deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

April CSP changes

Browse Source
This commit is contained in:
Vinay Pamnani 2023-05-01 14:40:00 -04:00
parent 8881009b80
commit cd60fff77a
26 changed files with 1428 additions and 1004 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

63
windows/client-management/mdm/bitlocker-csp.md
View File

@ -4,7 +4,7 @@ description: Learn more about the BitLocker CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 03/23/2023 ms.date: 05/01/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -21,6 +21,9 @@ ms.topic: reference
> >
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
> [!IMPORTANT]
> This CSP contains preview policies that are under development and only applicable for [Windows Insider Preview builds](/windows-insider/). These policies are subject to change and may have dependencies on other features or services in preview.
<!-- BitLocker-Editable-Begin --> <!-- BitLocker-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
The BitLocker configuration service provider (CSP) is used by the enterprise to manage encryption of PCs and devices. This CSP was added in Windows 10, version 1703. Starting in Windows 10, version 1809, it's also supported in Windows 10 Pro. The BitLocker configuration service provider (CSP) is used by the enterprise to manage encryption of PCs and devices. This CSP was added in Windows 10, version 1703. Starting in Windows 10, version 1809, it's also supported in Windows 10 Pro.
@ -40,6 +43,7 @@ The following list shows the BitLocker configuration service provider nodes:
- ./Device/Vendor/MSFT/BitLocker - ./Device/Vendor/MSFT/BitLocker
- [AllowStandardUserEncryption](#allowstandarduserencryption) - [AllowStandardUserEncryption](#allowstandarduserencryption)
- [AllowSuspensionOfBitLockerProtection](#allowsuspensionofbitlockerprotection)
- [AllowWarningForOtherDiskEncryption](#allowwarningforotherdiskencryption) - [AllowWarningForOtherDiskEncryption](#allowwarningforotherdiskencryption)
- [ConfigureRecoveryPasswordRotation](#configurerecoverypasswordrotation) - [ConfigureRecoveryPasswordRotation](#configurerecoverypasswordrotation)
- [EncryptionMethodByDriveType](#encryptionmethodbydrivetype) - [EncryptionMethodByDriveType](#encryptionmethodbydrivetype)
@ -149,6 +153,63 @@ To disable this policy, use the following SyncML:
<!-- Device-AllowStandardUserEncryption-End --> <!-- Device-AllowStandardUserEncryption-End -->
<!-- Device-AllowSuspensionOfBitLockerProtection-Begin -->
## AllowSuspensionOfBitLockerProtection
<!-- Device-AllowSuspensionOfBitLockerProtection-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview |
<!-- Device-AllowSuspensionOfBitLockerProtection-Applicability-End -->
<!-- Device-AllowSuspensionOfBitLockerProtection-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/BitLocker/AllowSuspensionOfBitLockerProtection
```
<!-- Device-AllowSuspensionOfBitLockerProtection-OmaUri-End -->
<!-- Device-AllowSuspensionOfBitLockerProtection-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting allows suspending protection for BitLocker Drive Encryption when enabled and prevents suspending protection when disabled.
> [!WARNING]
> When policy is disabled, some scenarios will be blocked and prevent those scenarios from behaving normally.
The expected values for this policy are:
0 = Prevent BitLocker Drive Encryption protection from being suspended.
1 = This is the default, when the policy is not set. Allows suspending BitLocker Drive Encryption protection.
<!-- Device-AllowSuspensionOfBitLockerProtection-Description-End -->
<!-- Device-AllowSuspensionOfBitLockerProtection-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-AllowSuspensionOfBitLockerProtection-Editable-End -->
<!-- Device-AllowSuspensionOfBitLockerProtection-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 1 |
<!-- Device-AllowSuspensionOfBitLockerProtection-DFProperties-End -->
<!-- Device-AllowSuspensionOfBitLockerProtection-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Prevent BitLocker Drive Encryption protection from being suspended. |
| 1 (Default) | This is the default, when the policy is not set. Allows suspending BitLocker Drive Encryption protection. |
<!-- Device-AllowSuspensionOfBitLockerProtection-AllowedValues-End -->
<!-- Device-AllowSuspensionOfBitLockerProtection-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-AllowSuspensionOfBitLockerProtection-Examples-End -->
<!-- Device-AllowSuspensionOfBitLockerProtection-End -->
<!-- Device-AllowWarningForOtherDiskEncryption-Begin --> <!-- Device-AllowWarningForOtherDiskEncryption-Begin -->
## AllowWarningForOtherDiskEncryption ## AllowWarningForOtherDiskEncryption

48
windows/client-management/mdm/bitlocker-ddf-file.md
View File

@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 03/23/2023 ms.date: 05/01/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -772,6 +772,52 @@ Supported Values: String form of request ID. Example format of request ID is GUI
</MSFT:Applicability> </MSFT:Applicability>
</DFProperties> </DFProperties>
</Node> </Node>
<Node>
<NodeName>AllowSuspensionOfBitLockerProtection</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>1</DefaultValue>
<Description>This policy setting allows suspending protection for BitLocker Drive Encryption when enabled and prevents suspending protection when disabled.
Warning: When policy is disabled, some scenarios will be blocked and prevent those scenarios from behaving normally.
The format is integer.
The expected values for this policy are:
0 = Prevent BitLocker Drive Encryption protection from being suspended.
1 = This is the default, when the policy is not set. Allows suspending BitLocker Drive Encryption protection.
</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>
<MSFT:CspVersion>9.9</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Prevent BitLocker Drive Encryption protection from being suspended.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>This is the default, when the policy is not set. Allows suspending BitLocker Drive Encryption protection.</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node> <Node>
<NodeName>Status</NodeName> <NodeName>Status</NodeName>
<DFProperties> <DFProperties>

52
windows/client-management/mdm/defender-csp.md
View File

@ -4,7 +4,7 @@ description: Learn more about the Defender CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 04/26/2023 ms.date: 05/01/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -63,6 +63,7 @@ The following list shows the Defender configuration service provider nodes:
- [HideExclusionsFromLocalUsers](#configurationhideexclusionsfromlocalusers) - [HideExclusionsFromLocalUsers](#configurationhideexclusionsfromlocalusers)
- [IntelTDTEnabled](#configurationinteltdtenabled) - [IntelTDTEnabled](#configurationinteltdtenabled)
- [MeteredConnectionUpdates](#configurationmeteredconnectionupdates) - [MeteredConnectionUpdates](#configurationmeteredconnectionupdates)
- [OobeEnableRtpAndSigUpdate](#configurationoobeenablertpandsigupdate)
- [PassiveRemediation](#configurationpassiveremediation) - [PassiveRemediation](#configurationpassiveremediation)
- [PlatformUpdatesChannel](#configurationplatformupdateschannel) - [PlatformUpdatesChannel](#configurationplatformupdateschannel)
- [RandomizeScheduleTaskTimes](#configurationrandomizescheduletasktimes) - [RandomizeScheduleTaskTimes](#configurationrandomizescheduletasktimes)
@ -1808,6 +1809,55 @@ Allow managed devices to update through metered connections. Default is 0 - not
<!-- Device-Configuration-MeteredConnectionUpdates-End --> <!-- Device-Configuration-MeteredConnectionUpdates-End -->
<!-- Device-Configuration-OobeEnableRtpAndSigUpdate-Begin -->
### Configuration/OobeEnableRtpAndSigUpdate
<!-- Device-Configuration-OobeEnableRtpAndSigUpdate-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
<!-- Device-Configuration-OobeEnableRtpAndSigUpdate-Applicability-End -->
<!-- Device-Configuration-OobeEnableRtpAndSigUpdate-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Defender/Configuration/OobeEnableRtpAndSigUpdate
```
<!-- Device-Configuration-OobeEnableRtpAndSigUpdate-OmaUri-End -->
<!-- Device-Configuration-OobeEnableRtpAndSigUpdate-Description-Begin -->
<!-- Description-Source-DDF -->
This setting allows you to configure whether real-time protection and Security Intelligence Updates are enabled during OOBE (Out of Box experience).
<!-- Device-Configuration-OobeEnableRtpAndSigUpdate-Description-End -->
<!-- Device-Configuration-OobeEnableRtpAndSigUpdate-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Configuration-OobeEnableRtpAndSigUpdate-Editable-End -->
<!-- Device-Configuration-OobeEnableRtpAndSigUpdate-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- Device-Configuration-OobeEnableRtpAndSigUpdate-DFProperties-End -->
<!-- Device-Configuration-OobeEnableRtpAndSigUpdate-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 1 | If you enable this setting, real-time protection and Security Intelligence Updates are enabled during OOBE. |
| 0 (Default) | If you either disable or do not configure this setting, real-time protection and Security Intelligence Updates during OOBE is not enabled. |
<!-- Device-Configuration-OobeEnableRtpAndSigUpdate-AllowedValues-End -->
<!-- Device-Configuration-OobeEnableRtpAndSigUpdate-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Configuration-OobeEnableRtpAndSigUpdate-Examples-End -->
<!-- Device-Configuration-OobeEnableRtpAndSigUpdate-End -->
<!-- Device-Configuration-PassiveRemediation-Begin --> <!-- Device-Configuration-PassiveRemediation-Begin -->
### Configuration/PassiveRemediation ### Configuration/PassiveRemediation

41
windows/client-management/mdm/defender-ddf.md
View File

@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 03/23/2023 ms.date: 05/01/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -1920,6 +1920,45 @@ The following XML file contains the device description framework (DDF) for the D
</MSFT:AllowedValues> </MSFT:AllowedValues>
</DFProperties> </DFProperties>
</Node> </Node>
<Node>
<NodeName>OobeEnableRtpAndSigUpdate</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>This setting allows you to configure whether real-time protection and Security Intelligence Updates are enabled during OOBE (Out of Box experience).</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.3</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>If you enable this setting, real-time protection and Security Intelligence Updates are enabled during OOBE.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>If you either disable or do not configure this setting, real-time protection and Security Intelligence Updates during OOBE is not enabled.</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node> <Node>
<NodeName>ThrottleForScheduledScanOnly</NodeName> <NodeName>ThrottleForScheduledScanOnly</NodeName>
<DFProperties> <DFProperties>

43
windows/client-management/mdm/devicepreparation-csp.md
View File

@ -4,7 +4,7 @@ description: Learn more about the DevicePreparation CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 03/23/2023 ms.date: 05/01/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -31,6 +31,7 @@ The following list shows the DevicePreparation configuration service provider no
- [ClassID](#bootstrapperagentclassid) - [ClassID](#bootstrapperagentclassid)
- [ExecutionContext](#bootstrapperagentexecutioncontext) - [ExecutionContext](#bootstrapperagentexecutioncontext)
- [InstallationStatusUri](#bootstrapperagentinstallationstatusuri) - [InstallationStatusUri](#bootstrapperagentinstallationstatusuri)
- [MdmAgentInstalled](#mdmagentinstalled)
- [MDMProvider](#mdmprovider) - [MDMProvider](#mdmprovider)
- [Progress](#mdmproviderprogress) - [Progress](#mdmproviderprogress)
- [PageEnabled](#pageenabled) - [PageEnabled](#pageenabled)
@ -194,6 +195,46 @@ This node holds a URI that can be queried for the status of the Bootstrapper Age
<!-- Device-BootstrapperAgent-InstallationStatusUri-End --> <!-- Device-BootstrapperAgent-InstallationStatusUri-End -->
<!-- Device-MdmAgentInstalled-Begin -->
## MdmAgentInstalled
<!-- Device-MdmAgentInstalled-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview |
<!-- Device-MdmAgentInstalled-Applicability-End -->
<!-- Device-MdmAgentInstalled-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/DevicePreparation/MdmAgentInstalled
```
<!-- Device-MdmAgentInstalled-OmaUri-End -->
<!-- Device-MdmAgentInstalled-Description-Begin -->
<!-- Description-Source-DDF -->
This node indicates whether the MDM agent was installed or not. When set to true sets the AUTOPILOT_MDM_AGENT_REGISTERED WNF event.
<!-- Device-MdmAgentInstalled-Description-End -->
<!-- Device-MdmAgentInstalled-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-MdmAgentInstalled-Editable-End -->
<!-- Device-MdmAgentInstalled-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | bool |
| Access Type | Get, Replace |
| Default Value | false |
<!-- Device-MdmAgentInstalled-DFProperties-End -->
<!-- Device-MdmAgentInstalled-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-MdmAgentInstalled-Examples-End -->
<!-- Device-MdmAgentInstalled-End -->
<!-- Device-MDMProvider-Begin --> <!-- Device-MDMProvider-Begin -->
## MDMProvider ## MDMProvider

25
windows/client-management/mdm/devicepreparation-ddf-file.md
View File

@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 03/23/2023 ms.date: 05/01/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -286,6 +286,29 @@ The following XML file contains the device description framework (DDF) for the D
</DFProperties> </DFProperties>
</Node> </Node>
</Node> </Node>
<Node>
<NodeName>MdmAgentInstalled</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DefaultValue>false</DefaultValue>
<Description>This node indicates whether the MDM agent was installed or not. When set to true sets the AUTOPILOT_MDM_AGENT_REGISTERED WNF event.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME />
</DFType>
</DFProperties>
</Node>
</Node> </Node>
</MgmtTree> </MgmtTree>
``` ```

179
windows/client-management/mdm/dmclient-csp.md
View File

@ -4,7 +4,7 @@ description: Learn more about the DMClient CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 02/28/2023 ms.date: 05/01/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -16,6 +16,9 @@ ms.topic: reference
<!-- DMClient-Begin --> <!-- DMClient-Begin -->
# DMClient CSP # DMClient CSP
> [!IMPORTANT]
> This CSP contains preview policies that are under development and only applicable for [Windows Insider Preview builds](/windows-insider/). These policies are subject to change and may have dependencies on other features or services in preview.
<!-- DMClient-Editable-Begin --> <!-- DMClient-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
The DMClient configuration service provider (CSP) has more enterprise-specific mobile device management (MDM) configuration settings. These settings identify the device in the enterprise domain, include security mitigation for certificate renewal, and are used for server-triggered enterprise unenrollment. The DMClient configuration service provider (CSP) has more enterprise-specific mobile device management (MDM) configuration settings. These settings identify the device in the enterprise domain, include security mitigation for certificate renewal, and are used for server-triggered enterprise unenrollment.
@ -37,6 +40,10 @@ The following list shows the DMClient configuration service provider nodes:
- [Lock](#deviceproviderprovideridconfiglocklock) - [Lock](#deviceproviderprovideridconfiglocklock)
- [SecureCore](#deviceproviderprovideridconfiglocksecurecore) - [SecureCore](#deviceproviderprovideridconfiglocksecurecore)
- [UnlockDuration](#deviceproviderprovideridconfiglockunlockduration) - [UnlockDuration](#deviceproviderprovideridconfiglockunlockduration)
- [ConfigRefresh](#deviceproviderprovideridconfigrefresh)
- [Cadence](#deviceproviderprovideridconfigrefreshcadence)
- [Enabled](#deviceproviderprovideridconfigrefreshenabled)
- [PausePeriod](#deviceproviderprovideridconfigrefreshpauseperiod)
- [CustomEnrollmentCompletePage](#deviceproviderprovideridcustomenrollmentcompletepage) - [CustomEnrollmentCompletePage](#deviceproviderprovideridcustomenrollmentcompletepage)
- [BodyText](#deviceproviderprovideridcustomenrollmentcompletepagebodytext) - [BodyText](#deviceproviderprovideridcustomenrollmentcompletepagebodytext)
- [HyperlinkHref](#deviceproviderprovideridcustomenrollmentcompletepagehyperlinkhref) - [HyperlinkHref](#deviceproviderprovideridcustomenrollmentcompletepagehyperlinkhref)
@ -624,6 +631,176 @@ This node, when it is set, tells the client to set how many minutes the device s
<!-- Device-Provider-{ProviderID}-ConfigLock-UnlockDuration-End --> <!-- Device-Provider-{ProviderID}-ConfigLock-UnlockDuration-End -->
<!-- Device-Provider-{ProviderID}-ConfigRefresh-Begin -->
#### Device/Provider/{ProviderID}/ConfigRefresh
<!-- Device-Provider-{ProviderID}-ConfigRefresh-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview |
<!-- Device-Provider-{ProviderID}-ConfigRefresh-Applicability-End -->
<!-- Device-Provider-{ProviderID}-ConfigRefresh-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/ConfigRefresh
```
<!-- Device-Provider-{ProviderID}-ConfigRefresh-OmaUri-End -->
<!-- Device-Provider-{ProviderID}-ConfigRefresh-Description-Begin -->
<!-- Description-Source-DDF -->
Parent node for ConfigRefresh nodes.
<!-- Device-Provider-{ProviderID}-ConfigRefresh-Description-End -->
<!-- Device-Provider-{ProviderID}-ConfigRefresh-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Provider-{ProviderID}-ConfigRefresh-Editable-End -->
<!-- Device-Provider-{ProviderID}-ConfigRefresh-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | node |
| Access Type | Add, Delete, Get |
<!-- Device-Provider-{ProviderID}-ConfigRefresh-DFProperties-End -->
<!-- Device-Provider-{ProviderID}-ConfigRefresh-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Provider-{ProviderID}-ConfigRefresh-Examples-End -->
<!-- Device-Provider-{ProviderID}-ConfigRefresh-End -->
<!-- Device-Provider-{ProviderID}-ConfigRefresh-Cadence-Begin -->
##### Device/Provider/{ProviderID}/ConfigRefresh/Cadence
<!-- Device-Provider-{ProviderID}-ConfigRefresh-Cadence-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview |
<!-- Device-Provider-{ProviderID}-ConfigRefresh-Cadence-Applicability-End -->
<!-- Device-Provider-{ProviderID}-ConfigRefresh-Cadence-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/ConfigRefresh/Cadence
```
<!-- Device-Provider-{ProviderID}-ConfigRefresh-Cadence-OmaUri-End -->
<!-- Device-Provider-{ProviderID}-ConfigRefresh-Cadence-Description-Begin -->
<!-- Description-Source-DDF -->
This node determines the number of minutes between refreshes.
<!-- Device-Provider-{ProviderID}-ConfigRefresh-Cadence-Description-End -->
<!-- Device-Provider-{ProviderID}-ConfigRefresh-Cadence-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Provider-{ProviderID}-ConfigRefresh-Cadence-Editable-End -->
<!-- Device-Provider-{ProviderID}-ConfigRefresh-Cadence-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[30-1440]` |
| Default Value | 90 |
<!-- Device-Provider-{ProviderID}-ConfigRefresh-Cadence-DFProperties-End -->
<!-- Device-Provider-{ProviderID}-ConfigRefresh-Cadence-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Provider-{ProviderID}-ConfigRefresh-Cadence-Examples-End -->
<!-- Device-Provider-{ProviderID}-ConfigRefresh-Cadence-End -->
<!-- Device-Provider-{ProviderID}-ConfigRefresh-Enabled-Begin -->
##### Device/Provider/{ProviderID}/ConfigRefresh/Enabled
<!-- Device-Provider-{ProviderID}-ConfigRefresh-Enabled-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview |
<!-- Device-Provider-{ProviderID}-ConfigRefresh-Enabled-Applicability-End -->
<!-- Device-Provider-{ProviderID}-ConfigRefresh-Enabled-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/ConfigRefresh/Enabled
```
<!-- Device-Provider-{ProviderID}-ConfigRefresh-Enabled-OmaUri-End -->
<!-- Device-Provider-{ProviderID}-ConfigRefresh-Enabled-Description-Begin -->
<!-- Description-Source-DDF -->
This node determines whether or not a periodic settings refresh for MDM policies will occur.
<!-- Device-Provider-{ProviderID}-ConfigRefresh-Enabled-Description-End -->
<!-- Device-Provider-{ProviderID}-ConfigRefresh-Enabled-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Provider-{ProviderID}-ConfigRefresh-Enabled-Editable-End -->
<!-- Device-Provider-{ProviderID}-ConfigRefresh-Enabled-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | bool |
| Access Type | Add, Delete, Get, Replace |
| Default Value | false |
<!-- Device-Provider-{ProviderID}-ConfigRefresh-Enabled-DFProperties-End -->
<!-- Device-Provider-{ProviderID}-ConfigRefresh-Enabled-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| true | ConfigRefresh is enabled. |
| false (Default) | ConfigRefresh is disabled. |
<!-- Device-Provider-{ProviderID}-ConfigRefresh-Enabled-AllowedValues-End -->
<!-- Device-Provider-{ProviderID}-ConfigRefresh-Enabled-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Provider-{ProviderID}-ConfigRefresh-Enabled-Examples-End -->
<!-- Device-Provider-{ProviderID}-ConfigRefresh-Enabled-End -->
<!-- Device-Provider-{ProviderID}-ConfigRefresh-PausePeriod-Begin -->
##### Device/Provider/{ProviderID}/ConfigRefresh/PausePeriod
<!-- Device-Provider-{ProviderID}-ConfigRefresh-PausePeriod-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview |
<!-- Device-Provider-{ProviderID}-ConfigRefresh-PausePeriod-Applicability-End -->
<!-- Device-Provider-{ProviderID}-ConfigRefresh-PausePeriod-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/ConfigRefresh/PausePeriod
```
<!-- Device-Provider-{ProviderID}-ConfigRefresh-PausePeriod-OmaUri-End -->
<!-- Device-Provider-{ProviderID}-ConfigRefresh-PausePeriod-Description-Begin -->
<!-- Description-Source-DDF -->
This node determines the number of minutes ConfigRefresh should be paused for.
<!-- Device-Provider-{ProviderID}-ConfigRefresh-PausePeriod-Description-End -->
<!-- Device-Provider-{ProviderID}-ConfigRefresh-PausePeriod-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Provider-{ProviderID}-ConfigRefresh-PausePeriod-Editable-End -->
<!-- Device-Provider-{ProviderID}-ConfigRefresh-PausePeriod-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[0-1440]` |
| Default Value | 0 |
<!-- Device-Provider-{ProviderID}-ConfigRefresh-PausePeriod-DFProperties-End -->
<!-- Device-Provider-{ProviderID}-ConfigRefresh-PausePeriod-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Provider-{ProviderID}-ConfigRefresh-PausePeriod-Examples-End -->
<!-- Device-Provider-{ProviderID}-ConfigRefresh-PausePeriod-End -->
<!-- Device-Provider-{ProviderID}-CustomEnrollmentCompletePage-Begin --> <!-- Device-Provider-{ProviderID}-CustomEnrollmentCompletePage-Begin -->
#### Device/Provider/{ProviderID}/CustomEnrollmentCompletePage #### Device/Provider/{ProviderID}/CustomEnrollmentCompletePage

121
windows/client-management/mdm/dmclient-ddf-file.md
View File

@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 02/24/2023 ms.date: 05/01/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -2947,6 +2947,125 @@ The following XML file contains the device description framework (DDF) for the D
</DFProperties> </DFProperties>
</Node> </Node>
</Node> </Node>
<Node>
<NodeName>ConfigRefresh</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
</AccessType>
<Description>Parent node for ConfigRefresh nodes</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.6</MSFT:CspVersion>
</MSFT:Applicability>
</DFProperties>
<Node>
<NodeName>Enabled</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>false</DefaultValue>
<Description>This node determines whether or not a periodic settings refresh for MDM policies will occur.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>ConfigRefresh is enabled.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>false</MSFT:Value>
<MSFT:ValueDescription>ConfigRefresh is disabled.</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
<MSFT:ConflictResolution>LastWrite</MSFT:ConflictResolution>
</DFProperties>
</Node>
<Node>
<NodeName>Cadence</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>90</DefaultValue>
<Description>This node determines the number of minutes between refreshes.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="Range">
<MSFT:Value>[30-1440]</MSFT:Value>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>PausePeriod</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>This node determines the number of minutes ConfigRefresh should be paused for.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="Range">
<MSFT:Value>[0-1440]</MSFT:Value>
</MSFT:AllowedValues>
</DFProperties>
</Node>
</Node>
</Node> </Node>
</Node> </Node>
<Node> <Node>

417
windows/client-management/mdm/firewall-csp.md
View File

@ -4,7 +4,7 @@ description: Learn more about the Firewall CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 03/23/2023 ms.date: 05/01/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -16,9 +16,6 @@ ms.topic: reference
<!-- Firewall-Begin --> <!-- Firewall-Begin -->
# Firewall CSP # Firewall CSP
> [!IMPORTANT]
> This CSP contains preview policies that are under development and only applicable for [Windows Insider Preview builds](/windows-insider/). These policies are subject to change and may have dependencies on other features or services in preview.
<!-- Firewall-Editable-Begin --> <!-- Firewall-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure the Windows Defender Firewall global settings, per profile settings, and the desired set of custom rules to be enforced on the device. Using the Firewall CSP the IT admin can now manage non-domain devices, and reduce the risk of network security threats across all systems connecting to the corporate network. The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure the Windows Defender Firewall global settings, per profile settings, and the desired set of custom rules to be enforced on the device. Using the Firewall CSP the IT admin can now manage non-domain devices, and reduce the risk of network security threats across all systems connecting to the corporate network.
@ -99,11 +96,11 @@ The following list shows the Firewall configuration service provider nodes:
- [HyperVFirewallRules](#mdmstorehypervfirewallrules) - [HyperVFirewallRules](#mdmstorehypervfirewallrules)
- [{FirewallRuleName}](#mdmstorehypervfirewallrulesfirewallrulename) - [{FirewallRuleName}](#mdmstorehypervfirewallrulesfirewallrulename)
- [Action](#mdmstorehypervfirewallrulesfirewallrulenameaction) - [Action](#mdmstorehypervfirewallrulesfirewallrulenameaction)
- [Type](#mdmstorehypervfirewallrulesfirewallrulenameactiontype)
- [Direction](#mdmstorehypervfirewallrulesfirewallrulenamedirection) - [Direction](#mdmstorehypervfirewallrulesfirewallrulenamedirection)
- [Enabled](#mdmstorehypervfirewallrulesfirewallrulenameenabled) - [Enabled](#mdmstorehypervfirewallrulesfirewallrulenameenabled)
- [LocalAddressRanges](#mdmstorehypervfirewallrulesfirewallrulenamelocaladdressranges) - [LocalAddressRanges](#mdmstorehypervfirewallrulesfirewallrulenamelocaladdressranges)
- [LocalPortRanges](#mdmstorehypervfirewallrulesfirewallrulenamelocalportranges) - [LocalPortRanges](#mdmstorehypervfirewallrulesfirewallrulenamelocalportranges)
- [Name](#mdmstorehypervfirewallrulesfirewallrulenamename)
- [Priority](#mdmstorehypervfirewallrulesfirewallrulenamepriority) - [Priority](#mdmstorehypervfirewallrulesfirewallrulenamepriority)
- [Profiles](#mdmstorehypervfirewallrulesfirewallrulenameprofiles) - [Profiles](#mdmstorehypervfirewallrulesfirewallrulenameprofiles)
- [Protocol](#mdmstorehypervfirewallrulesfirewallrulenameprotocol) - [Protocol](#mdmstorehypervfirewallrulesfirewallrulenameprotocol)
@ -111,12 +108,6 @@ The following list shows the Firewall configuration service provider nodes:
- [RemotePortRanges](#mdmstorehypervfirewallrulesfirewallrulenameremoteportranges) - [RemotePortRanges](#mdmstorehypervfirewallrulesfirewallrulenameremoteportranges)
- [Status](#mdmstorehypervfirewallrulesfirewallrulenamestatus) - [Status](#mdmstorehypervfirewallrulesfirewallrulenamestatus)
- [VMCreatorId](#mdmstorehypervfirewallrulesfirewallrulenamevmcreatorid) - [VMCreatorId](#mdmstorehypervfirewallrulesfirewallrulenamevmcreatorid)
- [HyperVLoopbackRules](#mdmstorehypervloopbackrules)
- [{RuleName}](#mdmstorehypervloopbackrulesrulename)
- [DestinationVMCreatorId](#mdmstorehypervloopbackrulesrulenamedestinationvmcreatorid)
- [Enabled](#mdmstorehypervloopbackrulesrulenameenabled)
- [PortRanges](#mdmstorehypervloopbackrulesrulenameportranges)
- [SourceVMCreatorId](#mdmstorehypervloopbackrulesrulenamesourcevmcreatorid)
- [HyperVVMSettings](#mdmstorehypervvmsettings) - [HyperVVMSettings](#mdmstorehypervvmsettings)
- [{VMCreatorId}](#mdmstorehypervvmsettingsvmcreatorid) - [{VMCreatorId}](#mdmstorehypervvmsettingsvmcreatorid)
- [AllowHostPolicyMerge](#mdmstorehypervvmsettingsvmcreatoridallowhostpolicymerge) - [AllowHostPolicyMerge](#mdmstorehypervvmsettingsvmcreatoridallowhostpolicymerge)
@ -1791,7 +1782,7 @@ Specifies the description of the rule.
<!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-Direction-Description-Begin --> <!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-Direction-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
Comma separated list. The rule is enabled based on the traffic direction as following. The rule is enabled based on the traffic direction as following.
IN - the rule applies to inbound traffic. IN - the rule applies to inbound traffic.
OUT - the rule applies to outbound traffic. OUT - the rule applies to outbound traffic.
@ -1935,7 +1926,7 @@ If not specified - a new rule is disabled by default.
<!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-IcmpTypesAndCodes-Applicability-Begin --> <!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-IcmpTypesAndCodes-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 21H1 [10.0.19043] and later | | :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20348] and later |
<!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-IcmpTypesAndCodes-Applicability-End --> <!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-IcmpTypesAndCodes-Applicability-End -->
<!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-IcmpTypesAndCodes-OmaUri-Begin --> <!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-IcmpTypesAndCodes-OmaUri-Begin -->
@ -2087,6 +2078,7 @@ An IPv6 address range in the format of "start address - end address" with no spa
<!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-LocalPortRanges-Description-Begin --> <!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-LocalPortRanges-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All. Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All.
When setting this field in a firewall rule, the protocol field must also be set, to either 6 (TCP) or 17 (UDP).
<!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-LocalPortRanges-Description-End --> <!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-LocalPortRanges-Description-End -->
<!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-LocalPortRanges-Editable-Begin --> <!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-LocalPortRanges-Editable-Begin -->
@ -2166,7 +2158,8 @@ This is a string in Security Descriptor Definition Language (SDDL) format..
<!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-Name-OmaUri-End --> <!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-Name-OmaUri-End -->
<!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-Name-Description-Begin --> <!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-Name-Description-Begin -->
<!-- Description-Source-Not-Found --> <!-- Description-Source-DDF -->
Specifies the friendly name of the firewall rule.
<!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-Name-Description-End --> <!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-Name-Description-End -->
<!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-Name-Editable-Begin --> <!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-Name-Editable-Begin -->
@ -2194,7 +2187,7 @@ This is a string in Security Descriptor Definition Language (SDDL) format..
<!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-PolicyAppId-Applicability-Begin --> <!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-PolicyAppId-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | | :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 22H2 [10.0.19045.2913] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000.1880] and later <br> :heavy_check_mark: Windows 11, version 22H2 [10.0.22621.1635] and later |
<!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-PolicyAppId-Applicability-End --> <!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-PolicyAppId-Applicability-End -->
<!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-PolicyAppId-OmaUri-Begin --> <!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-PolicyAppId-OmaUri-Begin -->
@ -2205,7 +2198,7 @@ This is a string in Security Descriptor Definition Language (SDDL) format..
<!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-PolicyAppId-Description-Begin --> <!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-PolicyAppId-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
Specifies one WDAC tag. This is a string that can contain any alphanumeric character and any of the characters ":", "/", ".", and "_". Specifies one WDAC tag. This is a string that can contain any alphanumeric character and any of the characters ":", "/", ".", and "_". A PolicyAppId and ServiceName cannot be specified in the same rule.
<!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-PolicyAppId-Description-End --> <!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-PolicyAppId-Description-End -->
<!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-PolicyAppId-Editable-Begin --> <!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-PolicyAppId-Editable-Begin -->
@ -2431,6 +2424,7 @@ An IPv6 address range in the format of "start address - end address" with no spa
<!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-RemotePortRanges-Description-Begin --> <!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-RemotePortRanges-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All. Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All.
When setting this field in a firewall rule, the protocol field must also be set, to either 6 (TCP) or 17 (UDP).
<!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-RemotePortRanges-Description-End --> <!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-RemotePortRanges-Description-End -->
<!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-RemotePortRanges-Editable-Begin --> <!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-RemotePortRanges-Editable-Begin -->
@ -3122,7 +3116,9 @@ Unique alpha numeric identifier for the rule. The rule name must not include a f
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Action-Description-Begin --> <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Action-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
Specifies the action for the rule. Specifies the action the rule enforces:
0 - Block
1 - Allow.
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Action-Description-End --> <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Action-Description-End -->
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Action-Editable-Begin --> <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Action-Editable-Begin -->
@ -3132,68 +3128,27 @@ Specifies the action for the rule.
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Action-DFProperties-Begin --> <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Action-DFProperties-Begin -->
**Description framework properties**: **Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | node |
| Access Type | Get |
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Action-DFProperties-End -->
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Action-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Action-Examples-End -->
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Action-End -->
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Action-Type-Begin -->
###### MdmStore/HyperVFirewallRules/{FirewallRuleName}/Action/Type
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Action-Type-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Action-Type-Applicability-End -->
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Action-Type-OmaUri-Begin -->
```Device
./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules/{FirewallRuleName}/Action/Type
```
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Action-Type-OmaUri-End -->
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Action-Type-Description-Begin -->
<!-- Description-Source-DDF -->
Specifies the action the rule enforces:
0 - Block
1 - Allow.
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Action-Type-Description-End -->
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Action-Type-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Action-Type-Editable-End -->
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Action-Type-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value | | Property name | Property value |
|:--|:--| |:--|:--|
| Format | int | | Format | int |
| Access Type | Get, Replace | | Access Type | Get, Replace |
| Default Value | 1 | | Default Value | 1 |
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Action-Type-DFProperties-End --> <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Action-DFProperties-End -->
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Action-Type-AllowedValues-Begin --> <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Action-AllowedValues-Begin -->
**Allowed values**: **Allowed values**:
| Value | Description | | Value | Description |
|:--|:--| |:--|:--|
| 0 | Block. | | 0 | Block. |
| 1 (Default) | Allow. | | 1 (Default) | Allow. |
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Action-Type-AllowedValues-End --> <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Action-AllowedValues-End -->
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Action-Type-Examples-Begin --> <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Action-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. --> <!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Action-Type-Examples-End --> <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Action-Examples-End -->
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Action-Type-End --> <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Action-End -->
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Direction-Begin --> <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Direction-Begin -->
##### MdmStore/HyperVFirewallRules/{FirewallRuleName}/Direction ##### MdmStore/HyperVFirewallRules/{FirewallRuleName}/Direction
@ -3212,7 +3167,7 @@ Specifies the action the rule enforces:
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Direction-Description-Begin --> <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Direction-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
Comma separated list. The rule is enabled based on the traffic direction as following. The rule is enabled based on the traffic direction as following.
IN - the rule applies to inbound traffic. IN - the rule applies to inbound traffic.
OUT - the rule applies to outbound traffic. OUT - the rule applies to outbound traffic.
@ -3385,6 +3340,45 @@ Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-LocalPortRanges-End --> <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-LocalPortRanges-End -->
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Name-Begin -->
##### MdmStore/HyperVFirewallRules/{FirewallRuleName}/Name
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Name-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Name-Applicability-End -->
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Name-OmaUri-Begin -->
```Device
./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules/{FirewallRuleName}/Name
```
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Name-OmaUri-End -->
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Name-Description-Begin -->
<!-- Description-Source-DDF -->
Specifies the friendly name of the Hyper-V Firewall rule.
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Name-Description-End -->
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Name-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Name-Editable-End -->
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Name-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Name-DFProperties-End -->
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Name-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Name-Examples-End -->
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Name-End -->
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Priority-Begin --> <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Priority-Begin -->
##### MdmStore/HyperVFirewallRules/{FirewallRuleName}/Priority ##### MdmStore/HyperVFirewallRules/{FirewallRuleName}/Priority
@ -3402,7 +3396,7 @@ Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Priority-Description-Begin --> <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Priority-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
0-255 number representing the IANA Internet Protocol (TCP = 6, UDP = 17). If not specified the default is All. This value represents the order of rule enforcement. A lower priority rule is evaluated first. If not specified, block rules are evaluated before allow rules. If priority is configured, it is highly recommended to configure the value for ALL rules to ensure expected evaluation of rules.
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Priority-Description-End --> <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Priority-Description-End -->
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Priority-Editable-Begin --> <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Priority-Editable-Begin -->
@ -3416,7 +3410,7 @@ Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the
|:--|:--| |:--|:--|
| Format | int | | Format | int |
| Access Type | Add, Delete, Get, Replace | | Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[0-255]` | | Allowed Values | Range: `[0-65535]` |
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Priority-DFProperties-End --> <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Priority-DFProperties-End -->
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Priority-Examples-Begin --> <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Priority-Examples-Begin -->
@ -3679,255 +3673,6 @@ This field specifies the VM Creator ID that this rule is applicable to. A NULL G
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-VMCreatorId-End --> <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-VMCreatorId-End -->
<!-- Device-MdmStore-HyperVLoopbackRules-Begin -->
### MdmStore/HyperVLoopbackRules
<!-- Device-MdmStore-HyperVLoopbackRules-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
<!-- Device-MdmStore-HyperVLoopbackRules-Applicability-End -->
<!-- Device-MdmStore-HyperVLoopbackRules-OmaUri-Begin -->
```Device
./Vendor/MSFT/Firewall/MdmStore/HyperVLoopbackRules
```
<!-- Device-MdmStore-HyperVLoopbackRules-OmaUri-End -->
<!-- Device-MdmStore-HyperVLoopbackRules-Description-Begin -->
<!-- Description-Source-DDF -->
A list of rules controlling loopback traffic through the Windows Firewall. This enforcement is only for traffic from one container to another or to the host device. These rules are all allow rules.
<!-- Device-MdmStore-HyperVLoopbackRules-Description-End -->
<!-- Device-MdmStore-HyperVLoopbackRules-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-MdmStore-HyperVLoopbackRules-Editable-End -->
<!-- Device-MdmStore-HyperVLoopbackRules-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | node |
| Access Type | Get |
<!-- Device-MdmStore-HyperVLoopbackRules-DFProperties-End -->
<!-- Device-MdmStore-HyperVLoopbackRules-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-MdmStore-HyperVLoopbackRules-Examples-End -->
<!-- Device-MdmStore-HyperVLoopbackRules-End -->
<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-Begin -->
#### MdmStore/HyperVLoopbackRules/{RuleName}
<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-Applicability-End -->
<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-OmaUri-Begin -->
```Device
./Vendor/MSFT/Firewall/MdmStore/HyperVLoopbackRules/{RuleName}
```
<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-OmaUri-End -->
<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-Description-Begin -->
<!-- Description-Source-DDF -->
Unique alpha numeric identifier for the rule. The rule name must not include a forward slash (/).
<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-Description-End -->
<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-Editable-End -->
<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | node |
| Access Type | Add, Delete, Get, Replace |
| Atomic Required | True |
| Dynamic Node Naming | ServerGeneratedUniqueIdentifier |
| Allowed Values | Regular Expression: `^[^|/]*$` |
<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-DFProperties-End -->
<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-Examples-End -->
<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-End -->
<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-DestinationVMCreatorId-Begin -->
##### MdmStore/HyperVLoopbackRules/{RuleName}/DestinationVMCreatorId
<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-DestinationVMCreatorId-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-DestinationVMCreatorId-Applicability-End -->
<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-DestinationVMCreatorId-OmaUri-Begin -->
```Device
./Vendor/MSFT/Firewall/MdmStore/HyperVLoopbackRules/{RuleName}/DestinationVMCreatorId
```
<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-DestinationVMCreatorId-OmaUri-End -->
<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-DestinationVMCreatorId-Description-Begin -->
<!-- Description-Source-DDF -->
This field specifies the VM Creator ID of the destination of traffic that this rule applies to. If not specified, this applies to All.
<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-DestinationVMCreatorId-Description-End -->
<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-DestinationVMCreatorId-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-DestinationVMCreatorId-Editable-End -->
<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-DestinationVMCreatorId-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Regular Expression: `\{[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\}` |
<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-DestinationVMCreatorId-DFProperties-End -->
<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-DestinationVMCreatorId-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-DestinationVMCreatorId-Examples-End -->
<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-DestinationVMCreatorId-End -->
<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-Enabled-Begin -->
##### MdmStore/HyperVLoopbackRules/{RuleName}/Enabled
<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-Enabled-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-Enabled-Applicability-End -->
<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-Enabled-OmaUri-Begin -->
```Device
./Vendor/MSFT/Firewall/MdmStore/HyperVLoopbackRules/{RuleName}/Enabled
```
<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-Enabled-OmaUri-End -->
<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-Enabled-Description-Begin -->
<!-- Description-Source-DDF -->
Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. If not specified - a new rule is disabled by default.
<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-Enabled-Description-End -->
<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-Enabled-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-Enabled-Editable-End -->
<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-Enabled-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | bool |
| Access Type | Get, Replace |
<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-Enabled-DFProperties-End -->
<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-Enabled-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Disabled. |
| 1 | Enabled. |
<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-Enabled-AllowedValues-End -->
<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-Enabled-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-Enabled-Examples-End -->
<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-Enabled-End -->
<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-PortRanges-Begin -->
##### MdmStore/HyperVLoopbackRules/{RuleName}/PortRanges
<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-PortRanges-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-PortRanges-Applicability-End -->
<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-PortRanges-OmaUri-Begin -->
```Device
./Vendor/MSFT/Firewall/MdmStore/HyperVLoopbackRules/{RuleName}/PortRanges
```
<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-PortRanges-OmaUri-End -->
<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-PortRanges-Description-Begin -->
<!-- Description-Source-DDF -->
Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All.
<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-PortRanges-Description-End -->
<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-PortRanges-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-PortRanges-Editable-End -->
<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-PortRanges-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Regular Expression: `^[0-9,-]+$` |
<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-PortRanges-DFProperties-End -->
<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-PortRanges-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-PortRanges-Examples-End -->
<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-PortRanges-End -->
<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-SourceVMCreatorId-Begin -->
##### MdmStore/HyperVLoopbackRules/{RuleName}/SourceVMCreatorId
<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-SourceVMCreatorId-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-SourceVMCreatorId-Applicability-End -->
<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-SourceVMCreatorId-OmaUri-Begin -->
```Device
./Vendor/MSFT/Firewall/MdmStore/HyperVLoopbackRules/{RuleName}/SourceVMCreatorId
```
<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-SourceVMCreatorId-OmaUri-End -->
<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-SourceVMCreatorId-Description-Begin -->
<!-- Description-Source-DDF -->
This field specifies the VM Creator ID of the source of the traffic that this rule applies to. If not specified, this applies to All.
<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-SourceVMCreatorId-Description-End -->
<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-SourceVMCreatorId-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-SourceVMCreatorId-Editable-End -->
<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-SourceVMCreatorId-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Regular Expression: `\{[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\}` |
<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-SourceVMCreatorId-DFProperties-End -->
<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-SourceVMCreatorId-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-SourceVMCreatorId-Examples-End -->
<!-- Device-MdmStore-HyperVLoopbackRules-{RuleName}-SourceVMCreatorId-End -->
<!-- Device-MdmStore-HyperVVMSettings-Begin --> <!-- Device-MdmStore-HyperVVMSettings-Begin -->
### MdmStore/HyperVVMSettings ### MdmStore/HyperVVMSettings
@ -4026,7 +3771,7 @@ VM Creator ID that these settings apply to. Valid format is a GUID.
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-AllowHostPolicyMerge-Description-Begin --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-AllowHostPolicyMerge-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This value is used as an on/off switch. If this value is true, applicable host firewall rules and settings will be applied to Hyper-V firewall. This value is used as an on/off switch. If this value is true, applicable host firewall rules and settings will be applied to Hyper-V Firewall.
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-AllowHostPolicyMerge-Description-End --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-AllowHostPolicyMerge-Description-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-AllowHostPolicyMerge-Editable-Begin --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-AllowHostPolicyMerge-Editable-Begin -->
@ -4075,7 +3820,7 @@ This value is used as an on/off switch. If this value is true, applicable host f
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DefaultInboundAction-Description-Begin --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DefaultInboundAction-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree. This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree.
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DefaultInboundAction-Description-End --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DefaultInboundAction-Description-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DefaultInboundAction-Editable-Begin --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DefaultInboundAction-Editable-Begin -->
@ -4125,7 +3870,7 @@ This value is the action that the firewall does by default (and evaluates at the
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DefaultOutboundAction-Description-Begin --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DefaultOutboundAction-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree. This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree.
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DefaultOutboundAction-Description-End --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DefaultOutboundAction-Description-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DefaultOutboundAction-Editable-Begin --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DefaultOutboundAction-Editable-Begin -->
@ -4213,7 +3958,7 @@ This value is the action that the firewall does by default (and evaluates at the
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-AllowLocalPolicyMerge-Description-Begin --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-AllowLocalPolicyMerge-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. This value is used as an on/off switch. If this value is false, Hyper-V Firewall rules from the local store are ignored and not enforced.
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-AllowLocalPolicyMerge-Description-End --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-AllowLocalPolicyMerge-Description-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-AllowLocalPolicyMerge-Editable-Begin --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-AllowLocalPolicyMerge-Editable-Begin -->
@ -4263,7 +4008,7 @@ This value is used as an on/off switch. If this value is false, firewall rules f
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-DefaultInboundAction-Description-Begin --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-DefaultInboundAction-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block].
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-DefaultInboundAction-Description-End --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-DefaultInboundAction-Description-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-DefaultInboundAction-Editable-Begin --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-DefaultInboundAction-Editable-Begin -->
@ -4313,7 +4058,7 @@ This value is the action that the firewall does by default (and evaluates at the
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-DefaultOutboundAction-Description-Begin --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-DefaultOutboundAction-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow].
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-DefaultOutboundAction-Description-End --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-DefaultOutboundAction-Description-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-DefaultOutboundAction-Editable-Begin --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-DefaultOutboundAction-Editable-Begin -->
@ -4363,7 +4108,7 @@ This value is the action that the firewall does by default (and evaluates at the
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-EnableFirewall-Description-Begin --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-EnableFirewall-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This value is an on/off switch for the firewall and advanced security enforcement. This value is an on/off switch for the Hyper-V Firewall enforcement.
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-EnableFirewall-Description-End --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-EnableFirewall-Description-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-EnableFirewall-Editable-Begin --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-EnableFirewall-Editable-Begin -->
@ -4412,7 +4157,7 @@ This value is an on/off switch for the firewall and advanced security enforcemen
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-EnableFirewall-Description-Begin --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-EnableFirewall-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This value is an on/off switch for the firewall and advanced security enforcement. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree. This value is an on/off switch for the Hyper-V Firewall. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree.
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-EnableFirewall-Description-End --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-EnableFirewall-Description-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-EnableFirewall-Editable-Begin --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-EnableFirewall-Editable-Begin -->
@ -4434,8 +4179,8 @@ This value is an on/off switch for the firewall and advanced security enforcemen
| Value | Description | | Value | Description |
|:--|:--| |:--|:--|
| false | Disable Firewall. | | false | Disable Hyper-V Firewall. |
| true (Default) | Enable Firewall. | | true (Default) | Enable Hyper-V Firewall. |
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-EnableFirewall-AllowedValues-End --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-EnableFirewall-AllowedValues-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-EnableFirewall-Examples-Begin --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-EnableFirewall-Examples-Begin -->
@ -4548,7 +4293,7 @@ This value is an on/off switch for loopback traffic. This determines if this VM
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-AllowLocalPolicyMerge-Description-Begin --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-AllowLocalPolicyMerge-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. This value is used as an on/off switch. If this value is false, Hyper-V Firewall rules from the local store are ignored and not enforced.
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-AllowLocalPolicyMerge-Description-End --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-AllowLocalPolicyMerge-Description-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-AllowLocalPolicyMerge-Editable-Begin --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-AllowLocalPolicyMerge-Editable-Begin -->
@ -4598,7 +4343,7 @@ This value is used as an on/off switch. If this value is false, firewall rules f
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-DefaultInboundAction-Description-Begin --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-DefaultInboundAction-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block].
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-DefaultInboundAction-Description-End --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-DefaultInboundAction-Description-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-DefaultInboundAction-Editable-Begin --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-DefaultInboundAction-Editable-Begin -->
@ -4648,7 +4393,7 @@ This value is the action that the firewall does by default (and evaluates at the
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-DefaultOutboundAction-Description-Begin --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-DefaultOutboundAction-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow].
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-DefaultOutboundAction-Description-End --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-DefaultOutboundAction-Description-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-DefaultOutboundAction-Editable-Begin --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-DefaultOutboundAction-Editable-Begin -->
@ -4698,7 +4443,7 @@ This value is the action that the firewall does by default (and evaluates at the
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-EnableFirewall-Description-Begin --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-EnableFirewall-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This value is an on/off switch for the firewall and advanced security enforcement. This value is an on/off switch for the Hyper-V Firewall enforcement.
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-EnableFirewall-Description-End --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-EnableFirewall-Description-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-EnableFirewall-Editable-Begin --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-EnableFirewall-Editable-Begin -->
@ -4785,7 +4530,7 @@ This value is an on/off switch for the firewall and advanced security enforcemen
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-AllowLocalPolicyMerge-Description-Begin --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-AllowLocalPolicyMerge-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. This value is used as an on/off switch. If this value is false, Hyper-V Firewall rules from the local store are ignored and not enforced.
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-AllowLocalPolicyMerge-Description-End --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-AllowLocalPolicyMerge-Description-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-AllowLocalPolicyMerge-Editable-Begin --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-AllowLocalPolicyMerge-Editable-Begin -->
@ -4835,7 +4580,7 @@ This value is used as an on/off switch. If this value is false, firewall rules f
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-DefaultInboundAction-Description-Begin --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-DefaultInboundAction-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block].
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-DefaultInboundAction-Description-End --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-DefaultInboundAction-Description-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-DefaultInboundAction-Editable-Begin --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-DefaultInboundAction-Editable-Begin -->
@ -4885,7 +4630,7 @@ This value is the action that the firewall does by default (and evaluates at the
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-DefaultOutboundAction-Description-Begin --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-DefaultOutboundAction-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow].
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-DefaultOutboundAction-Description-End --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-DefaultOutboundAction-Description-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-DefaultOutboundAction-Editable-Begin --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-DefaultOutboundAction-Editable-Begin -->
@ -4935,7 +4680,7 @@ This value is the action that the firewall does by default (and evaluates at the
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-EnableFirewall-Description-Begin --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-EnableFirewall-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This value is an on/off switch for the firewall and advanced security enforcement. This value is an on/off switch for the Hyper-V Firewall enforcement.
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-EnableFirewall-Description-End --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-EnableFirewall-Description-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-EnableFirewall-Editable-Begin --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-EnableFirewall-Editable-Begin -->
@ -4957,8 +4702,8 @@ This value is an on/off switch for the firewall and advanced security enforcemen
| Value | Description | | Value | Description |
|:--|:--| |:--|:--|
| false | Disable Firewall. | | false | Disable Hyper-V Firewall. |
| true (Default) | Enable Firewall. | | true (Default) | Enable Hyper-V Firewall. |
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-EnableFirewall-AllowedValues-End --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-EnableFirewall-AllowedValues-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-EnableFirewall-Examples-Begin --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-EnableFirewall-Examples-Begin -->

264
windows/client-management/mdm/firewall-ddf-file.md
View File

@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 03/23/2023 ms.date: 05/01/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -2855,7 +2855,7 @@ The following XML file contains the device description framework (DDF) for the F
<Replace /> <Replace />
</AccessType> </AccessType>
<DefaultValue>true</DefaultValue> <DefaultValue>true</DefaultValue>
<Description>This value is an on/off switch for the firewall and advanced security enforcement. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree.</Description> <Description>This value is an on/off switch for the Hyper-V Firewall. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree.</Description>
<DFFormat> <DFFormat>
<bool /> <bool />
</DFFormat> </DFFormat>
@ -2871,11 +2871,11 @@ The following XML file contains the device description framework (DDF) for the F
<MSFT:AllowedValues ValueType="ENUM"> <MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum> <MSFT:Enum>
<MSFT:Value>false</MSFT:Value> <MSFT:Value>false</MSFT:Value>
<MSFT:ValueDescription>Disable Firewall</MSFT:ValueDescription> <MSFT:ValueDescription>Disable Hyper-V Firewall</MSFT:ValueDescription>
</MSFT:Enum> </MSFT:Enum>
<MSFT:Enum> <MSFT:Enum>
<MSFT:Value>true</MSFT:Value> <MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>Enable Firewall</MSFT:ValueDescription> <MSFT:ValueDescription>Enable Hyper-V Firewall</MSFT:ValueDescription>
</MSFT:Enum> </MSFT:Enum>
</MSFT:AllowedValues> </MSFT:AllowedValues>
</DFProperties> </DFProperties>
@ -2888,7 +2888,7 @@ The following XML file contains the device description framework (DDF) for the F
<Replace /> <Replace />
</AccessType> </AccessType>
<DefaultValue>0</DefaultValue> <DefaultValue>0</DefaultValue>
<Description>This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree.</Description> <Description>This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree.</Description>
<DFFormat> <DFFormat>
<int /> <int />
</DFFormat> </DFFormat>
@ -2918,7 +2918,7 @@ The following XML file contains the device description framework (DDF) for the F
<MSFT:DependencyAllowedValue ValueType="ENUM"> <MSFT:DependencyAllowedValue ValueType="ENUM">
<MSFT:Enum> <MSFT:Enum>
<MSFT:Value>true</MSFT:Value> <MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>Enable Firewall</MSFT:ValueDescription> <MSFT:ValueDescription>Enable Hyper-V Firewall</MSFT:ValueDescription>
</MSFT:Enum> </MSFT:Enum>
</MSFT:DependencyAllowedValue> </MSFT:DependencyAllowedValue>
</MSFT:Dependency> </MSFT:Dependency>
@ -2934,7 +2934,7 @@ The following XML file contains the device description framework (DDF) for the F
<Replace /> <Replace />
</AccessType> </AccessType>
<DefaultValue>1</DefaultValue> <DefaultValue>1</DefaultValue>
<Description>This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree.</Description> <Description>This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree.</Description>
<DFFormat> <DFFormat>
<int /> <int />
</DFFormat> </DFFormat>
@ -2964,7 +2964,7 @@ The following XML file contains the device description framework (DDF) for the F
<MSFT:DependencyAllowedValue ValueType="ENUM"> <MSFT:DependencyAllowedValue ValueType="ENUM">
<MSFT:Enum> <MSFT:Enum>
<MSFT:Value>true</MSFT:Value> <MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>Enable Firewall</MSFT:ValueDescription> <MSFT:ValueDescription>Enable Hyper-V Firewall</MSFT:ValueDescription>
</MSFT:Enum> </MSFT:Enum>
</MSFT:DependencyAllowedValue> </MSFT:DependencyAllowedValue>
</MSFT:Dependency> </MSFT:Dependency>
@ -3012,7 +3012,7 @@ The following XML file contains the device description framework (DDF) for the F
<Replace /> <Replace />
</AccessType> </AccessType>
<DefaultValue>true</DefaultValue> <DefaultValue>true</DefaultValue>
<Description>This value is used as an on/off switch. If this value is true, applicable host firewall rules and settings will be applied to Hyper-V firewall.</Description> <Description>This value is used as an on/off switch. If this value is true, applicable host firewall rules and settings will be applied to Hyper-V Firewall.</Description>
<DFFormat> <DFFormat>
<bool /> <bool />
</DFFormat> </DFFormat>
@ -3063,7 +3063,7 @@ The following XML file contains the device description framework (DDF) for the F
<Replace /> <Replace />
</AccessType> </AccessType>
<DefaultValue>true</DefaultValue> <DefaultValue>true</DefaultValue>
<Description>This value is an on/off switch for the firewall and advanced security enforcement.</Description> <Description>This value is an on/off switch for the Hyper-V Firewall enforcement.</Description>
<DFFormat> <DFFormat>
<bool /> <bool />
</DFFormat> </DFFormat>
@ -3096,7 +3096,7 @@ The following XML file contains the device description framework (DDF) for the F
<Replace /> <Replace />
</AccessType> </AccessType>
<DefaultValue>0</DefaultValue> <DefaultValue>0</DefaultValue>
<Description>This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow].</Description> <Description>This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow].</Description>
<DFFormat> <DFFormat>
<int /> <int />
</DFFormat> </DFFormat>
@ -3126,7 +3126,7 @@ The following XML file contains the device description framework (DDF) for the F
<MSFT:DependencyAllowedValue ValueType="ENUM"> <MSFT:DependencyAllowedValue ValueType="ENUM">
<MSFT:Enum> <MSFT:Enum>
<MSFT:Value>true</MSFT:Value> <MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>Enable Firewall</MSFT:ValueDescription> <MSFT:ValueDescription>Enable Hyper-V Firewall</MSFT:ValueDescription>
</MSFT:Enum> </MSFT:Enum>
</MSFT:DependencyAllowedValue> </MSFT:DependencyAllowedValue>
</MSFT:Dependency> </MSFT:Dependency>
@ -3142,7 +3142,7 @@ The following XML file contains the device description framework (DDF) for the F
<Replace /> <Replace />
</AccessType> </AccessType>
<DefaultValue>1</DefaultValue> <DefaultValue>1</DefaultValue>
<Description>This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block].</Description> <Description>This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block].</Description>
<DFFormat> <DFFormat>
<int /> <int />
</DFFormat> </DFFormat>
@ -3172,7 +3172,7 @@ The following XML file contains the device description framework (DDF) for the F
<MSFT:DependencyAllowedValue ValueType="ENUM"> <MSFT:DependencyAllowedValue ValueType="ENUM">
<MSFT:Enum> <MSFT:Enum>
<MSFT:Value>true</MSFT:Value> <MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>Enable Firewall</MSFT:ValueDescription> <MSFT:ValueDescription>Enable Hyper-V Firewall</MSFT:ValueDescription>
</MSFT:Enum> </MSFT:Enum>
</MSFT:DependencyAllowedValue> </MSFT:DependencyAllowedValue>
</MSFT:Dependency> </MSFT:Dependency>
@ -3187,7 +3187,7 @@ The following XML file contains the device description framework (DDF) for the F
<Replace /> <Replace />
</AccessType> </AccessType>
<DefaultValue>true</DefaultValue> <DefaultValue>true</DefaultValue>
<Description>This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions.</Description> <Description>This value is used as an on/off switch. If this value is false, Hyper-V Firewall rules from the local store are ignored and not enforced.</Description>
<DFFormat> <DFFormat>
<bool /> <bool />
</DFFormat> </DFFormat>
@ -3217,7 +3217,7 @@ The following XML file contains the device description framework (DDF) for the F
<MSFT:DependencyAllowedValue ValueType="ENUM"> <MSFT:DependencyAllowedValue ValueType="ENUM">
<MSFT:Enum> <MSFT:Enum>
<MSFT:Value>true</MSFT:Value> <MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>Enable Firewall</MSFT:ValueDescription> <MSFT:ValueDescription>Enable Hyper-V Firewall</MSFT:ValueDescription>
</MSFT:Enum> </MSFT:Enum>
</MSFT:DependencyAllowedValue> </MSFT:DependencyAllowedValue>
</MSFT:Dependency> </MSFT:Dependency>
@ -3252,7 +3252,7 @@ The following XML file contains the device description framework (DDF) for the F
<Replace /> <Replace />
</AccessType> </AccessType>
<DefaultValue>true</DefaultValue> <DefaultValue>true</DefaultValue>
<Description>This value is an on/off switch for the firewall and advanced security enforcement.</Description> <Description>This value is an on/off switch for the Hyper-V Firewall enforcement.</Description>
<DFFormat> <DFFormat>
<bool /> <bool />
</DFFormat> </DFFormat>
@ -3285,7 +3285,7 @@ The following XML file contains the device description framework (DDF) for the F
<Replace /> <Replace />
</AccessType> </AccessType>
<DefaultValue>0</DefaultValue> <DefaultValue>0</DefaultValue>
<Description>This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow].</Description> <Description>This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow].</Description>
<DFFormat> <DFFormat>
<int /> <int />
</DFFormat> </DFFormat>
@ -3315,7 +3315,7 @@ The following XML file contains the device description framework (DDF) for the F
<MSFT:DependencyAllowedValue ValueType="ENUM"> <MSFT:DependencyAllowedValue ValueType="ENUM">
<MSFT:Enum> <MSFT:Enum>
<MSFT:Value>true</MSFT:Value> <MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>Enable Firewall</MSFT:ValueDescription> <MSFT:ValueDescription>Enable Hyper-V Firewall</MSFT:ValueDescription>
</MSFT:Enum> </MSFT:Enum>
</MSFT:DependencyAllowedValue> </MSFT:DependencyAllowedValue>
</MSFT:Dependency> </MSFT:Dependency>
@ -3331,7 +3331,7 @@ The following XML file contains the device description framework (DDF) for the F
<Replace /> <Replace />
</AccessType> </AccessType>
<DefaultValue>1</DefaultValue> <DefaultValue>1</DefaultValue>
<Description>This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block].</Description> <Description>This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block].</Description>
<DFFormat> <DFFormat>
<int /> <int />
</DFFormat> </DFFormat>
@ -3361,7 +3361,7 @@ The following XML file contains the device description framework (DDF) for the F
<MSFT:DependencyAllowedValue ValueType="ENUM"> <MSFT:DependencyAllowedValue ValueType="ENUM">
<MSFT:Enum> <MSFT:Enum>
<MSFT:Value>true</MSFT:Value> <MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>Enable Firewall</MSFT:ValueDescription> <MSFT:ValueDescription>Enable Hyper-V Firewall</MSFT:ValueDescription>
</MSFT:Enum> </MSFT:Enum>
</MSFT:DependencyAllowedValue> </MSFT:DependencyAllowedValue>
</MSFT:Dependency> </MSFT:Dependency>
@ -3376,7 +3376,7 @@ The following XML file contains the device description framework (DDF) for the F
<Replace /> <Replace />
</AccessType> </AccessType>
<DefaultValue>true</DefaultValue> <DefaultValue>true</DefaultValue>
<Description>This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions.</Description> <Description>This value is used as an on/off switch. If this value is false, Hyper-V Firewall rules from the local store are ignored and not enforced.</Description>
<DFFormat> <DFFormat>
<bool /> <bool />
</DFFormat> </DFFormat>
@ -3406,7 +3406,7 @@ The following XML file contains the device description framework (DDF) for the F
<MSFT:DependencyAllowedValue ValueType="ENUM"> <MSFT:DependencyAllowedValue ValueType="ENUM">
<MSFT:Enum> <MSFT:Enum>
<MSFT:Value>true</MSFT:Value> <MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>Enable Firewall</MSFT:ValueDescription> <MSFT:ValueDescription>Enable Hyper-V Firewall</MSFT:ValueDescription>
</MSFT:Enum> </MSFT:Enum>
</MSFT:DependencyAllowedValue> </MSFT:DependencyAllowedValue>
</MSFT:Dependency> </MSFT:Dependency>
@ -3441,7 +3441,7 @@ The following XML file contains the device description framework (DDF) for the F
<Replace /> <Replace />
</AccessType> </AccessType>
<DefaultValue>true</DefaultValue> <DefaultValue>true</DefaultValue>
<Description>This value is an on/off switch for the firewall and advanced security enforcement.</Description> <Description>This value is an on/off switch for the Hyper-V Firewall enforcement.</Description>
<DFFormat> <DFFormat>
<bool /> <bool />
</DFFormat> </DFFormat>
@ -3457,11 +3457,11 @@ The following XML file contains the device description framework (DDF) for the F
<MSFT:AllowedValues ValueType="ENUM"> <MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum> <MSFT:Enum>
<MSFT:Value>false</MSFT:Value> <MSFT:Value>false</MSFT:Value>
<MSFT:ValueDescription>Disable Firewall</MSFT:ValueDescription> <MSFT:ValueDescription>Disable Hyper-V Firewall</MSFT:ValueDescription>
</MSFT:Enum> </MSFT:Enum>
<MSFT:Enum> <MSFT:Enum>
<MSFT:Value>true</MSFT:Value> <MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>Enable Firewall</MSFT:ValueDescription> <MSFT:ValueDescription>Enable Hyper-V Firewall</MSFT:ValueDescription>
</MSFT:Enum> </MSFT:Enum>
</MSFT:AllowedValues> </MSFT:AllowedValues>
</DFProperties> </DFProperties>
@ -3474,7 +3474,7 @@ The following XML file contains the device description framework (DDF) for the F
<Replace /> <Replace />
</AccessType> </AccessType>
<DefaultValue>0</DefaultValue> <DefaultValue>0</DefaultValue>
<Description>This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow].</Description> <Description>This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow].</Description>
<DFFormat> <DFFormat>
<int /> <int />
</DFFormat> </DFFormat>
@ -3504,7 +3504,7 @@ The following XML file contains the device description framework (DDF) for the F
<MSFT:DependencyAllowedValue ValueType="ENUM"> <MSFT:DependencyAllowedValue ValueType="ENUM">
<MSFT:Enum> <MSFT:Enum>
<MSFT:Value>true</MSFT:Value> <MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>Enable Firewall</MSFT:ValueDescription> <MSFT:ValueDescription>Enable Hyper-V Firewall</MSFT:ValueDescription>
</MSFT:Enum> </MSFT:Enum>
</MSFT:DependencyAllowedValue> </MSFT:DependencyAllowedValue>
</MSFT:Dependency> </MSFT:Dependency>
@ -3520,7 +3520,7 @@ The following XML file contains the device description framework (DDF) for the F
<Replace /> <Replace />
</AccessType> </AccessType>
<DefaultValue>1</DefaultValue> <DefaultValue>1</DefaultValue>
<Description>This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block].</Description> <Description>This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block].</Description>
<DFFormat> <DFFormat>
<int /> <int />
</DFFormat> </DFFormat>
@ -3550,7 +3550,7 @@ The following XML file contains the device description framework (DDF) for the F
<MSFT:DependencyAllowedValue ValueType="ENUM"> <MSFT:DependencyAllowedValue ValueType="ENUM">
<MSFT:Enum> <MSFT:Enum>
<MSFT:Value>true</MSFT:Value> <MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>Enable Firewall</MSFT:ValueDescription> <MSFT:ValueDescription>Enable Hyper-V Firewall</MSFT:ValueDescription>
</MSFT:Enum> </MSFT:Enum>
</MSFT:DependencyAllowedValue> </MSFT:DependencyAllowedValue>
</MSFT:Dependency> </MSFT:Dependency>
@ -3565,7 +3565,7 @@ The following XML file contains the device description framework (DDF) for the F
<Replace /> <Replace />
</AccessType> </AccessType>
<DefaultValue>true</DefaultValue> <DefaultValue>true</DefaultValue>
<Description>This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions.</Description> <Description>This value is used as an on/off switch. If this value is false, Hyper-V Firewall rules from the local store are ignored and not enforced.</Description>
<DFFormat> <DFFormat>
<bool /> <bool />
</DFFormat> </DFFormat>
@ -3595,7 +3595,7 @@ The following XML file contains the device description framework (DDF) for the F
<MSFT:DependencyAllowedValue ValueType="ENUM"> <MSFT:DependencyAllowedValue ValueType="ENUM">
<MSFT:Enum> <MSFT:Enum>
<MSFT:Value>true</MSFT:Value> <MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>Enable Firewall</MSFT:ValueDescription> <MSFT:ValueDescription>Enable Hyper-V Firewall</MSFT:ValueDescription>
</MSFT:Enum> </MSFT:Enum>
</MSFT:DependencyAllowedValue> </MSFT:DependencyAllowedValue>
</MSFT:Dependency> </MSFT:Dependency>
@ -3818,7 +3818,10 @@ ServiceName</Description>
<Get /> <Get />
<Replace /> <Replace />
</AccessType> </AccessType>
<Description>Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All.</Description> <Description>
Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All.
When setting this field in a firewall rule, the protocol field must also be set, to either 6 (TCP) or 17 (UDP).
</Description>
<DFFormat> <DFFormat>
<chr /> <chr />
</DFFormat> </DFFormat>
@ -3846,7 +3849,10 @@ ServiceName</Description>
<Get /> <Get />
<Replace /> <Replace />
</AccessType> </AccessType>
<Description> Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All.</Description> <Description>
Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All.
When setting this field in a firewall rule, the protocol field must also be set, to either 6 (TCP) or 17 (UDP).
</Description>
<DFFormat> <DFFormat>
<chr /> <chr />
</DFFormat> </DFFormat>
@ -3878,6 +3884,8 @@ ServiceName</Description>
String value. Multiple ICMP type+code pairs can be included in the string by separating each value with a ",". If more than one ICMP type+code pair is specified, the strings must be separated by a comma. String value. Multiple ICMP type+code pairs can be included in the string by separating each value with a ",". If more than one ICMP type+code pair is specified, the strings must be separated by a comma.
To specify all ICMP types and codes, use the "*" character. For specific ICMP types and codes, use the ":" to separate the type and code. To specify all ICMP types and codes, use the "*" character. For specific ICMP types and codes, use the ":" to separate the type and code.
The following are valid examples: 3:4 or 1:*. The "*" character can be used to represent any code. The "*" character can't be used to specify any type, examples such as "*:4" or "*:*" are invalid. The following are valid examples: 3:4 or 1:*. The "*" character can be used to represent any code. The "*" character can't be used to specify any type, examples such as "*:4" or "*:*" are invalid.
When setting this field in a firewall rule, the protocol field must also be set, to either 1 (ICMP) or 58 (IPv6-ICMP).
</Description> </Description>
<DFFormat> <DFFormat>
<chr /> <chr />
@ -3892,7 +3900,7 @@ ServiceName</Description>
<MIME /> <MIME />
</DFType> </DFType>
<MSFT:Applicability> <MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.19043</MSFT:OsBuildVersion> <MSFT:OsBuildVersion>10.0.20348</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.0</MSFT:CspVersion> <MSFT:CspVersion>1.0</MSFT:CspVersion>
</MSFT:Applicability> </MSFT:Applicability>
<MSFT:AllowedValues ValueType="None"> <MSFT:AllowedValues ValueType="None">
@ -4172,7 +4180,7 @@ If not specified - a new rule is disabled by default.</Description>
<Replace /> <Replace />
</AccessType> </AccessType>
<DefaultValue>OUT</DefaultValue> <DefaultValue>OUT</DefaultValue>
<Description>Comma separated list. The rule is enabled based on the traffic direction as following. <Description>The rule is enabled based on the traffic direction as following.
IN - the rule applies to inbound traffic. IN - the rule applies to inbound traffic.
OUT - the rule applies to outbound traffic. OUT - the rule applies to outbound traffic.
@ -4328,7 +4336,7 @@ This is a string in Security Descriptor Definition Language (SDDL) format..</Des
<Get /> <Get />
<Replace /> <Replace />
</AccessType> </AccessType>
<Description> Specifies one WDAC tag. This is a string that can contain any alphanumeric character and any of the characters ":", "/", ".", and "_". </Description> <Description> Specifies one WDAC tag. This is a string that can contain any alphanumeric character and any of the characters ":", "/", ".", and "_". A PolicyAppId and ServiceName cannot be specified in the same rule. </Description>
<DFFormat> <DFFormat>
<chr /> <chr />
</DFFormat> </DFFormat>
@ -4342,7 +4350,7 @@ This is a string in Security Descriptor Definition Language (SDDL) format..</Des
<MIME /> <MIME />
</DFType> </DFType>
<MSFT:Applicability> <MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion> <MSFT:OsBuildVersion>10.0.19045.2913, 10.0.22621.1635, 10.0.22000.1880</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.1</MSFT:CspVersion> <MSFT:CspVersion>1.1</MSFT:CspVersion>
</MSFT:Applicability> </MSFT:Applicability>
<MSFT:AllowedValues ValueType="RegEx"> <MSFT:AllowedValues ValueType="RegEx">
@ -4380,6 +4388,7 @@ This is a string in Security Descriptor Definition Language (SDDL) format..</Des
<Get /> <Get />
<Replace /> <Replace />
</AccessType> </AccessType>
<Description>Specifies the friendly name of the firewall rule.</Description>
<DFFormat> <DFFormat>
<chr /> <chr />
</DFFormat> </DFFormat>
@ -4457,7 +4466,7 @@ This is a string in Security Descriptor Definition Language (SDDL) format..</Des
<Get /> <Get />
<Replace /> <Replace />
</AccessType> </AccessType>
<Description>0-255 number representing the IANA Internet Protocol (TCP = 6, UDP = 17). If not specified the default is All.</Description> <Description>This value represents the order of rule enforcement. A lower priority rule is evaluated first. If not specified, block rules are evaluated before allow rules. If priority is configured, it is highly recommended to configure the value for ALL rules to ensure expected evaluation of rules.</Description>
<DFFormat> <DFFormat>
<int /> <int />
</DFFormat> </DFFormat>
@ -4471,7 +4480,7 @@ This is a string in Security Descriptor Definition Language (SDDL) format..</Des
<MIME /> <MIME />
</DFType> </DFType>
<MSFT:AllowedValues ValueType="Range"> <MSFT:AllowedValues ValueType="Range">
<MSFT:Value>[0-255]</MSFT:Value> <MSFT:Value>[0-65535]</MSFT:Value>
</MSFT:AllowedValues> </MSFT:AllowedValues>
</DFProperties> </DFProperties>
</Node> </Node>
@ -4483,7 +4492,7 @@ This is a string in Security Descriptor Definition Language (SDDL) format..</Des
<Replace /> <Replace />
</AccessType> </AccessType>
<DefaultValue>OUT</DefaultValue> <DefaultValue>OUT</DefaultValue>
<Description>Comma separated list. The rule is enabled based on the traffic direction as following. <Description>The rule is enabled based on the traffic direction as following.
IN - the rule applies to inbound traffic. IN - the rule applies to inbound traffic.
OUT - the rule applies to outbound traffic. OUT - the rule applies to outbound traffic.
@ -4692,26 +4701,6 @@ An IPv6 address range in the format of "start address - end address" with no spa
</Node> </Node>
<Node> <Node>
<NodeName>Action</NodeName> <NodeName>Action</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Specifies the action for the rule.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName />
</DFType>
</DFProperties>
<Node>
<NodeName>Type</NodeName>
<DFProperties> <DFProperties>
<AccessType> <AccessType>
<Get /> <Get />
@ -4745,7 +4734,6 @@ An IPv6 address range in the format of "start address - end address" with no spa
</MSFT:AllowedValues> </MSFT:AllowedValues>
</DFProperties> </DFProperties>
</Node> </Node>
</Node>
<Node> <Node>
<NodeName>Enabled</NodeName> <NodeName>Enabled</NodeName>
<DFProperties> <DFProperties>
@ -4785,7 +4773,7 @@ If not specified - a new rule is disabled by default.</Description>
<AccessType> <AccessType>
<Get /> <Get />
</AccessType> </AccessType>
<Description>Provides information about the specific verrsion of the rule in deployment for monitoring purposes.</Description> <Description>Provides information about the specific version of the rule in deployment for monitoring purposes.</Description>
<DFFormat> <DFFormat>
<chr /> <chr />
</DFFormat> </DFFormat>
@ -4840,31 +4828,8 @@ If not specified - a new rule is disabled by default.</Description>
</MSFT:AllowedValues> </MSFT:AllowedValues>
</DFProperties> </DFProperties>
</Node> </Node>
</Node>
</Node>
<Node> <Node>
<NodeName>HyperVLoopbackRules</NodeName> <NodeName>Name</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>A list of rules controlling loopback traffic through the Windows Firewall. This enforcement is only for traffic from one container to another or to the host device. These rules are all allow rules.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName />
</DFType>
</DFProperties>
<Node>
<NodeName>
</NodeName>
<DFProperties> <DFProperties>
<AccessType> <AccessType>
<Add /> <Add />
@ -4872,43 +4837,12 @@ If not specified - a new rule is disabled by default.</Description>
<Get /> <Get />
<Replace /> <Replace />
</AccessType> </AccessType>
<Description>Unique alpha numeric identifier for the rule. The rule name must not include a forward slash (/).</Description> <Description>Specifies the friendly name of the Hyper-V Firewall rule.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrMore />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>RuleName</DFTitle>
<DFType>
<DDFName />
</DFType>
<MSFT:DynamicNodeNaming>
<MSFT:ServerGeneratedUniqueIdentifier />
</MSFT:DynamicNodeNaming>
<MSFT:AllowedValues ValueType="RegEx">
<MSFT:Value>^[^|/]*$</MSFT:Value>
</MSFT:AllowedValues>
<MSFT:AtomicRequired />
</DFProperties>
<Node>
<NodeName>SourceVMCreatorId</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>This field specifies the VM Creator ID of the source of the traffic that this rule applies to. If not specified, this applies to All.</Description>
<DFFormat> <DFFormat>
<chr /> <chr />
</DFFormat> </DFFormat>
<Occurrence> <Occurrence>
<ZeroOrOne /> <One />
</Occurrence> </Occurrence>
<Scope> <Scope>
<Dynamic /> <Dynamic />
@ -4916,96 +4850,6 @@ If not specified - a new rule is disabled by default.</Description>
<DFType> <DFType>
<MIME /> <MIME />
</DFType> </DFType>
<MSFT:AllowedValues ValueType="RegEx">
<MSFT:Value>\{[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\}</MSFT:Value>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>DestinationVMCreatorId</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>This field specifies the VM Creator ID of the destination of traffic that this rule applies to. If not specified, this applies to All.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="RegEx">
<MSFT:Value>\{[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\}</MSFT:Value>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>PortRanges</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="RegEx">
<MSFT:Value>^[0-9,-]+$</MSFT:Value>
<MSFT:List Delimiter="," />
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>Enabled</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<Description>Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. If not specified - a new rule is disabled by default.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Disabled</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Enabled</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties> </DFProperties>
</Node> </Node>
</Node> </Node>

7
windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
View File

@ -4,7 +4,7 @@ description: Learn about the ADMX-backed policies in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 03/23/2023 ms.date: 05/01/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -2350,6 +2350,11 @@ This article lists the ADMX-backed policies in Policy CSP.
- [TurnOffDataExecutionPreventionForExplorer](policy-csp-fileexplorer.md) - [TurnOffDataExecutionPreventionForExplorer](policy-csp-fileexplorer.md)
- [TurnOffHeapTerminationOnCorruption](policy-csp-fileexplorer.md) - [TurnOffHeapTerminationOnCorruption](policy-csp-fileexplorer.md)
## FileSystem
- [EnableDevDrive](policy-csp-filesystem.md)
- [DevDriveAttachPolicy](policy-csp-filesystem.md)
## InternetExplorer ## InternetExplorer
- [AddSearchProvider](policy-csp-internetexplorer.md) - [AddSearchProvider](policy-csp-internetexplorer.md)

13
windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md
View File

@ -4,7 +4,7 @@ description: Learn about the policies in Policy CSP supported by Group Policy.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 03/23/2023 ms.date: 05/01/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -340,9 +340,6 @@ This article lists the policies in Policy CSP that have a group policy mapping.
- [ClearTextPassword](policy-csp-devicelock.md) - [ClearTextPassword](policy-csp-devicelock.md)
- [PasswordComplexity](policy-csp-devicelock.md) - [PasswordComplexity](policy-csp-devicelock.md)
- [PasswordHistorySize](policy-csp-devicelock.md) - [PasswordHistorySize](policy-csp-devicelock.md)
- [AccountLockoutThreshold](policy-csp-devicelock.md)
- [AccountLockoutDuration](policy-csp-devicelock.md)
- [ResetAccountLockoutCounterAfter](policy-csp-devicelock.md)
- [AllowAdministratorLockout](policy-csp-devicelock.md) - [AllowAdministratorLockout](policy-csp-devicelock.md)
## Display ## Display
@ -689,7 +686,7 @@ This article lists the policies in Policy CSP that have a group policy mapping.
- [StartLayout](policy-csp-start.md) - [StartLayout](policy-csp-start.md)
- [ConfigureStartPins](policy-csp-start.md) - [ConfigureStartPins](policy-csp-start.md)
- [HideRecommendedSection](policy-csp-start.md) - [HideRecommendedSection](policy-csp-start.md)
- [HideRecoPersonalizedSites](policy-csp-start.md) - [HideRecommendedPersonalizedSites](policy-csp-start.md)
- [HideTaskViewButton](policy-csp-start.md) - [HideTaskViewButton](policy-csp-start.md)
- [DisableControlCenter](policy-csp-start.md) - [DisableControlCenter](policy-csp-start.md)
- [ForceStartSize](policy-csp-start.md) - [ForceStartSize](policy-csp-start.md)
@ -700,7 +697,7 @@ This article lists the policies in Policy CSP that have a group policy mapping.
- [StartLayout](policy-csp-start.md) - [StartLayout](policy-csp-start.md)
- [ConfigureStartPins](policy-csp-start.md) - [ConfigureStartPins](policy-csp-start.md)
- [HideRecommendedSection](policy-csp-start.md) - [HideRecommendedSection](policy-csp-start.md)
- [HideRecoPersonalizedSites](policy-csp-start.md) - [HideRecommendedPersonalizedSites](policy-csp-start.md)
- [SimplifyQuickSettings](policy-csp-start.md) - [SimplifyQuickSettings](policy-csp-start.md)
- [DisableEditingQuickSettings](policy-csp-start.md) - [DisableEditingQuickSettings](policy-csp-start.md)
- [HideTaskViewButton](policy-csp-start.md) - [HideTaskViewButton](policy-csp-start.md)
@ -884,7 +881,7 @@ This article lists the policies in Policy CSP that have a group policy mapping.
- [DenyLogOnAsBatchJob](policy-csp-userrights.md) - [DenyLogOnAsBatchJob](policy-csp-userrights.md)
- [LogOnAsService](policy-csp-userrights.md) - [LogOnAsService](policy-csp-userrights.md)
- [IncreaseProcessWorkingSet](policy-csp-userrights.md) - [IncreaseProcessWorkingSet](policy-csp-userrights.md)
- [DenyServiceLogonRight](policy-csp-userrights.md) - [DenyLogOnAsService](policy-csp-userrights.md)
## VirtualizationBasedTechnology ## VirtualizationBasedTechnology
@ -897,7 +894,7 @@ This article lists the policies in Policy CSP that have a group policy mapping.
- [NotifyMalicious](policy-csp-webthreatdefense.md) - [NotifyMalicious](policy-csp-webthreatdefense.md)
- [NotifyPasswordReuse](policy-csp-webthreatdefense.md) - [NotifyPasswordReuse](policy-csp-webthreatdefense.md)
- [NotifyUnsafeApp](policy-csp-webthreatdefense.md) - [NotifyUnsafeApp](policy-csp-webthreatdefense.md)
- [CaptureThreatWindow](policy-csp-webthreatdefense.md) - [AutomaticDataCollection](policy-csp-webthreatdefense.md)
## Wifi ## Wifi

3
windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
View File

@ -4,7 +4,7 @@ description: Learn about the policies in Policy CSP supported by Windows 10 Team
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 03/28/2023 ms.date: 05/01/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -257,6 +257,7 @@ This article lists the policies in Policy CSP that are applicable for the Surfac
## Start ## Start
- [HideRecommendedPersonalizedSites](policy-csp-start.md#hiderecommendedpersonalizedsites)
- [StartLayout](policy-csp-start.md#startlayout) - [StartLayout](policy-csp-start.md#startlayout)
## System ## System

3
windows/client-management/mdm/policy-configuration-service-provider.md
View File

@ -4,7 +4,7 @@ description: Learn more about the Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 02/28/2023 ms.date: 05/01/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -1120,6 +1120,7 @@ Specifies the name/value pair used in the policy. See the individual Area DDFs f
- [ExploitGuard](policy-csp-exploitguard.md) - [ExploitGuard](policy-csp-exploitguard.md)
- [FederatedAuthentication](policy-csp-federatedauthentication.md) - [FederatedAuthentication](policy-csp-federatedauthentication.md)
- [FileExplorer](policy-csp-fileexplorer.md) - [FileExplorer](policy-csp-fileexplorer.md)
- [FileSystem](policy-csp-filesystem.md)
- [Games](policy-csp-games.md) - [Games](policy-csp-games.md)
- [Handwriting](policy-csp-handwriting.md) - [Handwriting](policy-csp-handwriting.md)
- [HumanPresence](policy-csp-humanpresence.md) - [HumanPresence](policy-csp-humanpresence.md)

4
windows/client-management/mdm/policy-csp-admx-sharedfolders.md
View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_SharedFolders Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 03/23/2023 ms.date: 05/01/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -31,7 +31,7 @@ ms.topic: reference
<!-- PublishDfsRoots-Applicability-Begin --> <!-- PublishDfsRoots-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| :x: Device <br> :heavy_check_mark: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | | :x: Device <br> :heavy_check_mark: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- PublishDfsRoots-Applicability-End --> <!-- PublishDfsRoots-Applicability-End -->
<!-- PublishDfsRoots-OmaUri-Begin --> <!-- PublishDfsRoots-OmaUri-Begin -->

161
windows/client-management/mdm/policy-csp-devicelock.md
View File

@ -4,7 +4,7 @@ description: Learn more about the DeviceLock Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 03/23/2023 ms.date: 05/01/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -30,105 +30,44 @@ ms.topic: reference
> The DeviceLock CSP utilizes the [Exchange ActiveSync Policy Engine](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). When password length and complexity rules are applied, all the local user and administrator accounts are marked to change their password at the next sign in to ensure complexity requirements are met. For more information, see [Password length and complexity supported by account types](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)#password-length-and-complexity-supported-by-account-types). > The DeviceLock CSP utilizes the [Exchange ActiveSync Policy Engine](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). When password length and complexity rules are applied, all the local user and administrator accounts are marked to change their password at the next sign in to ensure complexity requirements are met. For more information, see [Password length and complexity supported by account types](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)#password-length-and-complexity-supported-by-account-types).
<!-- DeviceLock-Editable-End --> <!-- DeviceLock-Editable-End -->
<!-- AccountLockoutDuration-Begin --> <!-- AccountLockoutPolicy-Begin -->
## AccountLockoutDuration ## AccountLockoutPolicy
<!-- AccountLockoutDuration-Applicability-Begin --> <!-- AccountLockoutPolicy-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | | :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview |
<!-- AccountLockoutDuration-Applicability-End --> <!-- AccountLockoutPolicy-Applicability-End -->
<!-- AccountLockoutDuration-OmaUri-Begin --> <!-- AccountLockoutPolicy-OmaUri-Begin -->
```Device ```Device
./Device/Vendor/MSFT/Policy/Config/DeviceLock/AccountLockoutDuration ./Device/Vendor/MSFT/Policy/Config/DeviceLock/AccountLockoutPolicy
``` ```
<!-- AccountLockoutDuration-OmaUri-End --> <!-- AccountLockoutPolicy-OmaUri-End -->
<!-- AccountLockoutDuration-Description-Begin --> <!-- AccountLockoutPolicy-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
Account lockout duration This security setting determines the number of minutes a locked-out account remains locked out before automatically becoming unlocked. The available range is from 0 minutes through 99,999 minutes. If you set the account lockout duration to 0, the account will be locked out until an administrator explicitly unlocks it. If an account lockout threshold is defined, the account lockout duration must be greater than or equal to the reset time. Default: None, because this policy setting only has meaning when an Account lockout threshold is specified. Account lockout threshold - This security setting determines the number of failed logon attempts that causes a user account to be locked out. A locked-out account cannot be used until it is reset by an administrator or until the lockout duration for the account has expired. You can set a value between 0 and 999 failed logon attempts. If you set the value to 0, the account will never be locked out. Failed password attempts against workstations or member servers that have been locked using either CTRL+ALT+DELETE or password-protected screen savers count as failed logon attempts. Default: 0 Account lockout duration - This security setting determines the number of minutes a locked-out account remains locked out before automatically becoming unlocked. The available range is from 0 minutes through 99,999 minutes. If you set the account lockout duration to 0, the account will be locked out until an administrator explicitly unlocks it. If an account lockout threshold is defined, the account lockout duration must be greater than or equal to the reset time. Default: None, because this policy setting only has meaning when an Account lockout threshold is specified. Reset account lockout counter after - This security setting determines the number of minutes that must elapse after a failed logon attempt before the failed logon attempt counter is reset to 0 bad logon attempts. The available range is 1 minute to 99,999 minutes. If an account lockout threshold is defined, this reset time must be less than or equal to the Account lockout duration. Default: None, because this policy setting only has meaning when an Account lockout threshold is specified.
<!-- AccountLockoutDuration-Description-End --> <!-- AccountLockoutPolicy-Description-End -->
<!-- AccountLockoutDuration-Editable-Begin --> <!-- AccountLockoutPolicy-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- AccountLockoutDuration-Editable-End --> <!-- AccountLockoutPolicy-Editable-End -->
<!-- AccountLockoutDuration-DFProperties-Begin --> <!-- AccountLockoutPolicy-DFProperties-Begin -->
**Description framework properties**: **Description framework properties**:
| Property name | Property value | | Property name | Property value |
|:--|:--| |:--|:--|
| Format | int | | Format | chr (string) |
| Access Type | Add, Delete, Get, Replace | | Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[0-99999]` | <!-- AccountLockoutPolicy-DFProperties-End -->
| Default Value | 0 |
<!-- AccountLockoutDuration-DFProperties-End -->
<!-- AccountLockoutDuration-GpMapping-Begin --> <!-- AccountLockoutPolicy-Examples-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | Account lockout duration |
| Path | Windows Settings > Security Settings > Account Policies > Account Lockout Policy |
<!-- AccountLockoutDuration-GpMapping-End -->
<!-- AccountLockoutDuration-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. --> <!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- AccountLockoutDuration-Examples-End --> <!-- AccountLockoutPolicy-Examples-End -->
<!-- AccountLockoutDuration-End --> <!-- AccountLockoutPolicy-End -->
<!-- AccountLockoutThreshold-Begin -->
## AccountLockoutThreshold
<!-- AccountLockoutThreshold-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview |
<!-- AccountLockoutThreshold-Applicability-End -->
<!-- AccountLockoutThreshold-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/DeviceLock/AccountLockoutThreshold
```
<!-- AccountLockoutThreshold-OmaUri-End -->
<!-- AccountLockoutThreshold-Description-Begin -->
<!-- Description-Source-DDF -->
Account lockout threshold - This security setting determines the number of failed logon attempts that causes a user account to be locked out. A locked-out account cannot be used until it is reset by an administrator or until the lockout duration for the account has expired. You can set a value between 0 and 999 failed logon attempts. If you set the value to 0, the account will never be locked out. Failed password attempts against workstations or member servers that have been locked using either CTRL+ALT+DELETE or password-protected screen savers count as failed logon attempts. Default: 0.
<!-- AccountLockoutThreshold-Description-End -->
<!-- AccountLockoutThreshold-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- AccountLockoutThreshold-Editable-End -->
<!-- AccountLockoutThreshold-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[0-10]` |
| Default Value | 0 |
<!-- AccountLockoutThreshold-DFProperties-End -->
<!-- AccountLockoutThreshold-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | Account lockout threshold |
| Path | Windows Settings > Security Settings > Account Policies > Account Lockout Policy |
<!-- AccountLockoutThreshold-GpMapping-End -->
<!-- AccountLockoutThreshold-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- AccountLockoutThreshold-Examples-End -->
<!-- AccountLockoutThreshold-End -->
<!-- AllowAdministratorLockout-Begin --> <!-- AllowAdministratorLockout-Begin -->
## AllowAdministratorLockout ## AllowAdministratorLockout
@ -162,7 +101,7 @@ Allow Administrator account lockout This security setting determines whether the
| Format | int | | Format | int |
| Access Type | Add, Delete, Get, Replace | | Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[0-1]` | | Allowed Values | Range: `[0-1]` |
| Default Value | 0 | | Default Value | 1 |
<!-- AllowAdministratorLockout-DFProperties-End --> <!-- AllowAdministratorLockout-DFProperties-End -->
<!-- AllowAdministratorLockout-GpMapping-Begin --> <!-- AllowAdministratorLockout-GpMapping-Begin -->
@ -1165,11 +1104,11 @@ Complexity requirements are enforced when passwords are changed or created.
<!-- PasswordHistorySize-Description-Begin --> <!-- PasswordHistorySize-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
Minimum password length Enforce password history
This security setting determines the least number of characters that a password for a user account may contain. The maximum value for this setting is dependent on the value of the Relax minimum password length limits setting. If the Relax minimum password length limits setting is not defined, this setting may be configured from 0 to 14. If the Relax minimum password length limits setting is defined and disabled, this setting may be configured from 0 to 14. If the Relax minimum password length limits setting is defined and enabled, this setting may be configured from 0 to 128. Setting the required number of characters to 0 means that no password is required. This security setting determines the number of unique new passwords that have to be associated with a user account before an old password can be reused. The value must be between 0 and 24 passwords. This policy enables administrators to enhance security by ensuring that old passwords are not reused continually. Default: 24 on domain controllers. 0 on stand-alone servers.
> [!NOTE] > [!NOTE]
> By default, member computers follow the configuration of their domain controllers. Default: 7 on domain controllers. 0 on stand-alone servers. Configuring this setting than 14 may affect compatibility with clients, services, and applications. Microsoft recommends that you only configure this setting larger than 14 after using the Minimum password length audit setting to test for potential incompatibilities at the new setting. > By default, member computers follow the configuration of their domain controllers. To maintain the effectiveness of the password history, do not allow passwords to be changed immediately after they were just changed by also enabling the Minimum password age security policy setting. For information about the minimum password age security policy setting, see Minimum password age.
<!-- PasswordHistorySize-Description-End --> <!-- PasswordHistorySize-Description-End -->
<!-- PasswordHistorySize-Editable-Begin --> <!-- PasswordHistorySize-Editable-Begin -->
@ -1184,7 +1123,7 @@ This security setting determines the least number of characters that a password
| Format | int | | Format | int |
| Access Type | Add, Delete, Get, Replace | | Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[0-24]` | | Allowed Values | Range: `[0-24]` |
| Default Value | 7 | | Default Value | 24 |
<!-- PasswordHistorySize-DFProperties-End --> <!-- PasswordHistorySize-DFProperties-End -->
<!-- PasswordHistorySize-GpMapping-Begin --> <!-- PasswordHistorySize-GpMapping-Begin -->
@ -1192,7 +1131,7 @@ This security setting determines the least number of characters that a password
| Name | Value | | Name | Value |
|:--|:--| |:--|:--|
| Name | Minimum password length | | Name | Enforce password history |
| Path | Windows Settings > Security Settings > Account Policies > Password Policy | | Path | Windows Settings > Security Settings > Account Policies > Password Policy |
<!-- PasswordHistorySize-GpMapping-End --> <!-- PasswordHistorySize-GpMapping-End -->
@ -1322,56 +1261,6 @@ If you enable this setting, users will no longer be able to modify slide show se
<!-- PreventLockScreenSlideShow-End --> <!-- PreventLockScreenSlideShow-End -->
<!-- ResetAccountLockoutCounterAfter-Begin -->
## ResetAccountLockoutCounterAfter
<!-- ResetAccountLockoutCounterAfter-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview |
<!-- ResetAccountLockoutCounterAfter-Applicability-End -->
<!-- ResetAccountLockoutCounterAfter-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/DeviceLock/ResetAccountLockoutCounterAfter
```
<!-- ResetAccountLockoutCounterAfter-OmaUri-End -->
<!-- ResetAccountLockoutCounterAfter-Description-Begin -->
<!-- Description-Source-DDF -->
Reset account lockout counter after - This security setting determines the number of minutes that must elapse after a failed logon attempt before the failed logon attempt counter is reset to 0 bad logon attempts. The available range is 1 minute to 99,999 minutes. If an account lockout threshold is defined, this reset time must be less than or equal to the Account lockout duration. Default: None, because this policy setting only has meaning when an Account lockout threshold is specified.
<!-- ResetAccountLockoutCounterAfter-Description-End -->
<!-- ResetAccountLockoutCounterAfter-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ResetAccountLockoutCounterAfter-Editable-End -->
<!-- ResetAccountLockoutCounterAfter-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[1-99999]` |
| Default Value | 0 |
<!-- ResetAccountLockoutCounterAfter-DFProperties-End -->
<!-- ResetAccountLockoutCounterAfter-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | Reset account lockout counter after |
| Path | Windows Settings > Security Settings > Account Policies > Account Lockout Policy |
<!-- ResetAccountLockoutCounterAfter-GpMapping-End -->
<!-- ResetAccountLockoutCounterAfter-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ResetAccountLockoutCounterAfter-Examples-End -->
<!-- ResetAccountLockoutCounterAfter-End -->
<!-- ScreenTimeoutWhileLocked-Begin --> <!-- ScreenTimeoutWhileLocked-Begin -->
## ScreenTimeoutWhileLocked ## ScreenTimeoutWhileLocked

126
windows/client-management/mdm/policy-csp-start.md
View File

@ -4,7 +4,7 @@ description: Learn more about the Start Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 03/23/2023 ms.date: 05/01/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -1424,6 +1424,68 @@ To validate this policy, do the following steps:
<!-- HideRecentlyAddedApps-End --> <!-- HideRecentlyAddedApps-End -->
<!-- HideRecommendedPersonalizedSites-Begin -->
## HideRecommendedPersonalizedSites
<!-- HideRecommendedPersonalizedSites-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :heavy_check_mark: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | <!-- Not-Found --> |
<!-- HideRecommendedPersonalizedSites-Applicability-End -->
<!-- HideRecommendedPersonalizedSites-OmaUri-Begin -->
```User
./User/Vendor/MSFT/Policy/Config/Start/HideRecommendedPersonalizedSites
```
```Device
./Device/Vendor/MSFT/Policy/Config/Start/HideRecommendedPersonalizedSites
```
<!-- HideRecommendedPersonalizedSites-OmaUri-End -->
<!-- HideRecommendedPersonalizedSites-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting allows you to hide the personalized websites in the recommended section of the Start Menu. If you enable this policy setting, the Start Menu will no longer show personalized website recommendations in the recommended section of the start menu.
<!-- HideRecommendedPersonalizedSites-Description-End -->
<!-- HideRecommendedPersonalizedSites-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- HideRecommendedPersonalizedSites-Editable-End -->
<!-- HideRecommendedPersonalizedSites-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- HideRecommendedPersonalizedSites-DFProperties-End -->
<!-- HideRecommendedPersonalizedSites-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Personalized Website Recommendations shown. |
| 1 | Personalized Website Recommendations hidden. |
<!-- HideRecommendedPersonalizedSites-AllowedValues-End -->
<!-- HideRecommendedPersonalizedSites-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | HideRecommendedPersonalizedSites |
| Path | StartMenu > AT > StartMenu |
<!-- HideRecommendedPersonalizedSites-GpMapping-End -->
<!-- HideRecommendedPersonalizedSites-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- HideRecommendedPersonalizedSites-Examples-End -->
<!-- HideRecommendedPersonalizedSites-End -->
<!-- HideRecommendedSection-Begin --> <!-- HideRecommendedSection-Begin -->
## HideRecommendedSection ## HideRecommendedSection
@ -1493,68 +1555,6 @@ If you enable this policy setting, the Start Menu will no longer show the sectio
<!-- HideRecommendedSection-End --> <!-- HideRecommendedSection-End -->
<!-- HideRecoPersonalizedSites-Begin -->
## HideRecoPersonalizedSites
<!-- HideRecoPersonalizedSites-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :heavy_check_mark: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | <!-- Not-Found --> |
<!-- HideRecoPersonalizedSites-Applicability-End -->
<!-- HideRecoPersonalizedSites-OmaUri-Begin -->
```User
./User/Vendor/MSFT/Policy/Config/Start/HideRecoPersonalizedSites
```
```Device
./Device/Vendor/MSFT/Policy/Config/Start/HideRecoPersonalizedSites
```
<!-- HideRecoPersonalizedSites-OmaUri-End -->
<!-- HideRecoPersonalizedSites-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting allows you to hide the personalized websites in the recommended section of the Start Menu. If you enable this policy setting, the Start Menu will no longer show personalized website recommendations in the recommended section of the start menu.
<!-- HideRecoPersonalizedSites-Description-End -->
<!-- HideRecoPersonalizedSites-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- HideRecoPersonalizedSites-Editable-End -->
<!-- HideRecoPersonalizedSites-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- HideRecoPersonalizedSites-DFProperties-End -->
<!-- HideRecoPersonalizedSites-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Personalized Website Recommendations shown. |
| 1 | Personalized Website Recommendations hidden. |
<!-- HideRecoPersonalizedSites-AllowedValues-End -->
<!-- HideRecoPersonalizedSites-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | HideRecoPersonalizedSites |
| Path | StartMenu > AT > StartMenu |
<!-- HideRecoPersonalizedSites-GpMapping-End -->
<!-- HideRecoPersonalizedSites-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- HideRecoPersonalizedSites-Examples-End -->
<!-- HideRecoPersonalizedSites-End -->
<!-- HideRestart-Begin --> <!-- HideRestart-Begin -->
## HideRestart ## HideRestart

4
windows/client-management/mdm/policy-csp-stickers.md
View File

@ -4,7 +4,7 @@ description: Learn more about the Stickers Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 03/23/2023 ms.date: 05/01/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -26,7 +26,7 @@ ms.topic: reference
<!-- EnableStickers-Applicability-Begin --> <!-- EnableStickers-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | | :heavy_check_mark: Device <br> :x: User | :x: Home <br> :x: Pro <br> :x: Enterprise <br> :x: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
<!-- EnableStickers-Applicability-End --> <!-- EnableStickers-Applicability-End -->
<!-- EnableStickers-OmaUri-Begin --> <!-- EnableStickers-OmaUri-Begin -->

9
windows/client-management/mdm/policy-csp-textinput.md
View File

@ -4,7 +4,7 @@ description: Learn more about the TextInput Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 03/23/2023 ms.date: 05/01/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -949,7 +949,7 @@ This Policy setting applies only to Microsoft Traditional Chinese IME.
<!-- EnableTouchKeyboardAutoInvokeInDesktopMode-Description-Begin --> <!-- EnableTouchKeyboardAutoInvokeInDesktopMode-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This policy allows the IT admin to enable the touch keyboard to automatically show up when the device is in the desktop mode. The touch keyboard is enabled in both the tablet and desktop mode. In the tablet mode, when you touch a textbox, the touch keyboard automatically shows up. But in the desktop mode, by default, the touch keyboard does not automatically show up when you touch a textbox. The user must click the system tray to enable the touch keyboard. When this policy is enabled, the touch keyboard automatically shows up when the device is in the desktop mode. This policy corresponds to Show the touch keyboard when not in tablet mode and there's no keyboard attached in the Settings app. This policy allows the IT admin to control whether the touch keyboard should show up on tapping an edit control. By default, when you tap a textbox, the touch keyboard automatically shows up when there's no keyboard attached. When this policy is enabled, the touch keyboard can be shown or suppressed regardless of the hardware keyboard availability. This policy corresponds to Show the touch keyboard setting in the Settings app.
<!-- EnableTouchKeyboardAutoInvokeInDesktopMode-Description-End --> <!-- EnableTouchKeyboardAutoInvokeInDesktopMode-Description-End -->
<!-- EnableTouchKeyboardAutoInvokeInDesktopMode-Editable-Begin --> <!-- EnableTouchKeyboardAutoInvokeInDesktopMode-Editable-Begin -->
@ -971,8 +971,9 @@ This policy allows the IT admin to enable the touch keyboard to automatically sh
| Value | Description | | Value | Description |
|:--|:--| |:--|:--|
| 0 (Default) | Disabled. | | 0 (Default) | Never. |
| 1 | Enabled. | | 1 | When no keyboard attached. |
| 2 | Always. |
<!-- EnableTouchKeyboardAutoInvokeInDesktopMode-AllowedValues-End --> <!-- EnableTouchKeyboardAutoInvokeInDesktopMode-AllowedValues-End -->
<!-- EnableTouchKeyboardAutoInvokeInDesktopMode-Examples-Begin --> <!-- EnableTouchKeyboardAutoInvokeInDesktopMode-Examples-Begin -->

106
windows/client-management/mdm/policy-csp-userrights.md
View File

@ -4,7 +4,7 @@ description: Learn more about the UserRights Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 03/23/2023 ms.date: 05/01/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -980,6 +980,58 @@ This security setting determines which accounts are prevented from being able to
<!-- DenyLogOnAsBatchJob-End --> <!-- DenyLogOnAsBatchJob-End -->
<!-- DenyLogOnAsService-Begin -->
## DenyLogOnAsService
<!-- DenyLogOnAsService-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview |
<!-- DenyLogOnAsService-Applicability-End -->
<!-- DenyLogOnAsService-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/UserRights/DenyLogOnAsService
```
<!-- DenyLogOnAsService-OmaUri-End -->
<!-- DenyLogOnAsService-Description-Begin -->
<!-- Description-Source-DDF -->
Deny log on as a service -This security setting determines which service accounts are prevented from registering a process as a service. This policy setting supersedes the Log on as a service policy setting if an account is subject to both policies.
> [!NOTE]
> This security setting does not apply to the System, Local Service, or Network Service accounts. Default: None.
<!-- DenyLogOnAsService-Description-End -->
<!-- DenyLogOnAsService-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- DenyLogOnAsService-Editable-End -->
<!-- DenyLogOnAsService-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | List (Delimiter: `0xF000`) |
<!-- DenyLogOnAsService-DFProperties-End -->
<!-- DenyLogOnAsService-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | Deny log on as a service |
| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment |
<!-- DenyLogOnAsService-GpMapping-End -->
<!-- DenyLogOnAsService-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- DenyLogOnAsService-Examples-End -->
<!-- DenyLogOnAsService-End -->
<!-- DenyRemoteDesktopServicesLogOn-Begin --> <!-- DenyRemoteDesktopServicesLogOn-Begin -->
## DenyRemoteDesktopServicesLogOn ## DenyRemoteDesktopServicesLogOn
@ -1029,58 +1081,6 @@ This user right determines which users and groups are prohibited from logging on
<!-- DenyRemoteDesktopServicesLogOn-End --> <!-- DenyRemoteDesktopServicesLogOn-End -->
<!-- DenyServiceLogonRight-Begin -->
## DenyServiceLogonRight
<!-- DenyServiceLogonRight-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview |
<!-- DenyServiceLogonRight-Applicability-End -->
<!-- DenyServiceLogonRight-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/UserRights/DenyServiceLogonRight
```
<!-- DenyServiceLogonRight-OmaUri-End -->
<!-- DenyServiceLogonRight-Description-Begin -->
<!-- Description-Source-DDF -->
This security setting determines which service accounts are prevented from registering a process as a service. This policy setting supersedes the Log on as a service policy setting if an account is subject to both policies.
> [!NOTE]
> This security setting does not apply to the System, Local Service, or Network Service accounts. Default: None.
<!-- DenyServiceLogonRight-Description-End -->
<!-- DenyServiceLogonRight-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- DenyServiceLogonRight-Editable-End -->
<!-- DenyServiceLogonRight-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | List (Delimiter: `0xF000`) |
<!-- DenyServiceLogonRight-DFProperties-End -->
<!-- DenyServiceLogonRight-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | Deny log on as a service |
| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment |
<!-- DenyServiceLogonRight-GpMapping-End -->
<!-- DenyServiceLogonRight-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- DenyServiceLogonRight-Examples-End -->
<!-- DenyServiceLogonRight-End -->
<!-- EnableDelegation-Begin --> <!-- EnableDelegation-Begin -->
## EnableDelegation ## EnableDelegation

52
windows/client-management/mdm/policy-csp-webthreatdefense.md
View File

@ -4,7 +4,7 @@ description: Learn more about the WebThreatDefense Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 03/23/2023 ms.date: 05/01/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -25,63 +25,63 @@ ms.topic: reference
> In Microsoft Intune, this CSP is listed under the **Enhanced Phishing Protection** category. > In Microsoft Intune, this CSP is listed under the **Enhanced Phishing Protection** category.
<!-- WebThreatDefense-Editable-End --> <!-- WebThreatDefense-Editable-End -->
<!-- CaptureThreatWindow-Begin --> <!-- AutomaticDataCollection-Begin -->
## CaptureThreatWindow ## AutomaticDataCollection
<!-- CaptureThreatWindow-Applicability-Begin --> <!-- AutomaticDataCollection-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | | :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview |
<!-- CaptureThreatWindow-Applicability-End --> <!-- AutomaticDataCollection-Applicability-End -->
<!-- CaptureThreatWindow-OmaUri-Begin --> <!-- AutomaticDataCollection-OmaUri-Begin -->
```Device ```Device
./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/CaptureThreatWindow ./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/AutomaticDataCollection
``` ```
<!-- CaptureThreatWindow-OmaUri-End --> <!-- AutomaticDataCollection-OmaUri-End -->
<!-- CaptureThreatWindow-Description-Begin --> <!-- AutomaticDataCollection-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
Configures Enhanced Phishing Protection notifications to allow to capture the suspicious window on client machines for further threat analysis. Automatically collect website or app content when additional analysis is needed to help identify security threats.
<!-- CaptureThreatWindow-Description-End --> <!-- AutomaticDataCollection-Description-End -->
<!-- CaptureThreatWindow-Editable-Begin --> <!-- AutomaticDataCollection-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- CaptureThreatWindow-Editable-End --> <!-- AutomaticDataCollection-Editable-End -->
<!-- CaptureThreatWindow-DFProperties-Begin --> <!-- AutomaticDataCollection-DFProperties-Begin -->
**Description framework properties**: **Description framework properties**:
| Property name | Property value | | Property name | Property value |
|:--|:--| |:--|:--|
| Format | int | | Format | int |
| Access Type | Add, Delete, Get, Replace | | Access Type | Add, Delete, Get, Replace |
| Default Value | 1 | | Default Value | 0 |
<!-- CaptureThreatWindow-DFProperties-End --> <!-- AutomaticDataCollection-DFProperties-End -->
<!-- CaptureThreatWindow-AllowedValues-Begin --> <!-- AutomaticDataCollection-AllowedValues-Begin -->
**Allowed values**: **Allowed values**:
| Value | Description | | Value | Description |
|:--|:--| |:--|:--|
| 0 | Disabled. | | 0 (Default) | Disabled. |
| 1 (Default) | Enabled. | | 1 | Enabled. |
<!-- CaptureThreatWindow-AllowedValues-End --> <!-- AutomaticDataCollection-AllowedValues-End -->
<!-- CaptureThreatWindow-GpMapping-Begin --> <!-- AutomaticDataCollection-GpMapping-Begin -->
**Group policy mapping**: **Group policy mapping**:
| Name | Value | | Name | Value |
|:--|:--| |:--|:--|
| Name | CaptureThreatWindow | | Name | AutomaticDataCollection |
| Path | WebThreatDefense > AT > WindowsComponents > WebThreatDefense | | Path | WebThreatDefense > AT > WindowsComponents > WebThreatDefense |
<!-- CaptureThreatWindow-GpMapping-End --> <!-- AutomaticDataCollection-GpMapping-End -->
<!-- CaptureThreatWindow-Examples-Begin --> <!-- AutomaticDataCollection-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. --> <!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- CaptureThreatWindow-Examples-End --> <!-- AutomaticDataCollection-Examples-End -->
<!-- CaptureThreatWindow-End --> <!-- AutomaticDataCollection-End -->
<!-- NotifyMalicious-Begin --> <!-- NotifyMalicious-Begin -->
## NotifyMalicious ## NotifyMalicious

103
windows/client-management/mdm/policy-csp-wifi.md
View File

@ -4,7 +4,7 @@ description: Learn more about the Wifi Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 03/23/2023 ms.date: 05/01/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -228,6 +228,105 @@ Allow or disallow connecting to Wi-Fi outside of MDM server-installed networks.
<!-- AllowManualWiFiConfiguration-End --> <!-- AllowManualWiFiConfiguration-End -->
<!-- AllowWFAQosManagementDSCPToUPMapping-Begin -->
## AllowWFAQosManagementDSCPToUPMapping
<!-- AllowWFAQosManagementDSCPToUPMapping-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | <!-- Not-Found --> |
<!-- AllowWFAQosManagementDSCPToUPMapping-Applicability-End -->
<!-- AllowWFAQosManagementDSCPToUPMapping-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Wifi/AllowWFAQosManagementDSCPToUPMapping
```
<!-- AllowWFAQosManagementDSCPToUPMapping-OmaUri-End -->
<!-- AllowWFAQosManagementDSCPToUPMapping-Description-Begin -->
<!-- Description-Source-DDF -->
Allow or disallow the device to use the DSCP to UP Mapping feature from the Wi-Fi Alliance QOS Management Suite 2020. This policy requires a reboot to take effect.
<!-- AllowWFAQosManagementDSCPToUPMapping-Description-End -->
<!-- AllowWFAQosManagementDSCPToUPMapping-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- AllowWFAQosManagementDSCPToUPMapping-Editable-End -->
<!-- AllowWFAQosManagementDSCPToUPMapping-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 2 |
<!-- AllowWFAQosManagementDSCPToUPMapping-DFProperties-End -->
<!-- AllowWFAQosManagementDSCPToUPMapping-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | DSCP to UP Mapping will be disabled. |
| 1 | DSCP to UP Mapping will be enabled. |
| 2 (Default) | DSCP to UP Mapping will be enabled only if it is enabled in the network profile. |
<!-- AllowWFAQosManagementDSCPToUPMapping-AllowedValues-End -->
<!-- AllowWFAQosManagementDSCPToUPMapping-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- AllowWFAQosManagementDSCPToUPMapping-Examples-End -->
<!-- AllowWFAQosManagementDSCPToUPMapping-End -->
<!-- AllowWFAQosManagementMSCS-Begin -->
## AllowWFAQosManagementMSCS
<!-- AllowWFAQosManagementMSCS-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | <!-- Not-Found --> |
<!-- AllowWFAQosManagementMSCS-Applicability-End -->
<!-- AllowWFAQosManagementMSCS-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Wifi/AllowWFAQosManagementMSCS
```
<!-- AllowWFAQosManagementMSCS-OmaUri-End -->
<!-- AllowWFAQosManagementMSCS-Description-Begin -->
<!-- Description-Source-DDF -->
Allow or disallow the device to automatically request to enable Mirrored Stream Classification Service when connecting to a MSCS capable network. This is a Quality of Service feature associated with Wi-Fi Alliance QoS Management Suite 2020. This policy requires a reboot to take effect.
<!-- AllowWFAQosManagementMSCS-Description-End -->
<!-- AllowWFAQosManagementMSCS-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- AllowWFAQosManagementMSCS-Editable-End -->
<!-- AllowWFAQosManagementMSCS-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 1 |
<!-- AllowWFAQosManagementMSCS-DFProperties-End -->
<!-- AllowWFAQosManagementMSCS-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | The device will not automatically request to enable MSCS when connecting to a MSCS capable network. |
| 1 (Default) | The device will automatically request to enable MSCS when connecting to a MSCS capable network. |
<!-- AllowWFAQosManagementMSCS-AllowedValues-End -->
<!-- AllowWFAQosManagementMSCS-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- AllowWFAQosManagementMSCS-Examples-End -->
<!-- AllowWFAQosManagementMSCS-End -->
<!-- AllowWiFi-Begin --> <!-- AllowWiFi-Begin -->
## AllowWiFi ## AllowWiFi
@ -245,7 +344,7 @@ Allow or disallow connecting to Wi-Fi outside of MDM server-installed networks.
<!-- AllowWiFi-Description-Begin --> <!-- AllowWiFi-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This policy has been deprecated. Allow or disallow WiFi connection.
<!-- AllowWiFi-Description-End --> <!-- AllowWiFi-Description-End -->
<!-- AllowWiFi-Editable-Begin --> <!-- AllowWiFi-Editable-Begin -->

4
windows/client-management/mdm/reboot-csp.md
View File

@ -4,7 +4,7 @@ description: Learn more about the Reboot CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 03/23/2023 ms.date: 05/01/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -194,7 +194,7 @@ Value in ISO8601, both the date and time are required. A reboot will be schedule
<!-- Device-Schedule-WeeklyRecurrent-Applicability-Begin --> <!-- Device-Schedule-WeeklyRecurrent-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | | :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-Schedule-WeeklyRecurrent-Applicability-End --> <!-- Device-Schedule-WeeklyRecurrent-Applicability-End -->
<!-- Device-Schedule-WeeklyRecurrent-OmaUri-Begin --> <!-- Device-Schedule-WeeklyRecurrent-OmaUri-Begin -->

6
windows/client-management/mdm/reboot-ddf-file.md
View File

@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 03/23/2023 ms.date: 05/01/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -170,6 +170,10 @@ The following XML file contains the device description framework (DDF) for the R
<DFType> <DFType>
<MIME /> <MIME />
</DFType> </DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.22621</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.0</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="None"> <MSFT:AllowedValues ValueType="None">
</MSFT:AllowedValues> </MSFT:AllowedValues>
</DFProperties> </DFProperties>

345
windows/client-management/mdm/windowslicensing-csp.md
View File

@ -4,7 +4,7 @@ description: Learn more about the WindowsLicensing CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 02/28/2023 ms.date: 05/01/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -28,12 +28,10 @@ The following list shows the WindowsLicensing configuration service provider nod
- [ChangeProductKey](#changeproductkey) - [ChangeProductKey](#changeproductkey)
- [CheckApplicability](#checkapplicability) - [CheckApplicability](#checkapplicability)
- [DeviceLicensingService](#devicelicensingservice) - [DeviceLicensingService](#devicelicensingservice)
- [AcquireDeviceLicense](#devicelicensingserviceacquiredevicelicense)
- [DeviceLicensingLastError](#devicelicensingservicedevicelicensinglasterror) - [DeviceLicensingLastError](#devicelicensingservicedevicelicensinglasterror)
- [DeviceLicensingLastErrorDescription](#devicelicensingservicedevicelicensinglasterrordescription) - [DeviceLicensingLastErrorDescription](#devicelicensingservicedevicelicensinglasterrordescription)
- [DeviceLicensingStatus](#devicelicensingservicedevicelicensingstatus) - [DeviceLicensingStatus](#devicelicensingservicedevicelicensingstatus)
- [LicenseType](#devicelicensingservicelicensetype) - [LicenseType](#devicelicensingservicelicensetype)
- [RemoveDeviceLicense](#devicelicensingserviceremovedevicelicense)
- [Edition](#edition) - [Edition](#edition)
- [LicenseKeyType](#licensekeytype) - [LicenseKeyType](#licensekeytype)
- [SMode](#smode) - [SMode](#smode)
@ -45,6 +43,12 @@ The following list shows the WindowsLicensing configuration service provider nod
- [{SubscriptionId}](#subscriptionssubscriptionid) - [{SubscriptionId}](#subscriptionssubscriptionid)
- [Name](#subscriptionssubscriptionidname) - [Name](#subscriptionssubscriptionidname)
- [Status](#subscriptionssubscriptionidstatus) - [Status](#subscriptionssubscriptionidstatus)
- [DisableSubscription](#subscriptionsdisablesubscription)
- [RemoveSubscription](#subscriptionsremovesubscription)
- [SubscriptionLastError](#subscriptionssubscriptionlasterror)
- [SubscriptionLastErrorDescription](#subscriptionssubscriptionlasterrordescription)
- [SubscriptionStatus](#subscriptionssubscriptionstatus)
- [SubscriptionType](#subscriptionssubscriptiontype)
- [UpgradeEditionWithLicense](#upgradeeditionwithlicense) - [UpgradeEditionWithLicense](#upgradeeditionwithlicense)
- [UpgradeEditionWithProductKey](#upgradeeditionwithproductkey) - [UpgradeEditionWithProductKey](#upgradeeditionwithproductkey)
<!-- WindowsLicensing-Tree-End --> <!-- WindowsLicensing-Tree-End -->
@ -167,7 +171,8 @@ Returns TRUE if the entered product key can be used for an edition upgrade of Wi
<!-- Device-DeviceLicensingService-OmaUri-End --> <!-- Device-DeviceLicensingService-OmaUri-End -->
<!-- Device-DeviceLicensingService-Description-Begin --> <!-- Device-DeviceLicensingService-Description-Begin -->
<!-- Description-Source-Not-Found --> <!-- Description-Source-DDF -->
Device Based Subscription.
<!-- Device-DeviceLicensingService-Description-End --> <!-- Device-DeviceLicensingService-Description-End -->
<!-- Device-DeviceLicensingService-Editable-Begin --> <!-- Device-DeviceLicensingService-Editable-Begin -->
@ -189,45 +194,6 @@ Returns TRUE if the entered product key can be used for an edition upgrade of Wi
<!-- Device-DeviceLicensingService-End --> <!-- Device-DeviceLicensingService-End -->
<!-- Device-DeviceLicensingService-AcquireDeviceLicense-Begin -->
### DeviceLicensingService/AcquireDeviceLicense
<!-- Device-DeviceLicensingService-AcquireDeviceLicense-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :x: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-DeviceLicensingService-AcquireDeviceLicense-Applicability-End -->
<!-- Device-DeviceLicensingService-AcquireDeviceLicense-OmaUri-Begin -->
```Device
./Vendor/MSFT/WindowsLicensing/DeviceLicensingService/AcquireDeviceLicense
```
<!-- Device-DeviceLicensingService-AcquireDeviceLicense-OmaUri-End -->
<!-- Device-DeviceLicensingService-AcquireDeviceLicense-Description-Begin -->
<!-- Description-Source-DDF -->
Acquire and Refresh Device License. Does not reboot.
<!-- Device-DeviceLicensingService-AcquireDeviceLicense-Description-End -->
<!-- Device-DeviceLicensingService-AcquireDeviceLicense-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-DeviceLicensingService-AcquireDeviceLicense-Editable-End -->
<!-- Device-DeviceLicensingService-AcquireDeviceLicense-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | null |
| Access Type | Exec |
<!-- Device-DeviceLicensingService-AcquireDeviceLicense-DFProperties-End -->
<!-- Device-DeviceLicensingService-AcquireDeviceLicense-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-DeviceLicensingService-AcquireDeviceLicense-Examples-End -->
<!-- Device-DeviceLicensingService-AcquireDeviceLicense-End -->
<!-- Device-DeviceLicensingService-DeviceLicensingLastError-Begin --> <!-- Device-DeviceLicensingService-DeviceLicensingLastError-Begin -->
### DeviceLicensingService/DeviceLicensingLastError ### DeviceLicensingService/DeviceLicensingLastError
@ -375,7 +341,7 @@ License Type: User Based Subscription or Device Based Subscription.
| Property name | Property value | | Property name | Property value |
|:--|:--| |:--|:--|
| Format | int | | Format | int |
| Access Type | Add, Delete, Get, Replace | | Access Type | Get, Replace |
<!-- Device-DeviceLicensingService-LicenseType-DFProperties-End --> <!-- Device-DeviceLicensingService-LicenseType-DFProperties-End -->
<!-- Device-DeviceLicensingService-LicenseType-AllowedValues-Begin --> <!-- Device-DeviceLicensingService-LicenseType-AllowedValues-Begin -->
@ -393,45 +359,6 @@ License Type: User Based Subscription or Device Based Subscription.
<!-- Device-DeviceLicensingService-LicenseType-End --> <!-- Device-DeviceLicensingService-LicenseType-End -->
<!-- Device-DeviceLicensingService-RemoveDeviceLicense-Begin -->
### DeviceLicensingService/RemoveDeviceLicense
<!-- Device-DeviceLicensingService-RemoveDeviceLicense-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :x: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-DeviceLicensingService-RemoveDeviceLicense-Applicability-End -->
<!-- Device-DeviceLicensingService-RemoveDeviceLicense-OmaUri-Begin -->
```Device
./Vendor/MSFT/WindowsLicensing/DeviceLicensingService/RemoveDeviceLicense
```
<!-- Device-DeviceLicensingService-RemoveDeviceLicense-OmaUri-End -->
<!-- Device-DeviceLicensingService-RemoveDeviceLicense-Description-Begin -->
<!-- Description-Source-DDF -->
Remove Device License. Device would be ready for user based license after this operation. Does not reboot.
<!-- Device-DeviceLicensingService-RemoveDeviceLicense-Description-End -->
<!-- Device-DeviceLicensingService-RemoveDeviceLicense-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-DeviceLicensingService-RemoveDeviceLicense-Editable-End -->
<!-- Device-DeviceLicensingService-RemoveDeviceLicense-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | null |
| Access Type | Exec |
<!-- Device-DeviceLicensingService-RemoveDeviceLicense-DFProperties-End -->
<!-- Device-DeviceLicensingService-RemoveDeviceLicense-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-DeviceLicensingService-RemoveDeviceLicense-Examples-End -->
<!-- Device-DeviceLicensingService-RemoveDeviceLicense-End -->
<!-- Device-Edition-Begin --> <!-- Device-Edition-Begin -->
## Edition ## Edition
@ -1064,6 +991,258 @@ Returns the status of the subscription.
<!-- Device-Subscriptions-{SubscriptionId}-Status-End --> <!-- Device-Subscriptions-{SubscriptionId}-Status-End -->
<!-- Device-Subscriptions-DisableSubscription-Begin -->
### Subscriptions/DisableSubscription
<!-- Device-Subscriptions-DisableSubscription-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :x: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
<!-- Device-Subscriptions-DisableSubscription-Applicability-End -->
<!-- Device-Subscriptions-DisableSubscription-OmaUri-Begin -->
```Device
./Vendor/MSFT/WindowsLicensing/Subscriptions/DisableSubscription
```
<!-- Device-Subscriptions-DisableSubscription-OmaUri-End -->
<!-- Device-Subscriptions-DisableSubscription-Description-Begin -->
<!-- Description-Source-DDF -->
Disable or Enable subscription activation on a device.
<!-- Device-Subscriptions-DisableSubscription-Description-End -->
<!-- Device-Subscriptions-DisableSubscription-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Subscriptions-DisableSubscription-Editable-End -->
<!-- Device-Subscriptions-DisableSubscription-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | int |
| Access Type | Replace |
<!-- Device-Subscriptions-DisableSubscription-DFProperties-End -->
<!-- Device-Subscriptions-DisableSubscription-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Enable Subscription. |
| 1 | Disable Subscription. It also removes any existing subscription on the device. |
<!-- Device-Subscriptions-DisableSubscription-AllowedValues-End -->
<!-- Device-Subscriptions-DisableSubscription-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Subscriptions-DisableSubscription-Examples-End -->
<!-- Device-Subscriptions-DisableSubscription-End -->
<!-- Device-Subscriptions-RemoveSubscription-Begin -->
### Subscriptions/RemoveSubscription
<!-- Device-Subscriptions-RemoveSubscription-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :x: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
<!-- Device-Subscriptions-RemoveSubscription-Applicability-End -->
<!-- Device-Subscriptions-RemoveSubscription-OmaUri-Begin -->
```Device
./Vendor/MSFT/WindowsLicensing/Subscriptions/RemoveSubscription
```
<!-- Device-Subscriptions-RemoveSubscription-OmaUri-End -->
<!-- Device-Subscriptions-RemoveSubscription-Description-Begin -->
<!-- Description-Source-DDF -->
Remove subscription uninstall subscription license. It also reset subscription type to User Based Subscription.
<!-- Device-Subscriptions-RemoveSubscription-Description-End -->
<!-- Device-Subscriptions-RemoveSubscription-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Subscriptions-RemoveSubscription-Editable-End -->
<!-- Device-Subscriptions-RemoveSubscription-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | null |
| Access Type | Exec |
<!-- Device-Subscriptions-RemoveSubscription-DFProperties-End -->
<!-- Device-Subscriptions-RemoveSubscription-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Subscriptions-RemoveSubscription-Examples-End -->
<!-- Device-Subscriptions-RemoveSubscription-End -->
<!-- Device-Subscriptions-SubscriptionLastError-Begin -->
### Subscriptions/SubscriptionLastError
<!-- Device-Subscriptions-SubscriptionLastError-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :x: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
<!-- Device-Subscriptions-SubscriptionLastError-Applicability-End -->
<!-- Device-Subscriptions-SubscriptionLastError-OmaUri-Begin -->
```Device
./Vendor/MSFT/WindowsLicensing/Subscriptions/SubscriptionLastError
```
<!-- Device-Subscriptions-SubscriptionLastError-OmaUri-End -->
<!-- Device-Subscriptions-SubscriptionLastError-Description-Begin -->
<!-- Description-Source-DDF -->
Error code of last subscription operation. Value would be empty(0) in absence of error.
<!-- Device-Subscriptions-SubscriptionLastError-Description-End -->
<!-- Device-Subscriptions-SubscriptionLastError-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Subscriptions-SubscriptionLastError-Editable-End -->
<!-- Device-Subscriptions-SubscriptionLastError-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | int |
| Access Type | Get |
<!-- Device-Subscriptions-SubscriptionLastError-DFProperties-End -->
<!-- Device-Subscriptions-SubscriptionLastError-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Subscriptions-SubscriptionLastError-Examples-End -->
<!-- Device-Subscriptions-SubscriptionLastError-End -->
<!-- Device-Subscriptions-SubscriptionLastErrorDescription-Begin -->
### Subscriptions/SubscriptionLastErrorDescription
<!-- Device-Subscriptions-SubscriptionLastErrorDescription-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :x: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
<!-- Device-Subscriptions-SubscriptionLastErrorDescription-Applicability-End -->
<!-- Device-Subscriptions-SubscriptionLastErrorDescription-OmaUri-Begin -->
```Device
./Vendor/MSFT/WindowsLicensing/Subscriptions/SubscriptionLastErrorDescription
```
<!-- Device-Subscriptions-SubscriptionLastErrorDescription-OmaUri-End -->
<!-- Device-Subscriptions-SubscriptionLastErrorDescription-Description-Begin -->
<!-- Description-Source-DDF -->
Error description of last subscription operation. Value would be empty, if error description cannot be evaluated.
<!-- Device-Subscriptions-SubscriptionLastErrorDescription-Description-End -->
<!-- Device-Subscriptions-SubscriptionLastErrorDescription-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Subscriptions-SubscriptionLastErrorDescription-Editable-End -->
<!-- Device-Subscriptions-SubscriptionLastErrorDescription-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Get |
<!-- Device-Subscriptions-SubscriptionLastErrorDescription-DFProperties-End -->
<!-- Device-Subscriptions-SubscriptionLastErrorDescription-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Subscriptions-SubscriptionLastErrorDescription-Examples-End -->
<!-- Device-Subscriptions-SubscriptionLastErrorDescription-End -->
<!-- Device-Subscriptions-SubscriptionStatus-Begin -->
### Subscriptions/SubscriptionStatus
<!-- Device-Subscriptions-SubscriptionStatus-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :x: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
<!-- Device-Subscriptions-SubscriptionStatus-Applicability-End -->
<!-- Device-Subscriptions-SubscriptionStatus-OmaUri-Begin -->
```Device
./Vendor/MSFT/WindowsLicensing/Subscriptions/SubscriptionStatus
```
<!-- Device-Subscriptions-SubscriptionStatus-OmaUri-End -->
<!-- Device-Subscriptions-SubscriptionStatus-Description-Begin -->
<!-- Description-Source-DDF -->
Status of last subscription operation.
<!-- Device-Subscriptions-SubscriptionStatus-Description-End -->
<!-- Device-Subscriptions-SubscriptionStatus-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Subscriptions-SubscriptionStatus-Editable-End -->
<!-- Device-Subscriptions-SubscriptionStatus-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | int |
| Access Type | Get |
<!-- Device-Subscriptions-SubscriptionStatus-DFProperties-End -->
<!-- Device-Subscriptions-SubscriptionStatus-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Subscriptions-SubscriptionStatus-Examples-End -->
<!-- Device-Subscriptions-SubscriptionStatus-End -->
<!-- Device-Subscriptions-SubscriptionType-Begin -->
### Subscriptions/SubscriptionType
<!-- Device-Subscriptions-SubscriptionType-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :x: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
<!-- Device-Subscriptions-SubscriptionType-Applicability-End -->
<!-- Device-Subscriptions-SubscriptionType-OmaUri-Begin -->
```Device
./Vendor/MSFT/WindowsLicensing/Subscriptions/SubscriptionType
```
<!-- Device-Subscriptions-SubscriptionType-OmaUri-End -->
<!-- Device-Subscriptions-SubscriptionType-Description-Begin -->
<!-- Description-Source-DDF -->
Set device to Device Based Subscription or User Based Subscription. For Device Based Subscription this action will automatically acquire the subscription on the device. For User Based Subscription the existing process of user logon will be required.
<!-- Device-Subscriptions-SubscriptionType-Description-End -->
<!-- Device-Subscriptions-SubscriptionType-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Subscriptions-SubscriptionType-Editable-End -->
<!-- Device-Subscriptions-SubscriptionType-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | int |
| Access Type | Get, Replace |
<!-- Device-Subscriptions-SubscriptionType-DFProperties-End -->
<!-- Device-Subscriptions-SubscriptionType-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | User Based Subscription. |
| 1 | Device Based Subscription. |
<!-- Device-Subscriptions-SubscriptionType-AllowedValues-End -->
<!-- Device-Subscriptions-SubscriptionType-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Subscriptions-SubscriptionType-Examples-End -->
<!-- Device-Subscriptions-SubscriptionType-End -->
<!-- Device-UpgradeEditionWithLicense-Begin --> <!-- Device-UpgradeEditionWithLicense-Begin -->
## UpgradeEditionWithLicense ## UpgradeEditionWithLicense

195
windows/client-management/mdm/windowslicensing-ddf-file.md
View File

@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 02/17/2023 ms.date: 05/01/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -322,6 +322,153 @@ The following XML file contains the device description framework (DDF) for the W
</DFProperties> </DFProperties>
</Node> </Node>
</Node> </Node>
<Node>
<NodeName>SubscriptionType</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<Description>Set device to Device Based Subscription or User Based Subscription. For Device Based Subscription this action will automatically acquire the subscription on the device. For User Based Subscription the existing process of user logon will be required.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>User Based Subscription</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Device Based Subscription</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>SubscriptionStatus</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Status of last subscription operation.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>SubscriptionLastError</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Error code of last subscription operation. Value would be empty(0) in absence of error.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>SubscriptionLastErrorDescription</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Error description of last subscription operation. Value would be empty, if error description cannot be evaluated.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>DisableSubscription</NodeName>
<DFProperties>
<AccessType>
<Replace />
</AccessType>
<Description>Disable or Enable subscription activation on a device</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Enable Subscription</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Disable Subscription. It also removes any existing subscription on the device.</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>RemoveSubscription</NodeName>
<DFProperties>
<AccessType>
<Exec />
</AccessType>
<Description>Remove subscription uninstall subscription license. It also reset subscription type to User Based Subscription.</Description>
<DFFormat>
<null />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME />
</DFType>
</DFProperties>
</Node>
</Node> </Node>
<Node> <Node>
<NodeName>SMode</NodeName> <NodeName>SMode</NodeName>
@ -439,7 +586,7 @@ The following XML file contains the device description framework (DDF) for the W
<AccessType> <AccessType>
<Get /> <Get />
</AccessType> </AccessType>
<Description>Insert Description Here</Description> <Description>Device Based Subscription</Description>
<DFFormat> <DFFormat>
<node /> <node />
</DFFormat> </DFFormat>
@ -461,8 +608,6 @@ The following XML file contains the device description framework (DDF) for the W
<NodeName>LicenseType</NodeName> <NodeName>LicenseType</NodeName>
<DFProperties> <DFProperties>
<AccessType> <AccessType>
<Add />
<Delete />
<Get /> <Get />
<Replace /> <Replace />
</AccessType> </AccessType>
@ -554,48 +699,6 @@ The following XML file contains the device description framework (DDF) for the W
</DFType> </DFType>
</DFProperties> </DFProperties>
</Node> </Node>
<Node>
<NodeName>AcquireDeviceLicense</NodeName>
<DFProperties>
<AccessType>
<Exec />
</AccessType>
<Description>Acquire and Refresh Device License. Does not reboot.</Description>
<DFFormat>
<null />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME />
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>RemoveDeviceLicense</NodeName>
<DFProperties>
<AccessType>
<Exec />
</AccessType>
<Description>Remove Device License. Device would be ready for user based license after this operation. Does not reboot.</Description>
<DFFormat>
<null />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME />
</DFType>
</DFProperties>
</Node>
</Node> </Node>
</Node> </Node>
</MgmtTree> </MgmtTree>