnostics-Provider** and click **OK**. ![event filter for Device Management.](images/diagnose-mdm-failures13.png) -7. Now you're ready to start reviewing the logs. +1. Now you're ready to start reviewing the logs. ![event viewer review logs.](images/diagnose-mdm-failures14.png) ## Collect device state data -Here's an example of how to collect current MDM device state data using the [DiagnosticLog CSP](mdm/diagnosticlog-csp.md), version 1.3, which was added in Windows 10, version 1607. You can collect the file from the device using the same FileDownload node in the CSP as you do for the etl files. 
+Here's an example of how to collect current MDM device state data using the [DiagnosticLog CSP](mdm/diagnosticlog-csp.md). You can collect the file from the device using the same FileDownload node in the CSP as you do for the etl files.
```xml
diff --git a/windows/client-management/mdm-diagnose-enrollment.md b/windows/client-management/mdm-diagnose-enrollment.md
new file mode 100644
index 0000000000..5022ba4bf1
--- /dev/null
+++ b/windows/client-management/mdm-diagnose-enrollment.md
@@ -0,0 +1,121 @@
+---
+title: Diagnose MDM enrollment failures
+description: Learn how to diagnose enrollment failures for Windows devices
+ms.reviewer:
+manager: aaroncz
+ms.author: vinpa
+ms.topic: article
+ms.prod: windows-client
+ms.technology: itpro-manage
+author: vinaypamnani-msft
+ms.date: 04/12/2023
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
+---
+
+# Diagnose MDM enrollment
+
+This article provides suggestions for troubleshooting device enrollment issues for MDM.
+
+## Verify auto-enrollment requirements and settings
+
+To ensure that the auto-enrollment feature is working as expected, you must verify that various requirements and settings are configured correctly. The following steps demonstrate required settings using the Intune service:
+
+1. Verify that the user who is going to enroll the device has a valid [Intune license](/mem/intune/fundamentals/licenses).
+
+ :::image type="content" alt-text="Screenshot of Intune license verification." source="images/auto-enrollment-intune-license-verification.png" lightbox="images/auto-enrollment-intune-license-verification.png":::
+
+1. Verify that auto-enrollment is activated for those users who are going to enroll the devices into Mobile Device Management (MDM) with Intune. For more information, see [Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal](./azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md).
+
+ ![Auto-enrollment activation verification.](images/auto-enrollment-activation-verification.png)
+
+ > [!IMPORTANT]
+ > For bring-your-own devices (BYOD devices), the Mobile Application Management (MAM) user scope takes precedence if both MAM user scope and MDM user scope (automatic MDM enrollment) are enabled for all users (or the same groups of users). The device will use Windows Information Protection (WIP) Policies (if you configured them) rather than being MDM enrolled.
+ > + > For corporate-owned devices, the MDM user scope takes precedence if both scopes are enabled. The devices get MDM enrolled. + +1. Verify that the device is running a [supported version of Windows](/windows/release-health/supported-versions-windows-client). + +1. Auto-enrollment into Intune via Group Policy is valid only for devices that are hybrid Azure AD joined. This condition means that the device must be joined into both local Active Directory and Azure Active Directory. To verify that the device is hybrid Azure AD joined, run `dsregcmd /status` from the command line. + + You can confirm that the device is properly hybrid-joined if both **AzureAdJoined** and **DomainJoined** are set to **YES**. + + ![Auto-enrollment device status result.](images/auto-enrollment-device-status-result.png) + + Additionally, verify that the SSO State section displays **AzureAdPrt** as **YES**. + + ![Auto-enrollment Azure AD prt verification.](images/auto-enrollment-azureadprt-verification.png) + + This information can also be found on the Azure AD device list. + +1. Verify that the MDM discovery URL during auto-enrollment is `https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc`. + + ![MDM discovery URL.](images/auto-enrollment-mdm-discovery-url.png) + +1. Some tenants might have both **Microsoft Intune** and **Microsoft Intune Enrollment** under **Mobility**. Make sure that your auto-enrollment settings are configured under **Microsoft Intune** instead of **Microsoft Intune Enrollment**. + + :::image type="content" alt-text="Screenshot of Mobility setting MDM intune." source="images/auto-enrollment-microsoft-intune-setting.png" lightbox="images/auto-enrollment-microsoft-intune-setting.png"::: + +1. 
When using group policy for enrollment, verify that the *Enable Automatic MDM enrollment using default Azure AD credentials* group policy (**Local Group Policy Editor > Computer Configuration > Policies > Administrative Templates > Windows Components > MDM**) is properly deployed to all devices that should be enrolled into Intune. You may contact your domain administrators to verify if the group policy has been deployed successfully. + +1. Verify that Microsoft Intune allows enrollment of Windows devices. + + :::image type="content" alt-text="Screenshot of Enrollment of Windows devices." source="images/auto-enrollment-enrollment-of-windows-devices.png" lightbox="images/auto-enrollment-enrollment-of-windows-devices.png"::: + +## Troubleshoot group policy enrollment + +Investigate the logs if you have issues even after performing all the verification steps. The first log file to investigate is the event log on the target Windows device. To collect Event Viewer logs: + +1. Open Event Viewer. + +1. Navigate to **Applications and Services Logs** > **Microsoft** > **Windows** > **DeviceManagement-Enterprise-Diagnostic-Provider** > **Admin**. + + > [!TIP] + > For guidance on how to collect event logs for Intune, see [Collect MDM Event Viewer Log YouTube video](https://www.youtube.com/watch?v=U_oCe2RmQEc). + +1. Search for event ID 75, which represents a successful auto-enrollment. Here's an example screenshot that shows the auto-enrollment completed successfully: + + :::image type="content" alt-text="Screenshot of Event ID 75." source="images/auto-enrollment-troubleshooting-event-id-75.png" lightbox="images/auto-enrollment-troubleshooting-event-id-75.png"::: + +If you can't find event ID 75 in the logs, it indicates that the auto-enrollment failed. This failure can happen because of the following reasons: + +- The enrollment failed with error. In this case, search for event ID 76, which represents failed auto-enrollment. 
Here's an example screenshot that shows that the auto-enrollment failed: + + :::image type="content" alt-text="Screenshot of Event ID 76." source="images/auto-enrollment-troubleshooting-event-id-76.png" lightbox="images/auto-enrollment-troubleshooting-event-id-76.png"::: + + To troubleshoot, check the error code that appears in the event. For more information, see [Troubleshooting Windows device enrollment problems in Microsoft Intune](/troubleshoot/mem/intune/troubleshoot-windows-enrollment-errors). + +- The auto-enrollment didn't trigger at all. In this case, you'll not find either event ID 75 or event ID 76. To know the reason, you must understand the internal mechanisms happening on the device as described below: + + The auto-enrollment process is triggered by a task (**Microsoft** > **Windows** > **EnterpriseMgmt**) within the task-scheduler. This task appears if the *Enable automatic MDM enrollment using default Azure AD credentials* group policy (**Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **MDM**) is successfully deployed to the target machine as shown in the following screenshot: + + :::image type="content" alt-text="Screenshot of Task scheduler." source="images/auto-enrollment-task-scheduler.png" lightbox="images/auto-enrollment-task-scheduler.png"::: + + > [!NOTE] + > This task isn't visible to standard users, run Scheduled Tasks with administrative credentials to find the task. + + This task runs every 5 minutes for the duration of one day. To confirm if the task succeeded, check the task scheduler event logs: **Applications and Services Logs > Microsoft > Windows > Task Scheduler > Operational**. Look for an entry where the task scheduler created by enrollment client for automatically enrolling in MDM from Azure Active Directory is triggered by event ID 107. + + :::image type="content" alt-text="Screenshot of Event ID 107." 
source="images/auto-enrollment-event-id-107.png" lightbox="images/auto-enrollment-event-id-107.png"::: + + When the task is completed, a new event ID 102 is logged. + + :::image type="content" alt-text="Screenshot of Event ID 102." source="images/auto-enrollment-event-id-102.png" lightbox="images/auto-enrollment-event-id-102.png"::: + + The task scheduler log displays event ID 102 (task completed) regardless of the auto-enrollment success or failure. This status-display means that the task scheduler log is only useful to confirm if the auto-enrollment task is triggered or not. It doesn't indicate the success or failure of auto-enrollment. + + If you can't see from the log that task Schedule created by enrollment client for automatically enrolling in MDM from Azure AD is initiated, there's possibly an issue with the group policy. Immediately run the command `gpupdate /force` in a command prompt to get the group policy object applied. If this step still doesn't help, further troubleshooting on Active Directory is required. + One frequently seen error is related to some outdated enrollment entries in the registry on the target client device (**HKLM > Software > Microsoft > Enrollments**). If a device has been enrolled (can be any MDM solution and not only Intune), some enrollment information added into the registry is seen: + + :::image type="content" alt-text="Screenshot of Outdated enrollment entries." source="images/auto-enrollment-outdated-enrollment-entries.png" lightbox="images/auto-enrollment-outdated-enrollment-entries.png"::: + + By default, these entries are removed when the device is un-enrolled, but occasionally the registry key remains even after un-enrollment. In this case, `gpupdate /force` fails to initiate the auto-enrollment task and error code 2149056522 is displayed in the **Applications and Services Logs** > **Microsoft** > **Windows** > **Task Scheduler** > **Operational** event log file under event ID 7016. 
+
+ A resolution to this issue is to remove the registry key manually. If you don't know which registry key to remove, go for the key that displays most entries as the screenshot above. All other keys will display fewer entries as shown in the following screenshot:
+
+ :::image type="content" alt-text="Screenshot showing manually deleted entries." source="images/auto-enrollment-activation-verification-less-entries.png" lightbox="images/auto-enrollment-activation-verification-less-entries.png":::
+
+## Error codes
+
+[!INCLUDE [Enrollment error codes](includes/mdm-enrollment-error-codes.md)]
diff --git a/windows/client-management/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm-enrollment-of-windows-devices.md
index 7023a7b517..7974866d71 100644
--- a/windows/client-management/mdm-enrollment-of-windows-devices.md
+++ b/windows/client-management/mdm-enrollment-of-windows-devices.md
@@ -1,9 +1,6 @@
---
-title: MDM enrollment of Windows 10-based devices
-description: Learn about mobile device management (MDM) enrollment of Windows 10-based devices to simplify access to your organization’s resources.
-MS-HAID:
- - 'p\_phdevicemgmt.enrollment\_ui'
- - 'p\_phDeviceMgmt.mdm\_enrollment\_of\_windows\_devices'
+title: MDM enrollment of Windows devices
+description: Learn about mobile device management (MDM) enrollment of Windows devices to simplify access to your organization's resources.
ms.reviewer:
manager: aaroncz
ms.author: vinpa
@@ -12,280 +9,208 @@ ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.collection:
- - highpri
- - tier2
-ms.date: 12/31/2017
+- highpri
+- tier2
+ms.date: 04/05/2023
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
 ---
-# MDM enrollment of Windows 10-based devices
+# MDM enrollment of Windows devices
-In today’s cloud-first world, enterprise IT departments increasingly want to let employees use their own devices, or even choose and purchase corporate-owned devices. Connecting your devices to work makes it easy for you to access your organization’s resources, such as apps, the corporate network, and email.
+In today's cloud-first world, enterprise IT departments increasingly want to let employees use their own devices, or even choose and purchase corporate-owned devices. Connecting your devices to work makes it easy for you to access your organization's resources, such as apps, the corporate network, and email.
 > [!NOTE]
 > When you connect your device using mobile device management (MDM) enrollment, your organization may enforce certain policies on your device.
-## Connect corporate-owned Windows 10-based devices
+## Connect corporate-owned Windows devices
-You can connect corporate-owned devices to work by either joining the device to an Active Directory domain, or to an Azure Active Directory (Azure AD) domain. Windows 10 doesn't require a personal Microsoft account on devices joined to Azure AD or an on-premises Active Directory domain.
+You can connect corporate-owned devices to work by either joining the device to an Active Directory domain, or to an Azure Active Directory (Azure AD) domain. Windows doesn't require a personal Microsoft account on devices joined to Azure AD or an on-premises Active Directory domain.
![active directory azure ad signin.](images/unifiedenrollment-rs1-1.png) -### Connect your device to an Active Directory domain (join a domain) - -Devices running Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education can be connected to an Active Directory domain using the Settings app. - > [!NOTE] -> Mobile devices can't be connected to an Active Directory domain. - -### Out-of-box-experience - -Joining your device to an Active Directory domain during the out-of-box-experience (OOBE) isn't supported. To join a domain: - -1. On the **Who Owns this PC?** page, select **My work or school owns it**. - - ![oobe creation of a local account](images/unifiedenrollment-rs1-2.png) - -2. Next, select **Join a domain**. - - ![select domain or azure-ad](images/unifiedenrollment-rs1-3.png) - -3. You'll see a prompt to set up a local account on the device. Enter your local account details, and then select **Next** to continue. - - ![create pc account.](images/unifiedenrollment-rs1-4.png) - -### Use the Settings app - -To create a local account and connect the device: - -1. Launch the Settings app. - - ![windows settings screen](images/unifiedenrollment-rs1-5.png) - -2. Next, select **Accounts**. - - ![windows settings accounts chosen](images/unifiedenrollment-rs1-6.png) - -3. Navigate to **Access work or school**. - - ![choose access work or school](images/unifiedenrollment-rs1-7.png) - -4. Select **Connect**. - - ![connect to work or to school](images/unifiedenrollment-rs1-8.png) - -5. Under **Alternate actions**, select **Join this device to a local Active Directory domain**. - - ![join account to active directory domain.](images/unifiedenrollment-rs1-9.png) - -6. Type in your domain name, follow the instructions, and then select **Next** to continue. After you complete the flow and restart your device, it should be connected to your Active Directory domain. You can now sign in to the device using your domain credentials. 
- - ![type in domain name.](images/unifiedenrollment-rs1-10.png) - -### Help with connecting to an Active Directory domain - -There are a few instances where your device can't be connected to an Active Directory domain. - -| Connection issue | Description | -|-----------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Your device is already connected to an Active Directory domain. | Your device can only be connected to a single Active Directory domain at a time. | -| Your device is connected to an Azure AD domain. | Your device can either be connected to an Azure AD domain or an Active Directory domain. You can't connect to both simultaneously. | -| You're logged in as a standard user. | Your device can only be connected to an Azure AD domain if you're logged in as an administrative user. You’ll need to switch to an administrator account to continue. | -| Your device is running Windows 10 Home. | This feature isn't available on Windows 10 Home, so you'll be unable to connect to an Active Directory domain. You'll need to upgrade to Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education to continue. | - - +> For devices joined to on-premises Active Directory, see [Group policy enrollment](enroll-a-windows-10-device-automatically-using-group-policy.md). ### Connect your device to an Azure AD domain (join Azure AD) All Windows devices can be connected to an Azure AD domain. These devices can be connected during OOBE. Additionally, desktop devices can be connected to an Azure AD domain using the Settings app. -### Out-of-box-experience +#### Out-of-box-experience To join a domain: -1. Select **My work or school owns it**, then select **Next.** +1. 
Select **My work or school owns it**, then select **Next.** ![oobe - local account creation](images/unifiedenrollment-rs1-11.png) -2. Select **Join Azure AD**, and then select **Next.** +1. Select **Join Azure AD**, and then select **Next.** ![choose the domain or azure ad](images/unifiedenrollment-rs1-12.png) -3. Type in your Azure AD username. This username is the email address you use to log into Microsoft Office 365 and similar services. +1. Type in your Azure AD username. This username is the email address you use to log into Microsoft Office 365 and similar services. If the tenant is a cloud-only, password hash sync, or pass-through authentication tenant, this page will change to show the organization's custom branding, and you'll be able to enter your password directly on this page. If the tenant is part of a federated domain, you'll be redirected to the organization's on-premises federation server, such as Active Directory Federation Services (AD FS) for authentication. - Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. If your Azure AD tenant has auto-enrollment configured, your device will also be enrolled into MDM during this flow. For more information, see [these steps](azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md). If your tenant isn't configured for auto-enrollment, you'll have to go through the enrollment flow a second time to connect your device to MDM. After you complete the flow, your device will be connected to your organization’s Azure AD domain. + Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. + + If your Azure AD tenant has auto-enrollment configured, your device will also be enrolled into MDM during this flow. For more information, see [these steps](azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md). 
If your tenant isn't configured for auto-enrollment, you'll have to go through the enrollment flow a second time to [connect your device to MDM](#enroll-in-device-management-only). After you complete the flow, your device will be connected to your organization's Azure AD domain. ![azure ad signin.](images/unifiedenrollment-rs1-13.png) -### Use the Settings app - -To create a local account and connect the device: - -1. Launch the Settings app. - - ![screen displaying windows settings](images/unifiedenrollment-rs1-14.png) - -2. Next, navigate to **Accounts**. - - ![choose windows settings accounts](images/unifiedenrollment-rs1-15.png) - -3. Navigate to **Access work or school**. - - ![choose option of access work or school](images/unifiedenrollment-rs1-16.png) - -4. Select **Connect**. - - ![Option of connect to work or school](images/unifiedenrollment-rs1-17.png) - -5. Under **Alternate Actions**, select **Join this device to Azure Active Directory**. - - ![option to join work or school account to azure ad](images/unifiedenrollment-rs1-18.png) - -6. Type in your Azure AD username. This username is the email address you use to log into Office 365 and similar services. - - ![azure ad sign in.](images/unifiedenrollment-rs1-19.png) - -7. If the tenant is a cloud-only, password hash sync, or pass-through authentication tenant, this page changes to show the organization's custom branding, and you can enter your password directly on this page. If the tenant is part of a federated domain, you're redirected to the organization's on-premises federation server, such as AD FS, for authentication. - - Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. - - If your Azure AD tenant has auto-enrollment configured, your device will also be enrolled into MDM during this flow. 
For more information, see [this blog post](https://blogs.technet.microsoft.com/enterprisemobility/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud/). If your tenant isn't configured for auto-enrollment, you'll have to go through the enrollment flow a second time to connect your device to MDM. - - After you reach the end of the flow, your device should be connected to your organization’s Azure AD domain. You may now sign out of your current account and sign in using your Azure AD username. - - ![corporate sign in screen](images/unifiedenrollment-rs1-20.png) - -### Help with connecting to an Azure AD domain - -There are a few instances where your device can't be connected to an Azure AD domain. - -| Connection issue | Description | -|-----------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Your device is connected to an Azure AD domain. | Your device can only be connected to a single Azure AD domain at a time. | -| Your device is already connected to an Active Directory domain. | Your device can either be connected to an Azure AD domain or an Active Directory domain. You can't connect to both simultaneously. | -| Your device already has a user connected to a work account. | You can either connect to an Azure AD domain or connect to a work or school account. You can't connect to both simultaneously. | -| You're logged in as a standard user. | Your device can only be connected to an Azure AD domain if you're logged in as an administrative user. You’ll need to switch to an administrator account to continue. | -| Your device is already managed by MDM. | The connect to Azure AD flow will attempt to enroll your device into MDM if your Azure AD tenant has a preconfigured MDM endpoint. 
Your device must be unenrolled from MDM to be able to connect to Azure AD in this case. | -| Your device is running Windows 10 Home. | This feature isn't available on Windows 10 Home, so you'll be unable to connect to an Azure AD domain. You'll need to upgrade to Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education to continue. | - - - -## Connect personally owned devices - - -Personally owned devices, also known as bring your own device (BYOD), can be connected to a work or school account, or to MDM. Windows 10 doesn't require a personal Microsoft account on devices to connect to work or school. - -### Connect to a work or school account - -All Windows 10-based devices can be connected to a work or school account. You can connect to a work or school account either through the Settings app or through any of the numerous Universal Windows Platform (UWP) apps, such as the universal Office apps. - -### Use the Settings app - -To create a local account and connect the device: - -1. Launch the Settings app, and then select **Accounts** >**Start** > **Settings** > **Accounts**. - - ![screen of windows settings](images/unifiedenrollment-rs1-21-b.png) - -2. Navigate to **Access work or school**. - - ![user's option of access work or school](images/unifiedenrollment-rs1-23-b.png) - -3. Select **Connect**. - - ![connect button to access the option of work or school.](images/unifiedenrollment-rs1-24-b.png) - -4. Type in your Azure AD username. This username is the email address you use to log into Office 365 and similar services. - - ![sync work or school account to azure ad.](images/unifiedenrollment-rs1-25-b.png) - -5. If the tenant is a cloud-only, password hash sync, or pass-through authentication tenant, this page changes to show the organization's custom branding, and can enter your password directly into the page. 
If the tenant is part of a federated domain, you're redirected to the organization's on-premises federation server, such as AD FS, for authentication. - - Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. - - If your Azure AD tenant has auto-enrollment configured, your device will also be enrolled into MDM during this flow. For more information, see [this blog post](https://blogs.technet.microsoft.com/enterprisemobility/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud/). If your tenant isn't configured for auto-enrollment, you'll have to go through the enrollment flow a second time to connect your device to MDM. - - Starting in Windows 10, version 1709, you'll see the status page that shows the progress of your device being set up. - - ![corporate sign in - screen and option](images/unifiedenrollment-rs1-26.png) - -6. After you complete the flow, your Microsoft account will be connected to your work or school account. - - ![account successfully added.](images/unifiedenrollment-rs1-27.png) - -### Connect to MDM on a desktop (enrolling in device management) - -All Windows 10-based devices can be connected to MDM. You can connect to an MDM through the Settings app. - -### Use the Settings app +#### Use the Settings app To create a local account and connect the device: 1. Launch the Settings app. - ![screen that displays windows settings](images/unifiedenrollment-rs1-28.png) + ![screen displaying windows settings](images/unifiedenrollment-rs1-14.png) -2. Next, navigate to **Accounts**. +1. Next, navigate to **Accounts**. - ![windows settings accounts page.](images/unifiedenrollment-rs1-29.png) + ![choose windows settings accounts](images/unifiedenrollment-rs1-15.png) -3. Navigate to **Access work or school**. +1. Navigate to **Access work or school**. 
- ![access work or school.](images/unifiedenrollment-rs1-30.png) + ![choose option of access work or school](images/unifiedenrollment-rs1-16.png) -4. Select the **Enroll only in device management** link (available in servicing build 14393.82, KB3176934). For older builds, see [Connect your Windows 10-based device to work using a deep link](mdm-enrollment-of-windows-devices.md#connect-your-windows-10-based-device-to-work-using-a-deep-link). +1. Select **Connect**. - ![connect to work or school screen](images/unifiedenrollment-rs1-31.png) + ![Option of connect to work or school](images/unifiedenrollment-rs1-17.png) -5. Type in your work email address. +1. Under **Alternate Actions**, select **Join this device to Azure Active Directory**. - ![set up work or school account screen](images/unifiedenrollment-rs1-32.png) + ![option to join work or school account to azure ad](images/unifiedenrollment-rs1-18.png) -6. If the device finds an endpoint that only supports on-premises authentication, this page will change and ask you for your password. If the device finds an MDM endpoint that supports federated authentication, you’ll be presented with a new window that will ask you for more authentication information. +1. Type in your Azure AD username. This username is the email address you use to log into Office 365 and similar services. - Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. Starting in Windows 10, version 1709, you'll see the enrollment progress on screen. + ![azure ad sign in.](images/unifiedenrollment-rs1-19.png) - ![screen to set up your device](images/unifiedenrollment-rs1-33-b.png) + If the tenant is a cloud-only, password hash sync, or pass-through authentication tenant, this page changes to show the organization's custom branding, and you can enter your password directly on this page. 
If the tenant is part of a federated domain, you're redirected to the organization's on-premises federation server, such as AD FS, for authentication. - After you complete the flow, your device will be connected to your organization’s MDM. + Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. + + If your Azure AD tenant has auto-enrollment configured, your device will also be enrolled into MDM during this flow. For more information, see [this blog post](https://blogs.technet.microsoft.com/enterprisemobility/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud/). If your tenant isn't configured for auto-enrollment, you'll have to go through the enrollment flow a second time to connect your device to MDM. + + After you reach the end of the flow, your device should be connected to your organization's Azure AD domain. You may now sign out of your current account and sign in using your Azure AD username. + + ![corporate sign in screen](images/unifiedenrollment-rs1-20.png) + +#### Help with connecting to an Azure AD domain + +There are a few instances where your device can't be connected to an Azure AD domain. + +| Connection issue | Description | +|--|--| +| Your device is connected to an Azure AD domain. | Your device can only be connected to a single Azure AD domain at a time. | +| Your device is already connected to an Active Directory domain. | Your device can either be connected to an Azure AD domain or an Active Directory domain. You can't connect to both simultaneously. | +| Your device already has a user connected to a work account. | You can either connect to an Azure AD domain or connect to a work or school account. You can't connect to both simultaneously. | +| You're logged in as a standard user. | Your device can only be connected to an Azure AD domain if you're logged in as an administrative user. You'll need to switch to an administrator account to continue. 
| +| Your device is already managed by MDM. | The connect to Azure AD flow will attempt to enroll your device into MDM if your Azure AD tenant has a preconfigured MDM endpoint. Your device must be unenrolled from MDM to be able to connect to Azure AD in this case. | +| Your device is running Home edition. | This feature isn't available on Windows Home edition, so you'll be unable to connect to an Azure AD domain. You'll need to upgrade to Pro, Enterprise, or Education edition to continue. | + +## Connect personally owned devices + +Personally owned devices, also known as bring your own device (BYOD), can be connected to a work or school account, or to MDM. Windows devices don't require a personal Microsoft account on devices to connect to work or school. + +All Windows devices can be connected to a work or school account. You can connect to a work or school account either through the Settings app or through any of the numerous Universal Windows Platform (UWP) apps, such as the universal Office apps. + +### Register device in AAD and enroll in MDM + +To create a local account and connect the device: + +1. Launch the Settings app, and then select **Accounts** >**Start** > **Settings** > **Accounts**. + + ![screen of windows settings](images/unifiedenrollment-rs1-21-b.png) + +1. Navigate to **Access work or school**. + + ![user's option of access work or school](images/unifiedenrollment-rs1-23-b.png) + +1. Select **Connect**. + + ![connect button to access the option of work or school.](images/unifiedenrollment-rs1-24-b.png) + +1. Type in your Azure AD username. This username is the email address you use to log into Office 365 and similar services. + + ![sync work or school account to azure ad.](images/unifiedenrollment-rs1-25-b.png) + +1. If the tenant is a cloud-only, password hash sync, or pass-through authentication tenant, this page changes to show the organization's custom branding, and can enter your password directly into the page. 
If the tenant is part of a federated domain, you're redirected to the organization's on-premises federation server, such as AD FS, for authentication. + + Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. + + If your Azure AD tenant has auto-enrollment configured, your device will also be enrolled into MDM during this flow. For more information, see [this blog post](https://blogs.technet.microsoft.com/enterprisemobility/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud/). If your tenant isn't configured for auto-enrollment, you'll have to go through the enrollment flow a second time to [connect your device to MDM](#enroll-in-device-management-only). + + You'll see the status page that shows the progress of your device being set up. + + ![corporate sign in - screen and option](images/unifiedenrollment-rs1-26.png) + +1. After you complete the flow, your Microsoft account will be connected to your work or school account. + + ![account successfully added.](images/unifiedenrollment-rs1-27.png) ### Help with connecting personally owned devices There are a few instances where your device may not be able to connect to work. -| Error Message | Description | -|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------| -| Your device is already connected to your organization’s cloud. | Your device is already connected to either Azure AD, a work or school account, or an AD domain. | -| We couldn't find your identity in your organization’s cloud. | The username you entered wasn't found on your Azure AD tenant. | -| Your device is already being managed by an organization. 
| Your device is either already managed by MDM or Microsoft Configuration Manager. | -| You don’t have the right privileges to perform this operation. Talk to your admin. | You can't enroll your device into MDM as a standard user. You must be on an administrator account. | -| We couldn’t auto-discover a management endpoint matching the username entered. Check your username and try again. If you know the URL to your management endpoint, enter it. | You need to provide the server URL for your MDM or check the spelling of the username you entered. | +| Error Message | Description | +|--|--| +| Your device is already connected to your organization's cloud. | Your device is already connected to either Azure AD, a work or school account, or an AD domain. | +| We couldn't find your identity in your organization's cloud. | The username you entered wasn't found on your Azure AD tenant. | +| Your device is already being managed by an organization. | Your device is either already managed by MDM or Microsoft Configuration Manager. | +| You don't have the right privileges to perform this operation. Talk to your admin. | You can't enroll your device into MDM as a standard user. You must be on an administrator account. | +| We couldn't auto-discover a management endpoint matching the username entered. Check your username and try again. If you know the URL to your management endpoint, enter it. | You need to provide the server URL for your MDM or check the spelling of the username you entered. | +## Enroll in device management only -## Connect your Windows 10-based device to work using a deep link +All Windows devices can be connected to MDM. You can connect to an MDM through the Settings app. To create a local account and connect the device: +1. Launch the Settings app. -Windows 10-based devices may be connected to work using a deep link. 
Users will be able to select or open a link in a particular format from anywhere in Windows 10, and be directed to the new enrollment experience. + ![screen that displays windows settings](images/unifiedenrollment-rs1-28.png) -In Windows 10, version 1607, deep linking will only be supported for connecting devices to MDM. It will not support adding a work or school account, joining a device to Azure AD, and joining a device to Active Directory. +1. Next, navigate to **Accounts**. + + ![windows settings accounts page.](images/unifiedenrollment-rs1-29.png) + +1. Navigate to **Access work or school**. + + ![access work or school.](images/unifiedenrollment-rs1-30.png) + +1. Select the **Enroll only in device management** link. + + ![connect to work or school screen](images/unifiedenrollment-rs1-31.png) + +1. Type in your work email address. + + ![set up work or school account screen](images/unifiedenrollment-rs1-32.png) + +1. If the device finds an endpoint that only supports on-premises authentication, this page will change and ask you for your password. If the device finds an MDM endpoint that supports federated authentication, you'll be presented with a new window that will ask you for more authentication information. + + Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. You'll see the enrollment progress on screen. + + ![screen to set up your device](images/unifiedenrollment-rs1-33-b.png) + + After you complete the flow, your device will be connected to your organization's MDM. + +## Connect your Windows device to work using a deep link + +Windows devices may be connected to work using a deep link. Users will be able to select or open a link in a particular format from anywhere in Windows, and be directed to the new enrollment experience. The deep link used for connecting your device to work will always use the following format. 
-**ms-device-enrollment:?mode={mode\_name}** +**ms-device-enrollment:?mode={mode\_name}**: -| Parameter | Description | Supported Value for Windows 10| -|-----------|--------------------------------------------------------------|----------------------------------------------| -| mode | Describes which mode will be executed in the enrollment app. Added in Windows 10, version 1607| Mobile Device Management (MDM), Adding Work Account (AWA), and Azure Active Directory-joined. | -|username | Specifies the email address or UPN of the user who should be enrolled into MDM. Added in Windows 10, version 1703. | string | -| servername | Specifies the MDM server URL that will be used to enroll the device. Added in Windows 10, version 1703. | string| -| accesstoken | Custom parameter for MDM servers to use as they see fit. Typically, this parameter's value can be used as a token to validate the enrollment request. Added in Windows 10, version 1703. | string | -| deviceidentifier | Custom parameter for MDM servers to use as they see fit. Typically, this parameter's value can be used to pass in a unique device identifier. Added in Windows 10, version 1703. | GUID | -| tenantidentifier | Custom parameter for MDM servers to use as they see fit. Typically, this parameter's value can be used to identify which tenant the device or user belongs to. Added in Windows 10, version 1703. | GUID or string | -| ownership | Custom parameter for MDM servers to use as they see fit. Typically, this parameter's value can be used to determine whether the device is BYOD or Corp Owned. Added in Windows 10, version 1703. | 1, 2, or 3. Where "1" means ownership is unknown, "2" means the device is personally owned, and "3" means the device is corporate-owned | - -> [!NOTE] -> AWA and Azure Active Directory-joined values for mode are only supported on Windows 10, version 1709 and later. 
+| Parameter | Description | Supported Value for Windows | +|--|--|--| +| mode | Describes which mode will be executed in the enrollment app. | Mobile Device Management (MDM), Adding Work Account (AWA), and Azure Active Directory-joined. | +| username | Specifies the email address or UPN of the user who should be enrolled into MDM. | string | +| servername | Specifies the MDM server URL that will be used to enroll the device. | string | +| accesstoken | Custom parameter for MDM servers to use as they see fit. Typically, this parameter's value can be used as a token to validate the enrollment request. | string | +| deviceidentifier | Custom parameter for MDM servers to use as they see fit. Typically, this parameter's value can be used to pass in a unique device identifier. | GUID | +| tenantidentifier | Custom parameter for MDM servers to use as they see fit. Typically, this parameter's value can be used to identify which tenant the device or user belongs to. | GUID or string | +| ownership | Custom parameter for MDM servers to use as they see fit. Typically, this parameter's value can be used to determine whether the device is BYOD or Corp Owned. | 1, 2, or 3. Where "1" means ownership is unknown, "2" means the device is personally owned, and "3" means the device is corporate-owned | ### Connect to MDM using a deep link 
@@ -297,9 +222,9 @@ The deep link used for connecting your device to work will always use the follow
 To connect your devices to MDM using deep links:
-1. Starting with Windows 10, version 1607, create a link to launch the built-in enrollment app using the URI **ms-device-enrollment:?mode=mdm**, and user-friendly display text, such as **Click here to connect Windows to work**:
+1. Create a link to launch the built-in enrollment app using the URI **ms-device-enrollment:?mode=mdm**, and user-friendly display text, such as **Click here to connect Windows to work**:
- (This link will launch the flow equivalent to the Enroll into the device management option in Windows 10, version 1511.)
+ (This link will launch the flow equivalent to the Enroll into the device management option.)
 - IT admins can add this link to a welcome email that users can select to enroll into MDM.
@@ -310,13 +235,13 @@ To connect your devices to MDM using deep links:
 - IT admins can also add this link to an internal web page that users refer to enrollment instructions.
-2. After you select the link or run it, Windows 10 launches the enrollment app in a special mode that only allows MDM enrollments (similar to the Enroll into device management option in Windows 10, version 1511).
+1. After you select the link or run it, Windows launches the enrollment app in a special mode that only allows MDM enrollments (similar to the Enroll into device management option).
 Type in your work email address.
 ![set up a work or school account screen](images/deeplinkenrollment3.png)
-3. If the device finds an endpoint that only supports on-premises authentication, this page will change and ask you for your password. If the device finds an MDM endpoint that supports federated authentication, you’ll be presented with a new window that will ask you for more authentication information. Based on IT policy, you may also be prompted to provide a second factor of authentication at this point.
+1. If the device finds an endpoint that only supports on-premises authentication, this page will change and ask you for your password. If the device finds an MDM endpoint that supports federated authentication, you'll be presented with a new window that will ask you for more authentication information. Based on IT policy, you may also be prompted to provide a second factor of authentication at this point.
 After you complete the flow, your device will be connected to your organization's MDM.
@@ -324,7 +249,6 @@ To connect your devices to MDM using deep links:
 ## Manage connections
-
 To manage your work or school connections, select **Settings** > **Accounts** > **Access work or school**. Your connections will show on this page and selecting one will expand options for that connection.
 ![managing work or school account.](images/unifiedenrollment-rs1-34-b.png)
@@ -333,41 +257,30 @@ To manage your work or school connections, select **Settings** > **Accounts** > The **Info** button can be found on work or school connections involving MDM. This button is included in the following scenarios: -- Connecting your device to an Azure AD domain that has auto-enroll into MDM configured. -- Connecting your device to a work or school account that has auto-enroll into MDM configured. -- Connecting your device to MDM. +- Connecting your device to an Azure AD domain that has auto-enroll into MDM configured. +- Connecting your device to a work or school account that has auto-enroll into MDM configured. +- Connecting your device to MDM. -Selecting the **Info** button will open a new page in the Settings app that provides details about your MDM connection. You’ll be able to view your organization’s support information (if configured) on this page. You’ll also be able to start a sync session that forces your device to communicate to the MDM server and fetch any updates to policies if needed. +Selecting the **Info** button will open a new page in the Settings app that provides details about your MDM connection. You'll be able to view your organization's support information (if configured) on this page. You'll also be able to start a sync session that forces your device to communicate to the MDM server and fetch any updates to policies if needed. -Starting in Windows 10, version 1709, selecting the **Info** button will show a list of policies and line-of-business apps installed by your organization. Here's an example screenshot. +Selecting the **Info** button will show a list of policies and line-of-business apps installed by your organization. Here's an example screenshot. ![work or school info.](images/unifiedenrollment-rs1-35-b.png) -> [!NOTE] -> Starting in Windows 10, version 1709, the **Manage** button is no longer available. - ### Disconnect The **Disconnect** button can be found on all work connections. 
Generally, selecting the **Disconnect** button will remove the connection from the device. There are a few exceptions to this functionality: -- Devices that enforce the AllowManualMDMUnenrollment policy won't allow users to remove MDM enrollments. These connections must be removed by a server-initiated unenroll command. -- On mobile devices, you can't disconnect from Azure AD. These connections can only be removed by wiping the device. +- Devices that enforce the AllowManualMDMUnenrollment policy won't allow users to remove MDM enrollments. These connections must be removed by a server-initiated unenroll command. +- On mobile devices, you can't disconnect from Azure AD. These connections can only be removed by wiping the device. > [!WARNING] > Disconnecting might result in the loss of data on the device. ## Collecting diagnostic logs - You can collect diagnostic logs around your work connections by going to **Settings** > **Accounts** > **Access work or school**, and then selecting the **Export your management logs** link under **Related Settings**. Next, select **Export**, and follow the path displayed to retrieve your management log files. -Starting in Windows 10, version 1709, you can get the advanced diagnostic report by going to **Settings** > **Accounts** > **Access work or school**, and selecting the **Info** button. At the bottom of the Settings page, you'll see the button to create a report, as shown here. - -![collecting enrollment management log files.](images/unifiedenrollment-rs1-37-c.png) - - - - - - +You can get the advanced diagnostic report by going to **Settings** > **Accounts** > **Access work or school**, and selecting the **Info** button. At the bottom of the Settings page, you'll see the button to create a report. +For more information, see [Collect MDM logs](mdm-collect-logs.md). diff --git a/windows/client-management/mdm-known-issues.md b/windows/client-management/mdm-known-issues.md new file mode 100644 index 0000000000..8c3dc27e89 
--- /dev/null
+++ b/windows/client-management/mdm-known-issues.md
@@ -0,0 +1,244 @@
+---
+title: Known issues in MDM
+description: Learn about known issues for Windows devices in MDM
+ms.reviewer:
+manager: aaroncz
+ms.author: vinpa
+ms.topic: article
+ms.prod: windows-client
+ms.technology: itpro-manage
+author: vinaypamnani-msft
+ms.date: 04/12/2023
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
+---
+
+# Known issues
+
+## Get command inside an atomic command isn't supported
+
+A Get command inside an atomic command isn't supported.
+
+## Apps installed using WMI classes are not removed
+
+Applications installed using WMI classes aren't removed when the MDM account is removed from device.
+
+## Passing CDATA in SyncML does not work
+
+Passing CDATA in data in SyncML to ConfigManager and CSPs doesn't work.
+
+## SSL settings in IIS server for SCEP must be set to "Ignore"
+
+The certificate setting under "SSL Settings" in the IIS server for SCEP must be set to "Ignore".
+
+:::image type="content" source="images/ssl-settings.png" alt-text="Screenshot of SSL settings in IIS.":::
+
+## MDM enrollment fails on the Windows device when traffic is going through proxy
+
+When the Windows device is configured to use a proxy that requires authentication, the enrollment will fail. To work around this issue, the user can use a proxy that doesn't require authentication or remove the proxy setting from the connected network.
+
+## Server-initiated unenrollment failure
+
+Server-initiated unenrollment for a device enrolled by adding a work account silently fails to leave the MDM account active. MDM policies and resources are still in place and the client can continue to sync with the server.
+
+Remote server unenrollment is disabled for mobile devices enrolled via Azure Active Directory Join. It returns an error message to the server. The only way to remove enrollment for a mobile device that is Azure AD joined is by remotely wiping the device.
+
+## Certificates causing issues with Wi-Fi and VPN
+
+When using the ClientCertificateInstall to install certificates to the device store and the user store and both certificates are sent to the device in the same MDM payload, the certificate intended for the device store will also get installed in the user store. This dual installation may cause issues with Wi-Fi or VPN when choosing the correct certificate to establish a connection. We're working to fix this issue.
+
+## Version information for Windows 11
+
+The software version information from **DevDetail/Ext/Microsoft/OSPlatform** doesn't match the version in **Settings** under **System/About**.
+
+## Multiple certificates might cause Wi-Fi connection instabilities
+
+In your deployment, if you have multiple certificates provisioned on the device and the Wi-Fi profile provisioned doesn't have a strict filtering criteria, you may see connection failures when connecting to Wi-Fi. The solution is to ensure that the Wi-Fi profile provisioned has strict filtering criteria such that it matches only one certificate.
+
+Enterprises deploying certificate-based EAP authentication for VPN/Wi-Fi can face a situation where there are multiple certificates that meet the default criteria for authentication. This situation can lead to issues such as:
+
+- The user may be prompted to select the certificate.
+- The wrong certificate may get auto selected and cause an authentication failure.
+
+A production ready deployment must have the appropriate certificate details as part of the profile being deployed. The following information explains how to create or update an EAP Configuration XML such that the extraneous certificates are filtered out and the appropriate certificate can be used for the authentication.
+
+EAP XML must be updated with relevant information for your environment. This task can be done either manually by editing the XML sample below, or by using the step by step UI guide.
After the EAP XML is updated, refer to instructions from your MDM to deploy the updated configuration as follows: + +- For Wi-Fi, look for the <EAPConfig> section of your current WLAN Profile XML (This detail is what you specify for the WLanXml node in the Wi-Fi CSP). Within these tags, you'll find the complete EAP configuration. Replace the section under <EAPConfig> with your updated XML and update your Wi-Fi profile. You might need to refer to your MDM's guidance on how to deploy a new Wi-Fi profile. +- For VPN, EAP Configuration is a separate field in the MDM Configuration. Work with your MDM provider to identify and update the appropriate Field. + +For information about EAP Settings, see . + +For information about generating an EAP XML, see [EAP configuration](mdm/eap-configuration.md). + +For more information about extended key usage, see . + +For information about adding extended key usage (EKU) to a certificate, see . + +The following list describes the prerequisites for a certificate to be used with EAP: + +- The certificate must have at least one of the following EKU (Extended Key Usage) properties: + - Client Authentication. + - As defined by RFC 5280, this property is a well-defined OID with Value 1.3.6.1.5.5.7.3.2. + - Any Purpose. + - An EKU, defined and published by Microsoft, is a well-defined OID with value 1.3.6.1.4.1.311.10.12.1. The inclusion of this OID implies that the certificate can be used for any purpose. The advantage of this EKU over the All Purpose EKU is that other non-critical or custom EKUs can still be added to the certificate for effective filtering. + - All Purpose. + - As defined by RFC 5280, If a CA includes extended key usages to satisfy some application needs, but doesn't want to restrict usage of the key, the CA can add an Extended Key Usage Value of 0. A certificate with such an EKU can be used for all purposes. +- The user or the computer certificate on the client chains to a trusted root CA. 
+- The user or the computer certificate doesn't fail any one of the checks that are performed by the CryptoAPI certificate store, and the certificate passes requirements in the remote access policy. +- The user or the computer certificate doesn't fail any one of the certificate object identifier checks that are specified in the Internet Authentication Service (IAS)/Radius Server. +- The Subject Alternative Name (SubjectAltName) extension in the certificate contains the user principal name (UPN) of the user. + +The following XML sample explains the properties for the EAP TLS XML including certificate filtering. + +> [!NOTE] +> For PEAP or TTLS Profiles the EAP TLS XML is embedded within some PEAP or TTLS specific elements. + +```xml + + + 13 + + + 0 + 0 + 0 + + + + + + + 13 + + + + + true + + + + + + + false + + + false + false + false + + + + + + ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff + + + + + + + + + + + ContostoITEKU + + 1.3.6.1.4.1.311.42.1.15 + + + + + + + + + ContostoITEKU + + + + + Example1 + + + true + + + + + + + + + + + +``` + +> [!NOTE] +> The EAP TLS XSD is located at **%systemdrive%\\Windows\\schemas\\EAPMethods\\eaptlsconnectionpropertiesv3.xsd** + +Alternatively you can use the following procedure to create an EAP Configuration XML. + +1. Follow steps 1 through 7 in [EAP configuration](mdm/eap-configuration.md). + +1. In the Microsoft VPN SelfHost Properties dialog box, select **Microsoft : Smart Card or other Certificate** from the drop-down menu (this drop-down menu selects EAP TLS.). + + :::image type="content" alt-text="vpn selfhost properties window." source="images/certfiltering1.png"::: + + > [!NOTE] + > For PEAP or TTLS, select the appropriate method and continue following this procedure. + +1. Click the **Properties** button underneath the drop-down menu. + +1. In the **Smart Card or other Certificate Properties** menu, select the **Advanced** button. 
+
+ :::image type="content" alt-text="smart card or other certificate properties window." source="images/certfiltering2.png":::
+
+1. In the **Configure Certificate Selection** menu, adjust the filters as needed.
+
+ :::image type="content" alt-text="configure certificate selection window." source="images/certfiltering3.png":::
+
+1. Click **OK** to close the windows to get back to the main `rasphone.exe` dialog box.
+
+1. Close the rasphone dialog box.
+
+1. Continue following the procedure in [EAP configuration](mdm/eap-configuration.md) from Step 9 to get an EAP TLS profile with appropriate filtering.
+
+> [!NOTE]
+> You can also set all the other applicable EAP Properties through this UI as well. A guide to what these properties mean can be found in [Extensible Authentication Protocol (EAP) Settings for Network Access](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh945104(v=ws.11)).
+
+## MDM client will immediately check in with the MDM server after client renews WNS channel URI
+
+After the MDM client automatically renews the WNS channel URI, the MDM client will immediately check in with the MDM server. Henceforth, for every MDM client check-in, the MDM server should send a GET request for "ProviderID/Push/ChannelURI" to retrieve the latest channel URI and compare it with the existing channel URI; then update the channel URI if necessary.
+
+## User provisioning failure in Azure Active Directory-joined devices
+
+For Azure AD joined devices, provisioning `.\User` resources fails when the user isn't logged in as an Azure AD user. If you attempt to join Azure AD from **Settings** > **System** > **About** user interface, ensure to sign out and sign in with Azure AD credentials to get your organizational configuration from your MDM server. This behavior is by design.
+ +## Requirements to note for VPN certificates also used for Kerberos Authentication + +If you want to use the certificate used for VPN authentication also for Kerberos authentication (required if you need access to on-premises resources using NTLM or Kerberos), the user's certificate must meet the requirements for smart card certificate, the Subject field should contain the DNS domain name in the DN or the SAN should contain a fully qualified UPN so that the DC can be located from the DNS registrations. If certificates that don't meet these requirements are used for VPN, users may fail to access resources that require Kerberos authentication. + +## Device management agent for the push-button reset is not working + +The DM agent for [push-button reset](/windows-hardware/manufacture/desktop/push-button-reset-overview) keeps the registry settings for OMA DM sessions, but deletes the task schedules. The client enrollment is retained, but it never syncs with the MDM service. diff --git a/windows/client-management/mdm-overview.md b/windows/client-management/mdm-overview.md index fd9f4c2321..ecc058a048 100644 --- a/windows/client-management/mdm-overview.md +++ b/windows/client-management/mdm-overview.md @@ -1,7 +1,7 @@ --- title: Mobile Device Management overview -description: Windows 10 and Windows 11 provide an enterprise-level solution to mobile management, to help IT pros comply with security policies while avoiding compromise of user's privacy. -ms.date: 08/04/2022 +description: Windows provides an enterprise-level solution to mobile management, to help IT pros comply with security policies while avoiding compromise of user's privacy. +ms.date: 04/05/2023 ms.technology: itpro-manage ms.topic: article ms.prod: windows-client 
@@ -9,29 +9,37 @@ ms.localizationpriority: medium author: vinaypamnani-msft ms.author: vinpa manager: aaroncz +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 ms.collection: - - highpri - - tier2 +- highpri +- tier2 --- # Mobile Device Management overview -Windows 10 and Windows 11 provide an enterprise management solution to help IT pros manage company security policies and business applications, while avoiding compromise of the users' privacy on their personal devices. A built-in management component can communicate with the management server. +Windows provides an enterprise management solution to help IT pros manage company security policies and business applications, while avoiding compromise of the users' privacy on their personal devices. A built-in management component can communicate with the management server. There are two parts to the Windows management component: -- The enrollment client, which enrolls and configures the device to communicate with the enterprise management server. +- The enrollment client, which enrolls and configures the device to communicate with the enterprise management server. For more information, see [Enrollment overview](mobile-device-enrollment.md). - The management client, which periodically synchronizes with the management server to check for updates and apply the latest policies set by IT. -Third-party MDM servers can manage Windows 10 by using the MDM protocol. The built-in management client is able to communicate with a third-party server proxy that supports the protocols outlined in this document to perform enterprise management tasks. The third-party server will have the same consistent first-party user experience for enrollment, which also provides simplicity for Windows 10 users. MDM servers don't need to create or download a client to manage Windows 10. 
For details about the MDM protocols, see [\[MS-MDM\]: Mobile Device Management Protocol](/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692). +Third-party MDM servers can manage Windows devices using the MDM protocol. The built-in management client is able to communicate with a third-party server proxy that supports the protocols outlined in this document to perform enterprise management tasks. The third-party server will have the same consistent first-party user experience for enrollment, which also provides simplicity for Windows users. MDM servers don't need to create or download a client to manage Windows. + +For details about the MDM protocols, see + +- [[MS-MDE2]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692) +- [[MS-MDM]: Mobile Device Management Protocol](/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f) ## MDM security baseline -With Windows 10, version 1809, Microsoft is also releasing a Microsoft MDM security baseline that functions like the Microsoft GP-based security baseline. You can easily integrate this baseline into any MDM to support IT pros' operational needs, addressing security concerns for modern cloud-managed devices. +Microsoft provides MDM security baselines that function like the Microsoft group policy security baseline. You can easily integrate this baseline into any MDM solution to support IT pros' operational needs, addressing security concerns for modern cloud-managed devices. 
The MDM security baseline includes policies that cover the following areas: -- Microsoft inbox security technology (not deprecated) such as BitLocker, Windows Defender SmartScreen, and Device Guard (virtual-based security), Exploit Guard, Microsoft Defender Antivirus, and Firewall +- Microsoft inbox security technologies (not deprecated) such as BitLocker, Windows Defender SmartScreen, Exploit Guard, Microsoft Defender Antivirus, and Firewall - Restricting remote access to devices - Setting credential requirements for passwords and PINs - Restricting use of legacy technology 
@@ -48,26 +56,22 @@ For more information about the MDM policies defined in the MDM security baseline For information about the MDM policies defined in the Intune security baseline, see [Windows security baseline settings for Intune](/mem/intune/protect/security-baseline-settings-mdm-all). -## Learn about device enrollment +## Frequently Asked Questions -- [Mobile device enrollment](mobile-device-enrollment.md) -- [Federated authentication device enrollment](federated-authentication-device-enrollment.md) -- [Certificate authentication device enrollment](certificate-authentication-device-enrollment.md) -- [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md) +### Can there be more than one MDM server to enroll and manage devices in Windows? -## Learn about device management +No. Only one MDM is allowed. -- [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md) -- [Enterprise app management](enterprise-app-management.md) -- [Mobile device management (MDM) for device updates](device-update-management.md) -- [OMA DM protocol support](oma-dm-protocol-support.md) -- [Structure of OMA DM provisioning files](structure-of-oma-dm-provisioning-files.md) -- [Server requirements for OMA DM](server-requirements-windows-mdm.md) -- [Enterprise settings, policies, and app management](windows-mdm-enterprise-settings.md) +### How do I set the maximum number of Azure Active Directory-joined devices per user? -## Learn about configuration service providers +1. Sign in to the portal as tenant admin: . +1. Navigate to **Azure AD**, then **Devices**, and then click **Device Settings**. +1. Change the number under **Maximum number of devices per user**. 
-- [WMI providers supported in Windows 10](wmi-providers-supported-in-windows.md) -- [Using PowerShell scripting with the WMI Bridge Provider](using-powershell-scripting-with-the-wmi-bridge-provider.md) -- [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) -- [Configuration service provider reference](mdm/index.yml) +### What is dmwappushsvc? + +| Entry | Description | +| --------------- | -------------------- | +| What is dmwappushsvc? | It's a Windows service that ships in Windows operating system as a part of the windows management platform. It's used internally by the operating system as a queue for categorizing and processing all Wireless Application Protocol (WAP) messages, which include Windows management messages, and Service Indication/Service Loading (SI/SL). The service also initiates and orchestrates management sync sessions with the MDM server. | +| What data is handled by dmwappushsvc? | It's a component handling the internal workings of the management platform and involved in processing messages that have been received by the device remotely for management. The messages in the queue are serviced by another component that is also part of the Windows management stack to process messages. The service also routes and authenticates WAP messages received by the device to internal OS components that process them further. This service doesn't send telemetry. | +| How do I turn if off? | The service can be stopped from the "Services" console on the device (Start > Run > services.msc) and locating *Device Management Wireless Application Protocol (WAP) Push message Routing Service*. However, since this service is a component part of the OS and required for the proper functioning of the device, we strongly recommend not to disable the service. Disabling this service will cause your management to fail. | 
diff --git a/windows/client-management/mdm/diagnosticlog-csp.md b/windows/client-management/mdm/diagnosticlog-csp.md index 34dbe6281b..19f240cd0e 100644 --- a/windows/client-management/mdm/diagnosticlog-csp.md +++ b/windows/client-management/mdm/diagnosticlog-csp.md @@ -498,7 +498,7 @@ For each channel node, the user can: - Enable or disable the channel from Event Log service to allow or disallow event data being written into the channel. - Specify an XPath query to filter events while exporting the channel event data. -For more information about using DiagnosticLog to collect logs remotely from a PC or mobile device, see [Diagnose MDM failures in Windows 10](../diagnose-mdm-failures-in-windows-10.md). +For more information about using DiagnosticLog to collect logs remotely from a PC or mobile device, see [Collect MDM logs](../mdm-collect-logs.md). diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 50b88f32ed..34a1970df8 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -4098,7 +4098,7 @@ If you disable or do not configure this policy, the default method will be used. > [!NOTE] -> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](../device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices. +> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](#changes-in-windows-10-version-1607). You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices. Allows IT Admins to specify update delays for up to four weeks. Supported values are 0-4, which refers to the number of weeks to defer updates. 
@@ -4190,7 +4190,7 @@ Allows IT Admins to specify additional upgrade delays for up to 8 months. Suppor - If the **Allow Telemetry** policy is enabled and the Options value is set to 0, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect. > [!NOTE] -> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](../device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices. +> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](#changes-in-windows-10-version-1607). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices. 
@@ -4849,7 +4849,7 @@ To validate this policy: > [!NOTE] -> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](../device-update-management.md#windows10version1607forupdatemanagement). You can continue to use PauseDeferrals for Windows 10, version 1511 devices. Allows IT Admins to pause updates and upgrades for up to 5 weeks. Paused deferrals will be reset after 5 weeks. If the Specify intranet Microsoft update service location policy is enabled, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect. If the Allow Telemetry policy is enabled and the Options value is set to 0, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect. +> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](#changes-in-windows-10-version-1607). You can continue to use PauseDeferrals for Windows 10, version 1511 devices. Allows IT Admins to pause updates and upgrades for up to 5 weeks. Paused deferrals will be reset after 5 weeks. If the Specify intranet Microsoft update service location policy is enabled, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect. If the Allow Telemetry policy is enabled and the Options value is set to 0, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect. 
@@ -4951,7 +4951,7 @@ This policy is deprecated. Use Update/RequireUpdateApproval instead. > [!NOTE] -> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](../device-update-management.md#windows10version1607forupdatemanagement). You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices. Allows the IT admin to set a device to Semi-Annual Channel train. +> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](#changes-in-windows-10-version-1607). You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices. Allows the IT admin to set a device to Semi-Annual Channel train. @@ -5254,6 +5254,27 @@ If you disable or do not configure this policy, the default notification behavio +## Changes in Windows 10, version 1607 + +Here are the new policies added in Windows 10, version 1607. Use these policies for Windows 10, version 1607 devices instead of the older policies + +- ActiveHoursEnd +- ActiveHoursStart +- AllowMUUpdateService +- BranchReadinessLevel +- DeferFeatureUpdatePeriodInDays +- DeferQualityUpdatePeriodInDays +- ExcludeWUDriversInQualityUpdate +- PauseFeatureUpdates +- PauseQualityUpdates + +Here's the list of older policies that are still supported for backward compatibility. You can use these older policies for Windows 10, version 1511 devices. + +- RequireDeferUpgrade +- DeferUpgradePeriod +- DeferUpdatePeriod +- PauseDeferrals + diff --git a/windows/client-management/mobile-device-enrollment.md b/windows/client-management/mobile-device-enrollment.md index 361556d8dd..1b1fb7c688 100644 --- a/windows/client-management/mobile-device-enrollment.md +++ b/windows/client-management/mobile-device-enrollment.md 
@@ -1,6 +1,6 @@ --- title: Mobile device enrollment -description: Learn how mobile device enrollment verifies that only authenticated and authorized devices can be managed by their enterprise. +description: Learn how mobile device enrollment verifies that only authenticated and authorized devices can be managed by their enterprise. ms.reviewer: manager: aaroncz ms.author: vinpa @@ -8,10 +8,13 @@ ms.topic: article ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft -ms.date: 08/11/2017 +ms.date: 04/05/2023 ms.collection: - - highpri - - tier2 +- highpri +- tier2 +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 --- # Mobile device enrollment 
@@ -20,63 +23,53 @@ Mobile device enrollment is the first phase of enterprise management. The device The enrollment process includes the following steps: -1. Discovery of the enrollment endpoint - - This step provides the enrollment endpoint configuration settings. - -2. Certificate installation - - This step handles user authentication, certificate generation, and certificate installation. The installed certificates will be used in the future to manage client/server Secure Sockets Layer (SSL) mutual authentication. - -3. DM Client provisioning - - This step configures the Device Management (DM) client to connect to a Mobile Device Management (MDM) server after enrollment via DM SyncML over HTTPS (also known as Open Mobile Alliance Device Management (OMA DM) XML). +1. **Discovery of the enrollment endpoint**: This step provides the enrollment endpoint configuration settings. +1. **Certificate installation**: This step handles user authentication, certificate generation, and certificate installation. The installed certificates will be used in the future to manage client/server Secure Sockets Layer (SSL) mutual authentication. +1. **DM Client provisioning**: This step configures the Device Management (DM) client to connect to a Mobile Device Management (MDM) server after enrollment via DM SyncML over HTTPS (also known as Open Mobile Alliance Device Management (OMA DM) XML). ## Enrollment protocol -There are many changes made to the enrollment protocol to better support various scenarios across all platforms. For detailed information about the mobile device enrollment protocol, see [\[MS-MDM\]: Mobile Device Management Protocol](/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347). +There are many changes made to the enrollment protocol to better support various scenarios across all platforms. 
For detailed information about the mobile device enrollment protocol, see: + +- [[MS-MDM]: Mobile Device Management Protocol](/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f). +- [[MS-MDE2]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347). The enrollment process involves the following steps: ### Discovery request - The discovery request is a simple HTTP post call that returns XML over HTTP. The returned XML includes the authentication URL, the management service URL, and the user credential type. + +The discovery request is a simple HTTP post call that returns XML over HTTP. The returned XML includes the authentication URL, the management service URL, and the user credential type. ### Certificate enrollment policy -The certificate enrollment policy configuration is an implementation of the MS-XCEP protocol, which is described in \[MS-XCEP\]: X.509 Certificate Enrollment Policy Protocol Specification. Section 4 of the specification provides an example of the policy request and response. The X.509 Certificate Enrollment Policy Protocol is a minimal messaging protocol that includes a single client request message (GetPolicies) with a matching server response message (GetPoliciesResponse). For more information, see [\[MS-XCEP\]: X.509 Certificate Enrollment Policy Protocol](/openspecs/windows_protocols/ms-xcep/08ec4475-32c2-457d-8c27-5a176660a210) + +The certificate enrollment policy configuration is an implementation of the MS-XCEP protocol, which is described in [MS-XCEP]: X.509 Certificate Enrollment Policy Protocol Specification. Section 4 of the specification provides an example of the policy request and response. The X.509 Certificate Enrollment Policy Protocol is a minimal messaging protocol that includes a single client request message (GetPolicies) with a matching server response message (GetPoliciesResponse). 
+ +For more information, see [\[MS-XCEP\]: X.509 Certificate Enrollment Policy Protocol](/openspecs/windows_protocols/ms-xcep/08ec4475-32c2-457d-8c27-5a176660a210) ### Certificate enrollment + The certificate enrollment is an implementation of the MS-WSTEP protocol. ### Management configuration + The server sends provisioning XML that contains a server certificate (for SSL server authentication), a client certificate issued by enterprise CA, DM client bootstrap information (for the client to communicate with the management server), an enterprise application token (for the user to install enterprise applications), and the link to download the Company Hub application. The following topics describe the end-to-end enrollment process using various authentication methods: -- [Federated authentication device enrollment](federated-authentication-device-enrollment.md) -- [Certificate authentication device enrollment](certificate-authentication-device-enrollment.md) -- [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md) +- [Federated authentication device enrollment](federated-authentication-device-enrollment.md) +- [Certificate authentication device enrollment](certificate-authentication-device-enrollment.md) +- [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md) -> [!Note] +> [!NOTE] > As a best practice, don't use hardcoded server-side checks on values such as: -> - User agent string -> - Any fixed URIs that are passed during enrollment -> - Specific formatting of any value unless otherwise noted, such as the format of the device ID. +> +> - User agent string +> - Any fixed URIs that are passed during enrollment +> - Specific formatting of any value unless otherwise noted, such as the format of the device ID. ## Enrollment support for domain-joined devices -Devices that are joined to an on-premises Active Directory can enroll into MDM via the Work access page in **Settings**. 
However, the enrollment can only target the user enrolled with user-specific policies. Device targeted policies will continue to impact all users of the device. - -## Disable MDM enrollments - -In Windows 10 and Windows 11, IT admin can disable MDM enrollments for domain-joined PCs using Group Policy. With the GP editor being used, the path is **Computer configuration** > **Administrative Templates** > **Windows Components** > **MDM** > **Disable MDM Enrollment**. - -![Disable MDM enrollment policy in GP Editor.](images/mdm-enrollment-disable-policy.png) - -Here's the corresponding registry key: - -HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM - -Value: DisableRegistration +Devices that are joined to an on-premises Active Directory can enroll into MDM via **Settings** > **Access work or school**. However, the enrollment can only target the user enrolled with user-specific policies. Device targeted policies will continue to impact all users of the device. ## Enrollment scenarios not supported @@ -85,6 +78,15 @@ The following scenarios don't allow MDM enrollments: - Built-in administrator accounts on Windows desktop can't enroll into MDM. - Standard users can't enroll in MDM. Only admin users can enroll. +## Disable MDM enrollments + +IT admin can disable MDM enrollments for domain-joined PCs using the **Disable MDM Enrollment** group policy. + +Group Policy Path: **Computer configuration** > **Administrative Templates** > **Windows Components** > **MDM** > **Disable MDM Enrollment**. +Corresponding registry key: `HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM\DisableRegistration (REG_DWORD)` + +![Disable MDM enrollment policy in GP Editor.](images/mdm-enrollment-disable-policy.png) + ## Enrollment error messages The enrollment server can decline enrollment messages using the SOAP Fault format. Errors created can be sent as follows: @@ -112,51 +114,19 @@ The enrollment server can decline enrollment messages using the SOAP Fault forma
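Review bot: Step 2 of the rewritten numbered list and the "Management configuration" paragraph still describe the enrollment certificates as serving "client/server Secure Sockets Layer (SSL) mutual authentication" and "SSL server authentication", while step 3 of the same list says the DM channel is SyncML over HTTPS, which is TLS; SSL is deprecated and the term misleads anyone auditing the transport. Suggest `Transport Layer Security (TLS) mutual authentication` and `(for TLS server authentication)`, adding "formerly SSL" once if the old name is wanted for searchability. The wording predates this commit and was only restyled here.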
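Review bot: The registry line in the new "Disable MDM enrollments" section folds the value name into the key path: `HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM\DisableRegistration (REG_DWORD)` reads as a subkey named DisableRegistration, whereas the removed text gave the key `HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM` and `Value: DisableRegistration` separately. It also follows the "Group Policy Path:" line with no blank line between them, so Markdown renders the two as one paragraph. Suggest a blank line and `Corresponding registry key: HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM, value DisableRegistration (REG_DWORD)` with the key and value name in code font. The data that actually disables enrollment is not stated either, which is what an auditor verifying the setting needs; I believe it is 1 when the policy is enabled, but please confirm against the ADMX before adding it.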
``` -**Sample error messages** +**Sample error messages**: -- **Namespace**: `s:` - - **Subcode**: MessageFormat - - **Error**: MENROLL_E_DEVICE_MESSAGE_FORMAT_ERROR - - **Description**: Invalid message from the Mobile Device Management (MDM) server. - - **HRESULT**: 80180001 +| Namespace | Subcode | Error | Description | HRESULT | +|-----------|----------------------|-------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------|----------| +| s: | MessageFormat | MENROLL_E_DEVICE_MESSAGE_FORMAT_ERROR | Invalid message from the Mobile Device Management (MDM) server. | 80180001 | +| s: | Authentication | MENROLL_E_DEVICE_AUTHENTICATION_ERROR | The Mobile Device Management (MDM) server failed to authenticate the user. Try again or contact your system administrator. | 80180002 | +| s: | Authorization | MENROLL_E_DEVICE_AUTHORIZATION_ERROR | The user isn't authorized to enroll to Mobile Device Management (MDM). Try again or contact your system administrator. | 80180003 | +| s: | CertificateRequest | MENROLL_E_DEVICE_CERTIFICATEREQUEST_ERROR | The user has no permission for the certificate template or the certificate authority is unreachable. Try again or contact your system administrator. | 80180004 | +| s: | EnrollmentServer | MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR | The Mobile Device Management (MDM) server encountered an error. Try again or contact your system administrator. | 80180005 | +| a: | InternalServiceFault | MENROLL_E_DEVICE_INTERNALSERVICE_ERROR | There was an unhandled exception on the Mobile Device Management (MDM) server. Try again or contact your system administrator. | 80180006 | +| a: | InvalidSecurity | MENROLL_E_DEVICE_INVALIDSECURITY_ERROR | The Mobile Device Management (MDM) server was not able to validate your account. Try again or contact your system administrator. 
| 80180007 | -- **Namespace**: `s:` - - **Subcode**: Authentication - - **Error**: MENROLL_E_DEVICE_AUTHENTICATION_ERROR - - **Description**: The Mobile Device Management (MDM) server failed to authenticate the user. Try again or contact your system administrator. - - **HRESULT**: 80180002 - -- **Namespace**: `s:` - - **Subcode**: Authorization - - **Error**: MENROLL_E_DEVICE_AUTHORIZATION_ERROR - - **Description**: The user isn't authorized to enroll to Mobile Device Management (MDM). Try again or contact your system administrator. - - **HRESULT**: 80180003 - -- **Namespace**: `s:` - - **Subcode**: CertificateRequest - - **Error**: MENROLL_E_DEVICE_CERTIFICATEREQUEST_ERROR - - **Description**: The user has no permission for the certificate template or the certificate authority is unreachable. Try again or contact your system administrator. - - **HRESULT**: 80180004 - -- **Namespace**: `s:` - - **Subcode**: EnrollmentServer - - **Error**: MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR - - **Description**: The Mobile Device Management (MDM) server encountered an error. Try again or contact your system administrator. - - **HRESULT**: 80180005 - -- **Namespace**: `a:` - - **Subcode**: InternalServiceFault - - **Error**: MENROLL_E_DEVICE_INTERNALSERVICE_ERROR - - **Description**: There was an unhandled exception on the Mobile Device Management (MDM) server. Try again or contact your system administrator. - - **HRESULT**: 80180006 - -- **Namespace**: `a:` - - **Subcode**: InvalidSecurity - - **Error**: MENROLL_E_DEVICE_INVALIDSECURITY_ERROR - - **Description**: The Mobile Device Management (MDM) server was not able to validate your account. Try again or contact your system administrator. - - **HRESULT**: 80180007 - -In Windows 10, version 1507, we added the deviceenrollmentserviceerror element. Here's an example: +SOAP format also includes `deviceenrollmentserviceerror` element. Here's an example: ```xml 
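Review bot: The new lead-in to the XML sample, "SOAP format also includes deviceenrollmentserviceerror element", drops both articles and reads as a fragment. Suggest `The SOAP format also includes the deviceenrollmentserviceerror element. Here's an example:` with the element name kept in code font as it is now.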
@@ -188,48 +158,23 @@ In Windows 10, version 1507, we added the deviceenrollmentserviceerror element.
 ```
-**Sample error messages**
+**Sample error messages**:
-- **Subcode**: DeviceCapReached
- - **Error**: MENROLL_E_DEVICECAPREACHED
- - **Description**: The account has too many devices enrolled to Mobile Device Management (MDM). Delete or unenroll old devices to fix this error.
- - **HRESULT**: 80180013
-
-- **Subcode**: DeviceNotSupported
- - **Error**: MENROLL_E_DEVICENOTSUPPORTED
- - **Description**: The Mobile Device Management (MDM) server doesn't support this platform or version, consider upgrading your device.
- - **HRESULT**: 80180014
-
-- **Subcode**: NotSupported
- - **Error**: MENROLL_E_NOT_SUPPORTED
- - **Description**: Mobile Device Management (MDM) is generally not supported for this device.
- - **HRESULT**: 80180015
-
-- **Subcode**: NotEligibleToRenew
- - **Error**: MENROLL_E_NOTELIGIBLETORENEW
- - **Description**: The device is attempting to renew the Mobile Device Management (MDM) certificate, but the server rejected the request. Check renew schedule on the device.
- - **HRESULT**: 80180016
-
-- **Subcode**: InMaintenance
- - **Error**: MENROLL_E_INMAINTENANCE
- - **Description**: The Mobile Device Management (MDM) server states your account is in maintenance, try again later.
- - **HRESULT**: 80180017
-
-- **Subcode**: UserLicense
- - **Error**: MENROLL_E_USER_LICENSE
- - **Description**: There was an error with your Mobile Device Management (MDM) user license. Contact your system administrator.
- - **HRESULT**: 80180018
-
-- **Subcode**: InvalidEnrollmentData
- - **Error**: MENROLL_E_ENROLLMENTDATAINVALID
- - **Description**: The Mobile Device Management (MDM) server rejected the enrollment data. The server may not be configured correctly.
- - **HRESULT**: 80180019 +| Subcode | Error | Description | HRESULT | +|-----------------------|---------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------|----------| +| DeviceCapReached | MENROLL_E_DEVICECAPREACHED | The account has too many devices enrolled to Mobile Device Management (MDM). Delete or unenroll old devices to fix this error. | 80180013 | +| DeviceNotSupported | MENROLL_E_DEVICENOTSUPPORTED | The Mobile Device Management (MDM) server doesn't support this platform or version, consider upgrading your device. | 80180014 | +| NotSupported | MENROLL_E_NOT_SUPPORTED | Mobile Device Management (MDM) is generally not supported for this device. | 80180015 | +| NotEligibleToRenew | MENROLL_E_NOTELIGIBLETORENEW | The device is attempting to renew the Mobile Device Management (MDM) certificate, but the server rejected the request. Check renew schedule on the device. | 80180016 | +| InMaintenance | MENROLL_E_INMAINTENANCE | The Mobile Device Management (MDM) server states your account is in maintenance, try again later. | 80180017 | +| UserLicense | MENROLL_E_USER_LICENSE | There was an error with your Mobile Device Management (MDM) user license. Contact your system administrator. | 80180018 | +| InvalidEnrollmentData | MENROLL_E_ENROLLMENTDATAINVALID | The Mobile Device Management (MDM) server rejected the enrollment data. The server may not be configured correctly. | 80180019 | TraceID is a freeform text node that is logged. It should identify the server side state for this enrollment attempt. This information may be used by support to look up why the server declined the enrollment. 
## Related topics
-- [MDM enrollment of Windows-based devices](mdm-enrollment-of-windows-devices.md)
-- [Federated authentication device enrollment](federated-authentication-device-enrollment.md)
-- [Certificate authentication device enrollment](certificate-authentication-device-enrollment.md)
-- [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md)
+- [MDM enrollment of Windows-based devices](mdm-enrollment-of-windows-devices.md)
+- [Federated authentication device enrollment](federated-authentication-device-enrollment.md)
+- [Certificate authentication device enrollment](certificate-authentication-device-enrollment.md)
+- [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md)
diff --git a/windows/client-management/new-in-windows-mdm-enrollment-management.md b/windows/client-management/new-in-windows-mdm-enrollment-management.md
index aa0fa503b7..194c51ac66 100644
--- a/windows/client-management/new-in-windows-mdm-enrollment-management.md
+++ b/windows/client-management/new-in-windows-mdm-enrollment-management.md
@@ -1,9 +1,6 @@
 ---
 title: What's new in MDM enrollment and management
-description: Discover what's new and breaking changes in Windows 10 and Windows 11 mobile device management (MDM) enrollment and management experience across all Windows 10 devices.
-MS-HAID:
- - 'p\_phdevicemgmt.mdm\_enrollment\_and\_management\_overview'
- - 'p\_phDeviceMgmt.new\_in\_windows\_mdm\_enrollment\_management'
+description: Discover what's new and breaking changes in mobile device management (MDM) enrollment and management experience across all Windows devices.
 ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
@@ -12,14 +9,17 @@ ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft ms.localizationpriority: medium -ms.date: 09/16/2022 +ms.date: 04/05/2023 +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 --- # What's new in mobile device enrollment and management -This article provides information about what's new in Windows 10 and Windows 11 mobile device management (MDM) enrollment and management experience across all Windows 10 and Windows 11 devices. This article also provides details about the breaking changes and known issues and frequently asked questions. +This article provides information about what's new in mobile device management (MDM) enrollment and management experience across all Windows devices. This article also provides details about the breaking changes and known issues and frequently asked questions. -For details about Microsoft mobile device management protocols for Windows 10 and Windows 11, see [\[MS-MDM\]: Mobile Device Management Protocol](/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347). +For details about Microsoft mobile device management protocols for Windows, see [\[MS-MDM\]: Mobile Device Management Protocol](/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347). ## What's new in MDM for Windows 11, version 22H2 @@ -52,7 +52,7 @@ For details about Microsoft mobile device management protocols for Windows 10 an | New or updated article | Description | |-----|-----| -| [Policy CSP](mdm/policy-configuration-service-provider.md) | Added the following nodes:
  • ApplicationManagement/BlockNonAdminUserInstall
  • Bluetooth/SetMinimumEncryptionKeySize
  • DeliveryOptimization/DOCacheHostSource
  • DeliveryOptimization/DOMaxBackgroundDownloadBandwidth
  • DeliveryOptimization/DOMaxForegroundDownloadBandwidth
  • Education/AllowGraphingCalculator
  • TextInput/ConfigureJapaneseIMEVersion
  • TextInput/ConfigureSimplifiedChineseIMEVersion
  • TextInput/ConfigureTraditionalChineseIMEVersion

    Updated the following policy in Windows 10, version 2004:
  • DeliveryOptimization/DOCacheHost

    Deprecated the following policies in Windows 10, version 2004:
  • DeliveryOptimization/DOMaxDownloadBandwidth
  • DeliveryOptimization/DOMaxUploadBandwidth
  • DeliveryOptimization/DOPercentageMaxDownloadBandwidth | +| [Policy CSP](mdm/policy-configuration-service-provider.md) | Added the following nodes:
  • ApplicationManagement/BlockNonAdminUserInstall
  • Bluetooth/SetMinimumEncryptionKeySize
  • DeliveryOptimization/DOCacheHostSource
  • DeliveryOptimization/DOMaxBackgroundDownloadBandwidth
  • DeliveryOptimization/DOMaxForegroundDownloadBandwidth
  • Education/AllowGraphingCalculator
  • TextInput/ConfigureJapaneseIMEVersion
  • TextInput/ConfigureSimplifiedChineseIMEVersion
  • TextInput/ConfigureTraditionalChineseIMEVersion

    Updated the following policy:
  • DeliveryOptimization/DOCacheHost

    Deprecated the following policies:
  • DeliveryOptimization/DOMaxDownloadBandwidth
  • DeliveryOptimization/DOMaxUploadBandwidth
  • DeliveryOptimization/DOPercentageMaxDownloadBandwidth | | [DevDetail CSP](mdm/devdetail-csp.md) | Added the following new node:
  • Ext/Microsoft/DNSComputerName | | [EnterpriseModernAppManagement CSP](mdm/enterprisemodernappmanagement-csp.md) | Added the following node:
  • IsStub | | [SUPL CSP](mdm/supl-csp.md) | Added the following node:
  • FullVersion | @@ -71,7 +71,7 @@ For details about Microsoft mobile device management protocols for Windows 10 an | [Policy CSP - Audit](mdm/policy-csp-audit.md) | Added the new Audit policy CSP. | | [ApplicationControl CSP](mdm/applicationcontrol-csp.md) | Added the new CSP. | | [Defender CSP](mdm/defender-csp.md) | Added the following new nodes:
  • Health/TamperProtectionEnabled
  • Health/IsVirtualMachine
  • Configuration
  • Configuration/TamperProtection
  • Configuration/EnableFileHashComputation | -| [DiagnosticLog CSP](mdm/diagnosticlog-csp.md)
    [DiagnosticLog DDF](mdm/diagnosticlog-ddf.md) | Added version 1.4 of the CSP in Windows 10, version 1903.
    Added the new 1.4 version of the DDF.
    Added the following new nodes:
  • Policy
  • Policy/Channels
  • Policy/Channels/ChannelName
  • Policy/Channels/ChannelName/MaximumFileSize
  • Policy/Channels/ChannelName/SDDL
  • Policy/Channels/ChannelName/ActionWhenFull
  • Policy/Channels/ChannelName/Enabled
  • DiagnosticArchive
  • DiagnosticArchive/ArchiveDefinition
  • DiagnosticArchive/ArchiveResults | +| [DiagnosticLog CSP](mdm/diagnosticlog-csp.md)
    [DiagnosticLog DDF](mdm/diagnosticlog-ddf.md) | Added version 1.4 of the CSP.
    Added the new 1.4 version of the DDF.
    Added the following new nodes:
  • Policy
  • Policy/Channels
  • Policy/Channels/ChannelName
  • Policy/Channels/ChannelName/MaximumFileSize
  • Policy/Channels/ChannelName/SDDL
  • Policy/Channels/ChannelName/ActionWhenFull
  • Policy/Channels/ChannelName/Enabled
  • DiagnosticArchive
  • DiagnosticArchive/ArchiveDefinition
  • DiagnosticArchive/ArchiveResults | | [EnrollmentStatusTracking CSP](mdm/enrollmentstatustracking-csp.md) | Added the new CSP. | | [PassportForWork CSP](mdm/passportforwork-csp.md) | Added the following new nodes:
  • SecurityKey
  • SecurityKey/UseSecurityKeyForSignin | @@ -80,7 +80,7 @@ For details about Microsoft mobile device management protocols for Windows 10 an | New or updated article | Description | |-----|-----| |[Policy CSP](mdm/policy-configuration-service-provider.md) | Added the following nodes:
  • ApplicationManagement/LaunchAppAfterLogOn
  • ApplicationManagement/ScheduleForceRestartForUpdateFailures
  • Authentication/EnableFastFirstSignIn (Preview mode only
  • Authentication/EnableWebSignIn (Preview mode only
  • Authentication/PreferredAadTenantDomainName
  • Browser/AllowFullScreenMode
  • Browser/AllowPrelaunch
  • Browser/AllowPrinting
  • Browser/AllowSavingHistory
  • Browser/AllowSideloadingOfExtensions
  • Browser/AllowTabPreloading
  • Browser/AllowWebContentOnNewTabPage
  • Browser/ConfigureFavoritesBar
  • Browser/ConfigureHomeButton
  • Browser/ConfigureKioskMode
  • Browser/ConfigureKioskResetAfterIdleTimeout
  • Browser/ConfigureOpenMicrosoftEdgeWith
  • Browser/ConfigureTelemetryForMicrosoft365Analytics
  • Browser/PreventCertErrorOverrides
  • Browser/SetHomeButtonURL
  • Browser/SetNewTabPageURL
  • Browser/UnlockHomeButton
  • Defender/CheckForSignaturesBeforeRunningScan
  • Defender/DisableCatchupFullScan
  • Defender/DisableCatchupQuickScan
  • Defender/EnableLowCPUPriority
  • Defender/SignatureUpdateFallbackOrder
  • Defender/SignatureUpdateFileSharesSources
  • DeviceGuard/ConfigureSystemGuardLaunch
  • DeviceInstallation/AllowInstallationOfMatchingDeviceIDs
  • DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses
  • DeviceInstallation/PreventDeviceMetadataFromNetwork
  • DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings
  • DmaGuard/DeviceEnumerationPolicy
  • Experience/AllowClipboardHistory
  • Experience/DoNotSyncBrowserSettings
  • Experience/PreventUsersFromTurningOnBrowserSyncing
  • Kerberos/UPNNameHints
  • Privacy/AllowCrossDeviceClipboard
  • Privacy/DisablePrivacyExperience
  • Privacy/UploadUserActivities
  • Security/RecoveryEnvironmentAuthentication
  • System/AllowDeviceNameInDiagnosticData
  • System/ConfigureMicrosoft365UploadEndpoint
  • System/DisableDeviceDelete
  • System/DisableDiagnosticDataViewer
  • Storage/RemovableDiskDenyWriteAccess
  • TaskManager/AllowEndTask
  • Update/DisableWUfBSafeguards
  • Update/EngagedRestartDeadlineForFeatureUpdates
  • Update/EngagedRestartSnoozeScheduleForFeatureUpdates
  • Update/EngagedRestartTransitionScheduleForFeatureUpdates
  • Update/SetDisablePauseUXAccess
  • Update/SetDisableUXWUAccess
  • WindowsDefenderSecurityCenter/DisableClearTpmButton
  • WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning
  • WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl
  • WindowsLogon/DontDisplayNetworkSelectionUI | -| [BitLocker CSP](mdm/bitlocker-csp.md) | Added a new node AllowStandardUserEncryption.
  • Added support for Windows 10 Pro. | +| [BitLocker CSP](mdm/bitlocker-csp.md) | Added a new node AllowStandardUserEncryption.
  • Added support for Pro edition. | | [Defender CSP](mdm/defender-csp.md) | Added a new node Health/ProductStatus. | | [DevDetail CSP](mdm/devdetail-csp.md) | Added a new node SMBIOSSerialNumber. | | [EnterpriseModernAppManagement CSP](mdm/enterprisemodernappmanagement-csp.md) | Added NonRemovable setting under AppManagement node. | 
@@ -93,256 +93,3 @@ For details about Microsoft mobile device management protocols for Windows 10 an
 | [WindowsDefenderApplicationGuard CSP](mdm/windowsdefenderapplicationguard-csp.md) | Added new settings. |
 | [WindowsLicensing CSP](mdm/windowslicensing-csp.md) | Added S mode settings and SyncML examples. |
 | [Win32CompatibilityAppraiser CSP](mdm/win32compatibilityappraiser-csp.md) | New CSP. |
-
-## Breaking changes and known issues
-
-### Get command inside an atomic command isn't supported
-
-In Windows 10 and Windows 11, a Get command inside an atomic command isn't supported.
-
-### Apps installed using WMI classes are not removed
-
-Applications installed using WMI classes aren't removed when the MDM account is removed from device.
-
-### Passing CDATA in SyncML does not work
-
-Passing CDATA in data in SyncML to ConfigManager and CSPs doesn't work in Windows 10 and Windows 11.
-
-### SSL settings in IIS server for SCEP must be set to "Ignore"
-
-The certificate setting under "SSL Settings" in the IIS server for SCEP must be set to "Ignore" in Windows 10 and Windows 11.
-
-![ssl settings.](images/ssl-settings.png)
-
-### MDM enrollment fails on the Windows device when traffic is going through proxy
-
-When the Windows device is configured to use a proxy that requires authentication, the enrollment will fail. To work around this issue, the user can use a proxy that doesn't require authentication or remove the proxy setting from the connected network.
-
-### Server-initiated unenrollment failure
-
-Server-initiated unenrollment for a device enrolled by adding a work account silently fails to leave the MDM account active. MDM policies and resources are still in place and the client can continue to sync with the server.
-
-Remote server unenrollment is disabled for mobile devices enrolled via Azure Active Directory Join. It returns an error message to the server.
The only way to remove enrollment for a mobile device that is Azure AD joined is by remotely wiping the device. - -### Certificates causing issues with Wi-Fi and VPN - -In Windows 10 and Windows 11, when using the ClientCertificateInstall to install certificates to the device store and the user store and both certificates are sent to the device in the same MDM payload, the certificate intended for the device store will also get installed in the user store. This dual installation may cause issues with Wi-Fi or VPN when choosing the correct certificate to establish a connection. We're working to fix this issue. - -### Version information for Windows 11 - -The software version information from **DevDetail/Ext/Microsoft/OSPlatform** doesn't match the version in **Settings** under **System/About**. - -### Multiple certificates might cause Wi-Fi connection instabilities in Windows 10 and Windows 11 - -In your deployment, if you have multiple certificates provisioned on the device and the Wi-Fi profile provisioned doesn't have a strict filtering criteria, you may see connection failures when connecting to Wi-Fi. The solution is to ensure that the Wi-Fi profile provisioned has strict filtering criteria such that it matches only one certificate. - -Enterprises deploying certificate-based EAP authentication for VPN/Wi-Fi can face a situation where there are multiple certificates that meet the default criteria for authentication. This situation can lead to issues such as: - -- The user may be prompted to select the certificate. -- The wrong certificate may get auto selected and cause an authentication failure. - -A production ready deployment must have the appropriate certificate details as part of the profile being deployed. The following information explains how to create or update an EAP Configuration XML such that the extraneous certificates are filtered out and the appropriate certificate can be used for the authentication. 
- -EAP XML must be updated with relevant information for your environment. This task can be done either manually by editing the XML sample below, or by using the step by step UI guide. After the EAP XML is updated, refer to instructions from your MDM to deploy the updated configuration as follows: - -- For Wi-Fi, look for the <EAPConfig> section of your current WLAN Profile XML (This detail is what you specify for the WLanXml node in the Wi-Fi CSP). Within these tags, you'll find the complete EAP configuration. Replace the section under <EAPConfig> with your updated XML and update your Wi-Fi profile. You might need to refer to your MDM’s guidance on how to deploy a new Wi-Fi profile. -- For VPN, EAP Configuration is a separate field in the MDM Configuration. Work with your MDM provider to identify and update the appropriate Field. - -For information about EAP Settings, see . - -For information about generating an EAP XML, see [EAP configuration](mdm/eap-configuration.md). - -For more information about extended key usage, see . - -For information about adding extended key usage (EKU) to a certificate, see . - -The following list describes the prerequisites for a certificate to be used with EAP: - -- The certificate must have at least one of the following EKU (Extended Key Usage) properties: - - Client Authentication. - - As defined by RFC 5280, this property is a well-defined OID with Value 1.3.6.1.5.5.7.3.2. - - Any Purpose. - - An EKU, defined and published by Microsoft, is a well-defined OID with value 1.3.6.1.4.1.311.10.12.1. The inclusion of this OID implies that the certificate can be used for any purpose. The advantage of this EKU over the All Purpose EKU is that other non-critical or custom EKUs can still be added to the certificate for effective filtering. - - All Purpose. 
- - As defined by RFC 5280, If a CA includes extended key usages to satisfy some application needs, but doesn't want to restrict usage of the key, the CA can add an Extended Key Usage Value of 0. A certificate with such an EKU can be used for all purposes. -- The user or the computer certificate on the client chains to a trusted root CA. -- The user or the computer certificate doesn't fail any one of the checks that are performed by the CryptoAPI certificate store, and the certificate passes requirements in the remote access policy. -- The user or the computer certificate doesn't fail any one of the certificate object identifier checks that are specified in the Internet Authentication Service (IAS)/Radius Server. -- The Subject Alternative Name (SubjectAltName) extension in the certificate contains the user principal name (UPN) of the user. - -The following XML sample explains the properties for the EAP TLS XML including certificate filtering. - -> [!NOTE] -> For PEAP or TTLS Profiles the EAP TLS XML is embedded within some PEAP or TTLS specific elements. - -```xml - - - 13 - - - 0 - 0 - 0 - - - - - - - 13 - - - - - true - - - - - - - false - - - false - false - false - - - - - - ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff - - - - - - - - - - - ContostoITEKU - - 1.3.6.1.4.1.311.42.1.15 - - - - - - - - - ContostoITEKU - - - - - Example1 - - - true - - - - - - - - - - - -``` - -> [!NOTE] -> The EAP TLS XSD is located at **%systemdrive%\\Windows\\schemas\\EAPMethods\\eaptlsconnectionpropertiesv3.xsd** - -Alternatively you can use the following procedure to create an EAP Configuration XML. - -1. Follow steps 1 through 7 in [EAP configuration](mdm/eap-configuration.md). - -2. In the Microsoft VPN SelfHost Properties dialog box, select **Microsoft : Smart Card or other Certificate** from the drop-down menu (this drop-down menu selects EAP TLS.). - - :::image type="content" alt-text="vpn selfhost properties window." 
source="images/certfiltering1.png":::
-
- > [!NOTE]
- > For PEAP or TTLS, select the appropriate method and continue following this procedure.
-
-3. Click the **Properties** button underneath the drop-down menu.
-
-4. In the **Smart Card or other Certificate Properties** menu, select the **Advanced** button.
-
- :::image type="content" alt-text="smart card or other certificate properties window." source="images/certfiltering2.png":::
-
-5. In the **Configure Certificate Selection** menu, adjust the filters as needed.
-
- :::image type="content" alt-text="configure certificate selection window." source="images/certfiltering3.png":::
-
-6. Click **OK** to close the windows to get back to the main rasphone.exe dialog box.
-
-7. Close the rasphone dialog box.
-
-8. Continue following the procedure in [EAP configuration](mdm/eap-configuration.md) from Step 9 to get an EAP TLS profile with appropriate filtering.
-
-> [!NOTE]
-> You can also set all the other applicable EAP Properties through this UI as well. A guide to what these properties mean can be found in [Extensible Authentication Protocol (EAP) Settings for Network Access](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh945104(v=ws.11)).
-
-### MDM client will immediately check in with the MDM server after client renews WNS channel URI
-
-After the MDM client automatically renews the WNS channel URI, the MDM client will immediately check in with the MDM server. Henceforth, for every MDM client check-in, the MDM server should send a GET request for "ProviderID/Push/ChannelURI" to retrieve the latest channel URI and compare it with the existing channel URI; then update the channel URI if necessary.
-
-### User provisioning failure in Azure Active Directory-joined Windows 10 and Windows 11 devices
-
-In Azure AD joined Windows 10 and Windows 11, provisioning /.User resources fails when the user isn't logged in as an Azure AD user. 
If you attempt to join Azure AD from **Settings** > **System** > **About** user interface, ensure to sign out and sign in with Azure AD credentials to get your organizational configuration from your MDM server. This behavior is by design.
-
-### Requirements to note for VPN certificates also used for Kerberos Authentication
-
-If you want to use the certificate used for VPN authentication also for Kerberos authentication (required if you need access to on-premises resources using NTLM or Kerberos), the user's certificate must meet the requirements for smart card certificate, the Subject field should contain the DNS domain name in the DN or the SAN should contain a fully qualified UPN so that the DC can be located from the DNS registrations. If certificates that don't meet these requirements are used for VPN, users may fail to access resources that require Kerberos authentication.
-
-### Device management agent for the push-button reset is not working
-
-The DM agent for [push-button reset](/windows-hardware/manufacture/desktop/push-button-reset-overview) keeps the registry settings for OMA DM sessions, but deletes the task schedules. The client enrollment is retained, but it never syncs with the MDM service.
-
-## Frequently Asked Questions
-
-### Can there be more than one MDM server to enroll and manage devices in Windows 10 or 11?
-
-No. Only one MDM is allowed.
-
-### How do I set the maximum number of Azure Active Directory-joined devices per user?
-
-1. Sign in to the portal as tenant admin: https://portal.azure.com.
-2. Select Active Directory on the left pane.
-3. Choose your tenant.
-4. Select **Configure**.
-5. Set quota to unlimited.
-
- :::image type="content" alt-text="aad maximum joined devices." source="images/faq-max-devices.png":::
-
-### What is dmwappushsvc?
-
-Entry | Description
---------------- | --------------------
-What is dmwappushsvc? 
| It's a Windows service that ships in Windows 10 and Windows 11 operating system as a part of the windows management platform. It's used internally by the operating system as a queue for categorizing and processing all Wireless Application Protocol (WAP) messages, which include Windows management messages, and Service Indication/Service Loading (SI/SL). The service also initiates and orchestrates management sync sessions with the MDM server. |
-What data is handled by dmwappushsvc? | It's a component handling the internal workings of the management platform and involved in processing messages that have been received by the device remotely for management. The messages in the queue are serviced by another component that is also part of the Windows management stack to process messages. The service also routes and authenticates WAP messages received by the device to internal OS components that process them further. This service doesn't send telemetry.|
-How do I turn if off? | The service can be stopped from the "Services" console on the device (Start > Run > services.msc) and locating *Device Management Wireless Application Protocol (WAP) Push message Routing Service*. However, since this service is a component part of the OS and required for the proper functioning of the device, we strongly recommend not to disable the service. Disabling this service will cause your management to fail.|
diff --git a/windows/client-management/new-policies-for-windows-10.md b/windows/client-management/new-policies-for-windows-10.md
deleted file mode 100644
index 0adc1b4483..0000000000
--- a/windows/client-management/new-policies-for-windows-10.md
+++ /dev/null
@@ -1,517 +0,0 @@
----
-title: New policies for Windows 10 (Windows 10)
-description: Learn how Windows 10 includes new policies for management, like Group Policy settings for the Windows system and components.
-ms.reviewer:
-manager: aaroncz
-ms.author: vinpa
-ms.prod: windows-client
-author: vinaypamnani-msft
-ms.localizationpriority: medium
-ms.date: 09/15/2021
-ms.topic: reference
-ms.technology: itpro-manage
----
-
-# New policies for Windows 10
-
-
-**Applies to**
-
-- Windows 10
-- Windows 11
-
-As of September 2020 This page will no longer be updated. To find the Group Polices that ship in each version of Windows, refer to the Group Policy Settings Reference Spreadsheet. You can always locate the most recent version of the Spreadsheet by searching the Internet for "Windows Version + Group Policy Settings Reference".
-
-For example, searching for "Windows 2004" + "Group Policy Settings Reference Spreadsheet" in a web browser will return to you the link to download the Group Policy Settings Reference Spreadsheet for Windows 2004.
-
-The latest [group policy reference for Windows 10 version 2004 is available here](https://www.microsoft.com/download/101451).
-
-## New Group Policy settings in Windows 10, version 1903
-
-The following Group Policy settings were added in Windows 10, version 1903:
-
-**System**
-
-- System\Service Control Manager Settings\Security Settings\Enable svchost.exe mitigation options
-- System\Storage Sense\Allow Storage Sense
-- System\Storage Sense\Allow Storage Sense Temporary Files cleanup
-- System\Storage Sense\Configure Storage Sense
-- System\Storage Sense\Configure Storage Sense Cloud content dehydration threshold
-- System\Storage Sense\Configure Storage Sense Recycle Bin cleanup threshold
-- System\Storage Sense\Configure Storage Sense Downloads cleanup threshold
-- System\Troubleshooting and Diagnostics\Microsoft Support Diagnostic Tool\Troubleshooting:Allow users to access recommended troubleshooting for known problems
-
-
-**Windows Components**
-
-- Windows Components\App Privacy\Let Windows apps activate with voice
-- Windows Components\App Privacy\Let Windows apps activate with voice while the system is locked
-- Windows Components\Data Collection and Preview Builds\Allow commercial data pipeline
-- Windows Components\Data Collection and Preview Builds\Configure collection of browsing data for Desktop Analytics
-- Windows Components\Data Collection and Preview Builds\Configure diagnostic data upload endpoint for Desktop Analytics
-- Windows Components\Delivery Optimization\Delay background download Cache Server fallback (in seconds)
-- Windows Components\Delivery Optimization\Delay Foreground download Cache Server fallback (in seconds)
-- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\Use WDDM graphics display driver for Remote Desktop Connections
-- Windows Components\Windows Logon Options\Configure the mode of automatically signing in and locking last interactive user after a restart or cold boot
-
-## New Group Policy settings in Windows 10, version 1809
-
-The following Group Policy settings were added in Windows 10, version 
1809:
-
-**Start Menu and Taskbar**
-
-- Start Menu and Taskbar\Force Start to be either full screen size or menu size
-- Start Menu and Taskbar\Remove "Recently added" list from Start Menu
-- Start Menu and Taskbar\Remove All Programs list from the Start menu
-- Start Menu and Taskbar\Remove frequent programs list from the Start Menu
-
-**System**
-
-- System\Group Policy\Allow asynchronous user Group Policy processing when logging on through Remote Desktop Services
-- System\Group Policy\Configure Applications preference extension policy processing
-- System\Group Policy\Configure Data Sources preference extension policy processing
-- System\Group Policy\Configure Devices preference extension policy processing
-- System\Group Policy\Configure Drive Maps preference extension policy processing
-- System\Group Policy\Configure Environment preference extension policy processing
-- System\Group Policy\Configure Files preference extension policy processing
-- System\Group Policy\Configure Folder Options preference extension policy processing
-- System\Group Policy\Configure Folders preference extension policy processing
-- System\Group Policy\Configure Ini Files preference extension policy processing
-- System\Group Policy\Configure Internet Settings preference extension policy processing
-- System\Group Policy\Configure Local Users and Groups preference extension policy processing
-- System\Group Policy\Configure Network Options preference extension policy processing
-- System\Group Policy\Configure Network Shares preference extension policy processing
-- System\Group Policy\Configure Power Options preference extension policy processing
-- System\Group Policy\Configure Printers preference extension policy processing
-- System\Group Policy\Configure Regional Options preference extension policy processing
-- System\Group Policy\Configure Registry preference extension policy processing
-- System\Group Policy\Configure Scheduled Tasks preference extension policy 
processing
-- System\Group Policy\Configure Services preference extension policy processing
-- System\Group Policy\Configure Shortcuts preference extension policy processing
-- System\Group Policy\Configure Start Menu preference extension policy processing
-- System\Group Policy\Logging and tracing\Configure Applications preference logging and tracing
-- System\Group Policy\Logging and tracing\Configure Data Sources preference logging and tracing
-- System\Group Policy\Logging and tracing\Configure Devices preference logging and tracing
-- System\Group Policy\Logging and tracing\Configure Drive Maps preference logging and tracing
-- System\Group Policy\Logging and tracing\Configure Environment preference logging and tracing
-- System\Group Policy\Logging and tracing\Configure Files preference logging and tracing
-- System\Group Policy\Logging and tracing\Configure Folder Options preference logging and tracing
-- System\Group Policy\Logging and tracing\Configure Folders preference logging and tracing
-- System\Group Policy\Logging and tracing\Configure INI Files preference logging and tracing
-- System\Group Policy\Logging and tracing\Configure Internet Settings preference logging and tracing
-- System\Group Policy\Logging and tracing\Configure Local Users and Groups preference logging and tracing
-- System\Group Policy\Logging and tracing\Configure Network Options preference logging and tracing
-- System\Group Policy\Logging and tracing\Configure Network Shares preference logging and tracing
-- System\Group Policy\Logging and tracing\Configure Power Options preference logging and tracing
-- System\Group Policy\Logging and tracing\Configure Printers preference logging and tracing
-- System\Group Policy\Logging and tracing\Configure Regional Options preference logging and tracing
-- System\Group Policy\Logging and tracing\Configure Registry preference logging and tracing
-- System\Group Policy\Logging and tracing\Configure Scheduled Tasks preference logging and 
tracing
-- System\Group Policy\Logging and tracing\Configure Services preference logging and tracing
-- System\Group Policy\Logging and tracing\Configure Shortcuts preference logging and tracing
-- System\Group Policy\Logging and tracing\Configure Start Menu preference logging and tracing
-- System\Kernel DMA Protection\Enumeration policy for external devices incompatible with Kernel DMA Protection
-- System\OS Policies\Allow Clipboard History
-- System\OS Policies\Allow Clipboard synchronization across devices
-
-**Windows Components**
-
-- Windows Components\Data Collection and Preview Builds\Configure Microsoft 365 Update Readiness upload endpoint
-- Windows Components\Data Collection and Preview Builds\Disable deleting diagnostic data
-- Windows Components\Data Collection and Preview Builds\Disable diagnostic data viewer
-- Windows Components\Delivery Optimization\[Reserved for future use] Cache Server Hostname
-- Windows Components\Location and Sensors\Windows Location Provider\Turn off Windows Location Provider
-- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\DFS Management
-- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\File Server Resource Manager
-- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Share and Storage Management
-- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Storage Manager for SANs
-- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins\DFS Management Extension
-- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins\Disk Management Extension
-- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins\File Server Resource Manager Extension
-- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins\Share and Storage Management Extension
-- Windows 
Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins\Storage Manager for SANS Extension
-- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy Management Editor
-- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy Starter GPO Editor
-- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Application snap-ins
-- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Applications preference extension
-- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Control Panel Settings (Computers)
-- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Control Panel Settings (Users)
-- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Data Sources preference extension
-- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Devices preference extension
-- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Drive Maps preference extension
-- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Environment preference extension
-- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Files preference extension
-- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference 
snap-in extensions\Permit use of Folder Options preference extension
-- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Folders preference extension
-- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Ini Files preference extension
-- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Internet Settings preference extension
-- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Local Users and Groups preference extension
-- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Network Options preference extension
-- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Network Shares preference extension
-- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Power Options preference extension
-- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Preferences tab
-- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Printers preference extension
-- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Regional Options preference extension
-- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Registry preference extension
-- Windows Components\Microsoft Management 
Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Scheduled Tasks preference extension
-- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Services preference extension
-- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Shortcuts preference extension
-- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Start Menu preference extension
-- Windows Components\OOBE\Don't launch privacy settings experience on user logon
-- Windows Components\OOBE\Don't launch privacy settings experience on user logon
-- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Application Compatibility\Do not use Remote Desktop Session Host server IP address when virtual IP address is not available
-- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Application Compatibility\Select the network adapter to be used for Remote Desktop IP Virtualization
-- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Application Compatibility\Turn off Windows Installer RDS Compatibility
-- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Application Compatibility\Turn on Remote Desktop IP Virtualization
-- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Allow remote start of unlisted programs
-- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Turn off Fair Share CPU Scheduling
-- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Allow time zone redirection
-- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Do not allow Clipboard redirection
-- Windows 
Components\Remote Desktop Services\Remote Desktop Session Host\Printer Redirection\Redirect only the default client printer
-- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Printer Redirection\Redirect only the default client printer
-- Windows Components\Remote Desktop Services\Remote Desktop Session Host\RD Connection Broker\Use RD Connection Broker load balancing
-- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\Allow desktop composition for remote desktop sessions
-- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\Always show desktop on connection
-- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\Do not allow font smoothing
-- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\Remove remote desktop wallpaper
-- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\Set time limit for logoff of RemoteApp sessions
-- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\Set time limit for logoff of RemoteApp sessions
-- Windows Components\Microsoft Defender Antivirus\Configure detection for potentially unwanted applications
-- Windows Components\Microsoft Defender Antivirus\Scan\Configure low CPU priority for scheduled scans
-- Windows Components\Windows Defender Application Guard\Allow camera and microphone access in Windows Defender Application Guard
-- Windows Components\Windows Defender Application Guard\Allow users to trust files that open in Windows Defender Application Guard
-- Windows Components\Windows Defender Application Guard\Allow Windows Defender Application Guard to use Root Certificate Authorities from the user’s device
-- Windows Components\Windows Defender Application Guard\Configure additional sources for untrusted files in Windows Defender Application 
Guard
-- Windows Components\Windows Hello for Business\Use Windows Hello for Business certificates as smart card certificates
-- Windows Components\Windows Media Player\Do Not Show First Use Dialog Boxes
-- Windows Components\Windows Media Player\Prevent Automatic Updates
-- Windows Components\Windows Media Player\Prevent CD and DVD Media Information Retrieval
-- Windows Components\Windows Media Player\Prevent Desktop Shortcut Creation
-- Windows Components\Windows Media Player\Prevent Media Sharing
-- Windows Components\Windows Media Player\Prevent Music File Media Information Retrieval
-- Windows Components\Windows Media Player\Prevent Quick Launch Toolbar Shortcut Creation
-- Windows Components\Windows Media Player\Prevent Radio Station Preset Retrieval
-- Windows Components\Windows Media Player\Prevent Video Smoothing
-- Windows Components\Windows Media Player\Networking\Configure HTTP Proxy
-- Windows Components\Windows Media Player\Networking\Configure MMS Proxy
-- Windows Components\Windows Media Player\Networking\Configure Network Buffering
-- Windows Components\Windows Media Player\Networking\Configure RTSP Proxy
-- Windows Components\Windows Media Player\Networking\Hide Network Tab
-- Windows Components\Windows Media Player\Networking\Streaming Media Protocols
-- Windows Components\Windows Media Player\Playback\Allow Screen Saver
-- Windows Components\Windows Media Player\Playback\Prevent Codec Download
-- Windows Components\Windows Media Player\User Interface\Do Not Show Anchor
-- Windows Components\Windows Media Player\User Interface\Hide Privacy Tab
-- Windows Components\Windows Media Player\User Interface\Hide Security Tab
-- Windows Components\Windows Media Player\User Interface\Set and Lock Skin
-- Windows Components\Windows Security\Account protection\Hide the Account protection area
-- Windows Components\Windows Security\App and browser protection\Hide the App and browser protection area
-- Windows Components\Windows Security\App and browser 
protection\Prevent users from modifying settings
-- Windows Components\Windows Security\Device performance and health\Hide the Device performance and health area
-- Windows Components\Windows Security\Device security\Disable the Clear TPM button
-- Windows Components\Windows Security\Device security\Hide the Device security area
-- Windows Components\Windows Security\Device security\Hide the Secure boot area
-- Windows Components\Windows Security\Device security\Hide the Security processor (TPM) troubleshooter page
-- Windows Components\Windows Security\Device security\Hide the TPM Firmware Update recommendation
-- Windows Components\Windows Security\Enterprise Customization\Configure customized contact information
-- Windows Components\Windows Security\Enterprise Customization\Configure customized notifications
-- Windows Components\Windows Security\Enterprise Customization\Specify contact company name
-- Windows Components\Windows Security\Enterprise Customization\Specify contact email address or Email ID
-- Windows Components\Windows Security\Enterprise Customization\Specify contact phone number or Skype ID
-- Windows Components\Windows Security\Enterprise Customization\Specify contact website
-- Windows Components\Windows Security\Family options\Hide the Family options area
-- Windows Components\Windows Security\Firewall and network protection\Hide the Firewall and network protection area
-- Windows Components\Windows Security\Notifications\Hide all notifications
-- Windows Components\Windows Security\Notifications\Hide non-critical notifications
-- Windows Components\Windows Security\Systray\Hide Windows Security Systray
-- Windows Components\Windows Security\Virus and threat protection\Hide the Ransomware data recovery area
-- Windows Components\Windows Security\Virus and threat protection\Hide the Virus and threat protection area
-- Windows Components\Windows Update\Display options for update notifications
-- Windows Components\Windows Update\Remove access 
to "Pause updates" feature
-
-**Control Panel**
-
-- Control Panel\Settings Page Visibility
-- Control Panel\Regional and Language Options\Allow users to enable online speech recognition services
-
-**Network**
-
-- Network\Windows Connection Manager\Enable Windows to soft-disconnect a computer from a network
-
-
-## New Group Policy settings in Windows 10, version 1803
-
-The following Group Policy settings were added in Windows 10, version 1803:
-
-**System**
-
-- System\Credentials Delegation\Encryption Oracle Remediation
-- System\Group Policy\Phone-PC linking on this device
-- System\OS Policies\Allow upload of User Activities
-
-**Windows Components**
-
-- Windows Components\App Privacy\Let Windows apps access an eye tracker device
-- Windows Components\Cloud Content\Turn off Windows Spotlight on Settings
-- Windows Components\Data Collection and Preview Builds\Allow device name to be sent in Windows diagnostic data
-- Windows Components\Data Collection and Preview Builds\Configure telemetry opt-in setting user interface
-- Windows Components\Data Collection and Preview Builds\Configure telemetry opt-in change notifications
-- Windows Components\Delivery Optimization\Maximum Background Download Bandwidth (percentage)
-- Windows Components\Delivery Optimization\Maximum Foreground Download Bandwidth (percentage)
-- Windows Components\Delivery Optimization\Select the source of Group IDs
-- Windows Components\Delivery Optimization\Delay background download from http (in secs)
-- Windows Components\Delivery Optimization\Delay Foreground download from http (in secs)
-- Windows Components\Delivery Optimization\Select a method to restrict Peer Selection
-- Windows Components\Delivery Optimization\Set Business Hours to Limit Background Download Bandwidth
-- Windows Components\Delivery Optimization\Set Business Hours to Limit Foreground Download Bandwidth
-- Windows Components\IME\Turn on Live Sticker
-- Windows Components\Remote Desktop Services\Remote Desktop Session 
Host\Device and Resource Redirection\Do not allow video capture redirection
-- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\Use hardware graphics adapters for all Remote Desktop Services sessions
-- Windows Components\Search\Allow Cortana Page in OOBE on an Azure Active Directory account
-- Windows Components\Store\Disable all apps from Microsoft Store
-- Windows Components\Text Input\Allow Uninstallation of Language Features
-- Windows Components\Text Input\Improve inking and typing recognition
-- Windows Components\Windows Defender Application Guard\Allow hardware-accelerated rendering for Windows Defender Application Guard
-- Windows Components\Windows Defender Security Center\Account protection\Hide the Account protection area
-- Windows Components\Windows Defender Security Center\Device security\Hide the Device security area
-- Windows Components\Windows Defender Security Center\Device security\Hide the Security processor (TPM) troubleshooter page
-- Windows Components\Windows Defender Security Center\Device security\Hide the Secure boot area
-- Windows Components\Windows Defender Security Center\Virus and threat protection\Hide the Ransomware data recovery area
-
-
-## New Group Policy settings in Windows 10, version 1709
-
-The following Group Policy settings were added in Windows 10, version 1709:
-
-**Control Panel**
-
-- Control Panel\Allow Online Tips
-
-**Network**
-
-- Network\Network Connectivity Status Indicator\Specify global DNS
-- Network\WWAN Service\WWAN UI Settings\Set Per-App Cellular Access UI Visibility
-- Network\WWAN Service\Cellular Data Access\Let Windows apps access cellular data
-
-**System**
-
-- System\Device Health Attestation Service\Enable Device Health Attestation Monitoring and Reporting
-- System\OS Policies\Enables Activity Feed
-- System\OS Policies\Allow publishing of User Activities
-- System\Power Management\Power Throttling Settings\Turn off Power Throttling
-- 
System\Storage Health\Allow downloading updates to the Disk Failure Prediction Model
-- System\Trusted Platform Module Services\Configure the system to clear the TPM if it is not in a ready state.
-
-**Windows Components**
-
-- Windows Components\App Privacy\Let Windows apps communicate with unpaired devices
-- Windows Components\Data Collection and Preview Builds\Limit Enhanced diagnostic data to the minimum required by Windows Analytics
-- Windows Components\Handwriting\Handwriting Panel Default Mode Docked
-- Windows Components\Internet Explorer\Internet Settings\Advanced settings\Browsing\Hide the button (next to the New Tab button) that opens Microsoft Edge
-- Windows Components\MDM\Auto MDM Enrollment with Azure Active Directory Token
-- Windows Components\Messaging\Allow Message Service Cloud Sync
-- Windows Components\Microsoft Edge\Always show the Books Library in Microsoft Edge
-- Windows Components\Microsoft Edge\Provision Favorites
-- Windows Components\Microsoft Edge\Prevent changes to Favorites on Microsoft Edge
-- Windows Components\Microsoft FIDO Authentication\Enable usage of FIDO devices to sign on
-- Windows Components\OneDrive\Prevent OneDrive from generating network traffic until the user signs in to OneDrive
-- Windows Components\Push To Install\Turn off Push To Install service
-- Windows Components\Search\Allow Cloud Search
-- Windows Components\Windows Defender Application Guard\Allow data persistence for Windows Defender Application Guard
-- Windows Components\Windows Defender Application Guard\Allow auditing events in Windows Defender Application Guard
-- Windows Components\Microsoft Defender Antivirus\Windows Defender Exploit Guard\Network Protection\Prevent users and apps from accessing dangerous websites
-- Windows Components\Microsoft Defender Antivirus\Windows Defender Exploit Guard\Controlled Folder Access\Configure Controlled folder access
-- Windows Components\Microsoft Defender Antivirus\Windows Defender Exploit Guard\Attack 
Surface Reduction\Configure Attack Surface Reduction rules -- Windows Components\Microsoft Defender Antivirus\Windows Defender Exploit Guard\Attack Surface Reduction\Exclude files and paths from Attack Surface Reduction Rules -- Windows Components\Microsoft Defender Antivirus\Windows Defender Exploit Guard\Controlled Folder Access\Configure allowed applications -- Windows Components\Microsoft Defender Antivirus\Windows Defender Exploit Guard\Controlled Folder Access\Configure protected folders -- Windows Components\Windows Defender Exploit Guard\Exploit Protection\Use a common set of exploit protection settings -- Windows Components\Windows Defender Security Center\Virus and threat protection\Hide the Virus and threat protection area -- Windows Components\Windows Defender Security Center\Firewall and network protection\Hide the Firewall and network protection area -- Windows Components\Windows Defender Security Center\App and browser protection\Hide the App and browser protection area -- Windows Components\Windows Defender Security Center\App and browser protection\Prevent users from modifying settings -- Windows Components\Windows Defender Security Center\Device performance and health\Hide the Device performance and health area -- Windows Components\Windows Defender Security Center\Family options\Hide the Family options area -- Windows Components\Windows Defender Security Center\Notifications\Hide all notifications -- Windows Components\Windows Defender Security Center\Notifications\Hide non-critical notifications -- Windows Components\Windows Defender Security Center\Enterprise Customization\Configure customized notifications -- Windows Components\Windows Defender Security Center\Enterprise Customization\Configure customized contact information -- Windows Components\Windows Defender Security Center\Enterprise Customization\Specify contact company name -- Windows Components\Windows Defender Security Center\Enterprise Customization\Specify contact phone number or 
Skype ID -- Windows Components\Windows Defender Security Center\Enterprise Customization\Specify contact email address or Email ID -- Windows Components\Windows Defender Security Center\Enterprise Customization\Specify contact website -- Windows Components\Windows Hello for Business\Configure device unlock factors -- Windows Components\Windows Hello for Business\Configure dynamic lock factors -- Windows Components\Windows Hello for Business\Turn off smart card emulation -- Windows Components\Windows Hello for Business\Allow enumeration of emulated smart card for all users -- Windows Components\Windows Update\Allow updates to be downloaded automatically over metered connections -- Windows Components\Windows Update\Do not allow update deferral policies to cause scans against Windows Update - - -## New Group Policy settings in Windows 10, version 1703 - -The following Group Policy settings were added in Windows 10, version 1703: - -**Control Panel** - -- Control Panel\Add or Remove Programs\Specify default category for Add New Programs -- Control Panel\Add or Remove Programs\Hide the "Add a program from CD-ROM or floppy disk" option -- Control Panel\Personalization\Prevent changing lock screen and logon image - -**Network** - -- Network\Background Intelligent Transfer Service (BITS)\Limit the maximum network bandwidth for BITS background transfers -- Network\Background Intelligent Transfer Service (BITS)\Allow BITS Peercaching -- Network\Background Intelligent Transfer Service (BITS)\Limit the age of files in the BITS Peercache -- Network\Background Intelligent Transfer Service (BITS)\Limit the BITS Peercache size -- Network\DNS Client\Allow NetBT queries for fully qualified domain names -- Network\Network Connections\Prohibit access to properties of components of a LAN connection -- Network\Network Connections\Ability to Enable/Disable a LAN connection -- Network\Offline Files\Turn on economical application of administratively assigned Offline Files -- 
Network\Offline Files\Configure slow-link mode -- Network\Offline Files\Enable Transparent Caching -- Network\Microsoft Peer-to-Peer Networking Services\Peer Name Resolution Protocol\Site-Local Clouds\Set the Seed Server -- Network\Microsoft Peer-to-Peer Networking Services\Disable password strength validation for Peer Grouping - -**System** - -- System\App-V\Streaming\Location Provider -- System\App-V\Streaming\Certificate Filter For Client SSL -- System\Credentials Delegation\Allow delegating default credentials with NTLM-only server authentication -- System\Ctrl+Alt+Del Options\Remove Change Password -- System\Ctrl+Alt+Del Options\Remove Lock Computer -- System\Ctrl+Alt+Del Options\Remove Task Manager -- System\Ctrl+Alt+Del Options\Remove Logoff -- System\Device Installation\Do not send a Windows error report when a generic driver is installed on a device -- System\Device Installation\Prevent Windows from sending an error report when a device driver requests additional software during installation -- System\Locale Services\Disallow user override of locale settings -- System\Logon\Do not process the legacy run list -- System\Logon\Always use custom logon background -- System\Logon\Do not display network selection UI -- System\Logon\Block user from showing account details on sign-in -- System\Logon\Turn off app notifications on the lock screen -- System\User Profiles\Establish timeout value for dialog boxes -- System\Enable Windows NTP Server\Windows Time Service\Enable Windows NTP Client - -**Windows Components** - -- Windows Components\ActiveX Installer Service\Approved Installation Sites for ActiveX Controls -- Windows Components\ActiveX Installer Service\Establish ActiveX installation policy for sites in Trusted zones -- Windows Components\Application Compatibility\Turn off Application Compatibility Engine -- Windows Components\Application Compatibility\Turn off Program Compatibility Assistant -- Windows Components\Application Compatibility\Turn off Steps 
Recorder -- Windows Components\Attachment Manager\Notify antivirus programs when opening attachments -- Windows Components\Biometrics\Allow the use of biometrics -- Windows Components\NetMeeting\Disable Whiteboard -- Windows Components\Data Collection and Preview Builds\Configure the Commercial ID -- Windows Components\File Explorer\Display the menu bar in File Explorer -- Windows Components\File History\Turn off File History -- Windows Components\Internet Explorer\Internet Control Panel\Advanced Page\Play animations in web pages -- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone\Turn on Cross-Site Scripting Filter -- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone\Turn on Cross-Site Scripting Filter -- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone\Run ActiveX controls and plugins -- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone\Script ActiveX controls marked safe for scripting -- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone\Run ActiveX controls and plugins -- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone\Script ActiveX controls marked safe for scripting -- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Intranet Zone\Run ActiveX controls and plugins -- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Intranet Zone\Script ActiveX controls marked safe for scripting -- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone\Run ActiveX controls and plugins -- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone\Script ActiveX controls marked safe for scripting -- Windows Components\Internet Explorer\Internet Control Panel\Security 
Page\Locked-Down Local Machine Zone\Run ActiveX controls and plugins -- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Local Machine Zone\Script ActiveX controls marked safe for scripting -- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone\Run ActiveX controls and plugins -- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone\Script ActiveX controls marked safe for scripting -- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Sites Zone\Run ActiveX controls and plugins -- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Sites Zone\Script ActiveX controls marked safe for scripting -- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone\Run ActiveX controls and plugins -- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone\Script ActiveX controls marked safe for scripting -- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Sites Zone\Run ActiveX controls and plugins -- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Sites Zone\Script ActiveX controls marked safe for scripting -- Windows Components\Internet Explorer\Accelerators\Restrict Accelerators to those deployed through Group Policy -- Windows Components\Internet Explorer\Compatibility View\Turn on Internet Explorer 7 Standards Mode -- Windows Components\Location and Sensors\Windows Location Provider\Turn off Windows Location Provider -- Windows Components\Microsoft Account\Block all consumer Microsoft account user authentication -- Windows Components\Microsoft Edge\Configure Autofill -- Windows Components\Microsoft Edge\Allow Developer Tools -- Windows Components\Microsoft Edge\Configure Do Not Track -- Windows 
Components\Microsoft Edge\Allow InPrivate browsing -- Windows Components\Microsoft Edge\Configure Password Manager -- Windows Components\Microsoft Edge\Configure Pop-up Blocker -- Windows Components\Microsoft Edge\Allow search engine customization -- Windows Components\Microsoft Edge\Configure search suggestions in Address bar -- Windows Components\Microsoft Edge\Set default search engine -- Windows Components\Microsoft Edge\Configure additional search engines -- Windows Components\Microsoft Edge\Configure the Enterprise Mode Site List -- Windows Components\Microsoft Edge\Prevent using Localhost IP address for WebRTC -- Windows Components\Microsoft Edge\Configure Start pages -- Windows Components\Microsoft Edge\Disable lockdown of Start pages -- Windows Components\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites -- Windows Components\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files -- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\.Net Framework Configuration -- Windows Components\Windows Installer\Prohibit use of Restart Manager -- Windows Components\Desktop Gadgets\Restrict unpacking and installation of gadgets that are not digitally signed. 
-- Windows Components\Desktop Gadgets\Turn Off user-installed desktop gadgets -- Windows Components\OneDrive\Prevent the usage of OneDrive for file storage -- Windows Components\OneDrive\Prevent the usage of OneDrive for file storage on Windows 8.1 -- Windows Components\OneDrive\Prevent OneDrive files from syncing over metered connections -- Windows Components\OneDrive\Save documents to OneDrive by default -- Windows Components\Smart Card\Allow certificates with no extended key usage certificate attribute -- Windows Components\Smart Card\Turn on certificate propagation from smart card -- Windows Components\Tablet PC\Pen UX Behaviors\Prevent flicks -- Windows Components\BitLocker Drive Encryption\Choose drive encryption method and cipher strength (Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10 [Version 1507]) -- Windows Components\Microsoft Defender Antivirus\Real-time Protection\Turn on behavior monitoring -- Windows Components\Microsoft Defender Antivirus\Signature Updates\Define file shares for downloading definition updates -- Windows Components\Microsoft Defender Antivirus\Signature Updates\Turn on scan after signature update -- Windows Components\File Explorer\Display confirmation dialog when deleting files -- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Sites Zone\Allow OpenSearch queries in File Explorer -- Windows Components\Windows Update\Remove access to use all Windows Update features -- Windows Components\Windows Update\Configure Automatic Updates -- Windows Components\Windows Update\Specify intranet Microsoft update service location -- Windows Components\Windows Update\Automatic Updates detection frequency -- Windows Components\Windows Update\Allow non-administrators to receive update notifications -- Windows Components\Windows Update\Allow Automatic Updates immediate installation -- Windows Components\Windows Update\Turn on recommended updates via Automatic Updates -- 
Windows Components\Shutdown Options\Turn off legacy remote shutdown interface - - -For a spreadsheet of Group Policy settings included in Windows 10 and Windows Server 2016, see [Group Policy Settings Reference for Windows and Windows Server](https://go.microsoft.com/fwlink/p/?LinkId=613627). - -## New MDM policies - -Mobile device management (MDM) for Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education include previous Windows Phone settings, and new or enhanced settings for Windows 10, such as: - -- Defender (Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education only) - -- Enhanced Bluetooth policies - -- Passport and Hello - -- Device update - -- Hardware-based device health attestation - -- [Kiosk mode](/windows/configuration/set-up-a-device-for-anyone-to-use), start screen, start menu layout - -- Security - -- [VPN](/windows/security/identity-protection/vpn/vpn-profile-options) and enterprise Wi-Fi management - -- Certificate management - -- Windows Tips - -- Consumer experiences, such as suggested apps in Start and app tiles from Microsoft dynamically inserted in the default Start menu - -Windows 10, version 1703, adds a number of [ADMX-backed policies to MDM](./mdm/policy-configuration-service-provider.md). - -If you use Microsoft Intune for MDM, you can [configure custom policies](/mem/intune/configuration/custom-settings-configure) to deploy Open Mobile Alliance Uniform Resource Identifier (OMA-URI) settings that can be used to control features on Windows 10. For a list of OMA-URI settings, see [Custom URI settings for Windows 10 devices](/mem/intune/configuration/custom-settings-windows-10). - -No new [Exchange ActiveSync policies](/exchange/mobile-device-mailbox-policies-exchange-2013-help). For more information, see the [ActiveSync configuration service provider](./mdm/activesync-csp.md) technical reference. 
- -## Related topics - -[Group Policy Settings Reference Spreadsheet Windows 1803](https://www.microsoft.com/download/details.aspx?id=56946) - -[Manage corporate devices](manage-corporate-devices.md) - -[Changes to Group Policy settings for Start in Windows 10](/windows/configuration/changes-to-start-policies-in-windows-10) diff --git a/windows/client-management/oma-dm-protocol-support.md b/windows/client-management/oma-dm-protocol-support.md index d87cd9db0c..521d15c082 100644 --- a/windows/client-management/oma-dm-protocol-support.md +++ b/windows/client-management/oma-dm-protocol-support.md @@ -1,7 +1,7 @@ --- title: OMA DM protocol support description: See how the OMA DM client communicates with the server over HTTPS and uses DM Sync (OMA DM v1.2) as the message payload. -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa ms.topic: article @@ -9,9 +9,11 @@ ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft ms.date: 06/26/2017 +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 --- - # OMA DM protocol support The OMA DM client communicates with the server over HTTPS and uses DM Sync (OMA DM v1.2) as the message payload. This topic describes the OMA DM functionality that the DM client supports in general. The full description of the OMA DM protocol v1.2 can be found at the [OMA website](https://www.openmobilealliance.org/release/DM/V1_2-20070209-A/OMA-TS-DM_Protocol-V1_2-20070209-A.pdf). @@ -30,10 +32,8 @@ The following table shows the OMA DM standards that Windows uses. |Nodes|In the OMA DM tree, the following rules apply for the node name:
  • "." can be part of the node name.
  • The node name can't be empty.
  • The node name can't be only the asterisk (`*`) character.| |Provisioning Files|Provisioning XML must be well formed and follow the definition in [SyncML Representation Protocol](https://www.openmobilealliance.org/release/Common/V1_2_2-20090724-A/OMA-TS-SyncML-RepPro-V1_2_2-20090724-A.pdf).

    If an XML element that isn't a valid OMA DM command is under SyncBody, the status code 400 is returned for that element.
    **Note**
    To represent a Unicode string as a URI, first encode the string as UTF-8. Then encode each of the UTF-8 bytes using URI encoding.
    | |WBXML support|Windows supports sending and receiving SyncML in both XML format and encoded WBXML format. This dual-format support is configurable by using the DEFAULTENCODING node under the w7 APPLICATION characteristic during enrollment. For more information about WBXML encoding, see section 8 of the [SyncML Representation Protocol](https://www.openmobilealliance.org/release/Common/V1_2_2-20090724-A/OMA-TS-SyncML-RepPro-V1_2_2-20090724-A.pdf) specification.| -|Handling of large objects|In Windows 10, version 1511, client support for uploading large objects to the server was added.| +|Handling of large objects|In Windows 10, client support for uploading large objects to the server was added.| - - ## OMA DM protocol common elements Common elements are used by other OMA DM element types. The following table lists the OMA DM common elements used to configure the devices. For more information about OMA DM common elements, see "SyncML Representation Protocol Device Management Usage" (OMA-SyncML-DMRepPro-V1_1_2-20030613-A) available from the [OMA website](https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/). @@ -51,7 +51,7 @@ Common elements are used by other OMA DM element types. The following table list |MsgID|Specifies a unique identifier for an OMA DM session message.| |MsgRef|Specifies the ID of the corresponding request message. This element takes the value of the request message MsgID element.| |RespURI|Specifies the URI that the recipient must use when sending a response to this message.| -|SessionID|Specifies the identifier of the OMA DM session associated with the containing message.
    **Note**
    If the server doesn't notify the device that it supports a new version (through SyncApplicationVersion node in the DMClient CSP), the client returns the SessionID in integer in decimal format. If the server supports DM session sync version 2.0, which is used in Windows 10, the device client returns 2 bytes.
    | +|SessionID|Specifies the identifier of the OMA DM session associated with the containing message.
    **Note**
    If the server doesn't notify the device that it supports a new version (through SyncApplicationVersion node in the DMClient CSP), the client returns the SessionID in integer in decimal format. If the server supports DM session sync version 2.0, which is used in Windows, the device client returns 2 bytes.
    | |Source|Specifies the message source address.| |SourceRef|Specifies the source of the corresponding request message. This element takes the value of the request message Source element and is returned in the Status or Results element.| |Target|Specifies the address of the node, in the DM Tree, that is the target of the OMA DM command.| @@ -68,26 +68,27 @@ A short DM session can be summarized as: A server sends a Get command to a client device to retrieve the contents of one of the nodes of the management tree. The device performs the operation and responds with a Result command that contains the requested contents. A DM session can be divided into two phases: -1. **Setup phase**: In response to a trigger event, a client device sends an initiating message to a DM server. The device and server exchange needed authentication and device information. This phase is represented by steps 1, 2, and 3 in the following table. -2. **Management phase**: The DM server is in control. It sends management commands to the device and the device responds. Phase 2 ends when the DM server stops sending commands and terminates the session. This phase is represented by steps 3, 4, and 5 in the following table. + +1. **Setup phase**: In response to a trigger event, a client device sends an initiating message to a DM server. The device and server exchange needed authentication and device information. This phase is represented by steps 1, 2, and 3 in the following table. +1. **Management phase**: The DM server is in control. It sends management commands to the device and the device responds. Phase 2 ends when the DM server stops sending commands and terminates the session. This phase is represented by steps 3, 4, and 5 in the following table. The following information shows the sequence of events during a typical DM session. -1. DM client is invoked to call back to the management server

    Enterprise scenario – The device task schedule invokes the DM client. +1. DM client is invoked to call back to the management server

    Enterprise scenario - The device task schedule invokes the DM client. The MO server sends a server trigger message to invoke the DM client. The trigger message includes the server ID and tells the client device to initiate a session with the server. The client device authenticates the trigger message and verifies that the server is authorized to communicate with it.

    Enterprise scenario - At the scheduled time, the DM client is invoked periodically to call back to the enterprise management server over HTTPS. -2. The device sends a message, over an IP connection, to initiate the session. +1. The device sends a message, over an IP connection, to initiate the session. This message includes device information and credentials. The client and server do mutual authentication over an SSL channel or at the DM application level. -3. The DM server responds, over an IP connection (HTTPS). The server sends initial device management commands, if any. +1. The DM server responds, over an IP connection (HTTPS). The server sends initial device management commands, if any. -4. The device responds to server management commands. This message includes the results of performing the specified device management operations. +1. The device responds to server management commands. This message includes the results of performing the specified device management operations. -5. The DM server terminates the session or sends another command. The DM session ends, or Step 4 is repeated. +1. The DM server terminates the session or sends another command. The DM session ends, or Step 4 is repeated. The step numbers don't represent message identification numbers (MsgID). All messages from the server must have a MsgID that is unique within the session, starting at 1 for the first message, and increasing by an increment of 1 for each extra message. For more information about MsgID and OMA SyncML protocol, see [OMA Device Management Representation Protocol (DM_RepPro-V1_2-20070209-A)](https://www.openmobilealliance.org/release/DM/V1_2-20070209-A/). 
@@ -97,7 +98,6 @@ If a request includes credentials and the response code to the request is 200, t For more information about Basic or MD5 client authentication, MD5 server authentication, MD5 hash, and MD5 nonce, see the OMA Device Management Security specification (OMA-TS-DM_Security-V1_2_1-20080617-A), authentication response code handling and step-by-step samples in OMA Device Management Protocol specification (OMA-TS-DM_Protocol-V1_2_1-20080617-A), available from the [OMA website](https://www.openmobilealliance.org/release/DM/V1_2_1-20080617-A/). - ## User targeted vs. Device targeted configuration For CSPs and policies that support per user configuration, the MDM server can send user targeted setting values to the device that a MDM-enrolled user is actively logged into. The device notifies the server of the sign-in status via a device alert (1224) with Alert type = in DM pkg\#1. @@ -130,8 +130,6 @@ The following LocURL shows a per user CSP node configuration: `./user/vendor/MSF The following LocURL shows a per device CSP node configuration: `./device/vendor/MSFT/RemoteWipe/DoWipe` - - ## SyncML response status codes When using SyncML in OMA DM, there are standard response status codes that are returned. The following table lists the common SyncML response status codes you're likely to see. For more information about SyncML response status codes, see section 10 of the [SyncML Representation Protocol](https://openmobilealliance.org/release/Common/V1_2_2-20090724-A/OMA-TS-SyncML-RepPro-V1_2_2-20090724-A.pdf) specification. diff --git a/windows/client-management/on-premise-authentication-device-enrollment.md b/windows/client-management/on-premise-authentication-device-enrollment.md index daf5a628d7..8e72627af0 100644 --- a/windows/client-management/on-premise-authentication-device-enrollment.md +++ b/windows/client-management/on-premise-authentication-device-enrollment.md 
@@ -1,65 +1,61 @@ --- title: On-premises authentication device enrollment description: This section provides an example of the mobile device enrollment protocol using on-premises authentication policy. -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa ms.topic: article ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft -ms.date: 06/26/2017 +ms.date: 04/05/2023 +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 --- # On-premises authentication device enrollment -This section provides an example of the mobile device enrollment protocol using on-premises authentication policy. For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347). +This section provides an example of the mobile device enrollment protocol using on-premises authentication policy. For details about the Microsoft mobile device enrollment protocol for Windows, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347). -## In this topic - -- [On-premises authentication device enrollment](#on-premises-authentication-device-enrollment) - - [In this topic](#in-this-topic) - - [Discovery service](#discovery-service) - - [Enrollment policy web service](#enrollment-policy-web-service) - - [Enrollment web service](#enrollment-web-service) - -For the list of enrollment scenarios not supported in Windows 10, see [Enrollment scenarios not supported](mobile-device-enrollment.md#enrollment-scenarios-not-supported). +> [!NOTE] +> For the list of enrollment scenarios not supported in Windows, see [Enrollment scenarios not supported](mobile-device-enrollment.md#enrollment-scenarios-not-supported). ## Discovery service The discovery web service provides the configuration information necessary for a user to enroll a device with a management service. 
The service is a restful web service over HTTPS (server authentication only). > [!NOTE] -> The administrator of the discovery service must create a host with the address enterpriseenrollment.*domain\_name*.com. +> The administrator of the discovery service must create a host with the address `enterpriseenrollment..com`. -The device’s automatic discovery flow uses the domain name of the email address that was submitted to the Workplace settings screen during sign in. The automatic discovery system constructs a URI that uses this hostname by appending the subdomain “enterpriseenrollment” to the domain of the email address, and by appending the path “/EnrollmentServer/Discovery.svc”. For example, if the email address is “sample@contoso.com”, the resulting URI for first Get request would be: http://enterpriseenrollment.contoso.com/EnrollmentServer/Discovery.svc +The automatic discovery flow of the device uses the domain name of the email address that was submitted to the Workplace settings screen during sign in. The automatic discovery system constructs a URI that uses this hostname by appending the subdomain **enterpriseenrollment** to the domain of the email address, and by appending the path `/EnrollmentServer/Discovery.svc`. For example, if the email address is `sample@contoso.com`, the resulting URI for first Get request would be: `http://enterpriseenrollment.contoso.com/EnrollmentServer/Discovery.svc`. The first request is a standard HTTP GET request. The following example shows a request via HTTP GET to the discovery server given user@contoso.com as the email address. 
-``` +```http Request Full Url: http://EnterpriseEnrollment.contoso.com/EnrollmentServer/Discovery.svc Content Type: unknown Header Byte Count: 153 Body Byte Count: 0 ``` -``` +```http GET /EnrollmentServer/Discovery.svc HTTP/1.1 User-Agent: Windows Phone 8 Enrollment Client Host: EnterpriseEnrollment.contoso.com Pragma: no-cache ``` -``` +```http Request Full Url: http://EnterpriseEnrollment.contoso.com/EnrollmentServer/Discovery.svc Content Type: text/html Header Byte Count: 248 Body Byte Count: 0 ``` -``` +```http HTTP/1.1 200 OK Connection: Keep-Alive Pragma: no-cache 
@@ -68,18 +64,18 @@ Content-Type: text/html Content-Length: 0 ``` -After the device gets a response from the server, the device sends a POST request to enterpriseenrollment.*domain\_name*/EnrollmentServer/Discovery.svc. After it gets another response from the server (which should tell the device where the enrollment server is), the next message sent from the device is to enterpriseenrollment.*domain\_name* to the enrollment server. +After the device gets a response from the server, the device sends a POST request to `enterpriseenrollment./EnrollmentServer/Discovery.svc`. After it gets another response from the server (which should tell the device where the enrollment server is), the next message sent from the device is to `enterpriseenrollment.` enrollment server. The following logic is applied: -1. The device first tries HTTPS. If the server cert is not trusted by the device, the HTTPS fails. -2. If that fails, the device tries HTTP to see whether it is redirected: - - If the device is not redirected, it prompts the user for the server address. - - If the device is redirected, it prompts the user to allow the redirect. +1. The device first tries HTTPS. If the server cert is not trusted by the device, the HTTPS fails. +1. If that fails, the device tries HTTP to see whether it is redirected: + - If the device is not redirected, it prompts the user for the server address. + - If the device is redirected, it prompts the user to allow the redirect. The following example shows a request via an HTTP POST command to the discovery web service given user@contoso.com as the email address: -``` +```http https://EnterpriseEnrollment.Contoso.com/EnrollmentServer/Discovery.svc ``` 
@@ -124,9 +120,9 @@ If a domain and user name are provided by the user instead of an email address, The discovery response is in the XML format and includes the following fields: -- Enrollment service URL (EnrollmentServiceUrl) – Specifies the URL of the enrollment endpoint that is exposed by the management service. The device should call this URL after the user has been authenticated. This field is mandatory. -- Authentication policy (AuthPolicy) – Indicates what type of authentication is required. For the MDM server, OnPremise is the supported value, which means that the user will be authenticated when calling the management service URL. This field is mandatory. -- Federated is added as another supported value. This allows the server to leverage the Web Authentication Broker to perform customized user authentication, and term of usage acceptance. +- Enrollment service URL (EnrollmentServiceUrl) - Specifies the URL of the enrollment endpoint that is exposed by the management service. The device should call this URL after the user has been authenticated. This field is mandatory. +- Authentication policy (AuthPolicy) - Indicates what type of authentication is required. For the MDM server, OnPremise is the supported value, which means that the user will be authenticated when calling the management service URL. This field is mandatory. +- Federated is added as another supported value. This allows the server to leverage the Web Authentication Broker to perform customized user authentication, and term of usage acceptance. > [!NOTE] > The HTTP server response must not be chunked; it must be sent as one message. 
@@ -171,42 +167,42 @@ For the OnPremise authentication policy, the UsernameToken in GetPolicies contai The following example shows the policy web service request. ```xml - - - - http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy/IPolicy/GetPolicies - - urn:uuid:72048B64-0F19-448F-8C2E-B4C661860AA0 - - http://www.w3.org/2005/08/addressing/anonymous - - - https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC - - - - user@contoso.com - mypassword - - - - - - - - - - - - - + + + + http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy/IPolicy/GetPolicies + + urn:uuid:72048B64-0F19-448F-8C2E-B4C661860AA0 + + http://www.w3.org/2005/08/addressing/anonymous + + + https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC + + + + user@contoso.com + mypassword + + + + + + + + + + + + + ``` After the user is authenticated, the web service retrieves the certificate template that the user should enroll with and creates enrollment policies based on the certificate template properties. A sample of the response can be found on MSDN. 
@@ -301,7 +297,7 @@ This web service implements the MS-WSTEP protocol. It processes the RequestSecur
 The RequestSecurityToken (RST) must have the user credential and a certificate request. The user credential in an RST SOAP envelope is the same as in GetPolicies, and can vary depending on whether the authentication policy is OnPremise or Federated. The BinarySecurityToken in an RST SOAP body contains a Base64-encoded PKCS\#10 certificate request, which is generated by the client based on the enrollment policy. The client could have requested an enrollment policy by using MS-XCEP before requesting a certificate using MS-WSTEP. If the PKCS\#10 certificate request is accepted by the certification authority (CA) (the key length, hashing algorithm, and so on match the certificate template), the client can enroll successfully.
-The RequestSecurityToken will use a custom TokenType (http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken), because our enrollment token is more than an X.509 v3 certificate. For more details, see the Response section.
+The RequestSecurityToken will use a custom TokenType (`http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken`), because our enrollment token is more than an X.509 v3 certificate. For more details, see the Response section.
 The RST may also specify a number of AdditionalContext items, such as DeviceType and Version. Based on these values, for example, the web service can return device-specific and version-specific DM configuration.
@@ -311,11 +307,11 @@ The RST may also specify a number of AdditionalContext items, such as DeviceType
 The following example shows the enrollment web service request for OnPremise authentication.
 ```xml
-
@@ -344,8 +340,8 @@ The following example shows the enrollment web service request for OnPremise aut http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue - DER format PKCS#10 certificate request in Base64 encoding Insterted Here @@ -383,7 +379,6 @@ The following example shows the enrollment web service request for OnPremise aut 7BA748C8-703E-4DF2-A74A-92984117346A - True @@ -396,8 +391,8 @@ The following example shows the enrollment web service request for OnPremise aut The following example shows the enrollment web service response. ```xml - @@ -413,14 +408,15 @@ The following example shows the enrollment web service response. - http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken - - + + B64EncodedSampleBinarySecurityToken - + 0 @@ -440,7 +436,7 @@ The following example shows the enrollment web service response. The following example shows the encoded provisioning XML. -``` +```xml @@ -452,17 +448,17 @@ The following example shows the encoded provisioning XML. - + - - + + - + @@ -505,7 +501,7 @@ The following example shows the encoded provisioning XML. - + @@ -513,7 +509,7 @@ The following example shows the encoded provisioning XML. - ``` diff --git a/windows/client-management/push-notification-windows-mdm.md b/windows/client-management/push-notification-windows-mdm.md index 712795c303..b1094d670f 100644 --- a/windows/client-management/push-notification-windows-mdm.md +++ b/windows/client-management/push-notification-windows-mdm.md 
@@ -1,84 +1,58 @@
 ---
 title: Push notification support for device management
 description: The DMClient CSP supports the ability to configure push-initiated device management sessions.
-MS-HAID:
- - 'p\_phdevicemgmt.push\_notification\_support\_for\_device\_management'
- - 'p\_phDeviceMgmt.push\_notification\_windows\_mdm'
-ms.reviewer:
+ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
-ms.date: 09/22/2017
+ms.date: 04/05/2023
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
 ---
-
 # Push notification support for device management
-The [DMClient CSP](mdm/dmclient-csp.md) supports the ability to configure push-initiated device management sessions. Using the [Windows Notification Services (WNS)](/previous-versions/windows/apps/hh913756(v=win.10)), a management server can request a device to establish a management session with the server through a push notification. A device is provided with a PFN for an application. This provision results in the device getting configured, to support a push to it by the management server. Once the device is configured, it registers a persistent connection with the WNS cloud (Battery Sense and Data Sense conditions permitting).
+The [DMClient CSP](mdm/dmclient-csp.md) supports the ability to configure push-initiated device management sessions. Using the [Windows Notification Services (WNS)](/windows/apps/design/shell/tiles-and-notifications/windows-push-notification-services--wns--overview), a management server can request a device to establish a management session with the server through a push notification. A device is provided with a PFN for an application. This provision results in the device getting configured, to support a push to it by the management server. Once the device is configured, it registers a persistent connection with the WNS cloud (Battery Sense and Data Sense conditions permitting).
To initiate a device management session, the management server must first authenticate with WNS using its SID and client secret. Once authenticated, the server receives a token to initiate a raw push notification for any ChannelURI. When the management server wants to initiate a management session with a device, it can utilize the token and the device ChannelURI, and begin communicating with the device. For more information about how to get push credentials (SID and client secret) and PFN to use in WNS, see [Get WNS credentials and PFN for MDM push notification](#get-wns-credentials-and-pfn-for-mdm-push-notification). -Because a device may not always be connected to the internet, WNS supports caching notifications for delivery to the device once it reconnects. To ensure your notification is cached for delivery, set the X-WNS-Cache-Policy header to Cache. Additionally, if the server wants to send a time-bound raw push notification, the server can use the X-WNS-TTL header that will provide WNS with a time-to-live binding so that the notification will expire after the time has passed. For more information, see [Raw notification overview (Windows Runtime apps)](/previous-versions/windows/apps/jj676791(v=win.10)). +Because a device may not always be connected to the internet, WNS supports caching notifications for delivery to the device once it reconnects. To ensure your notification is cached for delivery, set the X-WNS-Cache-Policy header to Cache. Additionally, if the server wants to send a time-bound raw push notification, the server can use the X-WNS-TTL header that will provide WNS with a time-to-live binding so that the notification will expire after the time has passed. For more information, see [Raw notification overview](/windows/apps/design/shell/tiles-and-notifications/raw-notification-overview). The following restrictions are related to push notifications and WNS: -- Push for device management uses raw push notifications. 
This restriction means that these raw push notifications don't support or utilize push notification payloads. -- Receipt of push notifications is sensitive to the Battery Saver and Data Sense settings on the device. For example, if the battery drops below certain thresholds, the persistent connection of the device with WNS will be terminated. Additionally, if the user is utilizing Data Sense and has exceeded their monthly allotment of data, the persistent connection of the device with WNS will also be terminated. -- A ChannelURI provided to the management server by the device is only valid for 30 days. The device automatically renews the ChannelURI after 15 days and triggers a management session on successful renewal of the ChannelURI. It's strongly recommended that, during every management session, the management server queries the ChannelURI value to ensure that it has received the latest value. This will ensure that the management server won't attempt to use a ChannelURI that has expired. -- Push isn't a replacement for having a polling schedule. -- WNS reserves the right to block push notifications to your PFN if improper use of notifications is detected. Any devices being managed using this PFN will cease to have push initiated device management support. -- On Windows 10, version 1511 as well as Windows 8 and 8.1, MDM Push may fail to renew the WNS Push channel automatically causing it to expire. It can also potentially hang when setting the PFN for the channel. +- Push for device management uses raw push notifications. This restriction means that these raw push notifications don't support or utilize push notification payloads. +- Receipt of push notifications is sensitive to the Battery Saver and Data Sense settings on the device. For example, if the battery drops below certain thresholds, the persistent connection of the device with WNS will be terminated. 
Additionally, if the user is utilizing Data Sense and has exceeded their monthly allotment of data, the persistent connection of the device with WNS will also be terminated. +- A ChannelURI provided to the management server by the device is only valid for 30 days. The device automatically renews the ChannelURI after 15 days and triggers a management session on successful renewal of the ChannelURI. It's strongly recommended that, during every management session, the management server queries the ChannelURI value to ensure that it has received the latest value. This will ensure that the management server won't attempt to use a ChannelURI that has expired. +- Push isn't a replacement for having a polling schedule. +- WNS reserves the right to block push notifications to your PFN if improper use of notifications is detected. Any devices being managed using this PFN will cease to have push initiated device management support. - To work around this issue, when a 410 is returned by the WNS server when attempting to send a Push notification to the device the PFN should be set during the next sync session. To prevent the push channel from expiring on older builds, servers can reset the PFN before the channel expires (~30 days). If they’re already running Windows 10, there should be an update available that they can install that should fix the issue. +- In Windows 10, version 1511, we use the following retry logic for the DMClient: -- On Windows 10, version 1511, we use the following retry logic for the DMClient: - - If ExpiryTime is greater than 15 days, a schedule is set for when 15 days are left. - - If ExpiryTime is between now and 15 days, a schedule set for 4 +/- 1 hours from now. - - If ExpiryTime has passed, a schedule is set for 1 day +/- 4 hours from now. - - -- On Windows 10, version 1607, we check for network connectivity before retrying. We don't check for internet connectivity. 
If network connectivity isn't available, we'll skip the retry and set schedule for 4+/-1 hours to try again. + - If ExpiryTime is greater than 15 days, a schedule is set for when 15 days are left. + - If ExpiryTime is between now and 15 days, a schedule set for 4 +/- 1 hours from now. + - If ExpiryTime has passed, a schedule is set for 1 day +/- 4 hours from now. +- In Windows 10, version 1607 and later, we check for network connectivity before retrying. We don't check for internet connectivity. If network connectivity isn't available, we'll skip the retry and set schedule for 4+/-1 hours to try again. ## Get WNS credentials and PFN for MDM push notification To get a PFN and WNS credentials, you must create a Microsoft Store app. -1. Go to the Windows [Dashboard](https://dev.windows.com/en-US/dashboard) and sign in with your developer account. +1. Go to the Windows [Dashboard](https://dev.windows.com/en-US/dashboard) and sign in with your developer account. +1. Select **Apps and games** under Workspaces. Create a **New product** and select **MSIX or PWA app**. +1. Reserve an app name. +1. Select **Product Identity** under Product Management to view the **Package Family Name (PFN)** of your app. +1. Select **WNS/MPNS** under Product Management. + 1. Click the **App Registration portal** link. A new window opens showing your app in the Azure Portal. + 1. In the Application Registration Portal page, you'll see the properties for the app that you created, such as: + - Application ID + - Application Secrets + - Redirect URIs - ![mdm push notification1.](images/push-notification1.png) -2. Create a new app. - - ![mdm push notification2.](images/push-notification2.png) -3. Reserve an app name. - - ![mdm push notification3.](images/push-notification3.png) -4. Click **Services**. - - ![mdm push notification4.](images/push-notification4.png) -5. Click **Push notifications**. - - ![mdm push notification5.](images/push-notification5.png) -6. Click **Live Services site**. 
A new window opens for the **Application Registration Portal** page. - - ![mdm push notification6.](images/push-notification6.png) -7. In the **Application Registration Portal** page, you'll see the properties for the app that you created, such as: - - Application ID - - Application Secrets - - Microsoft Store Package SID, Application Identity, and Publisher. - - ![mdm push notification7.](images/push-notification7.png) -8. Click **Save**. -9. Close the **Application Registration Portal** window and go back to the Windows Dev Center Dashboard. -10. Select your app from the list on the left. -11. From the left nav, expand **App management** and then click **App identity**. - - ![mdm push notification10.](images/push-notification10.png) -12. In the **App identity** page, you'll see the **Package Family Name (PFN)** of your app. - -  +For more information see, [Tutorial: Send notifications to Universal Windows Platform apps using Azure Notification Hubs](/azure/notification-hubs/notification-hubs-windows-store-dotnet-get-started-wns-push-notification). diff --git a/windows/client-management/register-your-free-azure-active-directory-subscription.md b/windows/client-management/register-your-free-azure-active-directory-subscription.md deleted file mode 100644 index 2d326ac269..0000000000 --- a/windows/client-management/register-your-free-azure-active-directory-subscription.md +++ /dev/null 
@@ -1,43 +0,0 @@ ---- -title: Register your free Azure Active Directory subscription -description: Paid subscribers to Office 365, Microsoft Dynamics CRM Online, Enterprise Mobility Suite, or other Microsoft services, have a free subscription to Azure AD. -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: article -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 06/26/2017 ---- - -# Register your free Azure Active Directory subscription - -If you have paid subscriptions to Office 365, Microsoft Dynamics CRM Online, Enterprise Mobility Suite, or other Microsoft services, you have a free subscription to Azure AD. Here's a step-by-step guide to register your free Azure AD subscription using an Office 365 Premium Business subscription. - -> **Note**  If you don't have any Microsoft service that comes with a free Azure AD subscription, follow the step-by-step guide in [Add an Azure AD tenant and Azure AD subscription](add-an-azure-ad-tenant-and-azure-ad-subscription.md) to set up a tenant, add a subscription, and manage it via the Azure Portal. - -  -## Register your free Azure Active Directory subscription - -1. Sign in to the Microsoft 365 admin center at using your organization's account. - - ![screen to register azure-ad](images/azure-ad-add-tenant10.png) - -2. On the **Home** page, click on the Admin tools icon. - - ![screen for registering azure-ad](images/azure-ad-add-tenant11.png) - -3. On the **Admin center** page, under Admin Centers on the left, click **Azure Active Directory**. You're taken to the Azure Active Directory portal. - - ![Azure-AD-updated.](https://user-images.githubusercontent.com/41186174/71594506-e4845300-2b40-11ea-9a08-c21c824e12a4.png) - - - -  - - - - - - diff --git a/windows/client-management/server-requirements-windows-mdm.md b/windows/client-management/server-requirements-windows-mdm.md index c0a307103f..30f628af50 100644 --- a/windows/client-management/server-requirements-windows-mdm.md 
+++ b/windows/client-management/server-requirements-windows-mdm.md
@@ -1,9 +1,6 @@
 ---
 title: Server requirements for using OMA DM to manage Windows devices
 description: Learn about the general server requirements for using OMA DM to manage Windows devices, including the supported versions of OMA DM.
-MS-HAID:
- - 'p\_phDeviceMgmt.server\_requirements\_for\_oma\_dm'
- - 'p\_phDeviceMgmt.server\_requirements\_windows\_mdm'
 ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
@@ -12,29 +9,25 @@ ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 06/26/2017
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
 ---
 # Server requirements for using OMA DM to manage Windows devices
 The following list shows the general server requirements for using OMA DM to manage Windows devices:
-- The OMA DM server must support the OMA DM v1.1.2 or later protocol.
+- The OMA DM server must support the OMA DM v1.1.2 or later protocol.
-- Secure Sockets Layer (SSL) must be on the OMA DM server, and it must provide server certificate-based authentication, data integrity check, and data encryption. If the certificate isn't issued by a commercial Certification Authority whose root certificate is pre-installed in the device, you must provision the enterprise root certificate in the device's Root store.
+- Secure Sockets Layer (SSL) must be on the OMA DM server, and it must provide server certificate-based authentication, data integrity check, and data encryption. If the certificate isn't issued by a commercial Certification Authority whose root certificate is pre-installed in the device, you must provision the enterprise root certificate in the device's Root store.
-- To authenticate the client at the application level, you must use either Basic or MD5 client authentication.
+- To authenticate the client at the application level, you must use either Basic or MD5 client authentication.
-- The server MD5 nonce must be renewed in each DM session. The DM client sends the new server nonce for the next session to the server over the Status element in every DM session.
+- The server MD5 nonce must be renewed in each DM session. The DM client sends the new server nonce for the next session to the server over the Status element in every DM session.
-- The MD5 binary nonce is sent over XML B64 encoded format, but the octal form of the binary data should be used when the service calculates the hash.
+- The MD5 binary nonce is sent over XML B64 encoded format, but the octal form of the binary data should be used when the service calculates the hash. For more information about Basic or MD5 client authentication, MD5 hash, and MD5 nonce, see the OMA Device Management Security specification (OMA-TS-DM\_Security-V1\_2\_1-20080617-A), available from the [OMA website](https://go.microsoft.com/fwlink/p/?LinkId=526900). -- The server must support HTTPS. - -  - - - - - +- The server must support HTTPS. diff --git a/windows/client-management/structure-of-oma-dm-provisioning-files.md b/windows/client-management/structure-of-oma-dm-provisioning-files.md index 5e5008f0eb..b3724368d3 100644 --- a/windows/client-management/structure-of-oma-dm-provisioning-files.md +++ b/windows/client-management/structure-of-oma-dm-provisioning-files.md @@ -9,6 +9,9 @@ ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft ms.date: 06/26/2017 +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 --- # Structure of OMA DM provisioning files @@ -65,17 +68,16 @@ The following example shows the general structure of the XML document sent by th SyncHdr includes the following information: -- Document Type Definition (DTD) and protocol version numbers +- Document Type Definition (DTD) and protocol version numbers -- Session and message identifiers. Each message in the same DM session must have a different MsgID. +- Session and message identifiers. Each message in the same DM session must have a different MsgID. -- Message source and destination Uniform Resource Identifiers (URIs) +- Message source and destination Uniform Resource Identifiers (URIs) -- Credentials for authentication +- Credentials for authentication This information is used to by the client device to properly manage the DM session. - **Code example** The following example shows the header component of a DM message. In this case, OMA DM version 1.2 is used as an example only. 
@@ -83,7 +85,7 @@ The following example shows the header component of a DM message. In this case,
 > [!NOTE]
 > The `` node value for the `` element in the SyncHdr of the device-generated DM package should be the same as the value of ./DevInfo/DevID. For more information about DevID, see [DevInfo configuration service provider](mdm/devinfo-csp.md).
- 
+
 ```xml
diff --git a/windows/client-management/toc.yml b/windows/client-management/toc.yml
index 74837fc166..5b714f4154 100644
--- a/windows/client-management/toc.yml
+++ b/windows/client-management/toc.yml
@@ -5,85 +5,68 @@ items: - name: Mobile device management (MDM) expanded: true items: - - name: Overview + - name: MDM overview + expanded: true items: - - name: MDM overview + - name: What is MDM? href: mdm-overview.md - - name: What's new in MDM enrollment and management + - name: What's new in MDM href: new-in-windows-mdm-enrollment-management.md - - name: Azure Active Directory integration with MDM - href: azure-active-directory-integration-with-mdm.md + - name: Azure Active Directory integration + href: azure-active-directory-integration-with-mdm.md + - name: Transitioning to modern management + href: manage-windows-10-in-your-organization-modern-management.md + - name: Push notification support + href: push-notification-windows-mdm.md + - name: MAM support + href: implement-server-side-mobile-application-management.md + - name: Enroll devices + expanded: false items: - - name: Add an Azure AD tenant and Azure AD subscription - href: add-an-azure-ad-tenant-and-azure-ad-subscription.md - - name: Register your free Azure Active Directory subscription - href: register-your-free-azure-active-directory-subscription.md - - name: Device enrollment - href: mobile-device-enrollment.md - items: - - name: MDM enrollment of Windows devices + - name: Enrollment overview + href: mobile-device-enrollment.md + - name: Manual enrollment href: mdm-enrollment-of-windows-devices.md - - name: "Azure AD and Microsoft Intune: Automatic MDM enrollment" + - name: Automatic enrollment href: azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md - - name: Enroll a Windows 10 device automatically using Group Policy + - name: Group policy enrollment href: enroll-a-windows-10-device-automatically-using-group-policy.md - name: Bulk enrollment href: bulk-enrollment-using-windows-provisioning-tool.md - - name: Federated authentication device enrollment + - name: Federated authentication enrollment href: federated-authentication-device-enrollment.md - - name: Certificate 
authentication device enrollment + - name: Certificate authentication enrollment href: certificate-authentication-device-enrollment.md - - name: On-premises authentication device enrollment + - name: On-premises authentication enrollment href: on-premise-authentication-device-enrollment.md - - name: Disconnecting a device from MDM (unenrollment) - href: disconnecting-from-mdm-unenrollment.md - - name: Enterprise settings, policies, and app management - href: windows-mdm-enterprise-settings.md + - name: Manage devices + expanded: false items: - - name: Enterprise app management + - name: Manage settings + href: windows-mdm-enterprise-settings.md + - name: Manage apps href: enterprise-app-management.md - - name: Deploy and configure App-V apps using MDM - href: appv-deploy-and-config.md - - name: Mobile device management (MDM) for device updates + - name: Manage updates href: device-update-management.md - name: Secured-Core PC Configuration Lock href: config-lock.md - name: Certificate renewal href: certificate-renewal-windows-mdm.md - - name: Diagnose MDM failures in Windows 10 - href: diagnose-mdm-failures-in-windows-10.md - - name: Push notification support for device management - href: push-notification-windows-mdm.md - - name: MAM support for device management - href: implement-server-side-mobile-application-management.md + - name: Diagnose MDM failures + expanded: false + items: + - name: Collect MDM logs + href: mdm-collect-logs.md + - name: Diagnose MDM enrollment + href: mdm-diagnose-enrollment.md + - name: Known issues + href: mdm-known-issues.md + - name: Unenroll devices + href: disconnecting-from-mdm-unenrollment.md - name: Configuration service provider reference href: mdm/index.yml - name: Client management tools and settings - items: - - name: Windows Tools/Administrative Tools - href: administrative-tools-in-windows-10.md - - name: Use Quick Assist to help users - href: quick-assist.md - - name: Connect to remote Azure Active Directory-joined PC - 
href: connect-to-remote-aadj-pc.md - - name: Create mandatory user profiles - href: mandatory-user-profile.md - - name: New policies for Windows 10 - href: new-policies-for-windows-10.md - - name: Windows 10 default media removal policy - href: change-default-removal-policy-external-storage-media.md - - name: Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education - href: group-policies-for-enterprise-and-education-editions.md - - name: Manage Device Installation with Group Policy - href: manage-device-installation-with-group-policy.md - - name: Manage the Settings app with Group Policy - href: manage-settings-app-with-group-policy.md - - name: What version of Windows am I running - href: windows-version-search.md - - name: Transitioning to modern management - href: manage-windows-10-in-your-organization-modern-management.md - - name: Windows libraries - href: windows-libraries.md + expanded: true + href: client-tools/toc.yml - name: Troubleshoot Windows clients href: /troubleshoot/windows-client/welcome-windows-client - diff --git a/windows/client-management/understanding-admx-backed-policies.md b/windows/client-management/understanding-admx-backed-policies.md index 344d0eb5a7..dd0861e26c 100644 --- a/windows/client-management/understanding-admx-backed-policies.md +++ b/windows/client-management/understanding-admx-backed-policies.md 
@@ -1,28 +1,32 @@
 ---
 title: Understanding ADMX policies
-description: You can use ADMX policies for Windows mobile device management (MDM) across Windows devices.
+description: You can use ADMX policies for Windows mobile device management (MDM) across Windows devices.
 ms.author: vinpa
 ms.topic: article
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 03/23/2020
-ms.reviewer:
+ms.reviewer:
 manager: aaroncz
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
 ---
 # Understanding ADMX policies
 Due to increased simplicity and the ease with which devices can be targeted, enterprise businesses are finding it increasingly advantageous to move their PC management to a cloud-based device management solution. Unfortunately, the modern Windows PC device-management solutions lack the critical policy and app settings configuration capabilities that are supported in a traditional PC management solution.
-Starting in Windows 10 version 1703, Mobile Device Management (MDM) policy configuration support expanded to allow access of selected set of Group Policy administrative templates (ADMX policies) for Windows PCs via the Policy configuration service provider (CSP). This expanded access ensures that enterprises can keep their devices compliant and prevent the risk on compromising security of their devices managed through the cloud.
+Mobile Device Management (MDM) policy configuration support expanded to allow access of selected set of Group Policy administrative templates (ADMX policies) for Windows PCs via the Policy configuration service provider (CSP). This expanded access ensures that enterprises can keep their devices compliant and prevent the risk on compromising security of their devices managed through the cloud.
-## Background
+## Background
 In addition to standard MDM policies, the Policy CSP can also handle selected set of ADMX policies.
In an ADMX policy, an administrative template contains the metadata of a Windows Group Policy and can be edited in the Local Group Policy Editor on a PC. Each administrative template specifies the registry keys (and their values) that are associated with a Group Policy and defines the policy settings that can be managed. Administrative templates organize Group Policies in a hierarchy in which each segment in the hierarchical path is defined as a category. Each setting in a Group Policy administrative template corresponds to a specific registry value. These Group Policy settings are defined in a standards-based, XML file format known as an ADMX file. For more information, see [Group Policy ADMX Syntax Reference Guide](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753471(v=ws.10)). ADMX files can either describe operating system (OS) Group Policies that are shipped with Windows or they can describe settings of applications, which are separate from the OS and can usually be downloaded and installed on a PC. Depending on the specific category of the settings that they control (OS or application), the administrative template settings are found in the following two locations in the Local Group Policy Editor: + - OS settings: Computer Configuration/Administrative Templates - Application settings: User Configuration/Administrative Templates 
@@ -33,26 +37,27 @@ An ADMX file can either be shipped with Windows (located at `%SystemRoot%\policy Windows maps the name and category path of a Group Policy to an MDM policy area and policy name by parsing the associated ADMX file, finding the specified Group Policy, and storing the definition (metadata) in the MDM Policy CSP client store. When the MDM policy is referenced by a SyncML command and the Policy CSP URI, `.\[device|user]\vendor\msft\policy\[config|result]\\`, this metadata is referenced and determines which registry keys are set or removed. For a list of ADMX policies supported by MDM, see [Policy CSP - ADMX policies](mdm/policy-configuration-service-provider.md). - + -## ADMX files and the Group Policy Editor +## ADMX files and the Group Policy Editor To capture the end-to-end MDM handling of ADMX Group Policies, an IT administrator must use a UI, such as the Group Policy Editor (gpedit.msc), to gather the necessary data. The MDM ISV console UI determines how to gather the needed Group Policy data from the IT administrator. ADMX Group Policies are organized in a hierarchy and can have a scope of machine, user, or both. The Group Policy example in the next section uses a machine-wide Group Policy named "Publishing Server 2 Settings." When this Group Policy is selected, its available states are **Not Configured**, **Enabled**, and **Disabled**. The ADMX file that the MDM ISV uses to determine what UI to display to the IT administrator is the same ADMX file that the client uses for the policy definition. The ADMX file is processed either by the OS at build time or set by the client at OS runtime. In either case, the client and the MDM ISV must be synchronized with the ADMX policy definitions. Each ADMX file corresponds to a Group Policy category and typically contains several policy definitions, each of which represents a single Group Policy. 
For example, the policy definition for the "Publishing Server 2 Settings" is contained in the appv.admx file, which holds the policy definitions for the Microsoft Application Virtualization (App-V) Group Policy category. Group Policy option button setting: + - If **Enabled** is selected, the necessary data entry controls are displayed for the user in the UI. When IT administrator enters the data and clicks **Apply**, the following events occur: - - The MDM ISV server sets up a Replace SyncML command with a payload that contains the user-entered data. - - The MDM client stack receives this data, which causes the Policy CSP to update the device's registry per the ADMX policy definition. + - The MDM ISV server sets up a Replace SyncML command with a payload that contains the user-entered data. + - The MDM client stack receives this data, which causes the Policy CSP to update the device's registry per the ADMX policy definition. - If **Disabled** is selected and you click **Apply**, the following events occur: - - The MDM ISV server sets up a Replace SyncML command with a payload set to ``. - - The MDM client stack receives this command, which causes the Policy CSP to either delete the device's registry settings, set the registry keys, or both, per the state change directed by the ADMX policy definition. + - The MDM ISV server sets up a Replace SyncML command with a payload set to ``. + - The MDM client stack receives this command, which causes the Policy CSP to either delete the device's registry settings, set the registry keys, or both, per the state change directed by the ADMX policy definition. - If **Not Configured** is selected and you click **Apply**, the following events occur: - - MDM ISV server sets up a Delete SyncML command. - - The MDM client stack receives this command, which causes the Policy CSP to delete the device's registry settings per the ADMX policy definition. + - MDM ISV server sets up a Delete SyncML command. 
+ - The MDM client stack receives this command, which causes the Policy CSP to delete the device's registry settings per the ADMX policy definition. The following diagram shows the main display for the Group Policy Editor. @@ -72,25 +77,26 @@ For more information about the Group Policy description format, see [Administrat For example, if you search for the string, "Publishing_Server2_Name_Prompt" in both the *Enabling a policy* example and its corresponding ADMX policy definition in the appv.admx file, you'll find the following occurrences: Enabling a policy example: + ```XML `` ``` Appv.admx file: + ```XML ``` - -## ADMX policy examples +## ADMX policy examples The following SyncML examples describe how to set an MDM policy that is defined by an ADMX template, specifically the Publishing_Server2_Policy Group Policy description in the application virtualization ADMX file, appv.admx. The functionality that this Group Policy manages isn't important; it's used to illustrate only how an MDM ISV can set an ADMX policy. These SyncML examples illustrate common options and the corresponding SyncML code that can be used for testing your policies. The payload of the SyncML must be XML-encoded; for this XML encoding, you can use favorite online tool. To avoid encoding the payload, you can use CData if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +### Enabling a policy -### Enabling a policy +**Payload**: -**Payload** ```XML @@ -104,7 +110,9 @@ The following SyncML examples describe how to set an MDM policy that is defined ``` -**Request SyncML** + +**Request SyncML**: + ```XML @@ -138,7 +146,8 @@ The following SyncML examples describe how to set an MDM policy that is defined ``` -**Response SyncML** +**Response SyncML**: + ```XML 2 
@@ -149,14 +158,16 @@ The following SyncML examples describe how to set an MDM policy that is defined ``` -### Disabling a policy +### Disabling a policy + +**Payload**: -**Payload** ```XML ``` -**Request SyncML** +**Request SyncML**: + ```XML @@ -177,9 +188,10 @@ The following SyncML examples describe how to set an MDM policy that is defined -'''' +``` + +**Response SyncML**: -**Response SyncML** ```XML 2 @@ -190,13 +202,13 @@ The following SyncML examples describe how to set an MDM policy that is defined ``` -### Setting a policy to not configured +### Setting a policy to not configured -**Payload** +**Payload**: (None) -**Request SyncML** +**Request SyncML**: ```XML @@ -215,7 +227,7 @@ The following SyncML examples describe how to set an MDM policy that is defined ``` -**Response SyncML** +**Response SyncML**: ```XML 
@@ -227,35 +239,31 @@ The following SyncML examples describe how to set an MDM policy that is defined ``` -## Sample SyncML for various ADMX elements +## Sample SyncML for various ADMX elements This section describes sample SyncML for the various ADMX elements like Text, Multi-Text, Decimal, Boolean, and List. -### How a Group Policy policy category path and name are mapped to an MDM area and policy name +### How a Group Policy policy category path and name are mapped to an MDM area and policy name -Below is the internal OS mapping of a Group Policy to an MDM area and name. This mapping is part of a set of Windows manifest that when compiled parses out the associated ADMX file, finds the specified Group Policy policy and stores that definition (metadata) in the MDM Policy CSP client store.  ADMX backed policies are organized hierarchically. Their scope can be **machine**, **user**, or have a scope of **both**. When the MDM policy is referred to through a SyncML command and the Policy CSP URI, as shown below, this metadata is referenced and determines what registry keys are set or removed. Machine-scope policies are referenced via .\Device and the user scope policies via .\User. +Below is the internal OS mapping of a Group Policy to an MDM area and name. This mapping is part of a set of Windows manifest that when compiled parses out the associated ADMX file, finds the specified Group Policy policy and stores that definition (metadata) in the MDM Policy CSP client store. ADMX backed policies are organized hierarchically. Their scope can be **machine**, **user**, or have a scope of **both**. When the MDM policy is referred to through a SyncML command and the Policy CSP URI, as shown below, this metadata is referenced and determines what registry keys are set or removed. Machine-scope policies are referenced via .\Device and the user scope policies via .\User. 
`./[Device|User]/Vendor/MSFT/Policy/Config/[config|result]//` The data payload of the SyncML needs to be encoded so that it doesn't conflict with the boilerplate SyncML XML tags. Use this online tool for encoding and decoding the policy data [Coder's Toolbox](https://coderstoolbox.net/string/#!encoding=xml&action=encode&charset=us_ascii). -**Snippet of manifest for AppVirtualization area:** +**Snippet of manifest for AppVirtualization area**: ```XML -. -. -. + ... -. -. -. + ... ``` The **LocURI** for the above GP policy is: @@ -264,11 +272,11 @@ The **LocURI** for the above GP policy is: To construct SyncML for your area/policy using the samples below, you need to update the **data id** and the **value** in the `` section of the SyncML. The items prefixed with an '&' character are the escape characters needed and can be retained as shown. -### Text Element +### Text Element The `text` element simply corresponds to a string and correspondingly to an edit box in a policy panel display by gpedit.msc. The string is stored in the registry of type REG_SZ. -**ADMX file: inetres.admx** +**ADMX file: inetres.admx**: ```XML @@ -280,7 +288,7 @@ The `text` element simply corresponds to a string and correspondingly to an edit ``` -#### Corresponding SyncML: +**Corresponding SyncML**: ```XML 
@@ -304,9 +312,9 @@ The `text` element simply corresponds to a string and correspondingly to an edit ``` -### MultiText Element +### MultiText Element -The `multiText` element simply corresponds to a REG_MULTISZ registry string and correspondingly to a grid to enter multiple strings in a policy panel display by gpedit.msc.  It's expected that each string in the SyncML is to be separated by the Unicode character 0xF000 (encoded version: ``) +The `multiText` element simply corresponds to a REG_MULTISZ registry string and correspondingly to a grid to enter multiple strings in a policy panel display by gpedit.msc. It's expected that each string in the SyncML is to be separated by the Unicode character 0xF000 (encoded version: ``) ```XML ``` -#### Corresponding SyncML: +**Corresponding SyncML**: ```XML @@ -345,7 +353,7 @@ The `multiText` element simply corresponds to a REG_MULTISZ registry string and ``` -### List Element (and its variations) +### List Element (and its variations) The `list` element simply corresponds to a hive of REG_SZ registry strings and correspondingly to a grid to enter multiple strings in a policy panel display by gpedit.msc. How this element is represented in SyncML is as a string containing pairs of strings. Each pair is a REG_SZ name/value key. It's best to apply the policy through gpedit.msc (run as Administrator) and go to the registry hive location and see how the list values are stored. This location will give you an idea of the way the name/value pairs are stored to express it through SyncML. @@ -354,7 +362,7 @@ The `list` element simply corresponds to a hive of REG_SZ registry strings and c Variations of the `list` element are dictated by attributes. These attributes are ignored by the Policy Manager runtime. It's expected that the MDM server manages the name/value pairs. See below for a simple write-up of Group Policy List. -**ADMX file: inetres.admx** +**ADMX file: inetres.admx**: ```XML 
@@ -366,7 +374,7 @@ Variations of the `list` element are dictated by attributes. These attributes ar ``` -#### Corresponding SyncML: +**Corresponding SyncML**: ```XML @@ -389,7 +397,7 @@ Variations of the `list` element are dictated by attributes. These attributes ar ``` -### No Elements +### No Elements ```XML @@ -398,7 +406,7 @@ Variations of the `list` element are dictated by attributes. These attributes ar ``` -#### Corresponding SyncML: +**Corresponding SyncML**: ```XML @@ -421,7 +429,7 @@ Variations of the `list` element are dictated by attributes. These attributes ar ``` -### Enum +### Enum ```XML @@ -455,7 +463,7 @@ Variations of the `list` element are dictated by attributes. These attributes ar ``` -#### Corresponding SyncML: +**Corresponding SyncML**: ```XML @@ -477,7 +485,7 @@ Variations of the `list` element are dictated by attributes. These attributes ar ``` -### Decimal Element +### Decimal Element ```XML ``` -#### Corresponding SyncML: +**Corresponding SyncML**: ```XML @@ -514,7 +522,7 @@ Variations of the `list` element are dictated by attributes. These attributes ar ``` -### Boolean Element +### Boolean Element ```XML @@ -540,7 +548,7 @@ Variations of the `list` element are dictated by attributes. These attributes ar ``` -#### Corresponding SyncML: +**Corresponding SyncML**: ```XML diff --git a/windows/client-management/using-powershell-scripting-with-the-wmi-bridge-provider.md b/windows/client-management/using-powershell-scripting-with-the-wmi-bridge-provider.md index 5c5b946138..d3ea09a030 100644 --- a/windows/client-management/using-powershell-scripting-with-the-wmi-bridge-provider.md +++ b/windows/client-management/using-powershell-scripting-with-the-wmi-bridge-provider.md 
@@ -1,7 +1,7 @@ --- title: Using PowerShell scripting with the WMI Bridge Provider description: This topic covers using PowerShell Cmdlet scripts to configure per-user and per-device policy settings, and how to invoke methods through the WMI Bridge Provider. -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa ms.topic: article @@ -9,13 +9,15 @@ ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft ms.date: 06/26/2017 +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 --- # Using PowerShell scripting with the WMI Bridge Provider This topic covers using PowerShell Cmdlet scripts to configure per-user and per-device policy settings, and how to invoke methods through the [WMI Bridge Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal). - ## Configuring per-device policy settings This section provides a PowerShell Cmdlet sample script to configure per-device settings through the [WMI Bridge Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal). If a class supports device settings, there must be a class level qualifier defined for InPartition("local-system"). @@ -42,7 +44,7 @@ The following script describes how to create, enumerate, query, modify, and dele $namespaceName = "root\cimv2\mdm\dmmap" $className = "MDM_Policy_Config01_WiFi02" -# Create a new instance for MDM_Policy_Config01_WiFi02 +# Create a new instance for MDM_Policy_Config01_WiFi02 New-CimInstance -Namespace $namespaceName -ClassName $className -Property @{ParentID="./Vendor/MSFT/Policy/Config";InstanceID="WiFi";AllowInternetSharing=1;AllowAutoConnectToWiFiSenseHotspots=0;WLANScanMode=100} # Enumerate all instances available for MDM_Policy_Config01_WiFi02 
@@ -84,15 +86,13 @@ class MDM_Policy_User_Config01_Authentication02 }; ``` -> **Note**  If the currently logged on user is trying to access or modify user settings for themselves, it is much easier to use the per-device settings script from the previous section. All PowerShell cmdlets must be executed under an elevated admin command prompt. - -  +> [!NOTE] +> If the currently logged on user is trying to access or modify user settings for themselves, it is much easier to use the per-device settings script from the previous section. All PowerShell cmdlets must be executed under an elevated admin command prompt. If accessing or modifying settings for a different user, then the PowerShell script is more complicated because the WMI Bridge expects the user SID to be set in MI Custom Context, which isn't supported in native PowerShell cmdlets. -> **Note**   All commands must executed under local system. - -  +> [!NOTE] +> All commands must executed under local system. A user SID can be obtained by Windows command `wmic useraccount get name, sid`. The following script example assumes the user SID is S-1-5-21-4017247134-4237859428-3008104844-1001. @@ -220,5 +220,3 @@ catch [Exception] ## Related topics [WMI Bridge Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) - -  \ No newline at end of file diff --git a/windows/client-management/win32-and-centennial-app-policy-configuration.md b/windows/client-management/win32-and-centennial-app-policy-configuration.md index 830640d4c2..b6502accac 100644 --- a/windows/client-management/win32-and-centennial-app-policy-configuration.md +++ b/windows/client-management/win32-and-centennial-app-policy-configuration.md 
@@ -1,33 +1,27 @@ --- title: Win32 and Desktop Bridge app ADMX policy Ingestion -description: Starting in Windows 10, version 1703, you can ingest ADMX files and set those ADMX policies for Win32 and Desktop Bridge apps. +description: Ingest ADMX files and set ADMX policies for Win32 and Desktop Bridge apps. ms.author: vinpa ms.topic: article ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft ms.date: 03/23/2020 -ms.reviewer: +ms.reviewer: manager: aaroncz +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 --- # Win32 and Desktop Bridge app ADMX policy Ingestion -## In this section +## Overview -- [Overview](#overview) -- [Ingesting an app ADMX file](#ingesting-an-app-admx-file) -- [URI format for configuring an app policy](#uri-format-for-configuring-an-app-policy) -- [ADMX app policy examples](#admx-backed-app-policy-examples) - - [Enabling an app policy](#enabling-an-app-policy) - - [Disabling an app policy](#disabling-an-app-policy) - - [Setting an app policy to not configured](#setting-an-app-policy-to-not-configured) +You can ingest ADMX files (ADMX ingestion) and set those ADMX policies for Win32 and Desktop Bridge apps by using Windows Mobile Device Management (MDM) on desktop SKUs. The ADMX files that define policy information can be ingested to your device by using the Policy CSP URI, `./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall`. The ingested ADMX file is then processed into MDM policies. -## Overview +Starting from the following Windows versions `Replace` command is supported: -Starting in Windows 10, version 1703, you can ingest ADMX files (ADMX ingestion) and set those ADMX policies for Win32 and Desktop Bridge apps by using Windows 10 Mobile Device Management (MDM) on desktop SKUs. The ADMX files that define policy information can be ingested to your device by using the Policy CSP URI, `./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall`. The ingested ADMX file is then processed into MDM policies. 
- -NOTE: Starting from the following Windows 10 version Replace command is supported - Windows 10, version 1903 with KB4512941 and KB4517211 installed - Windows 10, version 1809 with KB4512534 and KB installed - Windows 10, version 1803 with KB4512509 and KB installed @@ -57,17 +51,18 @@ When the ADMX policies are ingested, the registry keys to which each policy is w - software\Microsoft\Edge - Software\Microsoft\EdgeUpdate\ -> [!Warning] +> [!WARNING] > Some operating system components have built in functionality to check devices for domain membership. MDM enforces the configured policy values only if the devices are domain joined, otherwise it does not. However, you can still ingest ADMX files and set ADMX policies regardless of whether the device is domain joined or non-domain joined. > [!NOTE] > Settings that cannot be configured using custom policy ingestion have to be set by pushing the appropriate registry keys directly (for example, by using PowerShell script). -## Ingesting an app ADMX file +## Ingesting an app ADMX file The following ADMX file example shows how to ingest a Win32 or Desktop Bridge app ADMX file and set policies from the file. The ADMX file defines eight policies. -**Payload** +**Payload**: + ```XML @@ -201,7 +196,7 @@ The following ADMX file example shows how to ingest a Win32 or Desktop Bridge ap ``` -**Request Syncml** +**Request Syncml**: The ADMX file is escaped and sent in SyncML format through the Policy CSP URI, `./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}/{SettingType}/{FileUid or AdmxFileName}`. When the ADMX file is imported, the policy states for each new policy are the same as those in a regular MDM policy: Enabled, Disabled, or Not Configured. 
@@ -360,12 +355,13 @@ The following example shows an ADMX file in SyncML format: ``` -**Response Syncml** +**Response Syncml**: + ```XML 21102Add200 ``` -### URI format for configuring an app policy +### URI format for configuring an app policy The following example shows how to derive a Win32 or Desktop Bridge app policy name and policy area name: @@ -394,10 +390,9 @@ The following example shows how to derive a Win32 or Desktop Bridge app policy n ``` -As documented in [Policy CSP](mdm/policy-configuration-service-provider.md), the URI format to configure a policy via Policy CSP is: -'./{user or device}/Vendor/MSFT/Policy/Config/{AreaName}/{PolicyName}'. +As documented in [Policy CSP](mdm/policy-configuration-service-provider.md), the URI format to configure a policy via Policy CSP is: `./{user or device}/Vendor/MSFT/Policy/Config/{AreaName}/{PolicyName}`. -**User or device policy** +**User or device policy**: In the policy class, the attribute is defined as "User" and the URI is prefixed with `./user`. If the attribute value is "Machine", the URI is prefixed with `./device`. 
@@ -409,25 +404,28 @@ The policy {AreaName} format is {AppName}~{SettingType}~{CategoryPathFromAdmx}. {CategoryPathFromAdmx} is derived by traversing the parentCategory parameter. In this example, {CategoryPathFromAdmx} is ParentCategoryArea~Category2~Category3. Therefore, {AreaName} is ContosoCompanyApp~ Policy~ ParentCategoryArea~Category2~Category3. Therefore, from the example: + - Class: User - Policy name: L_PolicyPreventRun_1 - Policy area name: ContosoCompanyApp~Policy~ParentCategoryArea~Category2~Category3 - URI: `./user/Vendor/MSFT/Policy/Config/ContosoCompanyApp~Policy~ParentCategoryArea~Category2~Category3/L_PolicyPreventRun_1` -## ADMX-backed app policy examples +## ADMX-backed app policy examples The following examples describe how to set an ADMX-ingested app policy. -### Enabling an app policy +### Enabling an app policy + +**Payload**: -**Payload** ```XML ``` -**Request Syncml** +**Request Syncml**: + ```XML @@ -449,19 +447,22 @@ The following examples describe how to set an ADMX-ingested app policy. ``` -**Response SyncML** +**Response SyncML**: + ```XML 21103Replace200 ``` -### Disabling an app policy +### Disabling an app policy + +**Payload**: -**Payload** ```XML ``` -**Request SyncML** +**Request SyncML**: + ```XML @@ -483,18 +484,20 @@ The following examples describe how to set an ADMX-ingested app policy. ``` -**Response SyncML** +**Response SyncML**: + ```XML 21104Replace200 ``` -### Setting an app policy to not configured +### Setting an app policy to not configured -**Payload** +**Payload**: (None) -**Request SyncML** +**Request SyncML**: + ```XML @@ -511,7 +514,8 @@ The following examples describe how to set an ADMX-ingested app policy. ``` -**Response SyncML** +**Response SyncML**: + ```XML 21105Delete200 ``` diff --git a/windows/client-management/windows-mdm-enterprise-settings.md b/windows/client-management/windows-mdm-enterprise-settings.md index c773fbc2ea..82d1bf3135 100644 
--- a/windows/client-management/windows-mdm-enterprise-settings.md
+++ b/windows/client-management/windows-mdm-enterprise-settings.md
@@ -1,32 +1,31 @@ --- -title: Enterprise settings, policies, and app management +title: Enterprise settings and policy management description: The DM client manages the interaction between a device and a server. Learn more about the client-server management workflow. -MS-HAID: - - 'p\_phdevicemgmt.enterprise\_settings\_\_policies\_\_and\_app\_management' - - 'p\_phDeviceMgmt.windows\_mdm\_enterprise\_settings' -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa ms.topic: article ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft -ms.date: 06/26/2017 +ms.date: 04/05/2023 +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 --- -# Enterprise settings, policies, and app management +# Enterprise settings and policy management The actual management interaction between the device and server is done via the DM client. The DM client communicates with the enterprise management server via DM v1.2 SyncML syntax. The full description of the OMA DM protocol v1.2 can be found at the [OMA website](https://technical.openmobilealliance.org/). -Windows currently supports one MDM server. The DM client that is configured via the enrollment process is granted access to enterprise related settings. Enterprise MDM settings are exposed via various configuration service providers to the DM client. For the list of available configuration service providers, see [Configuration service provider reference](mdm/index.yml). +Enterprise MDM settings are exposed via various configuration service providers to the DM client. For the list of available configuration service providers, see [Configuration service provider reference](mdm/index.yml). -The DM client is configured during the enrollment process to be invoked by the task scheduler to periodically poll the MDM server. +Windows currently supports one MDM server. The DM client that is configured via the enrollment process is granted access to enterprise related settings. 
The DM client is configured during the enrollment process to be invoked by the task scheduler to periodically poll the MDM server. The following diagram shows the work flow between server and client. ![windows client and server mdm diagram.](images/enterprise-workflow.png) - ## Management workflow This protocol defines an HTTPS-based client/server communication with DM SyncML XML as the package payload that carries management requests and execution results. The configuration request is addressed via a managed object (MO). The settings supported by the managed object are represented in a conceptual tree structure. This logical view of configurable device settings simplifies the way the server addresses the device settings by isolating the implementation details from the conceptual tree structure. 
@@ -37,15 +36,7 @@ The DM client configuration, company policy enforcement, business application ma Here's a summary of the DM tasks supported for enterprise management: -- Company policy management: Company policies are supported via the Policy CSP allows the enterprise to manage various settings. It enables the management service to configure device lock related policies, disable/enable the storage card, and query the device encryption status. The RemoteWipe CSP allows IT pros to remotely fully wipe the internal user data storage. -- Enterprise application management: This task is addressed via the Enterprise ModernApp Management CSP and several ApplicationManagement-related policies. It's used to install the enterprise token, query installed business application names and versions, etc. This CSP is only accessible by the enterprise service. -- Certificate management: CertificateStore CSP, RootCACertificate CSP, and ClientCertificateInstall CSP are used to install certificates. -- Basic device inventory and asset management: Some basic device information can be retrieved via the DevInfo CSP, DevDetail CSPs and the DeviceStatus CSP. These provide basic device information such as OEM name, device model, hardware version, OS version, processor types, etc. This information is for asset management and device targeting. The NodeCache CSP enables the device to only send out delta inventory settings to the server to reduce over-the-air data usage. The NodeCache CSP is only accessible by the enterprise service. - -  - - - - - - +- **Company policy management**: Company policies are supported via the Policy CSP allows the enterprise to manage various settings. It enables the management service to configure device lock related policies, disable/enable the storage card, and query the device encryption status. The RemoteWipe CSP allows IT pros to remotely fully wipe the internal user data storage. 
+- **Enterprise application management**: This task is addressed via the Enterprise ModernApp Management CSP and several ApplicationManagement-related policies. It's used to install the enterprise token, query installed business application names and versions, etc. This CSP is only accessible by the enterprise service. +- **Certificate management**: CertificateStore CSP, RootCACertificate CSP, and ClientCertificateInstall CSP are used to install certificates. +- **Basic device inventory and asset management**: Some basic device information can be retrieved via the DevInfo CSP, DevDetail CSPs and the DeviceStatus CSP. These provide basic device information such as OEM name, device model, hardware version, OS version, processor types, etc. This information is for asset management and device targeting. The NodeCache CSP enables the device to only send out delta inventory settings to the server to reduce over-the-air data usage. The NodeCache CSP is only accessible by the enterprise service. diff --git a/windows/client-management/windows-version-search.md b/windows/client-management/windows-version-search.md deleted file mode 100644 index 0ca2a86f1e..0000000000 --- a/windows/client-management/windows-version-search.md +++ /dev/null 
@@ -1,52 +0,0 @@ ---- -title: What version of Windows am I running? -description: Discover which version of Windows you're running to determine whether or not your device is enrolled in the Long-Term Servicing Channel or General Availability Channel. -keywords: Long-Term Servicing Channel, LTSC, LTSB, General Availability Channel, GAC, Windows, version, OS Build -ms.prod: windows-client -ms.mktglfcycl: manage -ms.sitesec: library -author: vinaypamnani-msft -ms.author: vinpa -ms.date: 04/30/2018 -ms.reviewer: -manager: aaroncz -ms.topic: troubleshooting -ms.technology: itpro-manage ---- - -# What version of Windows am I running? - -To determine if your device is enrolled in the [Long-Term Servicing Channel](/windows/deployment/update/waas-overview#servicing-channels) (LTSC, formerly LTSB) or the [General Availability Channel](/windows/deployment/update/waas-overview#servicing-channels) (SAC) you'll need to know what version of Windows 10 you're running. There are a few ways to figure this out. Each method provides a different set of details, so it’s useful to learn about all of them. - -## System Properties -Click **Start** > **Settings** > **System** > click **About** from the bottom of the left-hand menu - -You'll now see **Edition**, **Version**, and **OS Build** information. Something like this: - -![screenshot of the system properties window for a device running Windows 10.](images/systemcollage.png) - -## Using Keyword Search -You can type the following in the search bar and press **ENTER** to see version details for your device. 
- -**“winver”** - -![screenshot of the About Windows display text.](images/winver.png) - -**“msinfo”** or **"msinfo32"** to open **System Information**: - -![screenshot of the System Information display text.](images/msinfo32.png) - -## Using Command Prompt or PowerShell -At the Command Prompt or PowerShell interface, type **"systeminfo | findstr /B /C:"OS Name" /B /C:"OS Version"** and then press **ENTER** - -![screenshot of system information display text.](images/refcmd.png) - -At the Command Prompt or PowerShell, type **"slmgr /dlv"**, and then press ENTER. The /dlv command displays the detailed licensing information. Notice the output displays "EnterpriseS" as seen in the image below: - -![screenshot of software licensing manager.](images/slmgr_dlv.png) - -## What does it all mean? - -The Long-term Servicing Channel is available only in the Windows 10 Enterprise LTSB edition. This build of Windows doesn’t contain many in-box applications, such as Microsoft Edge, Microsoft Store, Cortana (you do have some limited search capabilities), Microsoft Mail, Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock. It’s important to remember that the LTSC model is primarily for specialized devices. - -In the General Availability Channel, you can set feature updates as soon as Microsoft releases them. This servicing modal is ideal for pilot deployments and to test Windows 10 feature updates and for users like developers who need to work with the latest features immediately. Once you've tested the latest release, you can choose when to roll it out broadly in your deployment. \ No newline at end of file diff --git a/windows/client-management/wmi-providers-supported-in-windows.md b/windows/client-management/wmi-providers-supported-in-windows.md index 3d701812c0..79a3785540 100644 --- a/windows/client-management/wmi-providers-supported-in-windows.md +++ b/windows/client-management/wmi-providers-supported-in-windows.md 
@@ -1,10 +1,7 @@
 ---
-title: WMI providers supported in Windows 10
+title: WMI providers supported in Windows
 description: Manage settings and applications on devices that subscribe to the Mobile Device Management (MDM) service with Windows Management Infrastructure (WMI).
-MS-HAID:
- - 'p\_phdevicemgmt.wmi\_providers\_supported\_in\_windows\_10\_technical\_preview'
- - 'p\_phDeviceMgmt.wmi\_providers\_supported\_in\_windows'
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
@@ -12,11 +9,14 @@ ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 06/26/2017
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
 ---
-# WMI providers supported in Windows 10
+# WMI providers supported in Windows
-Windows Management Infrastructure (WMI) providers (and the classes they support) are used to manage settings and applications on devices that subscribe to the Mobile Device Management (MDM) service. The following subsections show the list WMI MDM classes that are supported in Windows 10.
+Windows Management Infrastructure (WMI) providers (and the classes they support) are used to manage settings and applications on devices that subscribe to the Mobile Device Management (MDM) service. The following subsections show the list WMI MDM classes that are supported in Windows.
 > [!NOTE]
 > Applications installed using WMI classes are not removed when the MDM account is removed from device.
@@ -53,137 +53,135 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw
 ## MDM WMI classes
-|Class|Test completed in Windows 10 for desktop|
-|--- |--- |
-|[**MDM_AppInstallJob**](/previous-versions/windows/desktop/mdmappprov/mdm-appinstalljob)|Currently testing.|
-|[**MDM_Application**](/previous-versions/windows/desktop/mdmappprov/mdm-application)|Currently testing.|
-|[**MDM_ApplicationFramework**](/previous-versions/windows/desktop/mdmappprov/mdm-applicationframework)|Currently testing.|
-|[**MDM_ApplicationSetting**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-applicationsetting)|Currently testing.|
-|[**MDM_BrowserSecurityZones**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-browsersecurityzones)|Yes|
-|[**MDM_BrowserSettings**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-browsersettings)|Yes|
-|[**MDM_Certificate**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-certificate)|Yes|
-|[**MDM_CertificateEnrollment**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-certificateenrollment)|Yes|
-|[**MDM_Client**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-client)|Currently testing.|
-|[**MDM_ConfigSetting**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-configsetting)|Yes|
-|[**MDM_DeviceRegistrationInfo**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-deviceregistrationinfo)||
-|[**MDM_EASPolicy**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-easpolicy)|Yes|
-|[**MDM_MgMtAuthority**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-mgmtauthority)|Yes|
-|**MDM_MsiApplication**||
-|**MDM_MsiInstallJob**||
-|[**MDM_RemoteApplication**](/previous-versions/windows/desktop/mdmappprov/mdm-remoteapplication)|Test not started.|
-|[**MDM_RemoteAppUseCookie**](/previous-versions/windows/desktop/mdmappprov/mdm-remoteappusercookie)|Test not started.|
-|[**MDM_Restrictions**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-restrictions)|Yes|
-|[**MDM_RestrictionsUser**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-restrictionsuser)|Test not started.|
-|[**MDM_SecurityStatus**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-securitystatus)|Yes|
-|[**MDM_SideLoader**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-sideloader)||
-|[**MDM_SecurityStatusUser**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-securitystatususer)|Currently testing.|
-|[**MDM_Updates**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-updates)|Yes|
-|[**MDM_VpnApplicationTrigger**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-vpnapplicationtrigger)|Yes|
-|**MDM_VpnConnection**||
-|[**MDM_WebApplication**](/previous-versions/windows/desktop/mdmappprov/mdm-webapplication)|Currently testing.|
-|[**MDM_WirelessProfile**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-wirelessprofile)|Yes|
-|[**MDM_WirelesssProfileXML**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-wirelessprofilexml)|Yes|
-|[**MDM_WNSChannel**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-wnschannel)|Yes|
-|[**MDM_WNSConfiguration**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-wnsconfiguration)|Yes|
-|[**MSFT_NetFirewallProfile**](/previous-versions/windows/desktop/wfascimprov/msft-netfirewallprofile)|Yes|
-|[**MSFT_VpnConnection**](/previous-versions/windows/desktop/vpnclientpsprov/msft-vpnconnection)|Yes|
-|[**SoftwareLicensingProduct**](/previous-versions/windows/desktop/sppwmi/softwarelicensingproduct)||
-|[**SoftwareLicensingService**](/previous-versions/windows/desktop/sppwmi/softwarelicensingservice)||
+| Class | Test completed in Windows 10 |
+|-----------------------------------------------------------------------------------------------------------------|------------------------------|
+| [**MDM_AppInstallJob**](/previous-versions/windows/desktop/mdmappprov/mdm-appinstalljob) | Currently testing. |
+| [**MDM_Application**](/previous-versions/windows/desktop/mdmappprov/mdm-application) | Currently testing. |
+| [**MDM_ApplicationFramework**](/previous-versions/windows/desktop/mdmappprov/mdm-applicationframework) | Currently testing. |
+| [**MDM_ApplicationSetting**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-applicationsetting) | Currently testing. |
+| [**MDM_BrowserSecurityZones**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-browsersecurityzones) | Yes |
+| [**MDM_BrowserSettings**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-browsersettings) | Yes |
+| [**MDM_Certificate**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-certificate) | Yes |
+| [**MDM_CertificateEnrollment**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-certificateenrollment) | Yes |
+| [**MDM_Client**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-client) | Currently testing. |
+| [**MDM_ConfigSetting**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-configsetting) | Yes |
+| [**MDM_DeviceRegistrationInfo**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-deviceregistrationinfo) | |
+| [**MDM_EASPolicy**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-easpolicy) | Yes |
+| [**MDM_MgMtAuthority**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-mgmtauthority) | Yes |
+| **MDM_MsiApplication** | |
+| **MDM_MsiInstallJob** | |
+| [**MDM_RemoteApplication**](/previous-versions/windows/desktop/mdmappprov/mdm-remoteapplication) | Test not started. |
+| [**MDM_RemoteAppUseCookie**](/previous-versions/windows/desktop/mdmappprov/mdm-remoteappusercookie) | Test not started. |
+| [**MDM_Restrictions**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-restrictions) | Yes |
+| [**MDM_RestrictionsUser**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-restrictionsuser) | Test not started. |
+| [**MDM_SecurityStatus**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-securitystatus) | Yes |
+| [**MDM_SideLoader**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-sideloader) | |
+| [**MDM_SecurityStatusUser**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-securitystatususer) | Currently testing. |
+| [**MDM_Updates**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-updates) | Yes |
+| [**MDM_VpnApplicationTrigger**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-vpnapplicationtrigger) | Yes |
+| **MDM_VpnConnection** | |
+| [**MDM_WebApplication**](/previous-versions/windows/desktop/mdmappprov/mdm-webapplication) | Currently testing. |
+| [**MDM_WirelessProfile**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-wirelessprofile) | Yes |
+| [**MDM_WirelesssProfileXML**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-wirelessprofilexml) | Yes |
+| [**MDM_WNSChannel**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-wnschannel) | Yes |
+| [**MDM_WNSConfiguration**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-wnsconfiguration) | Yes |
+| [**MSFT_NetFirewallProfile**](/previous-versions/windows/desktop/wfascimprov/msft-netfirewallprofile) | Yes |
+| [**MSFT_VpnConnection**](/previous-versions/windows/desktop/vpnclientpsprov/msft-vpnconnection) | Yes |
+| [**SoftwareLicensingProduct**](/previous-versions/windows/desktop/sppwmi/softwarelicensingproduct) | |
+| [**SoftwareLicensingService**](/previous-versions/windows/desktop/sppwmi/softwarelicensingservice) | |
 ### Parental control WMI classes
-| Class | Test completed in Windows 10 for desktop |
-|--------------------------------------------------------------------------|------------------------------------------|
-| [**wpcappoverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
-| [**wpcgameoverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
-| [**wpcgamessettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
-| [**wpcrating**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
-| [**wpcRatingsDescriptor**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | |
-| [**wpcratingssystem**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
-| [**wpcsystemsettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
-| [**wpcurloverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
-| [**wpcusersettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
-| [**wpcwebsettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
-
-
+| Class | Test completed in Windows 10 |
+|-----------------------------------------------------------------------------------------|------------------------------|
+| [**wpcappoverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
+| [**wpcgameoverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
+| [**wpcgamessettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
+| [**wpcrating**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
+| [**wpcRatingsDescriptor**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | |
+| [**wpcratingssystem**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
+| [**wpcsystemsettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
+| [**wpcurloverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
+| [**wpcusersettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
+| [**wpcwebsettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
 ### Win32 WMI classes
-| Class | Test completed in Windows 10 for desktop |
-|--------------------------------------------------------------------------|------------------------------------------|
-[**Win32\_1394Controller**](/windows/win32/cimwin32prov/win32-1394controller) |
-[**Win32\_BaseBoard**](/windows/win32/cimwin32prov/win32-baseboard) |
-[**Win32\_Battery**](/windows/win32/cimwin32prov/win32-battery) | Yes
-[**Win32\_BIOS**](/windows/win32/cimwin32prov/win32-bios) | Yes
-[**Win32\_CDROMDrive**](/windows/win32/cimwin32prov/win32-cdromdrive) |
-[**Win32\_ComputerSystem**](/windows/win32/cimwin32prov/win32-computersystem) | Yes
-[**Win32\_ComputerSystemProduct**](/windows/win32/cimwin32prov/win32-computersystemproduct) | Yes
-[**Win32\_CurrentTime**](/previous-versions/windows/desktop/wmitimepprov/win32-currenttime) | Yes
-[**Win32\_Desktop**](/windows/win32/cimwin32prov/win32-desktop) |
-[**Win32\_DesktopMonitor**](/windows/win32/cimwin32prov/win32-desktopmonitor) |Yes
-[**Win32\_DiskDrive**](/windows/win32/cimwin32prov/win32-diskdrive) | Yes
-[**Win32\_DiskPartition**](/windows/win32/cimwin32prov/win32-diskpartition) |
-[**Win32\_DisplayConfiguration**](/previous-versions//aa394137(v=vs.85)) | Yes
-[**Win32\_DMAChannel**](/windows/win32/cimwin32prov/win32-dmachannel) |
-[**Win32\_DriverVXD**](/previous-versions//aa394141(v=vs.85)) |
-[**Win32\_EncryptableVolume**](/windows/win32/secprov/win32-encryptablevolume) |
-[**Win32\_Environment**](/windows/win32/cimwin32prov/win32-environment) |
-[**Win32\_IDEController**](/windows/win32/cimwin32prov/win32-idecontroller) |
-[**Win32\_InfraredDevice**](/windows/win32/cimwin32prov/win32-infrareddevice) |
-[**Win32\_IRQResource**](/windows/win32/cimwin32prov/win32-irqresource) |
-[**Win32\_Keyboard**](/windows/win32/cimwin32prov/win32-keyboard) |
-[**Win32\_LoadOrderGroup**](/windows/win32/cimwin32prov/win32-loadordergroup) |
-[**Win32\_LocalTime**](/previous-versions/windows/desktop/wmitimepprov/win32-localtime) | Yes
-[**Win32\_LoggedOnUser**](/windows/win32/cimwin32prov/win32-loggedonuser) |
-[**Win32\_LogicalDisk**](/windows/win32/cimwin32prov/win32-logicaldisk) | Yes
-[**Win32\_MotherboardDevice**](/windows/win32/cimwin32prov/win32-motherboarddevice) |
-[**Win32\_NetworkAdapter**](/windows/win32/cimwin32prov/win32-networkadapter) | Yes
-[**Win32\_NetworkAdapterConfiguration**](/windows/win32/cimwin32prov/win32-networkadapterconfiguration) |
-[**Win32\_NetworkClient**](/windows/win32/cimwin32prov/win32-networkclient) |
-[**Win32\_NetworkLoginProfile**](/windows/win32/cimwin32prov/win32-networkloginprofile) |
-[**Win32\_NetworkProtocol**](/windows/win32/cimwin32prov/win32-networkprotocol) |
-[**Win32\_NTEventlogFile**](/previous-versions/windows/desktop/legacy/aa394225(v=vs.85)) |
-[**Win32\_OperatingSystem**](/windows/win32/cimwin32prov/win32-operatingsystem) | Yes
-[**Win32\_OSRecoveryConfiguration**](/windows/win32/cimwin32prov/win32-osrecoveryconfiguration) |
-[**Win32\_PageFileSetting**](/windows/win32/cimwin32prov/win32-pagefilesetting) |
-[**Win32\_ParallelPort**](/windows/win32/cimwin32prov/win32-parallelport) |
-[**Win32\_PCMCIAController**](/windows/win32/cimwin32prov/win32-pcmciacontroller) |
-[**Win32\_PhysicalMedia**](/previous-versions/windows/desktop/cimwin32a/win32-physicalmedia) |
-[**Win32\_PhysicalMemory**](/windows/win32/cimwin32prov/win32-physicalmemory) | Yes
-[**Win32\_PnPDevice**](/windows/win32/cimwin32prov/win32-pnpdevice) |
-[**Win32\_PnPEntity**](/windows/win32/cimwin32prov/win32-pnpentity) |
-[**Win32\_PointingDevice**](/windows/win32/cimwin32prov/win32-pointingdevice) |
-[**Win32\_PortableBattery**](/windows/win32/cimwin32prov/win32-portablebattery) |
-[**Win32\_PortResource**](/windows/win32/cimwin32prov/win32-portresource) |
-[**Win32\_POTSModem**](/windows/win32/cimwin32prov/win32-potsmodem) |
-[**Win32\_Printer**](/windows/win32/cimwin32prov/win32-printer) |
-[**Win32\_PrinterConfiguration**](/windows/win32/cimwin32prov/win32-printerconfiguration) |
-[**Win32\_Processor**](/windows/win32/cimwin32prov/win32-processor) | Yes
-[**Win32\_QuickFixEngineering**](/windows/win32/cimwin32prov/win32-quickfixengineering) | Yes
-[**Win32\_Registry**](/windows/win32/cimwin32prov/win32-registry) |
-[**Win32\_SCSIController**](/windows/win32/cimwin32prov/win32-scsicontroller) |
-[**Win32\_SerialPort**](/windows/win32/cimwin32prov/win32-serialport) |
-[**Win32\_SerialPortConfiguration**](/windows/win32/cimwin32prov/win32-serialportconfiguration) |
-[**Win32\_ServerFeature**](/windows/win32/wmisdk/win32-serverfeature) |
-[**Win32\_Service**](/windows/win32/cimwin32prov/win32-service) | Yes
-[**Win32\_Share**](/windows/win32/cimwin32prov/win32-share) | Yes
-[**Win32\_SoundDevice**](/windows/win32/cimwin32prov/win32-sounddevice) |
-[**Win32\_SystemAccount**](/windows/win32/cimwin32prov/win32-systemaccount) |
-[**Win32\_SystemBIOS**](/windows/win32/cimwin32prov/win32-systembios) | Yes
-[**Win32\_SystemDriver**](/windows/win32/cimwin32prov/win32-systemdriver) |
-[**Win32\_SystemEnclosure**](/windows/win32/cimwin32prov/win32-systemenclosure) | Yes
-[**Win32\_TapeDrive**](/windows/win32/cimwin32prov/win32-tapedrive) |
-[**Win32\_TimeZone**](/windows/win32/cimwin32prov/win32-timezone) | Yes
-[**Win32\_UninterruptiblePowerSupply**](/previous-versions//aa394503(v=vs.85)) |
-[**Win32\_USBController**](/windows/win32/cimwin32prov/win32-usbcontroller) |
-[**Win32\_UTCTime**](/previous-versions/windows/desktop/wmitimepprov/win32-utctime) | Yes
-[**Win32\_VideoController**](/windows/win32/cimwin32prov/win32-videocontroller) |
-**Win32\_WindowsUpdateAgentVersion** |
-
+| Class | Test completed in Windows 10 |
+|---------------------------------------------------------------------------------------------------------|------------------------------|
+| [**Win32\_1394Controller**](/windows/win32/cimwin32prov/win32-1394controller) |
+| [**Win32\_BaseBoard**](/windows/win32/cimwin32prov/win32-baseboard) |
+| [**Win32\_Battery**](/windows/win32/cimwin32prov/win32-battery) | Yes |
+| [**Win32\_BIOS**](/windows/win32/cimwin32prov/win32-bios) | Yes |
+| [**Win32\_CDROMDrive**](/windows/win32/cimwin32prov/win32-cdromdrive) |
+| [**Win32\_ComputerSystem**](/windows/win32/cimwin32prov/win32-computersystem) | Yes |
+| [**Win32\_ComputerSystemProduct**](/windows/win32/cimwin32prov/win32-computersystemproduct) | Yes |
+| [**Win32\_CurrentTime**](/previous-versions/windows/desktop/wmitimepprov/win32-currenttime) | Yes |
+| [**Win32\_Desktop**](/windows/win32/cimwin32prov/win32-desktop) |
+| [**Win32\_DesktopMonitor**](/windows/win32/cimwin32prov/win32-desktopmonitor) | Yes |
+| [**Win32\_DiskDrive**](/windows/win32/cimwin32prov/win32-diskdrive) | Yes |
+| [**Win32\_DiskPartition**](/windows/win32/cimwin32prov/win32-diskpartition) |
+| [**Win32\_DisplayConfiguration**](/previous-versions//aa394137(v=vs.85)) | Yes |
+| [**Win32\_DMAChannel**](/windows/win32/cimwin32prov/win32-dmachannel) |
+| [**Win32\_DriverVXD**](/previous-versions//aa394141(v=vs.85)) |
+| [**Win32\_EncryptableVolume**](/windows/win32/secprov/win32-encryptablevolume) |
+| [**Win32\_Environment**](/windows/win32/cimwin32prov/win32-environment) |
+| [**Win32\_IDEController**](/windows/win32/cimwin32prov/win32-idecontroller) |
+| [**Win32\_InfraredDevice**](/windows/win32/cimwin32prov/win32-infrareddevice) |
+| [**Win32\_IRQResource**](/windows/win32/cimwin32prov/win32-irqresource) |
+| [**Win32\_Keyboard**](/windows/win32/cimwin32prov/win32-keyboard) |
+| [**Win32\_LoadOrderGroup**](/windows/win32/cimwin32prov/win32-loadordergroup) |
+| [**Win32\_LocalTime**](/previous-versions/windows/desktop/wmitimepprov/win32-localtime) | Yes |
+| [**Win32\_LoggedOnUser**](/windows/win32/cimwin32prov/win32-loggedonuser) |
+| [**Win32\_LogicalDisk**](/windows/win32/cimwin32prov/win32-logicaldisk) | Yes |
+| [**Win32\_MotherboardDevice**](/windows/win32/cimwin32prov/win32-motherboarddevice) |
+| [**Win32\_NetworkAdapter**](/windows/win32/cimwin32prov/win32-networkadapter) | Yes |
+| [**Win32\_NetworkAdapterConfiguration**](/windows/win32/cimwin32prov/win32-networkadapterconfiguration) |
+| [**Win32\_NetworkClient**](/windows/win32/cimwin32prov/win32-networkclient) |
+| [**Win32\_NetworkLoginProfile**](/windows/win32/cimwin32prov/win32-networkloginprofile) |
+| [**Win32\_NetworkProtocol**](/windows/win32/cimwin32prov/win32-networkprotocol) |
+| [**Win32\_NTEventlogFile**](/previous-versions/windows/desktop/legacy/aa394225(v=vs.85)) |
+| [**Win32\_OperatingSystem**](/windows/win32/cimwin32prov/win32-operatingsystem) | Yes |
+| [**Win32\_OSRecoveryConfiguration**](/windows/win32/cimwin32prov/win32-osrecoveryconfiguration) |
+| [**Win32\_PageFileSetting**](/windows/win32/cimwin32prov/win32-pagefilesetting) |
+| [**Win32\_ParallelPort**](/windows/win32/cimwin32prov/win32-parallelport) |
+| [**Win32\_PCMCIAController**](/windows/win32/cimwin32prov/win32-pcmciacontroller) |
+| [**Win32\_PhysicalMedia**](/previous-versions/windows/desktop/cimwin32a/win32-physicalmedia) |
+| [**Win32\_PhysicalMemory**](/windows/win32/cimwin32prov/win32-physicalmemory) | Yes |
+| [**Win32\_PnPDevice**](/windows/win32/cimwin32prov/win32-pnpdevice) |
+| [**Win32\_PnPEntity**](/windows/win32/cimwin32prov/win32-pnpentity) |
+| [**Win32\_PointingDevice**](/windows/win32/cimwin32prov/win32-pointingdevice) |
+| [**Win32\_PortableBattery**](/windows/win32/cimwin32prov/win32-portablebattery) |
+| [**Win32\_PortResource**](/windows/win32/cimwin32prov/win32-portresource) |
+| [**Win32\_POTSModem**](/windows/win32/cimwin32prov/win32-potsmodem) |
+| [**Win32\_Printer**](/windows/win32/cimwin32prov/win32-printer) |
+| [**Win32\_PrinterConfiguration**](/windows/win32/cimwin32prov/win32-printerconfiguration) |
+| [**Win32\_Processor**](/windows/win32/cimwin32prov/win32-processor) | Yes |
+| [**Win32\_QuickFixEngineering**](/windows/win32/cimwin32prov/win32-quickfixengineering) | Yes |
+| [**Win32\_Registry**](/windows/win32/cimwin32prov/win32-registry) |
+| [**Win32\_SCSIController**](/windows/win32/cimwin32prov/win32-scsicontroller) |
+| [**Win32\_SerialPort**](/windows/win32/cimwin32prov/win32-serialport) |
+| [**Win32\_SerialPortConfiguration**](/windows/win32/cimwin32prov/win32-serialportconfiguration) |
+| [**Win32\_ServerFeature**](/windows/win32/wmisdk/win32-serverfeature) |
+| [**Win32\_Service**](/windows/win32/cimwin32prov/win32-service) | Yes |
+| [**Win32\_Share**](/windows/win32/cimwin32prov/win32-share) | Yes |
+| [**Win32\_SoundDevice**](/windows/win32/cimwin32prov/win32-sounddevice) |
+| [**Win32\_SystemAccount**](/windows/win32/cimwin32prov/win32-systemaccount) |
+| [**Win32\_SystemBIOS**](/windows/win32/cimwin32prov/win32-systembios) | Yes |
+| [**Win32\_SystemDriver**](/windows/win32/cimwin32prov/win32-systemdriver) |
+| [**Win32\_SystemEnclosure**](/windows/win32/cimwin32prov/win32-systemenclosure) | Yes |
+| [**Win32\_TapeDrive**](/windows/win32/cimwin32prov/win32-tapedrive) |
+| [**Win32\_TimeZone**](/windows/win32/cimwin32prov/win32-timezone) | Yes |
+| [**Win32\_UninterruptiblePowerSupply**](/previous-versions//aa394503(v=vs.85)) |
+| [**Win32\_USBController**](/windows/win32/cimwin32prov/win32-usbcontroller) |
+| [**Win32\_UTCTime**](/previous-versions/windows/desktop/wmitimepprov/win32-utctime) | Yes |
+| [**Win32\_VideoController**](/windows/win32/cimwin32prov/win32-videocontroller) |
+| **Win32\_WindowsUpdateAgentVersion** |
 ## Related topics
 [Configuration service provider reference](mdm/index.yml)
 ## Related Links
+ [CIM Video Controller](/windows/win32/cimwin32prov/cim-videocontroller)
diff --git a/windows/security/threat-protection/fips-140-validation.md b/windows/security/threat-protection/fips-140-validation.md
index 4f3fd11f90..85a59f77d7 100644
--- a/windows/security/threat-protection/fips-140-validation.md
+++ b/windows/security/threat-protection/fips-140-validation.md
@@ -628,7 +628,7 @@ For more details, expand each product section.
-## Cryprtographic algorithms
+## Cryptographic algorithms
 The following tables are organized by cryptographic algorithms with their modes, states, and key sizes. For each algorithm implementation (operating system / platform), there is a link to the Cryptographic Algorithm Validation Program (CAVP) issued certificate.\
 For more details, expand each algorithm section.
@@ -1779,4 +1779,4 @@ SMB3 can be FIPS 140 compliant, if Windows is configured to operate in FIPS 140
 [sp-3615]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3615.pdf
 [sp-3644]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3644.pdf
 [sp-3651]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3651.pdf
-[sp-3690]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3690.pdf
\ No newline at end of file
+[sp-3690]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3690.pdf