deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-16 02:43:43 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'main' into aljupudi0dmclientcsp-updatesfeedback

Browse Source
This commit is contained in:
Daniel Simpson
2022-06-08 05:45:31 -07:00
committed by GitHub
parent 47322e6868 341226bf86
commit c7d0ff97e4
283 changed files with 2510 additions and 1693 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
windows/client-management/mdm/change-history-for-mdm-documentation.md
View File

@ -1,13 +1,13 @@
---
title: Change history for MDM documentation
description: This article lists new and updated articles for Mobile Device Management.
author: aczechowski
ms.author: aaroncz
ms.reviewer:
manager: dansimp
ms.author: dansimp
manager: dougeby
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
ms.localizationpriority: medium
ms.date: 10/19/2020
---
@ -174,7 +174,6 @@ This article lists new and updated articles for the Mobile Device Management (MD
|New or updated article | Description|
|--- | ---|
|[Mobile device management](index.md#mmat) | Added information about the MDM Migration Analysis Tool (MMAT).|
|[Policy CSP - DeviceGuard](policy-csp-deviceguard.md) | Updated ConfigureSystemGuardLaunch policy and replaced EnableSystemGuard with it.|
## August 2018
@ -227,7 +226,6 @@ This article lists new and updated articles for the Mobile Device Management (MD
|[WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md)|Added the following node in Windows 10, version 1803:<li>Settings/AllowVirtualGPU<li>Settings/SaveFilesToHost|
|[NetworkProxy CSP](networkproxy-csp.md)|Added the following node in Windows 10, version 1803:<li>ProxySettingsPerUser|
|[Accounts CSP](accounts-csp.md)|Added a new CSP in Windows 10, version 1803.|
|[MDM Migration Analysis Tool (MMAT)](https://aka.ms/mmat)|Updated version available. MMAT is a tool you can use to determine which Group Policies are set on a target user/computer and cross-reference them against the list of supported MDM policies.|
|[CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download)|Added the DDF download of Windows 10, version 1803 configuration service providers.|
|[Policy CSP](policy-configuration-service-provider.md)|Added the following new policies for Windows 10, version 1803:<li>Bluetooth/AllowPromptedProximalConnections<li>KioskBrowser/EnableEndSessionButton<li>LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication<li>LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic<li>LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic<li>LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers|

2
windows/client-management/mdm/device-update-management.md
View File

@ -861,7 +861,7 @@ Here's the list of corresponding Group Policy settings in HKLM\\Software\\Polici
|DeferFeatureUpdates|REG_DWORD|1: defer feature updates<br><br>Other value or absent: dont defer feature updates|
|DeferFeatureUpdatesPeriodInDays|REG_DWORD|0-180: days to defer feature updates|
|PauseFeatureUpdates|REG_DWORD|1: pause feature updates<br><br>Other value or absent: dont pause feature updates|
|ExcludeWUDriversInQualityUpdate|REG_DWORD|1: exclude WU drivers<br><br>Other value or absent: offer WU drivers|
|ExcludeWUDriversInQualityUpdate|REG_DWORD|1: exclude Windows Update drivers<br><br>Other value or absent: offer Windows Update drivers|
Here's the list of older policies that are still supported for backward compatibility. You can use these older policies for Windows 10, version 1511 devices.

2
windows/client-management/mdm/dmclient-csp.md
View File

@ -630,7 +630,7 @@ The status error mapping is listed below.
|--- |--- |
|0|Success|
|1|Failure: invalid PFN|
|2|Failure: invalid or expired device authentication with MSA|
|2|Failure: invalid or expired device authentication with Microsoft account|
|3|Failure: WNS client registration failed due to an invalid or revoked PFN|
|4|Failure: no Channel URI assigned|
|5|Failure: Channel URI has expired|

29
windows/client-management/mdm/enterprisedataprotection-csp.md
View File

@ -27,12 +27,12 @@ The table below shows the applicability of Windows:
The EnterpriseDataProtection configuration service provider (CSP) is used to configure settings for Windows Information Protection (WIP), formerly known as Enterprise Data Protection. For more information about WIP, see [Protect your enterprise data using Windows Information Protection (WIP)](/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip).
> [!Note]
> To make WIP functional, the AppLocker CSP and the network isolation-specific settings must also be configured. For more information, see [AppLocker CSP](applocker-csp.md) and NetworkIsolation policies in [Policy CSP](policy-configuration-service-provider.md).
> [!NOTE]
> To make Windows Information Protection functional, the AppLocker CSP and the network isolation-specific settings must also be configured. For more information, see [AppLocker CSP](applocker-csp.md) and NetworkIsolation policies in [Policy CSP](policy-configuration-service-provider.md).
While WIP has no hard dependency on VPN, for best results you should configure VPN profiles first before you configure the WIP policies. For VPN best practice recommendations, see [VPNv2 CSP](vpnv2-csp.md).
While Windows Information Protection has no hard dependency on VPN, for best results you should configure VPN profiles first before you configure the WIP policies. For VPN best practice recommendations, see [VPNv2 CSP](vpnv2-csp.md).
To learn more about WIP, see the following articles:
To learn more about Windows Information Protection, see the following articles:
- [Create a Windows Information Protection (WIP) policy](/windows/security/information-protection/windows-information-protection/overview-create-wip-policy)
- [General guidance and best practices for Windows Information Protection (WIP)](/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip)
@ -63,8 +63,8 @@ The root node for the Windows Information Protection (WIP) configuration setting
<a href="" id="settings-edpenforcementlevel"></a>**Settings/EDPEnforcementLevel**
Set the WIP enforcement level.
> [!Note]
> Setting this value isn't sufficient to enable WIP on the device. Attempts to change this value will fail when the WIP cleanup is running.
> [!NOTE]
> Setting this value isn't sufficient to enable Windows Information Protection on the device. Attempts to change this value will fail when the WIP cleanup is running.
The following list shows the supported values:
@ -76,14 +76,13 @@ The following list shows the supported values:
Supported operations are Add, Get, Replace, and Delete. Value type is integer.
<a href="" id="settings-enterpriseprotecteddomainnames"></a>**Settings/EnterpriseProtectedDomainNames**
A list of domains used by the enterprise for its user identities separated by pipes (&quot;|&quot;). The first domain in the list must be the primary enterprise ID, that is, the one representing the managing authority for WIP. User identities from one of these domains is considered an enterprise managed account and data associated with it should be protected. For example, the domains for all email accounts owned by the enterprise would be expected to appear in this list. Attempts to change this value will fail when the WIP cleanup is running.
A list of domains used by the enterprise for its user identities separated by pipes (&quot;|&quot;). The first domain in the list must be the primary enterprise ID, that is, the one representing the managing authority for Windows Information Protection. User identities from one of these domains is considered an enterprise managed account and data associated with it should be protected. For example, the domains for all email accounts owned by the enterprise would be expected to appear in this list. Attempts to change this value will fail when the WIP cleanup is running.
Changing the primary enterprise ID isn't supported and may cause unexpected behavior on the client.
> [!Note]
> [!NOTE]
> The client requires domain name to be canonical, otherwise the setting will be rejected by the client.
Here are the steps to create canonical domain names:
1. Transform the ASCII characters (A-Z only) to lowercase. For example, Microsoft.COM -> microsoft.com.
@ -242,7 +241,7 @@ For EFSCertificate KeyTag, it's expected to be a DER ENCODED binary certificate.
Supported operations are Add, Get, Replace, and Delete. Value type is base-64 encoded certificate.
<a href="" id="settings-revokeonunenroll"></a>**Settings/RevokeOnUnenroll**
This policy controls whether to revoke the WIP keys when a device unenrolls from the management service. If set to 0 (Don't revoke keys), the keys won't be revoked and the user will continue to have access to protected files after unenrollment. If the keys aren't revoked, there will be no revoked file cleanup, later. Prior to sending the unenroll command, when you want a device to do a selective wipe when it's unenrolled, then you should explicitly set this policy to 1.
This policy controls whether to revoke the Windows Information Protection keys when a device unenrolls from the management service. If set to 0 (Don't revoke keys), the keys won't be revoked and the user will continue to have access to protected files after unenrollment. If the keys aren't revoked, there will be no revoked file cleanup, later. Prior to sending the unenroll command, when you want a device to do a selective wipe when it's unenrolled, then you should explicitly set this policy to 1.
The following list shows the supported values:
@ -252,7 +251,7 @@ The following list shows the supported values:
Supported operations are Add, Get, Replace, and Delete. Value type is integer.
<a href="" id="settings-revokeonmdmhandoff"></a>**Settings/RevokeOnMDMHandoff**
Added in Windows 10, version 1703. This policy controls whether to revoke the WIP keys when a device upgrades from mobile application management (MAM) to MDM. If set to 0 (Don't revoke keys), the keys won't be revoked and the user will continue to have access to protected files after upgrade. This setting is recommended if the MDM service is configured with the same WIP EnterpriseID as the MAM service.
Added in Windows 10, version 1703. This policy controls whether to revoke the Windows Information Protection keys when a device upgrades from mobile application management (MAM) to MDM. If set to 0 (Don't revoke keys), the keys won't be revoked and the user will continue to have access to protected files after upgrade. This setting is recommended if the MDM service is configured with the same WIP EnterpriseID as the MAM service.
- 0 - Don't revoke keys.
- 1 (default) - Revoke keys.
@ -265,7 +264,7 @@ TemplateID GUID to use for Rights Management Service (RMS) encryption. The RMS t
Supported operations are Add, Get, Replace, and Delete. Value type is string (GUID).
<a href="" id="settings-allowazurermsforedp"></a>**Settings/AllowAzureRMSForEDP**
Specifies whether to allow Azure RMS encryption for WIP.
Specifies whether to allow Azure RMS encryption for Windows Information Protection.
- 0 (default) Don't use RMS.
- 1 Use RMS.
@ -278,7 +277,7 @@ When this policy isn't specified, the existing auto-encryption behavior is appli
Supported operations are Add, Get, Replace and Delete. Value type is string.
<a href="" id="settings-edpshowicons"></a>**Settings/EDPShowIcons**
Determines whether overlays are added to icons for WIP protected files in Explorer and enterprise only app tiles on the **Start** menu. Starting in Windows 10, version 1703 this setting also configures the visibility of the WIP icon in the title bar of a WIP-protected app.
Determines whether overlays are added to icons for WIP protected files in Explorer and enterprise only app tiles on the **Start** menu. Starting in Windows 10, version 1703 this setting also configures the visibility of the Windows Information Protection icon in the title bar of a WIP-protected app.
The following list shows the supported values:
- 0 (default) - No WIP overlays on icons or tiles.
@ -287,7 +286,7 @@ The following list shows the supported values:
Supported operations are Add, Get, Replace, and Delete. Value type is integer.
<a href="" id="status"></a>**Status**
A read-only bit mask that indicates the current state of WIP on the Device. The MDM service can use this value to determine the current overall state of WIP. WIP is only on (bit 0 = 1) if WIP mandatory policies and WIP AppLocker settings are configured.
A read-only bit mask that indicates the current state of Windows Information Protection on the Device. The MDM service can use this value to determine the current overall state of WIP. WIP is only on (bit 0 = 1) if WIP mandatory policies and WIP AppLocker settings are configured.
Suggested values:
@ -299,7 +298,7 @@ Bit 0 indicates whether WIP is on or off.
Bit 1 indicates whether AppLocker WIP policies are set.
Bit 3 indicates whether the mandatory WIP policies are configured. If one or more of the mandatory WIP policies aren't configured, the bit 3 is set to 0 (zero).
Bit 3 indicates whether the mandatory Windows Information Protection policies are configured. If one or more of the mandatory WIP policies aren't configured, the bit 3 is set to 0 (zero).
Here's the list of mandatory WIP policies:

7
windows/client-management/mdm/firewall-csp.md
View File

@ -5,8 +5,7 @@ ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.date: 11/29/2021
author: dansimp
ms.reviewer:
manager: dansimp
---
@ -245,7 +244,7 @@ Default value is true.
Value type is bool. Supported operations are Add, Get and Replace.
<a href="" id="defaultoutboundaction"></a>**/DefaultOutboundAction**
This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. DefaultOutboundAction will block all outbound traffic unless it's explicitly specified not to block.
This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. DefaultOutboundAction will allow all outbound traffic unless it's explicitly specified not to allow.
- 0x00000000 - allow
- 0x00000001 - block
@ -441,4 +440,4 @@ Value type is string. Supported operations are Add, Get, Replace, and Delete.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
[Configuration service provider reference](configuration-service-provider-reference.md)

12
windows/client-management/mdm/implement-server-side-mobile-application-management.md
View File

@ -80,17 +80,17 @@ Since the [Poll](dmclient-csp.md#provider-providerid-poll) node isnt provided
MAM on Windows supports the following configuration service providers (CSPs). All other CSPs will be blocked. Note the list may change later based on customer feedback:
- [AppLocker CSP](applocker-csp.md) for configuration of WIP enterprise allowed apps.
- [AppLocker CSP](applocker-csp.md) for configuration of Windows Information Protection enterprise allowed apps.
- [ClientCertificateInstall CSP](clientcertificateinstall-csp.md) for installing VPN and Wi-Fi certs.
- [DeviceStatus CSP](devicestatus-csp.md) required for Conditional Access support (starting with Windows 10, version 1703).
- [DevInfo CSP](devinfo-csp.md).
- [DMAcc CSP](dmacc-csp.md).
- [DMClient CSP](dmclient-csp.md) for polling schedules configuration and MDM discovery URL.
- [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md) has WIP policies.
- [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md) has Windows Information Protection policies.
- [Health Attestation CSP](healthattestation-csp.md) required for Conditional Access support (starting with Windows 10, version 1703).
- [PassportForWork CSP](passportforwork-csp.md) for Windows Hello for Business PIN management.
- [Policy CSP](policy-configuration-service-provider.md) specifically for NetworkIsolation and DeviceLock areas.
- [Reporting CSP](reporting-csp.md) for retrieving WIP logs.
- [Reporting CSP](reporting-csp.md) for retrieving Windows Information Protection logs.
- [RootCaTrustedCertificates CSP](rootcacertificates-csp.md).
- [VPNv2 CSP](vpnv2-csp.md) should be omitted for deployments where IT is planning to allow access and protect cloud-only resources with MAM.
- [WiFi CSP](wifi-csp.md) should be omitted for deployments where IT is planning to allow access and protect cloud-only resources with MAM.
@ -116,13 +116,13 @@ MAM policy syncs are modeled after MDM. The MAM client uses an Azure AD token to
Windows doesn't support applying both MAM and MDM policies to the same devices. If configured by the admin, users can change their MAM enrollment to MDM.
> [!NOTE]
> When users upgrade from MAM to MDM on Windows Home edition, they lose access to WIP. On Windows Home edition, we don't recommend pushing MDM policies to enable users to upgrade.
> When users upgrade from MAM to MDM on Windows Home edition, they lose access to Windows Information Protection. On Windows Home edition, we don't recommend pushing MDM policies to enable users to upgrade.
To configure MAM device for MDM enrollment, the admin needs to configure the MDM Discovery URL in the DMClient CSP. This URL will be used for MDM enrollment.
In the process of changing MAM enrollment to MDM, MAM policies will be removed from the device after MDM policies have been successfully applied. Normally when WIP policies are removed from the device, the users access to WIP-protected documents is revoked (selective wipe) unless EDP CSP RevokeOnUnenroll is set to false. To prevent selective wipe on enrollment change from MAM to MDM, the admin needs to ensure that:
In the process of changing MAM enrollment to MDM, MAM policies will be removed from the device after MDM policies have been successfully applied. Normally when Windows Information Protection policies are removed from the device, the users access to WIP-protected documents is revoked (selective wipe) unless EDP CSP RevokeOnUnenroll is set to false. To prevent selective wipe on enrollment change from MAM to MDM, the admin needs to ensure that:
- Both MAM and MDM policies for the organization support WIP.
- Both MAM and MDM policies for the organization support Windows Information Protection.
- EDP CSP Enterprise ID is the same for both MAM and MDM.
- EDP CSP RevokeOnMDMHandoff is set to false.

64
windows/client-management/mdm/index.md
View File

@ -1,28 +1,28 @@
---
title: Mobile device management
description: Windows 10 and Windows 11 provides an enterprise-level solution to mobile management, to help IT pros comply with security policies while avoiding compromise of user's privacy
description: Windows 10 and Windows 11 provide an enterprise-level solution to mobile management, to help IT pros comply with security policies while avoiding compromise of user's privacy.
MS-HAID:
- 'p\_phDeviceMgmt.provisioning\_and\_device\_management'
- 'p\_phDeviceMgmt.mobile\_device\_management\_windows\_mdm'
ms.assetid: 50ac90a7-713e-4487-9cb9-b6d6fdaa4e5b
ms.author: dansimp
ms.topic: article
ms.topic: overview
ms.prod: w10
ms.technology: windows
author: dansimp
author: aczechowski
ms.author: aaroncz
ms.collection: highpri
ms.date: 06/03/2022
---
# Mobile device management
Windows 10 and Windows 11 provides an enterprise management solution to help IT pros manage company security policies and business applications, while avoiding compromise of the users' privacy on their personal devices. A built-in management component can communicate with the management server.
Windows 10 and Windows 11 provide an enterprise management solution to help IT pros manage company security policies and business applications, while avoiding compromise of the users' privacy on their personal devices. A built-in management component can communicate with the management server.
There are two parts to the Windows management component:
There are two parts to the Windows management component:
- The enrollment client, which enrolls and configures the device to communicate with the enterprise management server.
- The management client, which periodically synchronizes with the management server to check for updates and apply the latest policies set by IT.
- The enrollment client, which enrolls and configures the device to communicate with the enterprise management server.
- The management client, which periodically synchronizes with the management server to check for updates and apply the latest policies set by IT.
Third-party MDM servers can manage Windows 10 by using the MDM protocol. The built-in management client is able to communicate with a third-party server proxy that supports the protocols outlined in this document to perform enterprise management tasks. The third-party server will have the same consistent first-party user experience for enrollment, which also provides simplicity for Windows 10 users. MDM servers don't need to create or download a client to manage Windows 10. For details about the MDM protocols, see [\[MS-MDM\]: Mobile Device Management Protocol](/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692).
Third-party MDM servers can manage Windows 10 by using the MDM protocol. The built-in management client is able to communicate with a third-party server proxy that supports the protocols outlined in this document to perform enterprise management tasks. The third-party server will have the same consistent first-party user experience for enrollment, which also provides simplicity for Windows 10 users. MDM servers don't need to create or download a client to manage Windows 10. For details about the MDM protocols, see [\[MS-MDM\]: Mobile Device Management Protocol](/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692).
## MDM security baseline
@ -37,7 +37,7 @@ The MDM security baseline includes policies that cover the following areas:
- Legacy technology policies that offer alternative solutions with modern technology
- And much more
For more details about the MDM policies defined in the MDM security baseline and what Microsoft's recommended baseline policy values are, see:
For more information about the MDM policies defined in the MDM security baseline and what Microsoft's recommended baseline policy values are, see:
- [MDM Security baseline for Windows 11](https://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/Windows11-MDM-SecurityBaseLine-Document.zip)
- [MDM Security baseline for Windows 10, version 2004](https://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/2004-MDM-SecurityBaseLine-Document.zip)
@ -48,37 +48,27 @@ For more details about the MDM policies defined in the MDM security baseline and
For information about the MDM policies defined in the Intune security baseline, see [Windows security baseline settings for Intune](/mem/intune/protect/security-baseline-settings-mdm-all).
<span id="mmat" />
## Learn about migrating to MDM
When an organization wants to move to MDM to manage devices, they should prepare by analyzing their current Group Policy settings to see what they need to transition to MDM management. Microsoft created the [MDM Migration Analysis Tool](https://aka.ms/mmat/) (MMAT) to help. MMAT determines which Group Policies have been set for a target user or computer and then generates a report that lists the level of support for each policy setting in MDM equivalents. For more information, see [MMAT Instructions](https://github.com/WindowsDeviceManagement/MMAT/blob/master/MDM%20Migration%20Analysis%20Tool%20Instructions.pdf).
## Learn about device enrollment
- [Mobile device enrollment](mobile-device-enrollment.md)
- [Federated authentication device enrollment](federated-authentication-device-enrollment.md)
- [Certificate authentication device enrollment](certificate-authentication-device-enrollment.md)
- [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md)
- [Mobile device enrollment](mobile-device-enrollment.md)
- [Federated authentication device enrollment](federated-authentication-device-enrollment.md)
- [Certificate authentication device enrollment](certificate-authentication-device-enrollment.md)
- [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md)
## Learn about device management
- [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md)
- [Enterprise app management](enterprise-app-management.md)
- [Mobile device management (MDM) for device updates](device-update-management.md)
- [Enable offline upgrades to Windows 10 for Windows Embedded 8.1 Handheld devices](enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md)
- [OMA DM protocol support](oma-dm-protocol-support.md)
- [Structure of OMA DM provisioning files](structure-of-oma-dm-provisioning-files.md)
- [Server requirements for OMA DM](server-requirements-windows-mdm.md)
- [Enterprise settings, policies, and app management](windows-mdm-enterprise-settings.md)
- [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md)
- [Enterprise app management](enterprise-app-management.md)
- [Mobile device management (MDM) for device updates](device-update-management.md)
- [Enable offline upgrades to Windows 10 for Windows Embedded 8.1 Handheld devices](enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md)
- [OMA DM protocol support](oma-dm-protocol-support.md)
- [Structure of OMA DM provisioning files](structure-of-oma-dm-provisioning-files.md)
- [Server requirements for OMA DM](server-requirements-windows-mdm.md)
- [Enterprise settings, policies, and app management](windows-mdm-enterprise-settings.md)
## Learn about configuration service providers
- [Configuration service provider reference](configuration-service-provider-reference.md)
- [WMI providers supported in Windows 10](wmi-providers-supported-in-windows.md)
- [Using PowerShell scripting with the WMI Bridge Provider](using-powershell-scripting-with-the-wmi-bridge-provider.md)
- [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal)
- [Configuration service provider reference](configuration-service-provider-reference.md)
- [WMI providers supported in Windows 10](wmi-providers-supported-in-windows.md)
- [Using PowerShell scripting with the WMI Bridge Provider](using-powershell-scripting-with-the-wmi-bridge-provider.md)
- [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal)

31
windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md
View File

@ -9,7 +9,7 @@ ms.prod: w10
ms.technology: windows
author: dansimp
ms.localizationpriority: medium
ms.date: 03/01/2022
ms.date: 06/06/2022
---
# Policies in Policy CSP supported by HoloLens 2
@ -50,11 +50,15 @@ ms.date: 03/01/2022
- [DeviceLock/MinDevicePasswordLength](policy-csp-devicelock.md#devicelock-mindevicepasswordlength)
- [Experience/AllowCortana](policy-csp-experience.md#experience-allowcortana)
- [Experience/AllowManualMDMUnenrollment](policy-csp-experience.md#experience-allowmanualmdmunenrollment)
- [MixedReality/AADGroupMembershipCacheValidityInDays](policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays)
- [MixedReality/AADGroupMembershipCacheValidityInDays](./policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays) <sup>9</sup>
- [MixedReality/AutoLogonUser](./policy-csp-mixedreality.md#mixedreality-autologonuser) <sup>10</sup>
- [MixedReality/AutoLogonUser](./policy-csp-mixedreality.md#mixedreality-autologonuser) <sup>11</sup>
- [MixedReality/BrightnessButtonDisabled](./policy-csp-mixedreality.md#mixedreality-brightnessbuttondisabled) <sup>9</sup>
- [MixedReality/ConfigureMovingPlatform](policy-csp-mixedreality.md#mixedreality-configuremovingplatform) <sup>*[Feb. 2022 Servicing release](/hololens/hololens-release-notes#windows-holographic-version-21h2---february-2022-update)</sup>
- [MixedReality/FallbackDiagnostics](./policy-csp-mixedreality.md#mixedreality-fallbackdiagnostics) <sup>9</sup>
- [MixedReality/HeadTrackingMode](policy-csp-mixedreality.md#mixedreality-headtrackingmode) <sup>9</sup>
- [MixedReality/MicrophoneDisabled](./policy-csp-mixedreality.md#mixedreality-microphonedisabled) <sup>9</sup>
- [MixedReality/VisitorAutoLogon](policy-csp-mixedreality.md#mixedreality-visitorautologon) <sup>10</sup>
- [MixedReality/VolumeButtonDisabled](./policy-csp-mixedreality.md#mixedreality-volumebuttondisabled) <sup>9</sup>
- [Power/DisplayOffTimeoutOnBattery](./policy-csp-power.md#power-displayofftimeoutonbattery) <sup>9</sup>
- [Power/DisplayOffTimeoutPluggedIn](./policy-csp-power.md#power-displayofftimeoutpluggedin) <sup>9</sup>
@ -102,13 +106,13 @@ ms.date: 03/01/2022
- [Update/ActiveHoursStart](./policy-csp-update.md#update-activehoursstart) <sup>9</sup>
- [Update/AllowAutoUpdate](policy-csp-update.md#update-allowautoupdate)
- [Update/AllowUpdateService](policy-csp-update.md#update-allowupdateservice)
- [Update/AutoRestartNotificationSchedule](policy-csp-update.md#update-autorestartnotificationschedule) <sup>10</sup>
- [Update/AutoRestartRequiredNotificationDismissal](policy-csp-update.md#update-autorestartrequirednotificationdismissal) <sup>10</sup>
- [Update/AutoRestartNotificationSchedule](policy-csp-update.md#update-autorestartnotificationschedule) <sup>11</sup>
- [Update/AutoRestartRequiredNotificationDismissal](policy-csp-update.md#update-autorestartrequirednotificationdismissal) <sup>11</sup>
- [Update/BranchReadinessLevel](policy-csp-update.md#update-branchreadinesslevel)
- [Update/ConfigureDeadlineForFeatureUpdates](policy-csp-update.md#update-configuredeadlineforfeatureupdates) <sup>10</sup>
- [Update/ConfigureDeadlineForQualityUpdates](policy-csp-update.md#update-configuredeadlineforqualityupdates) <sup>10</sup>
- [Update/ConfigureDeadlineGracePeriod](policy-csp-update.md#update-configuredeadlinegraceperiod) <sup>10</sup>
- [Update/ConfigureDeadlineNoAutoReboot](policy-csp-update.md#update-configuredeadlinenoautoreboot) <sup>10</sup>
- [Update/ConfigureDeadlineForFeatureUpdates](policy-csp-update.md#update-configuredeadlineforfeatureupdates) <sup>11</sup>
- [Update/ConfigureDeadlineForQualityUpdates](policy-csp-update.md#update-configuredeadlineforqualityupdates) <sup>11</sup>
- [Update/ConfigureDeadlineGracePeriod](policy-csp-update.md#update-configuredeadlinegraceperiod) <sup>11</sup>
- [Update/ConfigureDeadlineNoAutoReboot](policy-csp-update.md#update-configuredeadlinenoautoreboot) <sup>11</sup>
- [Update/DeferFeatureUpdatesPeriodInDays](policy-csp-update.md#update-deferfeatureupdatesperiodindays)
- [Update/DeferQualityUpdatesPeriodInDays](policy-csp-update.md#update-deferqualityupdatesperiodindays)
- [Update/ManagePreviewBuilds](policy-csp-update.md#update-managepreviewbuilds)
@ -116,10 +120,10 @@ ms.date: 03/01/2022
- [Update/PauseQualityUpdates](policy-csp-update.md#update-pausequalityupdates)
- [Update/ScheduledInstallDay](policy-csp-update.md#update-scheduledinstallday)
- [Update/ScheduledInstallTime](policy-csp-update.md#update-scheduledinstalltime)
- [Update/ScheduleImminentRestartWarning](policy-csp-update.md#update-scheduleimminentrestartwarning) <sup>10</sup>
- [Update/ScheduleRestartWarning](policy-csp-update.md#update-schedulerestartwarning) <sup>10</sup>
- [Update/ScheduleImminentRestartWarning](policy-csp-update.md#update-scheduleimminentrestartwarning) <sup>11</sup>
- [Update/ScheduleRestartWarning](policy-csp-update.md#update-schedulerestartwarning) <sup>11</sup>
- [Update/SetDisablePauseUXAccess](policy-csp-update.md#update-setdisablepauseuxaccess)
- [Update/UpdateNotificationLevel](policy-csp-update.md#update-updatenotificationlevel) <sup>10</sup>
- [Update/UpdateNotificationLevel](policy-csp-update.md#update-updatenotificationlevel) <sup>11</sup>
- [Wifi/AllowManualWiFiConfiguration](policy-csp-wifi.md#wifi-allowmanualwificonfiguration)
- [Wifi/AllowWiFi](policy-csp-wifi.md#wifi-allowwifi) <sup>8</sup>
@ -133,8 +137,9 @@ Footnotes:
- 6 - Available in Windows 10, version 1903.
- 7 - Available in Windows 10, version 1909.
- 8 - Available in Windows 10, version 2004.
- 9 - Available in [Windows Holographic, version 20H2](/hololens/hololens-release-notes#windows-holographic-version-20h2)
- 10 - Available in [Windows Holographic, version 21H2](/hololens/hololens-release-notes#windows-holographic-version-21h2)
- 9 - Available in [Windows Holographic, version 20H2](/hololens/hololens-release-notes-2004#windows-holographic-version-20h2)
- 10 - Available in [Windows Holographic, version 21H1](/hololens/hololens-release-notes#windows-holographic-version-21h1)
- 11 - Available in [Windows Holographic, version 21H2](/hololens/hololens-release-notes#windows-holographic-version-21h2)
## Related topics

10
windows/client-management/mdm/policy-csp-accounts.md
View File

@ -68,12 +68,12 @@ manager: dansimp
<!--/Scope-->
<!--Description-->
Specifies whether user is allowed to add non-MSA email accounts.
Specifies whether user is allowed to add email accounts other than Microsoft account.
Most restricted value is 0.
> [!NOTE]
> This policy will only block UI/UX-based methods for adding non-Microsoft accounts.
> This policy will only block UI/UX-based methods for adding non-Microsoft accounts.
<!--/Description-->
<!--SupportedValues-->
@ -114,7 +114,7 @@ The following list shows the supported values:
<!--/Scope-->
<!--Description-->
Specifies whether the user is allowed to use an MSA account for non-email related connection authentication and services.
Specifies whether the user is allowed to use a Microsoft account for non-email related connection authentication and services.
Most restricted value is 0.
@ -160,10 +160,10 @@ The following list shows the supported values:
Added in Windows 10, version 1703. Allows IT Admins the ability to disable the "Microsoft Account Sign-In Assistant" (wlidsvc) NT service.
> [!NOTE]
> If the MSA service is disabled, Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher. See [Feature updates are not being offered while other updates are](/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are).
> If the Microsoft account service is disabled, Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher. See [Feature updates are not being offered while other updates are](/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are).
> [!NOTE]
> If the MSA service is disabled, the Subscription Activation feature will not work properly and your users will not be able to “step-up” from Windows 10 Pro to Windows 10 Enterprise, because the MSA ticket for license authentication cannot be generated. The machine will remain on Windows 10 Pro and no error will be displayed in the Activation Settings app.
> If the Microsoft account service is disabled, the Subscription Activation feature will not work properly and your users will not be able to “step-up” from Windows 10 Pro to Windows 10 Enterprise, because the Microsoft account ticket for license authentication cannot be generated. The machine will remain on Windows 10 Pro and no error will be displayed in the Activation Settings app.
<!--/Description-->
<!--SupportedValues-->

2
windows/client-management/mdm/policy-csp-mixedreality.md
View File

@ -106,7 +106,7 @@ On a device where this policy is configured, the user specified in the policy wi
> [!NOTE]
>
> - Some events such as major OS updates may require the specified user to logon to the device again to resume auto-logon behavior.
> - Auto-logon is only supported for MSA and AAD users.
> - Auto-logon is only supported for Microsoft account and AAD users.
<!--/SupportedSKUs-->
<hr/>

2
windows/client-management/mdm/reporting-csp.md
View File

@ -88,7 +88,7 @@ Specifies the ending time for retrieving logs.
- Supported operations are Get and Replace.
<a href="" id="type"></a>**Type**
Added in Windows 10, version 1703. Specifies the type of logs to retrieve. You can use this policy to retrieve the WIP learning logs.
Added in Windows 10, version 1703. Specifies the type of logs to retrieve. You can use this policy to retrieve the Windows Information Protection learning logs.
- Value type is integer.
- Supported operations are Get and Replace.

5
windows/client-management/mdm/toc.yml
View File

@ -904,6 +904,11 @@ items:
items:
- name: UnifiedWriteFilter DDF file
href: unifiedwritefilter-ddf.md
- name: UniversalPrint CSP
href: universalprint-csp.md
items:
- name: UniversalPrint DDF file
href: universalprint-ddf-file.md
- name: Update CSP
href: update-csp.md
items:

110
windows/client-management/mdm/universalprint-csp.md Normal file
View File

@ -0,0 +1,110 @@
---
title: UniversalPrint CSP
description: Learn how the UniversalPrint configuration service provider (CSP) is used to install printers on Windows client devices.
ms.author: mandia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: MandiOhlinger
ms.date: 06/02/2022
ms.reviewer: jimwu
manager: dougeby
---
# UniversalPrint CSP
The table below shows the applicability of Windows:
|Edition|Windows 11|
|--- |--- |
|Home|No|
|Pro|Yes|
|Windows SE|Yes|
|Business|Yes|
|Enterprise|Yes|
|Education|Yes|
The UniversalPrint configuration service provider (CSP) is used to add Universal Print-compatible printers to Windows client endpoints. Universal Print is a cloud-based printing solution that runs entirely in Microsoft Azure. It doesn't require any on-premises infrastructure. For more specific information, go to [What is Universal Print](/universal-print/fundamentals/universal-print-whatis).
This CSP was added in Windows 11.
The following example shows the UniversalPrint configuration service provider in tree format.
```console
./Vendor/MSFT
PrinterProvisioning
----UPPrinterInstalls
--------<GUID> (PrinterSharedID)
--------CloudDeviceID
--------PrinterSharedName
--------Install
--------Status
--------ErrorCode
```
<a href="" id="PrinterProvisioning"></a>**./Vendor/MSFT/PrinterProvisioning**
The root node for the Universal Print PrinterProvisioning configuration service provider.
<a href="" id="upprinterinstalls"></a>**UPPrinterInstalls**
This setting will install or uninstall a specific printer to a targeted user account.
Valid values:
- Install (default) - The printer is installed.
- Uninstall - The printer is uninstalled.
The data type is node (XML node). Supported operation is Get.
<a href="" id="guidprintersharedid)"></a>**`<GUID>` (PrinterSharedID)**
The Share ID is used to identify the Universal Print printer you want to install on the targeted user account. You can get the printer's Share ID in the printer's properties in the [Universal Print portal](/universal-print/portal/navigate-up).
The data type is node (XML node). Supported operations are Get, Add, and Delete.
> [!NOTE]
> The targeted user account must have access rights to the printer and to the Universal Print service.
<a href="" id="clouddeviceid"></a>**CloudDeviceID**
The Printer ID is used to identify the Universal Print printer you want to install on the targeted user account. You can get the printer's Printer ID in the printer's properties in the [Universal Print portal](/universal-print/portal/navigate-up).
The data type is string/text (GUID). Supported operations are Get, Add, Delete, and Replace.
> [!NOTE]
> The targeted user account must have access rights to the printer and to the Universal Print service.
<a href="" id="printersharedname"></a>**PrinterSharedName**
The Share Name is used to identify the Universal Print printer you want to install on the targeted user account. You can get the printer's Share Name in the printer's properties in the [Universal Print portal](/universal-print/portal/navigate-up).
The data type is string/text. Supported operations are Get, Add, Delete, and Replace.
> [!NOTE]
> The targeted user account must have access rights to the printer and to the Universal Print service.
<a href="" id="install"></a>**Install**
Installs the Universal Print printer. Supports async execute.
The data type is string/text (empty string). Supported operations are Get and Execute.
<a href="" id="status"></a>**Status**
The result status of the printer installation.
Valid values:
- 1 (default) - Installation completed successfully.
- 2 - Installation is in progress after receiving execute cmd.
- 4 - Installation failed.
- 8 - Installation initial status
- 32 - Unknown (not used)
The data type is int. Supported operations is Get.
<a href="" id="errorcode"></a>**ErrorCode**
HRESULT of the last installation returned code.
The data type is int. Supported operation is Get.

214
windows/client-management/mdm/universalprint-ddf-file.md Normal file
View File

@ -0,0 +1,214 @@
---
title: UniversalPrint DDF file
description: UniversalPrint DDF file
ms.author: mandia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: MandiOhlinger
ms.date: 06/02/2022
ms.reviewer: jimwu
manager: dougeby
---
# UniversalPrint DDF file
This article shows the OMA DM device description framework (DDF) for the **UniversalPrint** configuration service provider.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
The XML below is the current version for this CSP.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>PrinterProvisioning</NodeName>
<Path>./User/Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Printer Provisioning</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>com.microsoft/1.0/MDM/PrinterProvisioning</MIME>
</DFType>
</DFProperties>
<Node>
<NodeName>UPPrinterInstalls</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>This setting will take the action on the specified user account to install or uninstall the specified printer. Install action is selected by default.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
</AccessType>
<Description>Identifies the Universal Print printer, by its Share ID, you wish to install on the targeted user account. The printer's Share ID can be found in the printer's properties via the Universal Print portal. Note: the targeted user account must have access rights to both the printer and to the Universal Print service.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<OneOrMore />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>PrinterSharedID</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
<DynamicNodeNaming>
<UniqueName>PrinterSharedID from the Universal Print system, which is used to discover and install Univeral Print printer</UniqueName>
</DynamicNodeNaming>
<TrackedResource />
<AsynchronousTracking ResourceInProgressValues="2,8" ResourceFailureValues="4,32" ResourceSuccessURI="UPPrinterInstalls/@#ResourcePlaceholder@/status" ResourceSuccessValues="1" />
</DFProperties>
<Node>
<NodeName>CloudDeviceID</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<Description>Identifies the Universal Print printer, by its Printer ID, you wish to install on the targeted user account. The printer's Printer ID can be found in the printer's properties via the Universal Print portal. Note: the targeted user account must have access rights to both the printer and to the Universal Print service.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Install</NodeName>
<DFProperties>
<AccessType>
<Get />
<Exec />
</AccessType>
<Description>Support async execute. Install Universal Print printer.</Description>
<DFFormat>
<null />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Status</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>1 finished installation successfully, 2 installation in progress after receiving execute cmd, 4 installation failed, 8 installation initial status, 32 unknown (not used).</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>ErrorCode</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>HRESULT of the last installation returned code.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>PrinterSharedName</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<Description>Identifies the Universal Print printer, by its Share Name, you wish to install on the targeted user account. The printer's Share Name can be found in the printer's properties via the Universal Print portal. Note: the targeted user account must have access rights to both the printer and to the Universal Print service.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</Node>
</MgmtTree>
```

6
windows/client-management/mdm/vpnv2-csp.md
View File

@ -30,7 +30,7 @@ The VPNv2 configuration service provider allows the mobile device management (MD
Here are the requirements for this CSP:
- VPN configuration commands must be wrapped in an Atomic block in SyncML.
- For best results, configure your VPN certificates first before pushing down VPN profiles to devices. If you're using Windows Information Protection (WIP) (formerly known as Enterprise Data Protection), then you should configure VPN first before you configure WIP policies.
- For best results, configure your VPN certificates first before pushing down VPN profiles to devices. If you're using Windows Information Protection (WIP) (formerly known as Enterprise Data Protection), then you should configure VPN first before you configure Windows Information Protection policies.
- Instead of changing individual properties, follow these steps to make any changes:
- Send a Delete command for the ProfileName to delete the entire profile.
@ -541,9 +541,9 @@ If no inbound filter is provided, then by default all unsolicited inbound traffi
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
<a href="" id="vpnv2-profilename-edpmodeid"></a>**VPNv2/**<em>ProfileName</em>**/EdpModeId**
Enterprise ID, which is required for connecting this VPN profile with a WIP policy. When this ID is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device.
Enterprise ID, which is required for connecting this VPN profile with a Windows Information Protection policy. When this ID is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device.
Additionally when a connection is being established with Windows Information Protection (WIP)(formerly known as Enterprise Data Protection), the admin doesn't have to specify AppTriggerList and TrafficFilterList rules separately in this profile (unless more advanced config is needed) because the WIP policies and App lists automatically takes effect.
Additionally when a connection is being established with Windows Information Protection (WIP)(formerly known as Enterprise Data Protection), the admin doesn't have to specify AppTriggerList and TrafficFilterList rules separately in this profile (unless more advanced config is needed) because the Windows Information Protection policies and App lists automatically takes effect.
Value type is chr. Supported operations include Get, Add, Replace, and Delete.

2
windows/client-management/mdm/win32compatibilityappraiser-csp.md
View File

@ -161,7 +161,7 @@ Value type is bool.
Supported operation is Get.
<a href="" id="universaltelemetryclient-utcconfigurationdiagnosis-msaserviceenabled"></a>**UniversalTelemetryClient/UtcConfigurationDiagnosis/MsaServiceEnabled**
A boolean value representing whether the MSA service is enabled. This service must be enabled for UTC data to be indexed with Global Device IDs.
A boolean value representing whether the Microsoft account service is enabled. This service must be enabled for UTC data to be indexed with Global Device IDs.
Value type is bool.