@@ -412,76 +412,73 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
>
-> Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.
->
> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices.
-Allows IT Admins to specify additional upgrade delays for up to eight months.
+Allows IT Admins to enter more upgrade delays for up to eight months.
-
Supported values are 0-8, which refers to the number of months to defer upgrades.
+Supported values are 0-8, which refers to the number of months to defer upgrades.
-
If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
+If the **Specify intranet Microsoft update service location** policy is enabled, then the **Defer upgrades by**, **Defer updates by** and **Pause Updates and Upgrades** settings have no effect.
-
If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
+If the **Allow Telemetry** policy is enabled and the Options value is set to 0, then the **Defer upgrades by**, **Defer updates by** and **Pause Updates and Upgrades** settings have no effect.
**Update/EngagedRestartDeadline**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
-
Added in Windows 10, version 1703. Allows the IT Admin to specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed within the specified period. If no deadline is specified or deadline is set to 0, the restart will not be automatically executed and will remain Engaged restart (pending user scheduling).
+Added in Windows 10, version 1703. Allows the IT Admin to specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed within the specified period. If no deadline is specified or deadline is set to 0, then the restart won't be automatically executed. It will remain Engaged restart (pending user scheduling).
-
Supported values are 2-30 days.
+Supported values are 2-30 days.
-
The default value is 0 days (not specified).
+The default value is 0 days (not specified).
**Update/EngagedRestartSnoozeSchedule**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
-
Added in Windows 10, version 1703. Allows the IT Admin to control the number of days a user can snooze Engaged restart reminder notifications.
+Added in Windows 10, version 1703. Allows the IT Admin to control the number of days a user can snooze Engaged restart reminder notifications.
-
Supported values are 1-3 days.
+Supported values are 1-3 days.
-
The default value is three days.
+The default value is three days.
**Update/EngagedRestartTransitionSchedule**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
-
Added in Windows 10, version 1703. Allows the IT Admin to control the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending.
+Added in Windows 10, version 1703. Allows the IT Admin to control the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending.
-
Supported values are 2-30 days.
+Supported values are 2-30 days.
-
The default value is seven days.
+The default value is seven days.
**Update/ExcludeWUDriversInQualityUpdate**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
-> Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.
-
Added in Windows 10, version 1607. Allows IT Admins to exclude Windows Update (WU) drivers during updates.
+Added in Windows 10, version 1607. Allows IT Admins to exclude Windows Update (WU) drivers during updates.
-
The following list shows the supported values:
+The following list shows the supported values:
- 0 (default) – Allow Windows Update drivers.
- 1 – Exclude Windows Update drivers.
**Update/IgnoreMOAppDownloadLimit**
-
Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for apps and their updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies.
+Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for apps and their updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies.
> [!WARNING]
> Setting this policy might cause devices to incur costs from MO operators.
-
The following list shows the supported values:
+The following list shows the supported values:
-- 0 (default) – Do not ignore MO download limit for apps and their updates.
+- 0 (default) – Don't ignore MO download limit for apps and their updates.
- 1 – Ignore MO download limit (allow unlimited downloading) for apps and their updates.
-
To validate this policy:
+To validate this policy:
1. Enable the policy ensure the device is on a cellular network.
2. Run the scheduled task on your device to check for app updates in the background. For example, on a mobile device, run the following commands in TShell:
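Review bot: The Windows 10 Mobile note is dropped at the top of this hunk, but the validation steps kept at the bottom still say "on a mobile device, run the following commands in TShell"; either keep the platform caveat or rewrite the validation step for the platforms that remain. Two smaller points in the same hunk: "Allows IT Admins to enter more upgrade delays" reads as if the admin adds delays on top of something, where the original "specify additional upgrade delays" was clearer, and the unchanged step "Enable the policy ensure the device is on a cellular network" is missing "and" (the parallel step in the next policy has it).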
@@ -493,20 +490,20 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
**Update/IgnoreMOUpdateDownloadLimit**
-
Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for OS updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies.
+Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for OS updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies.
> [!WARNING]
> Setting this policy might cause devices to incur costs from MO operators.
-
The following list shows the supported values:
+The following list shows the supported values:
-- 0 (default) – Do not ignore MO download limit for OS updates.
+- 0 (default) – Don't ignore MO download limit for OS updates.
- 1 – Ignore MO download limit (allow unlimited downloading) for OS updates.
-
To validate this policy:
+To validate this policy:
1. Enable the policy and ensure the device is on a cellular network.
-2. Run the scheduled task on phone to check for OS updates in the background. For example, on a mobile device, run the following commands in TShell:
+2. Run the scheduled task on the devices to check for OS updates in the background. For example, on a mobile device, run the following commands in TShell:
- `exec-device schtasks.exe -arguments ""/run /tn """"\Microsoft\Windows\WindowsUpdate\AUScheduledInstall"""" /I""`
3. Verify that any downloads that are above the download size limit will complete without being paused.
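Review bot: "Run the scheduled task on the devices" is plural while the preceding step says "ensure the device is on a cellular network" and the matching step for IgnoreMOAppDownloadLimit says "on your device"; suggest "on the device". The TShell / mobile device wording in the same sentence has the same problem as the previous hunk once the Mobile notes are removed.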
@@ -519,26 +516,26 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use PauseDeferrals for Windows 10, version 1511 devices.
-
Allows IT Admins to pause updates and upgrades for up to five weeks. Paused deferrals will be reset after five weeks.
+Allows IT Admins to pause updates and upgrades for up to five weeks. Paused deferrals will be reset after five weeks.
-
The following list shows the supported values:
+The following list shows the supported values:
-- 0 (default) – Deferrals are not paused.
+- 0 (default) – Deferrals aren't paused.
- 1 – Deferrals are paused.
-
If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
+If the **Specify intranet Microsoft update service location** policy is enabled, then the **Defer upgrades by**, **Defer updates by** and **Pause Updates and Upgrades** settings have no effect.
-
If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
+If the **Allow Telemetry** policy is enabled and the Options value is set to 0, then the **Defer upgrades by**, **Defer updates by** and **Pause Updates and Upgrades** settings have no effect.
**Update/PauseFeatureUpdates**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
-
Added in Windows 10, version 1607. Allows IT Admins to pause Feature Updates for up to 60 days.
+Added in Windows 10, version 1607. Allows IT Admins to pause Feature Updates for up to 60 days.
-
The following list shows the supported values:
+The following list shows the supported values:
-- 0 (default) – Feature Updates are not paused.
+- 0 (default) – Feature Updates aren't paused.
- 1 – Feature Updates are paused for 60 days or until value set to back to 0, whichever is sooner.
**Update/PauseQualityUpdates**
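Review bot: The value list being edited here still carries the typo "until value set to back to 0" on the unchanged line 1; since the contraction pass touches the adjacent line 0, fix it in the same change to "until the value is set back to 0" (the PauseQualityUpdates list below already reads "set back to 0").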
@@ -546,11 +543,11 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
-
Added in Windows 10, version 1607. Allows IT Admins to pause Quality Updates.
+Added in Windows 10, version 1607. Allows IT Admins to pause Quality Updates.
-
The following list shows the supported values:
+The following list shows the supported values:
-- 0 (default) – Quality Updates are not paused.
+- 0 (default) – Quality Updates aren't paused.
- 1 – Quality Updates are paused for 35 days or until value set back to 0, whichever is sooner.
**Update/RequireDeferUpgrade**
@@ -560,9 +557,9 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices.
-
Allows the IT admin to set a device to CBB train.
+Allows the IT admin to set a device to CBB train.
-
The following list shows the supported values:
+The following list shows the supported values:
- 0 (default) – User gets upgrades from Current Branch.
- 1 – User gets upgrades from Current Branch for Business.
@@ -578,38 +575,38 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
> If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead.
-
Allows the IT admin to restrict the updates that are installed on a device to only those on an update approval list. It enables IT to accept the End User License Agreement (EULA) associated with the approved update on behalf of the end-user. EULAs are approved once an update is approved.
+Allows the IT admin to restrict the updates that are installed on a device to only the updates on an update approval list. It enables IT to accept the End User License Agreement (EULA) associated with the approved update for the end user. EULAs are approved once an update is approved.
-
Supported operations are Get and Replace.
+Supported operations are Get and Replace.
-
The following list shows the supported values:
+The following list shows the supported values:
- 0 – Not configured. The device installs all applicable updates.
-- 1 – The device only installs updates that are both applicable and on the Approved Updates list. Set this policy to 1 if IT wants to control the deployment of updates on devices, such as when testing is required prior to deployment.
+- 1 – The device only installs updates that are both applicable and on the Approved Updates list. Set this policy to 1 if IT wants to control the deployment of updates on devices, such as when testing is required before deployment.
**Update/ScheduleImminentRestartWarning**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
-
Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart imminent warning notifications.
+Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart imminent warning notifications.
-
Supported values are 15, 30, or 60 (minutes).
+Supported values are 15, 30, or 60 (minutes).
-
The default value is 15 (minutes).
+The default value is 15 (minutes).
**Update/ScheduledInstallDay**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
-
Enables the IT admin to schedule the day of the update installation.
+Enables the IT admin to schedule the day of the update installation.
-
The data type is a string.
+The data type is a string.
-
Supported operations are Add, Delete, Get, and Replace.
+Supported operations are Add, Delete, Get, and Replace.
-
The following list shows the supported values:
+The following list shows the supported values:
- 0 (default) – Every day
- 1 – Sunday
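Review bot: Replacing "accept the End User License Agreement ... on behalf of the end-user" with "for the end user" weakens the statement; "on behalf of" is the point (IT is accepting a legal agreement in the user's place), so keep "on behalf of the end user" and only fix the hyphenation. The unchanged note above it, "If you previously used ... in previous versions of Windows", is also redundant and could be trimmed to "The **Update/PhoneUpdateRestrictions** policy used in previous versions of Windows is deprecated" while this text is being touched.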
@@ -625,35 +622,35 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
-
Enables the IT admin to schedule the time of the update installation.
+Enables the IT admin to schedule the time of the update installation.
-
The data type is a string.
+The data type is a string.
-
Supported operations are Add, Delete, Get, and Replace.
+Supported operations are Add, Delete, Get, and Replace.
-
Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM.
+Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM.
-
The default value is 3.
+The default value is 3.
**Update/ScheduleRestartWarning**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
-
Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto restart warning reminder notifications.
+Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto restart warning reminder notifications.
-
Supported values are 2, 4, 8, 12, or 24 (hours).
+Supported values are 2, 4, 8, 12, or 24 (hours).
-
The default value is 4 (hours).
+The default value is 4 (hours).
**Update/SetAutoRestartNotificationDisable**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
-
Added in Windows 10, version 1703. Allows the IT Admin to disable auto restart notifications for update installations.
+Added in Windows 10, version 1703. Allows the IT Admin to disable auto restart notifications for update installations.
-
The following list shows the supported values:
+The following list shows the supported values:
- 0 (default) – Enabled
- 1 – Disabled
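Review bot: The SetAutoRestartNotificationDisable value list in this hunk is ambiguous as left: under a policy whose name ends in "Disable", "0 (default) – Enabled" and "1 – Disabled" do not say what is enabled. Suggest "0 (default) – Auto restart notifications are enabled" and "1 – Auto restart notifications are disabled", matching the sentence above it.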
@@ -663,13 +660,13 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
> [!Important]
-> Starting in Windows 10, version 1703 this policy is not supported in IoT Enterprise.
+> Starting in Windows 10, version 1703 this policy isn't supported in IoT Enterprise.
-
Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premises MDMs that need to update devices that cannot connect to the Internet.
+Allows the device to check for updates from a WSUS server instead of Microsoft Update. Using WSUS is useful for on-premises MDMs that need to update devices that can't connect to the Internet.
-
Supported operations are Get and Replace.
+Supported operations are Get and Replace.
-
The following list shows the supported values:
+The following list shows the supported values:
- Not configured. The device checks for updates from Microsoft Update.
- Set to a URL, such as `http://abcd-srv:8530`. The device checks for updates from the WSUS server at the specified URL.
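Review bot: The example WSUS URL on the last line of this hunk is plain `http://`, and the same URL is repeated in the SyncML example below; since the whole point of UpdateServiceUrl is to redirect the update channel, the doc should either show an `https://` example or add a caveat that an HTTP WSUS endpoint leaves the update metadata exchange unauthenticated on the network. Separately, "Using WSUS is useful for on-premises MDMs" stacks "using" and "useful"; "WSUS is useful for on-premises MDMs" or "This option is useful for..." reads better.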
@@ -677,41 +674,42 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
Example
```xml
-
- $CmdID$
- -
-
- chr
- text/plain
-
-
- ./Vendor/MSFT/Policy/Config/Update/UpdateServiceUrl
-
- http://abcd-srv:8530
-
-
+
+ $CmdID$
+ -
+
+ chr
+ text/plain
+
+
+ ./Vendor/MSFT/Policy/Config/Update/UpdateServiceUrl
+
+ http://abcd-srv:8530
+
+
```
**Update/UpdateServiceUrlAlternate**
-> **Note** This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.
+> [!NOTE]
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.
-
Added in the January service release of Windows 10, version 1607. Specifies an alternate intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network.
+Added in the January service release of Windows 10, version 1607. Specifies an alternate intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network.
-
This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network.
+This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network.
-
To use this setting, you must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update agent, and download updates from an alternate download server instead of WSUS Server.
+To use this setting, you must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update agent, and download updates from an alternate download server instead of WSUS Server.
-
Value type is string and the default value is an empty string, "". If the setting is not configured, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet.
+Value type is string and the default value is an empty string. If the setting isn't configured, and if Automatic Updates isn't disabled by policy or user preference, then the Automatic Updates client connects directly to the Windows Update site on the Internet.
> [!Note]
> If the "Configure Automatic Updates" Group Policy is disabled, then this policy has no effect.
-> If the "Alternate Download Server" Group Policy is not set, it will use the WSUS server by default to download updates.
-> This policy is not supported on Windows RT. Setting this policy will not have any effect on Windows RT PCs.
+> If the "Alternate Download Server" Group Policy isn't set, it will use the WSUS server by default to download updates.
+> This policy isn't supported on Windows RT. Setting this policy will not have any effect on Windows RT PCs.
### Update management
-The enterprise IT can configure the set of approved updates and get compliance status via OMA DM using the [Update CSP](update-csp.md). The following shows the Update CSP in tree format.
+The enterprise IT can configure the set of approved updates and get compliance status via OMA DM using the [Update CSP](update-csp.md). The following information shows the Update CSP in tree format.
```console
./Vendor/MSFT
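Review bot: As rendered here, the reindented `xml` block contains only bare values (`$CmdID$`, `-`, `chr`, `text/plain`, the LocURI and the URL) with no SyncML element tags; confirm the `Replace`/`Item`/`Meta`/`Target`/`Data` elements survived the whitespace change, otherwise the example is no longer valid. Also in this hunk: "The following information shows the Update CSP in tree format" misreads (it is the tree that is shown, so "The following tree shows..." or simply keep "The following shows"); "it will use the WSUS server by default" has an ambiguous "it" (say "the client will use"); and "Setting this policy will not have any effect" was left uncontracted on the same line where "is not" became "isn't".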
@@ -750,15 +748,17 @@ The root node.
Supported operation is Get.
**ApprovedUpdates**
-Node for update approvals and EULA acceptance on behalf of the end-user.
+Node for update approvals and EULA acceptance for the end user.
-> **Note** When the RequireUpdateApproval policy is set, the MDM uses the ApprovedUpdates list to pass the approved GUIDs. These GUIDs should be a subset of the InstallableUpdates list.
+> [!NOTE]
+> When the RequireUpdateApproval policy is set, the MDM uses the ApprovedUpdates list to pass the approved GUIDs. These GUIDs should be a subset of the InstallableUpdates list.
-The MDM must first present the EULA to IT and have them accept it before the update is approved. Failure to do this is a breach of legal or contractual obligations. The EULAs can be obtained from the update metadata and have their own EULA ID. It's possible for multiple updates to share the same EULA. It is only necessary to approve the EULA once per EULA ID, not one per update.
+The MDM must first present the EULA to IT and have them accept it before the update is approved. Failure to present the EULA is a breach of legal or contractual obligations. The EULAs can be obtained from the update metadata and have their own EULA ID. It's possible for multiple updates to share the same EULA. It's only necessary to approve the EULA once per EULA ID, not one per update.
-The update approval list enables IT to approve individual updates and update classifications. Auto-approval by update classifications allows IT to automatically approve Definition Updates (that is, updates to the virus and spyware definitions on devices) and Security Updates (that is, product-specific updates for security-related vulnerability). The update approval list does not support the uninstallation of updates by revoking approval of already installed updates. Updates are approved based on UpdateID, and an UpdateID only needs to be approved once. An update UpdateID and RevisionNumber are part of the UpdateIdentity type. An UpdateID can be associated to several UpdateIdentity GUIDs due to changes to the RevisionNumber setting. MDM services must synchronize the UpdateIdentity of an UpdateID based on the latest RevisionNumber to get the latest metadata for an update. However, update approval is based on UpdateID.
+The update approval list enables IT to approve individual updates and update classifications. Auto-approval by update classifications allows IT to automatically approve Definition Updates (updates to the virus and spyware definitions on devices) and Security Updates (product-specific updates for security-related vulnerability). The update approval list doesn't support the uninstall of updates by revoking approval of already installed updates. Updates are approved based on UpdateID, and an UpdateID only needs to be approved once. An update UpdateID and RevisionNumber are part of the UpdateIdentity type. An UpdateID can be associated to several UpdateIdentity GUIDs because of changes to the RevisionNumber setting. MDM services must synchronize the UpdateIdentity of an UpdateID based on the latest RevisionNumber to get the latest metadata for an update. However, update approval is based on UpdateID.
-> **Note** For the Windows 10 build, the client may need to reboot after additional updates are added.
+> [!NOTE]
+> For the Windows 10 build, the client may need to reboot after additional updates are added.
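Review bot: "Failure to present the EULA is a breach of legal or contractual obligations" narrows the original "Failure to do this", which covered both presenting the EULA and having IT accept it; suggest "Failure to obtain that acceptance before approving the update is a breach...". Same "on behalf of the end user" regression as earlier in the patch on the ApprovedUpdates description. In the long paragraph, "security-related vulnerability" should be plural and "doesn't support the uninstall of updates" should be "uninstalling updates".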
@@ -788,7 +788,7 @@ Specifies the approved updates that failed to install on a device.
Supported operation is Get.
**FailedUpdates/***Failed Update Guid*
-Update identifier field of the UpdateIdentity GUID that represent an update that failed to download or install.
+Update identifier field of the UpdateIdentity GUID that represents an update that failed to download or install.
Supported operation is Get.
@@ -813,7 +813,7 @@ UpdateIDs that represent the updates installed on a device.
Supported operation is Get.
**InstallableUpdates**
-The updates that are applicable and not yet installed on the device. This includes updates that are not yet approved.
+The updates that are applicable and not yet installed on the device. This information includes updates that aren't yet approved.
Supported operation is Get.
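Review bot: "This information includes updates that aren't yet approved" has the wrong referent; InstallableUpdates is a set of updates, so "This set includes" or "The list includes" fits better than "This information".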
@@ -864,7 +864,7 @@ Supported operation is Get.
## Windows 10, version 1607 for update management
-Here are the new policies added in Windows 10, version 1607 in [Policy CSP](policy-configuration-service-provider.md). You should use these policies for the new Windows 10, version 1607 devices.
+Here are the new policies added in Windows 10, version 1607 in [Policy CSP](policy-configuration-service-provider.md). Use these policies for the Windows 10, version 1607 devices.
- Update/ActiveHoursEnd
- Update/ActiveHoursStart
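Review bot: "Use these policies for the Windows 10, version 1607 devices" needs the article dropped: "for Windows 10, version 1607 devices" (the line it replaces and the sentence in the next hunk both use that form).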
@@ -944,7 +944,7 @@ Here's the list of corresponding Group Policy settings in HKLM\\Software\\Polici
-Here is the list of older policies that are still supported for backward compatibility. You can use these for Windows 10, version 1511 devices.
+Here's the list of older policies that are still supported for backward compatibility. You can use these older policies for Windows 10, version 1511 devices.
- Update/RequireDeferUpgrade
- Update/DeferUpgradePeriod
@@ -1011,5 +1011,16 @@ Set auto update to notify and defer.
The following diagram and screenshots show the process flow of the device update process using Windows Server Update Services and Microsoft Update Catalog.
-
+
+
+
+
+
+
+
+
+
+
+
+
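Review bot: The twelve lines added after "The following diagram and screenshots show the process flow" render as empty in this diff; if they are image references, check that each carries alt text describing the step it shows, and if any are just blank lines they should be removed rather than committed.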
diff --git a/windows/client-management/mdm/devicelock-csp.md b/windows/client-management/mdm/devicelock-csp.md
index c913b4dff5..48dcb6b5da 100644
--- a/windows/client-management/mdm/devicelock-csp.md
+++ b/windows/client-management/mdm/devicelock-csp.md
@@ -17,7 +17,8 @@ ms.date: 06/26/2017
The DeviceLock configuration service provider is used by the enterprise management server to configure device lock related policies. This configuration service provider is supported by an enterprise management server.
-> **Note** The DeviceLock CSP is supported in Windows 10 Mobile for backward compatibility. For Windows 10 devices you should use [Policy CSP](policy-configuration-service-provider.md) for various device lock settings. You can continue to use DeviceLock CSP for Windows Phone 8.1 and Windows Phone 8.1 GDR devices. The DeviceLock CSP will be deprecated some time in the future.
+> [!Note]
+> For Windows 10 devices, use [Policy CSP](policy-configuration-service-provider.md) for various device lock settings. You can continue to use DeviceLock CSP for Windows Phone 8.1 GDR devices. The DeviceLock CSP will be deprecated some time in the future.
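Review bot: The rewritten note changes scope, not just style: it drops "supported in Windows 10 Mobile for backward compatibility" and narrows "Windows Phone 8.1 and Windows Phone 8.1 GDR" to "Windows Phone 8.1 GDR" only, with nothing in the change explaining why plain 8.1 is no longer listed; confirm that is intended. Also use `[!NOTE]` rather than `[!Note]` here, to match the admonition casing used later in the same file.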
@@ -30,7 +31,7 @@ The DevicePasswordEnabled setting must be set to 0 (device password is enabled)
- MaxInactivityTimeDeviceLock
- MinDevicePasswordComplexCharacters
-The following shows the DeviceLock configuration service provider in tree format.
+The following information shows the DeviceLock configuration service provider in tree format.
```console
./Vendor/MSFT
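Review bot: Same wording issue as in the Update CSP file: "The following information shows the DeviceLock configuration service provider in tree format" should be "The following tree shows..." (or keep "The following shows"), since what follows is the tree, not information about it.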
@@ -62,18 +63,19 @@ DeviceLock
Required. An interior node to group all policy providers. Scope is permanent. Supported operation is Get.
***ProviderID***
-Optional. The node that contains the configured management server's ProviderID. In Windows Phone 8, only one enterprise management server is supported. That is, there should be only one *ProviderID* node. Exchange ActiveSync policies set by Exchange are saved by the Sync client separately. Scope is dynamic. The following operations are supported:
+Optional. The node that contains the configured management server's ProviderID. Exchange ActiveSync policies set by Exchange are saved by the Sync client separately. Scope is dynamic. The following operations are supported:
- **Add** - Add the management account to the configuration service provider tree.
- **Delete** - Delete all policies set by this account. This command could be used in enterprise unenrollment for removing policy values set by the enterprise management server.
- **Get** - Return all policies set by the management server.
-> **Note** The value cannot be changed after it is added. The **Replace** command isn't supported.
+> [!NOTE]
+> The value cannot be changed after it's added. The **Replace** command isn't supported.
***ProviderID*/DevicePasswordEnabled**
-Optional. An integer value that specifies whether device lock is enabled. Possible values are one of the following:
+Optional. An integer value that specifies whether device lock is enabled. Possible values include:
- 0 - Device lock is enabled.
- 1 (default) - Device lock not enabled.
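Review bot: Removing "In Windows Phone 8, only one enterprise management server is supported. That is, there should be only one *ProviderID* node." drops the cardinality rule along with the stale platform name; if a single *ProviderID* node is still the expectation, keep "Only one enterprise management server is supported, so there should be only one *ProviderID* node" and drop only the Windows Phone 8 reference. Also, "Possible values include:" implies an open-ended list for a two-valued setting; "Possible values are:" is more accurate, and the same substitution appears in the two hunks that follow.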
@@ -83,7 +85,7 @@ The scope is dynamic.
Supported operations are Get, Add, and Replace.
***ProviderID*/AllowSimpleDevicePassword**
-Optional. An integer value that specifies whether simple passwords, such as "1111" or "1234", are allowed. Possible values for this node are one of the following:
+Optional. An integer value that specifies whether simple passwords, such as "1111" or "1234", are allowed. Possible values include:
- 0 - Not allowed.
- 1 (default) - Allowed.
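Review bot: "Possible values include:" suggests the list is non-exhaustive, but AllowSimpleDevicePassword takes exactly 0 or 1; "Possible values are:" (or "The following values are supported:") is the precise form, and the same wording was applied to DevicePasswordEnabled above and AlphanumericDevicePasswordRequired below. Worth noting in the same pass that the default here is "1 - Allowed", so the doc could say explicitly that simple PINs such as "1111" are permitted unless the policy is set to 0.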
@@ -100,7 +102,7 @@ Supported operations are Get, Add, and Replace.
***ProviderID*/AlphanumericDevicePasswordRequired**
Optional. An integer value that specifies the complexity of the password or PIN allowed.
-Valid values are one of the following:
+Possible values include:
- 0 - Alphanumeric password required
- 1 - Users can choose a numeric or alphanumeric password
@@ -117,28 +119,28 @@ Deprecated in Windows 10.
Deprecated in Windows 10.
***ProviderID*/MaxDevicePasswordFailedAttempts**
-Optional. An integer value that specifies the number of authentication failures allowed before the device will be wiped. Valid values are 0 to 999. The default value is 0, which indicates the device will not be wiped regardless of the number of authentication failures.
+Optional. An integer value that specifies the number of authentication failures allowed before the device will be wiped. Valid values are 0 to 999. The default value is 0, which indicates the device won't be wiped, whatever the number of authentication failures.
Invalid values are treated as a configuration failure. The scope is dynamic.
Supported operations are Get, Add, and Replace.
***ProviderID*/MaxInactivityTimeDeviceLock**
-Optional. An integer value that specifies the amount of time (in minutes) that the device can remain idle before it is password locked. Valid values are 0 to 999. A value of 0 indicates no time-out is specified. In this case, the maximum screen time-out allowed by the UI applies.
+Optional. An integer value that specifies the amount of time (in minutes) that the device can remain idle before it's password locked. Valid values are 0 to 999. A value of 0 indicates no time-out is specified. In this case, the maximum screen time-out allowed by the UI applies.
Invalid values are treated as a configuration failure. The scope is dynamic.
Supported operations are Get, Add, and Replace.
***ProviderID*/MinDevicePasswordComplexCharacters**
-Optional. An integer value that specifies the number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong password. Valid values are 1 to 4 for mobile and 1 to 3 for desktop. The default value is 1.
+Optional. An integer value that specifies the number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong password. Valid values are 1 to 3 for Windows client. The default value is 1.
Invalid values are treated as a configuration failure. The scope is dynamic.
Supported operations are Get, Add, and Replace.
**DeviceValue**
-Required. A permanent node that groups the policy values applied to the device. The server can query this node to discover what policy values are actually applied to the device. The scope is permanent.
+Required. A permanent node that groups the policy values applied to the device. The server can query this node to discover what policy values are applied to the device. The scope is permanent.
Supported operation is Get.
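Review bot: "the device won't be wiped, whatever the number of authentication failures" on the MaxDevicePasswordFailedAttempts `+` line is awkward; "regardless of the number of authentication failures" was clearer and is still plain English. On the DeviceValue `+` line, dropping "actually" removes the distinction this node exists for: DeviceValue reports what is in effect on the device, which can differ from what the server requested when a stricter setting is already present. "the policy values that are in effect on the device" keeps that. The MinDevicePasswordComplexCharacters change narrows the documented range from 1-4 (mobile) to 1-3, which is consistent with the Windows 10 Mobile removals elsewhere in this patch.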
@@ -288,31 +290,21 @@ All node values under the **ProviderID** interior node represent the policy valu
- An **Add** or **Replace** command on those nodes returns success in the following cases:
- - The value is actually applied to the device.
+ - The value is applied to the device.
- The value isn't applied to the device because the device has a more secure value set already.
- From a security perspective, the device complies with the policy request that is at least as secure as the one requested.
+ From a security perspective, the device complies with the policy request that's at least as secure as the one requested.
- A **Get** command on those nodes returns the value the server pushes down to the device.
- If a **Replace** command fails, the node value is set back to the value that was to be replaced.
-- If an **Add** command fails, the node is not created.
+- If an **Add** command fails, the node isn't created.
The value applied to the device can be queried via the nodes under the **DeviceValue** interior node.
-## Related topics
+## Related articles
[Configuration service provider reference](configuration-service-provider-reference.md)
-
-
-
-
-
-
-
-
-
-
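Review bot: the contraction on "the device complies with the policy request that's at least as secure as the one requested" keeps a sentence that still does not parse (a request cannot be "at least as secure as the one requested"). The meaning, from the bullet above it, is that the device's existing setting is at least as secure as the requested one, e.g. "From a security perspective, the device already satisfies the request: its current setting is at least as secure as the one requested." In the same hunk, dropping "actually" from "The value is actually applied to the device" weakens the contrast with the second bullet (value not applied because a stricter one is already set); "The value is applied to the device as requested." keeps it. Since Add/Replace succeed in both cases, a server cannot infer the effective value from the result code; the existing sentence pointing at DeviceValue already covers that.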
diff --git a/windows/client-management/mdm/dmclient-csp.md b/windows/client-management/mdm/dmclient-csp.md
index 7700e96c04..1a4f36b9b6 100644
--- a/windows/client-management/mdm/dmclient-csp.md
+++ b/windows/client-management/mdm/dmclient-csp.md
@@ -15,10 +15,11 @@ ms.date: 11/01/2017
# DMClient CSP
-The DMClient configuration service provider (CSP) is used to specify additional enterprise-specific mobile device management (MDM) configuration settings for identifying the device in the enterprise domain, for security mitigation for certificate renewal, and for server-triggered enterprise unenrollment.
+The DMClient configuration service provider (CSP) has more enterprise-specific mobile device management (MDM) configuration settings. These settings identify the device in the enterprise domain, include security mitigation for certificate renewal, and are used for server-triggered enterprise unenrollment.
-The following shows the DMClient CSP in tree format.
-```
+The following information shows the DMClient CSP in tree format.
+
+```console
./Vendor/MSFT
DMClient
----Provider
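Review bot: "has more enterprise-specific mobile device management (MDM) configuration settings" on the `+` intro line is a comparative with no referent (more than what?); the original "additional" meant settings beyond those the w7 and DMS CSPs provide. Suggest "The DMClient configuration service provider (CSP) specifies additional enterprise-specific mobile device management (MDM) configuration settings. These settings ...". Style only: the tree diagram is not console output, so a `text` fence tag would be more accurate than `console`, though either renders fine.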
@@ -72,7 +73,7 @@ All the nodes in this CSP are supported in the device context, except for the **
Root node for the CSP.
**UpdateManagementServiceAddress**
-For provisioning packages only. Specifies the list of servers (semicolon delimited). The first server in the semicolon-delimited list is the server that will be used to instantiate MDM sessions. The list can be a permutation or a subset of the existing server list. You cannot add new servers to the list using this node.
+For provisioning packages only. Specifies the list of servers (semicolon delimited). The first server in the semicolon-delimited list is the server that will be used to instantiate MDM sessions. The list can be a permutation or a subset of the existing server list. You can't add new servers to the list using this node.
**HWDevID**
Added in Windows 10, version 1703. Returns the hardware device ID.
@@ -85,28 +86,31 @@ Required. The root node for all settings that belong to a single management serv
Supported operation is Get.
**Provider/***ProviderID*
-Required. This node contains the URI-encoded value of the bootstrapped device management account’s Provider ID. Scope is dynamic. This value is set and controlled by the MDM server. As a best practice, use text that doesn’t require XML/URI escaping.
+Required. This node contains the URI-encoded value of the bootstrapped device management account’s Provider ID. Scope is dynamic. This value is set and controlled by the MDM provider. As a best practice, use text that doesn’t require XML/URI escaping.
Supported operations are Get and Add.
**Provider/*ProviderID*/EntDeviceName**
-Optional. Character string that contains the user-friendly device name used by the IT admin console. The value is set during the enrollment process by way of the DMClient CSP. You can retrieve it later during an OMA DM session.
+Optional. Character string that contains the user-friendly device name used by the IT admin console. The value is set during the enrollment process using the DMClient CSP. You can retrieve it later during an OMA DM session.
Supported operations are Get and Add.
**Provider/*ProviderID*/EntDMID**
-Optional. Character string that contains the unique enterprise device ID. The value is set by the management server during the enrollment process by way of the DMClient CSP. You can retrieve it later during an OMA DM session.
+Optional. Character string that contains the unique enterprise device ID. The value is set by the management server during the enrollment process using the DMClient CSP. You can retrieve it later during an OMA DM session.
Supported operations are Get and Add.
> [!NOTE]
-> Although hardware device IDs are guaranteed to be unique, there is a concern that this is not ultimately enforceable during a DM session. The device ID could be changed through the w7 APPLICATION CSP’s **USEHWDEVID** parm by another management server. So during enterprise bootstrap and enrollment, a new device ID is specified by the enterprise server.
+> Although hardware device IDs are guaranteed to be unique, there's a concern that this isn't ultimately enforceable during a DM session. The device ID could be changed through the w7 APPLICATION CSP’s **USEHWDEVID** parm by another management server. So during enterprise bootstrap and enrollment, a new device ID is specified by the enterprise server.
This node is required and must be set by the server before the client certificate renewal is triggered.
**Provider/*ProviderID*/ExchangeID**
-Optional. Character string that contains the unique Exchange device ID used by the Outlook account of the user the session is running against. This is useful for the enterprise management server to correlate and merge records for a device that is managed by exchange and natively managed by a dedicated management server.
+Optional. Character string that contains the unique Exchange device ID used by the Outlook account of the user the session is running against. The enterprise management server can correlate and merge records for:
+
+- A device that's managed by Exchange.
+- A device that's natively managed by a dedicated management server.
> [!NOTE]
> In some cases for the desktop, this node will return "not found" until the user sets up their email.
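Review bot: the bullet split at ExchangeID changes the meaning. The original describes one device that is managed both by Exchange and natively by a dedicated management server, and the point of ExchangeID is to let the enterprise server merge the two records for that one device; the two bullets now read as two different devices. Suggest "The enterprise management server can use it to correlate and merge records for a device that's managed both by Exchange and natively by a dedicated management server." Separately, "set and controlled by the MDM server" became "by the MDM provider" on the Provider/ProviderID `+` line, while EntDMID in the same hunk keeps "set by the management server". In this file "Provider" also names the CSP node, so "MDM provider" is ambiguous; the party that sets these values during the DM session is the server, and "MDM server" should be kept throughout (the same substitution appears in later hunks).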
@@ -115,7 +119,7 @@ Optional. Character string that contains the unique Exchange device ID used by t
Supported operation is Get.
-The following is a Get command example.
+The following XML is a Get command example:
```xml
@@ -128,13 +132,8 @@ The following is a Get command example.
```
-**Provider/*ProviderID*/PublisherDeviceID**
-(Only for Windows 10 Mobile.) Optional. The PublisherDeviceID is a device-unique ID created based on the enterprise Publisher ID. Publisher ID is created based on the enterprise application token and enterprise ID via ./Vendor/MSFT/EnterpriseAppManagement/<enterprise id>/EnrollmentToken. It is to ensure that for one enterprise, each device has a unique ID associated with it. For the same device, if it has multiple enterprises’ applications, each enterprise is identified differently.
-
-Supported operation is Get.
-
**Provider/*ProviderID*/SignedEntDMID**
-Optional. Character string that contains the device ID. This node and the nodes **CertRenewTimeStamp** can be used by the MDM server to verify client identity in order to update the registration record after the device certificate is renewed. The device signs the **EntDMID** with the old client certificate during the certificate renewal process and saves the signature locally.
+Optional. Character string that contains the device ID. This node and the nodes **CertRenewTimeStamp** can be used by the MDM provider to verify client identity to update the registration record after the device certificate is renewed. The device signs the **EntDMID** with the old client certificate during the certificate renewal process and saves the signature locally.
Supported operation is Get.
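Review bot: removing PublisherDeviceID (Windows 10 Mobile only) is consistent with the other Mobile removals, but only the first lines of the tree diagram from the hunk at the top of the file are visible here; confirm the node is also dropped from the tree so the tree and the node list agree. On the SignedEntDMID `+` line, "to verify client identity to update the registration record" stacks two infinitives; "to verify client identity before updating the registration record after the device certificate is renewed" reads better. And "MDM provider" again replaces "MDM server" for the party that verifies the signature, which is the server.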
@@ -144,57 +143,61 @@ Optional. The time in OMA DM standard time format. This node is designed to redu
Supported operation is Get.
**Provider/*ProviderID*/ManagementServiceAddress**
-Required. The character string that contains the device management server address. It can be updated during an OMA DM session by the management server to allow the server to load balance to another server in situations where too many devices are connected to the server.
+Required. The character string that contains the device management server address. It can be updated during an OMA DM session by the management server. It allows the server to load balance to another server when too many devices are connected to the server.
> [!NOTE]
> When the **ManagementServerAddressList** value is set, the device ignores the value.
-The DMClient CSP will save the address to the same location as the w7 and DMS CSPs to ensure the management client has a single place to retrieve the current server address. The initial value for this node is the same server address value as bootstrapped via the [w7 APPLICATION configuration service provider](w7-application-csp.md).
+The DMClient CSP will save the address to the same location as the w7 and DMS CSPs. The save ensures the management client has a single place to retrieve the current server address. The initial value for this node is the same server address value as bootstrapped using the [w7 APPLICATION configuration service provider](w7-application-csp.md).
-Starting in Windows 10, version 1511, this node supports multiple server addresses in the format <URL1><URL2><URL3>. If there is only a single URL, then the <> are not required. This is supported for both desktop and mobile devices.
+Starting in Windows 10, version 1511, this node supports multiple server addresses in the format <URL1><URL2><URL3>. If there's only a single URL, then the <> aren't required. This feature is supported on Windows client devices.
During a DM session, the device will use the first address on the list and then keep going down the list until a successful connection is achieved. The DM client should cache the successfully connected server URL for the next session.
Supported operations are Add, Get, and Replace.
**Provider/*ProviderID*/UPN**
-Optional. Allows the management server to update the User Principal Name (UPN) of the enrolled user. This is useful in scenarios where the user email address changes in the identity system, or in the scenario where the user enters an invalid UPN during enrollment, and fixes the UPN during federated enrollment. The UPN will be recorded and the UX will reflect the updated UPN.
+Optional. Allows the management server to update the User Principal Name (UPN) of the enrolled user. This information is useful when the user email address changes in the identity system. Or, when the user enters an invalid UPN during enrollment, and fixes the UPN during federated enrollment. The UPN will be recorded and the UX will reflect the updated UPN.
Supported operations are Get and Replace.
**Provider/*ProviderID*/HelpPhoneNumber**
-Optional. The character string that allows the user experience to include a customized help phone number that the end user will be able to view and use if they need help or support.
+Optional. The character string that allows the user experience to include a customized help phone number. Users can see this information if they need help or support.
Supported operations are Get, Replace, and Delete.
**Provider/*ProviderID*/HelpWebsite**
-Optional. The character string that allows the user experience to include a customized help website that the end user will be able to view and use if they need help or support.
+Optional. The character string that allows the user experience to include a customized help website. Users can see this information if they need help or support.
Supported operations are Get, Replace, and Delete
**Provider/*ProviderID*/HelpEmailAddress**
-Optional. The character string that allows the user experience to include a customized help email address that the end user will be able to view and use if they need help or support.
+Optional. The character string that allows the user experience to include a customized help email address. Users can see this information if they need help or support.
Supported operations are Get, Replace, and Delete.
**Provider/*ProviderID*/RequireMessageSigning**
-Boolean type. Primarily used for SSL bridging mode where firewalls and proxies are deployed and where device client identity is required. When enabled, every SyncML message from the device will carry an additional HTTP header named MDM-Signature. This header contains BASE64-encoded Cryptographic Message Syntax using a Detached Signature of the complete SyncML message SHA-2 (inclusive of the SyncHdr and SyncBody). Signing is performed using the private key of the management session certificate that was enrolled as part of the enrollment process. The device public key and PKCS9 UTC signing time stamp are included as part of the authenticated attributes in the signature.
+Boolean type. Primarily used for SSL bridging mode where firewalls and proxies are deployed and where device client identity is required. When enabled, every SyncML message from the device will carry an additional HTTP header named MDM-Signature. This header contains BASE64-encoded Cryptographic Message Syntax using a Detached Signature of the complete SyncML message SHA-2 (inclusive of the SyncHdr and SyncBody). Signing is performed using the private key of the management session certificate that was enrolled as part of the enrollment process. The device public key and PKCS9 UTC signing time stamp are included in the authenticated attributes in the signature.
-Default value is false, where the device management client does not include authentication information in the management session HTTP header. Optionally set to true, where the client authentication information is provided in the management session HTTP header.
+Default value is false, where the device management client doesn't include authentication information in the management session HTTP header. Optionally set to true, where the client authentication information is provided in the management session HTTP header.
-When enabled, the MDM server should validate the signature and the timestamp using the device identify certificate enrolled as part of MS-MDE, ensure the certificate and time are valid, and verify that the signature is trusted by the MDM server.
+When enabled, the MDM provider should:
+
+- Validate the signature and the timestamp using the device identify certificate enrolled as part of Mobile Device Enrollment protocol (MS-MDE).
+- Ensure the certificate and time are valid.
+- Verify that the signature is trusted by the MDM provider.
Supported operations are Get, Replace, and Delete.
**Provider/*ProviderID*/SyncApplicationVersion**
-Optional. Used by the management server to set the DM session version that the server and device should use. Default is 1.0. In Windows 10, the DM session protocol version of the client is 2.0. If the server is updated to support 2.0, then you should set this value to 2.0. In the next session, check to see if there is a client behavior change between 1.0 and 2.0.
+Optional. Used by the management server to set the DM session version that the server and device should use. Default is 1.0. In Windows 10, the DM session protocol version of the client is 2.0. If the server is updated to support 2.0, then you should set this value to 2.0. In the next session, check to see if there's a client behavior change between 1.0 and 2.0.
> [!NOTE]
> This node is only supported in Windows 10 and later.
-Once you set the value to 2.0, it will not go back to 1.0.
+Once you set the value to 2.0, it won't go back to 1.0.
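Review bot: the new RequireMessageSigning bullets carry the typo "device identify certificate" over from the original; it should be "device identity certificate". Since this is the sentence that tells server implementers what to check on the MDM-Signature header, the three bullets could also be tightened: validate the detached CMS signature over the SyncML message hash, check that the PKCS9 signing time is current (the timestamp is in the authenticated attributes precisely so a captured header cannot be replayed), and verify that the signing certificate is the device certificate enrolled through MS-MDE and chains to a trusted issuer. Also in this hunk: "The save ensures the management client has a single place" at ManagementServiceAddress is awkward ("Saving it in one place ensures ..."), and the UPN paragraph now starts a sentence with "Or, when the user enters an invalid UPN ...", which is a fragment; fold it back into the previous sentence.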
@@ -208,18 +211,18 @@ When you query this node, a Windows 10 client will return 2.0 and a Windows 8.
Supported operation is Get.
**Provider/*ProviderID*/AADResourceID**
-Optional. This is the ResourceID used when requesting the user token from the OMA DM session for Azure Active Directory (Azure AD) enrollments (Azure AD Join or Add Accounts). The token is audience-specific, which allows for different service principals (enrollment vs. device management). It can be an application ID or the endpoint that you are trying to access.
+Optional. This ResourceID is used when requesting the user token from the OMA DM session for Azure Active Directory (Azure AD) enrollments (Azure AD Join or Add Accounts). The token is audience-specific, which allows for different service principals (enrollment vs. device management). It can be an application ID or the endpoint that you're trying to access.
For more information about Azure AD enrollment, see [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md).
**Provider/*ProviderID*/EnableOmaDmKeepAliveMessage**
Added in Windows 10, version 1511. A boolean value that specifies whether the DM client should send out a request pending alert in case the device response to a DM request is too slow.
-When the server sends a configuration request, sometimes it takes the client longer than the HTTP timeout to get all information together and then the session ends unexpectedly due to timeout. By default, the MDM client does not send an alert that a DM request is pending.
+When the server sends a configuration request, the client can take longer than the HTTP timeout to get all information together. The session might end unexpectedly because of the timeout. By default, the MDM client doesn't send an alert that a DM request is pending.
-To work around the timeout, you can use this setting to keep the session alive by sending a heartbeat message back to the server. This is achieved by sending a SyncML message with a specific device alert element in the body until the client is able to respond back to the server with the requested information.
+To work around the timeout, you can use this setting to keep the session alive by sending a heartbeat message back to the server. Send a SyncML message with a specific device alert element in the body until the client can respond back to the server with the requested information.
-Here is an example of DM message sent by the device when it is in pending state:
+Here's an example of DM message sent by the device when it's in pending state:
```xml
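Review bot: the imperative "Send a SyncML message with a specific device alert element in the body until the client can respond ..." on the EnableOmaDmKeepAliveMessage `+` line now reads as an instruction to the reader, but it is the DM client that sends the alert automatically when this setting is enabled (the preceding sentence says so). Suggest "The client sends a SyncML message with a specific device alert element in the body until it can respond to the server with the requested information."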
@@ -266,12 +269,12 @@ Added in Windows 10, version 1607. Returns the hardware device ID.
Supported operation is Get.
**Provider/*ProviderID*/CommercialID**
-Added in Windows 10, version 1607. Configures the identifier used to uniquely associate this diagnostic data of this device as belonging to a given organization. If your organization is participating in a program that requires this device to be identified as belonging to your organization then use this setting to provide that identification. The value for this setting will be provided by Microsoft as part of the onboarding process for the program. If you disable or do not configure this policy setting, then Microsoft will not be able to use this identifier to associate this machine and its diagnostic data with your organization.
+Added in Windows 10, version 1607. It configures the identifier that uniquely associates the device's diagnostic data belonging to the organization. If your organization is participating in a program that requires this device to be identified as belonging to your organization, then use this setting to provide that identification. The value for this setting is provided by Microsoft in the onboarding process for the program. If you disable or don't configure this policy setting, then Microsoft can't use this identifier to associate this machine and its diagnostic data with your organization.
Supported operations are Add, Get, Replace, and Delete.
**Provider/*ProviderID*/ManagementServerAddressList**
-Added in Windows 10, version 1607. The list of management server URLs in the format <URL1><URL2><URL3>, and so on. If there is only one, the angle brackets (<>) are not required.
+Added in Windows 10, version 1607. The list of management server URLs in the format <URL1><URL2><URL3>, and so on. If there's only one, the angle brackets (<>) aren't required.
> [!NOTE]
> The < and > should be escaped.
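Review bot: "the identifier that uniquely associates the device's diagnostic data belonging to the organization" on the CommercialID `+` line is ungrammatical (associates ... belonging to). Suggest "Configures the identifier used to mark this device's diagnostic data as belonging to your organization." That also drops the dangling "It configures" that follows "Added in Windows 10, version 1607." and matches the form of the other node descriptions.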
@@ -294,12 +297,12 @@ Added in Windows 10, version 1607. The list of management server URLs in the fo
If ManagementServerAddressList node is set, the device will only use the server URL configured in this node and ignore the ManagementServiceAddress value.
-When the server is not responding after a specified number of retries, the device tries to use the next server URL in the list until it gets a successful connection. After the server list is updated, the client uses the updated list at the next session starting with the first on in the list.
+When the server isn't responding after a specified number of retries, the device tries to use the next server URL in the list. It keeps trying until it gets a successful connection. After the server list is updated, the client uses the updated list at the next session starting with the first one in the list.
Supported operations are Get and Replace. Value type is string.
**Provider/*ProviderID*/ManagementServerToUpgradeTo**
-Optional. Added in Windows 10, version 1703. Specify the Discovery server URL of the MDM server to upgrade to for a Mobile Application Management (MAM) enrolled device.
+Optional. Added in Windows 10, version 1703. Specify the Discovery server URL of the MDM provider to upgrade to for a Mobile Application Management (MAM) enrolled device.
Supported operations are Add, Delete, Get, and Replace. Value type is string.
@@ -310,18 +313,18 @@ Supported operations are Add, Delete, Get, and Replace. Value type is integer.
**Provider/*ProviderID*/AADSendDeviceToken**
-Device. Added in Windows 10 version 1803. For Azure AD backed enrollments, this will cause the client to send a Device Token if the User Token cannot be obtained.
+Device. Added in Windows 10 version 1803. For Azure AD backed enrollments, this feature will cause the client to send a Device Token if the User Token can't be obtained.
Supported operations are Add, Delete, Get, and Replace. Value type is bool.
**Provider/*ProviderID*/Poll**
-Optional. Polling schedules must utilize the DMClient CSP. The Registry paths previously associated with polling using the Registry CSP are now deprecated.
+Optional. Polling schedules must use the DMClient CSP. The Registry paths previously associated with polling using the Registry CSP are now deprecated.
Supported operations are Get and Add.
-There are three schedules managed under the Poll node which enable a rich polling schedule experience to provide greater flexibility in managing the way in which devices poll the management server. There are a variety of ways in which polling schedules may be set. If an invalid polling configuration is set, the device will correct or remove the schedules in order to restore the polling schedules back to a valid configuration.
+There are three schedules managed under the Poll node. They enable a rich polling schedule experience to provide greater flexibility in managing the way devices poll the management server. There are various ways that polling schedules may be set. If an invalid polling configuration is set, the device will correct or remove the schedules to restore the polling schedules back to a valid configuration.
-If there is no infinite schedule set, then a 24-hour schedule is created and scheduled to launch in the maintenance window.
+If there's no infinite schedule set, then a 24-hour schedule is created and scheduled to launch in the maintenance window.
**Valid poll schedule: sigmoid polling schedule with infinite schedule (Recommended).**
@@ -540,65 +543,65 @@ If there is no infinite schedule set, then a 24-hour schedule is created and sch
-If the device was previously enrolled in MDM with polling schedule configured via registry key values directly, the MDM server that supports using DMClient CSP to update polling schedule must first send an Add command to add a **./Vendor/MSFT/DMClient/Enrollment/<ProviderID>/Poll** node before it sends a Get/Replace command to query or update polling parameters via DMClient CSP
+If the device was previously enrolled in MDM with polling schedule configured using the registry key values directly, the MDM provider that supports using DMClient CSP to update polling schedule must first send an Add command to add a **./Vendor/MSFT/DMClient/Enrollment/<ProviderID>/Poll** node before it sends a Get/Replace command to query or update polling parameters using the DMClient CSP
-When using the DMClient CSP to configure polling schedule parameters, the server must not set all six polling parameters to 0, or set all 3 number of retry nodes to 0 because it will cause a configuration failure.
+When using the DMClient CSP to configure polling schedule parameters, the server must not set all six polling parameters to 0, or set all three number of retry nodes to 0. It will cause a configuration failure.
**Provider/*ProviderID*/Poll/IntervalForFirstSetOfRetries**
-Optional. The waiting time (in minutes) for the initial set of retries as specified by the number of retries in /<ProviderID>/Poll/NumberOfFirstRetries. If IntervalForFirstSetOfRetries is not set, then the default value is used. The default value is 15. If the value is set to 0, this schedule is disabled.
+Optional. The waiting time (in minutes) for the initial set of retries, which is the number of retries in `//Poll/NumberOfFirstRetries`. If IntervalForFirstSetOfRetries isn't set, then the default value is used. The default value is 15. If the value is set to 0, this schedule is disabled.
Supported operations are Get and Replace.
-The IntervalForFirstSetOfRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\AuxRetryInterval path that previously utilized the Registry CSP.
+The IntervalForFirstSetOfRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\AuxRetryInterval path that previously used the Registry CSP.
**Provider/*ProviderID*/Poll/NumberOfFirstRetries**
-Optional. The number of times the DM client should retry to connect to the server when the client is initially configured or enrolled to communicate with the server. If the value is set to 0 and the IntervalForFirstSetOfRetries value is not 0, then the schedule will be set to repeat an infinite number of times and second set and this set of schedule will not set in this case. The default value is 10.
+Optional. The number of times the DM client should retry to connect to the server when the client is initially configured or enrolled to communicate with the server. If the value is set to 0 and the IntervalForFirstSetOfRetries value isn't 0, then the schedule will be set to repeat an infinite number of times and second set and this set of schedule won't set in this case. The default value is 10.
Supported operations are Get and Replace.
-The NumberOfFirstRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\AuxNumRetries path that previously utilized the Registry CSP.
+The NumberOfFirstRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\AuxNumRetries path that previously used the Registry CSP.
-The first set of retries is intended to give the management server some buffered time to be ready to send policies and settings configuration to the device. The total time for first set of retries should not be more than a few hours. The server should not set NumberOfFirstRetries to be 0. RemainingScheduledRetries is used for the long run device polling schedule.
+The first set of retries gives the management server some buffered time to be ready to send policy and setting configurations to the device. The total time for first set of retries shouldn't be more than a few hours. The server shouldn't set NumberOfFirstRetries to 0. RemainingScheduledRetries is used for the long run device polling schedule.
**Provider/*ProviderID*/Poll/IntervalForSecondSetOfRetries**
-Optional. The waiting time (in minutes) for the second set of retries as specified by the number of retries in /<ProviderID>/Poll/NumberOfSecondRetries. Default value is 0. If this value is set to zero, then this schedule is disabled.
+Optional. The waiting time (in minutes) for the second set of retries, which is the number of retries in `//Poll/NumberOfSecondRetries`. Default value is 0. If this value is set to zero, then this schedule is disabled.
Supported operations are Get and Replace.
-The IntervalForSecondSetOfRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\RetryInterval path that previously utilized the Registry CSP.
+The IntervalForSecondSetOfRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\RetryInterval path that previously used the Registry CSP.
**Provider/*ProviderID*/Poll/NumberOfSecondRetries**
-Optional. The number of times the DM client should retry a second round of connecting to the server when the client is initially configured/enrolled to communicate with the server. Default value is 0. If the value is set to 0 and IntervalForSecondSetOfRetries is not set to 0 AND the first set of retries is not set as infinite retries, then the schedule repeats an infinite number of times. However, if the first set of retries is set at infinite, then this schedule is disabled.
+Optional. The number of times the DM client should retry a second round of connecting to the server when the client is initially configured/enrolled to communicate with the server. Default value is 0. If the value is set to 0 and IntervalForSecondSetOfRetries isn't set to 0 AND the first set of retries isn't set as infinite retries, then the schedule repeats an infinite number of times. However, if the first set of retries is set at infinite, then this schedule is disabled.
Supported operations are Get and Replace.
-The NumberOfSecondRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\NumRetries path that previously utilized the Registry CSP.
+The NumberOfSecondRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\NumRetries path that previously used the Registry CSP.
The second set of retries is also optional and temporarily retries that the total duration should be last for more than a day. And the IntervalForSecondSetOfRetries should be longer than IntervalForFirstSetOfRetries. RemainingScheduledRetries is used for the long run device polling schedule.
**Provider/*ProviderID*/Poll/IntervalForRemainingScheduledRetries**
-Optional. The waiting time (in minutes) for the initial set of retries as specified by the number of retries in /<ProviderID>/Poll/NumberOfRemainingScheduledRetries. Default value is 0. If IntervalForRemainingScheduledRetries is set to 0, then this schedule is disabled.
+Optional. The waiting time (in minutes) for the initial set of retries, which is the number of retries in `//Poll/NumberOfRemainingScheduledRetries`. Default value is 0. If IntervalForRemainingScheduledRetries is set to 0, then this schedule is disabled.
Supported operations are Get and Replace.
-The IntervalForRemainingScheduledRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\Aux2RetryInterval path that previously utilized the Registry CSP.
+The IntervalForRemainingScheduledRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\Aux2RetryInterval path that previously used the Registry CSP.
**Provider/*ProviderID*/Poll/NumberOfRemainingScheduledRetries**
-Optional. The number of times the DM client should retry connecting to the server when the client is initially configured/enrolled to communicate with the server. Default value is 0. If the value is set to 0 and IntervalForRemainingScheduledRetries AND the first and second set of retries are not set as infinite retries, then the schedule will be set to repeat for an infinite number of times. However, if either or both of the first and second set of retries are set as infinite, then this schedule will be disabled.
+Optional. The number of times the DM client should retry connecting to the server when the client is initially configured/enrolled to communicate with the server. Default value is 0. If the value is set to 0 and IntervalForRemainingScheduledRetries AND the first and second set of retries aren't set as infinite retries, then the schedule will be set to repeat for an infinite number of times. However, if either or both of the first and second set of retries are set as infinite, then this schedule will be disabled.
Supported operations are Get and Replace.
-The NumberOfRemainingScheduledRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\Aux2NumRetries path that previously utilized the Registry CSP.
+The NumberOfRemainingScheduledRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\Aux2NumRetries path that previously used the Registry CSP.
-The RemainingScheduledRetries is used for the long run device polling schedule. IntervalForRemainingScheduledRetries should not be set smaller than 1440 minutes (24 hours) in Windows Phone 8.1 device. Windows Phone 8.1 supports MDM server push.
+The RemainingScheduledRetries is used for the long run device polling schedule.
**Provider/*ProviderID*/Poll/PollOnLogin**
-Optional. Boolean value that allows the IT admin to require the device to start a management session on any user login, regardless of if the user has preciously logged in. Login is not the same as device unlock. Default value is false, where polling is disabled on first login. Supported values are true or false.
+Optional. Boolean value that allows the IT admin to require the device to start a management session on any user login, even if the user has previously logged in. Login isn't the same as device unlock. Default value is false, where polling is disabled on first login. Supported values are true or false.
Supported operations are Add, Get, and Replace.
**Provider/*ProviderID*/Poll/AllUsersPollOnFirstLogin**
-Optional. Boolean value that allows the IT admin to require the device to start a management session on first user login for all NT users. A session is only kicked off the first time a user logs in to the system; subsequent logins will not trigger an MDM session. Login is not the same as device unlock. Default value is false, where polling is disabled on first login. Supported values are true or false.
+Optional. Boolean value that allows the IT admin to require the device to start a management session on first user login for all NT users. A session is only kicked off the first time a user logs in to the system. Later sign-ins won't trigger an MDM session. Login isn't the same as device unlock. Default value is false, where polling is disabled on first login. Supported values are true or false.
Supported operations are Add, Get, and Replace.
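Review bot: the `<ProviderID>` path segment is lost in both rewritten interval descriptions (the IntervalForSecondSetOfRetries paragraph now reads `//Poll/NumberOfSecondRetries` and the IntervalForRemainingScheduledRetries paragraph `//Poll/NumberOfRemainingScheduledRetries`), and the rewording "the waiting time (in minutes) ..., which is the number of retries in ..." now states that the interval is the retry count. Keep the original relation and put the placeholder inside the code span so the angle brackets survive markdown rendering, e.g. "the waiting time (in minutes) for the second set of retries, as specified by the number of retries in `/<ProviderID>/Poll/NumberOfSecondRetries`". While this region is being touched, the unchanged sentence under NumberOfSecondRetries ("temporarily retries that the total duration should be last for more than a day") is still unreadable and should be rewritten as well.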
@@ -609,7 +612,7 @@ Optional. This node enables [Config Lock](config-lock.md) feature. If enabled, p
Default = Locked
> [!Note]
->If the device is not a Secured-core PC, then this feature will not work. To know more, see [Secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure).
+>If the device isn't a Secured-core PC, then this feature won't work. To know more, see [Secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure).
**Provider/*ProviderID*/ConfigLock/Lock**
@@ -635,12 +638,12 @@ Optional. Not configurable during WAP Provisioning XML. If removed, DM sessions
Supported operations are Add and Delete.
**Provider/*ProviderID*/Push/PFN**
-Required. A string provided by the Windows 10 ecosystem for an MDM solution. Used to register a device for Push Notifications. The server must use the same PFN as the devices it is managing.
+Required. A string provided by the Windows 10 ecosystem for an MDM solution. Used to register a device for Push Notifications. The server must use the same PFN as the devices it's managing.
Supported operations are Add, Get, and Replace.
**Provider/*ProviderID*/Push/ChannelURI**
-Required. A string that contains the channel that the WNS client has negotiated for the OMA DM client on the device based on the PFN that was provided. If no valid PFN is currently set, ChannelURI will return null.
+Required. A string that contains the channel that the WNS client has negotiated for the OMA DM client on the device, based on the PFN that was provided. If no valid PFN is currently set, ChannelURI will return null.
Supported operation is Get.
@@ -720,12 +723,12 @@ Optional. Added in Windows 10, version 1703. Specifies the body text of the all
Supported operations are Add, Delete, Get, and Replace. Value type is string.
**Provider/*ProviderID*/CustomEnrollmentCompletePage/HyperlinkHref**
-Optional. Added in Windows 10, version 1703. Specifies the URL that is shown at the end of the MDM enrollment flow.
+Optional. Added in Windows 10, version 1703. Specifies the URL that's shown at the end of the MDM enrollment flow.
Supported operations are Add, Delete, Get, and Replace. Value type is string.
**Provider/*ProviderID*/CustomEnrollmentCompletePage/HyperlinkText**
-Optional. Added in Windows 10, version 1703. Specifies the display text for the URL that is shown at the end of the MDM enrollment flow.
+Optional. Added in Windows 10, version 1703. Specifies the display text for the URL that's shown at the end of the MDM enrollment flow.
Supported operations are Add, Delete, Get, and Replace. Value type is string.
@@ -733,39 +736,39 @@ Supported operations are Add, Delete, Get, and Replace. Value type is string.
Optional node. Added in Windows 10, version 1709.
**Provider/*ProviderID*/FirstSyncStatus/ExpectedPolicies**
-Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to policies the management service provider expects to provision, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER).
+Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to policies the management service provider expects to configure, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER).
Supported operations are Add, Delete, Get, and Replace. Value type is string.
**Provider/*ProviderID*/FirstSyncStatus/ExpectedNetworkProfiles**
-Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to Wi-Fi profiles and VPN profiles the management service provider expects to provision, delimited by the character L"\xF000".
+Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to Wi-Fi profiles and VPN profiles the management service provider expects to configure, delimited by the character L"\xF000".
Supported operations are Add, Delete, Get, and Replace. Value type is string.
**Provider/*ProviderID*/FirstSyncStatus/ExpectedMSIAppPackages**
-Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to App Packages the management service provider expects to provision via EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We will not verify that number. For example, `./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2` This represents App Package ProductID1 containing four apps, and ProductID2 containing two apps.
+Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to App Packages the management service provider expects to configure using the EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. For example, `./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2` This represents App Package ProductID1 containing four apps, and ProductID2 containing two apps.
Supported operations are Add, Delete, Get, and Replace. Value type is string.
**Provider/*ProviderID*/FirstSyncStatus/ExpectedModernAppPackages**
-Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to App Packages the management service provider expects to provision via EnterpriseModernAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the amount of apps included in the App Package. We will not verify that number. For example,
+Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to App Packages the management service provider expects to configure using the EnterpriseModernAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. For example,
``` syntax
./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName/Name;4"\xF000"
./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName2/Name;2
```
-This represents App Package PackageFullName containing four apps, and PackageFullName2 containing two apps.
+This syntax represents App Package PackageFullName containing four apps, and PackageFullName2 containing two apps.
Supported operations are Add, Delete, Get, and Replace. Value type is string.
**Provider/*ProviderID*/FirstSyncStatus/ExpectedPFXCerts**
-Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to certs the management service provider expects to provision via ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER).
+Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to certs the management service provider expects to configure using the ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER).
Supported operations are Add, Delete, Get, and Replace. Value type is string.
**Provider/*ProviderID*/FirstSyncStatus/ExpectedSCEPCerts**
-Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to SCEP certs the management service provider expects to provision via ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER).
+Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to SCEP certs the management service provider expects to configure using the ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER).
Supported operations are Add, Delete, Get, and Replace. Value type is string.
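Review bot: the delimiter in the ExpectedMSIAppPackages example (`.../ProductID1/Status;4"\xF000" ./User/...`) and in the fenced ExpectedModernAppPackages example reads as literal quote characters inside a code span, with the `L` prefix of `L"\xF000"` dropped, so a reader cannot tell that the entries are separated by the single U+F000 character named as CSP_LIST_DELIMITER two paragraphs earlier. Since these paragraphs are being reworded, state once that the separator is the single character U+F000 and show it in the examples with a visible placeholder; the fence tag ``` syntax is also not a recognised language and could become ```text.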
@@ -775,42 +778,42 @@ Required. Added in Windows 10, version 1709. This node determines how long we wi
Supported operations are Get and Replace. Value type is integer.
**Provider/*ProviderID*/FirstSyncStatus/ServerHasFinishedProvisioning**
-Required. Added in Windows 10, version 1709. This node is set by the server to inform the UX that the server has finished provisioning the device. This was added so that the server can “change its mind" about what it needs to provision on the device. When this node is set, many other DM Client nodes will no longer be able to be changed. If this node is not True, the UX will consider the provisioning a failure. Once set to true, it would reject attempts to change it back to false with CFGMGR_E_COMMANDNOTALLOWED. This node applies to the per user expected policies and resources lists.
+Required. Added in Windows 10, version 1709. This node is set by the server to inform the UX that the server has finished configuring the device. It was added so that the server can “change its mind" about what it needs to configure on the device. When this node is set, many other DM Client nodes can't be changed. If this node isn't True, the UX will consider the configuration a failure. Once set to true, it would reject attempts to change it back to false with CFGMGR_E_COMMANDNOTALLOWED. This node applies to the per user expected policies and resources lists.
Supported operations are Get and Replace. Value type is boolean.
**Provider/*ProviderID*/FirstSyncStatus/IsSyncDone**
-Required. Added in Windows 10, version 1709. This node, when doing a get, tells the server if the “First Syncs" are done and the device is fully provisioned. When doing a Set, this triggers the UX to override whatever state it is in and tell the user that the device is provisioned. It cannot be set from True to False (it will not change its mind on whether or not the sync is done), and it cannot be set from True to True (to prevent notifications from firing multiple times). This node only applies to the user MDM status page (on a per user basis).
+Required. Added in Windows 10, version 1709. This node, when doing a get, tells the server if the “First Syncs" are done and the device is fully configured. `Set` triggers the UX to override whatever state it's in, and tell the user that the device is configured. It can't be set from True to False (it won't change its mind if the sync is done), and it can't be set from True to True (to prevent notifications from firing multiple times). This node only applies to the user MDM status page (on a per user basis).
Supported operations are Get and Replace. Value type is boolean.
**Provider/*ProviderID*/FirstSyncStatus/WasDeviceSuccessfullyProvisioned**
-Required. Added in Windows 10, version 1709. Integer node determining if a device was successfully provisioned. 0 is failure, 1 is success, 2 is in progress. Once the value is changed to 0 or 1, the value cannot be changed again. The client will change the value of success or failure and update the node. The server can, however, force a failure or success message to appear on the device by setting this value and then setting the IsSyncDone node to true. This node only applies to the user MDM status page (on a per user basis).
+Required. Added in Windows 10, version 1709. Integer node determining if a device was successfully configured. 0 is failure, 1 is success, 2 is in progress. Once the value is changed to 0 or 1, the value can't be changed again. The client will change the value of success or failure and update the node. The server can force a failure or success message to appear on the device by setting this value and then setting the IsSyncDone node to true. This node only applies to the user MDM status page (on a per user basis).
Supported operations are Get and Replace. Value type is integer.
**Provider/*ProviderID*/FirstSyncStatus/BlockInStatusPage**
-Required. Device Only. Added in Windows 10, version 1803. This node determines whether or not the MDM progress page is blocking in the Azure AD joined or DJ++ case, as well as which remediation options are available.
+Required. Device Only. Added in Windows 10, version 1803. This node determines if the MDM progress page is blocking in the Azure AD joined or DJ++ case, and which remediation options are available.
Supported operations are Get and Replace. Value type is integer.
**Provider/*ProviderID*/FirstSyncStatus/AllowCollectLogsButton**
-Required. Added in Windows 10, version 1803. This node decides whether or not the MDM progress page displays the Collect Logs button.
+Required. Added in Windows 10, version 1803. This node decides if the MDM progress page displays the Collect Logs button.
Supported operations are Get and Replace. Value type is bool.
**Provider/*ProviderID*/FirstSyncStatus/CustomErrorText**
-Required. Added in Windows 10, version 1803. This node allows the MDM to set custom error text, detailing what the user needs to do in case of error.
+Required. Added in Windows 10, version 1803. This node allows the MDM to set custom error text, detailing what the user needs to do if there's an error.
Supported operations are Add, Get, Delete, and Replace. Value type is string.
**Provider/*ProviderID*/FirstSyncStatus/SkipDeviceStatusPage**
-Required. Device only. Added in Windows 10, version 1803. This node decides whether or not the MDM device progress page skips after Azure AD joined or Hybrid Azure AD joined in OOBE.
+Required. Device only. Added in Windows 10, version 1803. This node decides if the MDM device progress page skips after Azure AD joined or Hybrid Azure AD joined in OOBE.
Supported operations are Get and Replace. Value type is bool.
**Provider/*ProviderID*/FirstSyncStatus/SkipUserStatusPage**
-Required. Device only. Added in Windows 10, version 1803. This node decides whether or not the MDM user progress page skips after Azure AD joined or DJ++ after user login.
+Required. Device only. Added in Windows 10, version 1803. This node decides if the MDM user progress page skips after Azure AD joined or DJ++ after user login.
Supported operations are Get and Replace. Value type is bool.
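Review bot: replacing "provisioning" with "configuring" in the ServerHasFinishedProvisioning, IsSyncDone and WasDeviceSuccessfullyProvisioned paragraphs leaves the prose out of step with the node names themselves, which still say Provisioning/Provisioned; keep "provision" where it refers to the first-sync flow these nodes report on. Two smaller points in the same hunk: the ServerHasFinishedProvisioning line still opens with a curly quote and closes with a straight one (“change its mind"), and in IsSyncDone the rewrite "it won't change its mind if the sync is done" no longer says what the original did ("on whether or not the sync is done"); also the new backticked `Set` reads as an operation name, while the line below lists the supported operations as Get and Replace, so "Replace" (or plain "a set") would be clearer.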
@@ -820,12 +823,12 @@ Required node. Added in Windows 10, version 1709.
Supported operation is Get.
**Provider/*ProviderID*/EnhancedAppLayerSecurity/SecurityMode**
-Required. Added in Windows 10, version 1709. This node specifies how the client will perform the app layer signing and encryption. 0: no op; 1: sign only; 2: encrypt only; 3: sign and encrypt. The default value is 0.
+Required. Added in Windows 10, version 1709. This node specifies how the client will do the app layer signing and encryption. 0: no op; 1: sign only; 2: encrypt only; 3: sign and encrypt. The default value is 0.
Supported operations are Add, Get, Replace, and Delete. Value type is integer.
**Provider/*ProviderID*/EnhancedAppLayerSecurity/UseCertIfRevocationCheckOffline**
-Required. Added in Windows 10, version 1709. This node, when it is set, tells the client to use the certificate even when the client cannot check the certificate's revocation status because the device is offline. The default value is set.
+Required. Added in Windows 10, version 1709. When this node is set, it tells the client to use the certificate even when the client can't check the certificate's revocation status because the device is offline. The default value is set.
Supported operations are Add, Get, Replace, and Delete. Value type is boolean.
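Review bot: "how the client will do the app layer signing and encryption" in the SecurityMode paragraph reads awkwardly; "perform" was fine, or use "how the client signs and encrypts at the app layer". In the UseCertIfRevocationCheckOffline paragraph, which is also being reworded, "The default value is set" stays ambiguous for a boolean node; state the default as true or false explicitly, since that default decides whether the client proceeds with the certificate when it cannot check revocation offline, and an admin reviewing this setting needs to read it unambiguously.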
@@ -840,13 +843,13 @@ Required. Added in Windows 10, version 1709. The node contains the secondary cer
Supported operations are Add, Get, Replace, and Delete. Value type is string.
**Provider/*ProviderID*/Unenroll**
-Required. The node accepts unenrollment requests by way of the OMA DM Exec command and calls the enrollment client to unenroll the device from the management server whose provider ID is specified in the `` tag under the `- ` element. Scope is permanent.
+Required. The node accepts unenrollment requests using the OMA DM Exec command and calls the enrollment client to unenroll the device from the management server whose provider ID is specified in the `` tag under the `
- ` element. Scope is permanent.
Supported operations are Get and Exec.
-Note that <LocURI>./Vendor/MSFT/DMClient/Unenroll</LocURI> is supported for backward compatibility.
+<LocURI>./Vendor/MSFT/DMClient/Unenroll</LocURI> is supported for backward compatibility.
-The following SyncML shows how to remotely unenroll the device. Note that this command should be inserted in the general DM packages sent from the server to the device.
+The following SyncML shows how to remotely unenroll the device. This command should be inserted in the general DM packages sent from the server to the device.
```xml
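Review bot: the rewritten Unenroll description splits a backtick span across two lines (`` ` `` at the end of the first line and `` - ` `` starting the next), so the fragment will render as a bullet item rather than inline code; keep the sentence on one line. The element names inside those code spans are empty in both the old and new text (the `` tag under the `` element), which means the sentence no longer says where the provider ID is carried; restore the tag names before merging. The backward-compatibility line now begins with a bare `<LocURI>./Vendor/MSFT/DMClient/Unenroll</LocURI>` outside a code span, which markdown will treat as an HTML tag and drop; wrap it in backticks.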
@@ -864,17 +867,7 @@ The following SyncML shows how to remotely unenroll the device. Note that this c
```
-## Related topics
+## Related articles
[Configuration service provider reference](configuration-service-provider-reference.md)
-
-
-
-
-
-
-
-
-
-
diff --git a/windows/client-management/mdm/dmprocessconfigxmlfiltered.md b/windows/client-management/mdm/dmprocessconfigxmlfiltered.md
index 1e95f549b9..37ffda5536 100644
--- a/windows/client-management/mdm/dmprocessconfigxmlfiltered.md
+++ b/windows/client-management/mdm/dmprocessconfigxmlfiltered.md
@@ -25,26 +25,27 @@ ms.date: 06/26/2017
# DMProcessConfigXMLFiltered function
> [!Important]
-> The use of this function for automatic data configuration (ADC) is deprecated in Windows Phone 8.1. Please see [Connectivity configuration](/previous-versions//dn757424(v=vs.85)) for more information about the new process for provisioning connectivity configuration. However, this function is still supported for other OEM uses.
+> The use of this function for automatic data configuration (ADC) is deprecated in Windows Phone 8.1. For more information about the new process for provisioning connectivity configuration, see [Connectivity configuration](/previous-versions//dn757424(v=vs.85)). However, this function is still supported for other OEM uses.
Configures phone settings by using OMA Client Provisioning XML. Use of this function is strictly limited to the following scenarios.
- Adding dynamic credentials for OMA Client Provisioning.
-- Manufacturing test applications. These applications and the supporting drivers must be removed from the phones before they are sold.
+- Manufacturing test applications. These applications and the supporting drivers must be removed from the phones before they're sold.
-Microsoft recommends that this function is not used to configure the following types of settings.
+Microsoft recommends that this function isn't used to configure the following types of settings:
-- Security settings that are configured by using CertificateStore, SecurityPolicy, and RemoteWipe, unless they are related to OMA DM or OMA Client Provisioning security policies.
+- Security settings that are configured using CertificateStore, SecurityPolicy, and RemoteWipe, unless they're related to OMA DM or OMA Client Provisioning security policies
- Non-cellular data connection settings (such as Hotspot settings).
-- File system files and registry settings, unless they are used for OMA DM account management, mobile operator data connection settings, or manufacturing tests.
+- File system files and registry settings, unless they're used for OMA DM account management, mobile operator data connection settings, or manufacturing tests
-- Email settings.
+- Email settings
-> **Note** The **DMProcessConfigXMLFiltered** function has full functionality in Windows 10 Mobile and Windows Phone 8.1, but it has a read-only functionality in Windows 10 desktop.
+> [!Note]
+> The **DMProcessConfigXMLFiltered** function has full functionality in Windows Phone 8.1, but it has a read-only functionality in Windows 10.
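Review bot: the "not recommended" list now has inconsistent punctuation: the rewritten items (security settings, file system and registry settings, email settings) drop the trailing period while the untouched "Non-cellular data connection settings (such as Hotspot settings)." keeps it; pick one form for all four. The lead-in "Microsoft recommends that this function isn't used to configure" is also ungrammatical after the contraction; "recommends that this function not be used to configure" or "recommends against using this function to configure" reads correctly.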
@@ -63,13 +64,13 @@ HRESULT STDAPICALLTYPE DMProcessConfigXMLFiltered(
*pszXmlIn*
-- [in] The null–terminated input XML buffer containing the configuration data. The parameter holds the XML that will be used to configure the phone. DMProcessConfigXMLFiltered accepts only OMA Client Provisioning XML (also known as WAP provisioning). It does not accept OMA DM SyncML XML (also known as SyncML).
+- [in] The null–terminated input XML buffer containing the configuration data. The parameter holds the XML that will be used to configure the phone. DMProcessConfigXMLFiltered accepts only OMA Client Provisioning XML (also known as WAP provisioning). It doesn't accept OMA DM SyncML XML (also known as SyncML).
*rgszAllowedCspNode*
-- [in] Array of WCHAR\* that specify which configuration service provider nodes are allowed to be invoked.
+- [in] Array of WCHAR\* that specify which configuration service provider nodes can be invoked.
@@ -85,11 +86,11 @@ HRESULT STDAPICALLTYPE DMProcessConfigXMLFiltered(
-If **DMProcessConfigXMLFiltered** retrieves a document, the *pbstrXmlOut* holds the XML output (in string form) of the provisioning operations. If **DMProcessConfigXMLFiltered** returns a failure, the XML output often contains "error nodes" that indicate which elements of the original XML failed. If the input document does not contain queries and is successfully processed, the output document should resemble the input document. In some error cases, no output is returned.
+If **DMProcessConfigXMLFiltered** retrieves a document, the *pbstrXmlOut* holds the XML output (in string form) of the provisioning operations. If **DMProcessConfigXMLFiltered** returns a failure, the XML output often contains "error nodes" that indicate which elements of the original XML failed. If the input document doesn't contain queries and is successfully processed, the output document should resemble the input document. In some error cases, no output is returned.
## Return value
-Returns the standard **HRESULT** value **S\_OK** to indicate success. The following table shows the additional error codes that may be returned.
+Returns the standard **HRESULT** value **S\_OK** to indicate success. The following table shows more error codes that can be returned:
@@ -130,9 +131,9 @@ Returns the standard **HRESULT** value **S\_OK** to indicate success. The follow
## Remarks
-The processing of the XML is transactional; either the entire document gets processed successfully or none of the settings are processed. Therefore, the **DMProcessConfigXMLFiltered** function processes only one XML configuration request at a time.
+The processing of the XML is transactional. Either the entire document gets processed successfully, or none of the settings are processed. So, the **DMProcessConfigXMLFiltered** function processes only one XML configuration request at a time.
-The usage of **DMProcessConfigXMLFiltered** depends on the configuration service providers that are used. For example, if the input .provxml contains the following two settings:
+The usage of **DMProcessConfigXMLFiltered** depends on the configuration service providers that are used. For example, if the input `.provxml` contains the following two settings:
``` XML
@@ -163,9 +164,9 @@ LPCWSTR rgszAllowedCspNodes[] =
};
```
-This array of configuration service provider names indicates which .provxml contents should be present. If the provxml contains "EMAIL2" provisioning but *rgszAllowedCspNodes* does not contain EMAIL2, then **DMProcessConfigXMLFiltered** fails with an **E\_ACCESSDENIED** error code.
+This array of configuration service provider names indicates which `.provxml` contents should be present. If the provxml contains "EMAIL2" provisioning but *rgszAllowedCspNodes* doesn't contain EMAIL2, then **DMProcessConfigXMLFiltered** fails with an **E\_ACCESSDENIED** error code.
-The following code sample shows how this array would be passed in. Note that *szProvxmlContent* does not show the full XML contents for brevity. In actual usage, the "…" would contain the full XML string shown above.
+The following code sample shows how this array would be passed in. The *szProvxmlContent* doesn't show the full XML contents for brevity. In actual usage, the "…" would contain the full XML string shown above.
``` C++
WCHAR szProvxmlContent[] = L"...";
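Review bot: "The *szProvxmlContent* doesn't show the full XML contents" puts an article in front of an identifier; since *szProvxmlContent* is the variable in the code sample below, "*szProvxmlContent* is abbreviated here for brevity" or "The *szProvxmlContent* value doesn't show ..." is clearer. The rest of the hunk (backticking `.provxml`, the E_ACCESSDENIED sentence) is fine.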
diff --git a/windows/client-management/mdm/email2-csp.md b/windows/client-management/mdm/email2-csp.md
index d0a213f372..d84509518f 100644
--- a/windows/client-management/mdm/email2-csp.md
+++ b/windows/client-management/mdm/email2-csp.md
@@ -17,13 +17,14 @@ ms.date: 06/26/2017
The EMAIL2 configuration service provider (CSP) is used to configure Simple Mail Transfer Protocol (SMTP) email accounts.
-> **Note** This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_CSP\_MAIL capabilities to be accessed from a network configuration application.
-On the desktop, only per user configuration is supported.
+> [!Note]
+> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_CSP\_MAIL capabilities to be accessed from a network configuration application.
-
+On Windows client, only per user configuration is supported.
-The following shows the EMAIL2 configuration service provider management object in tree format as used by both OMA DM and OMA Client Provisioning.
-```
+The following information shows the EMAIL2 configuration service provider management object in tree format as used by both OMA DM and OMA Client Provisioning.
+
+```console
./Vendor/MSFT
EMAIL2
----Account GUID
@@ -60,9 +61,10 @@ EMAIL2
------------8128000B
------------812C000B
```
-In Windows 10 Mobile, after the user’s out of box experience, an OEM or mobile operator can use the EMAIL2 configuration service provider to provision the device with a mobile operator’s proprietary mail over the air. After provisioning, the **Start** screen has a tile for the proprietary mail provider and there is also a link to it in the applications list under **Settings, email & accounts**. After an account has been updated over-the-air by the EMAIL2 CSP, the device must be powered off and then powered back on to see the sync status.
-Configuration data is not encrypted when sent over the air (OTA). Be aware that this is a potential security risk when sending sensitive configuration data, such as passwords.
+After provisioning, the **Start** screen has a tile for the proprietary mail provider and there's also a link to it in the applications list under **Settings, email & accounts**. After an account has been updated over-the-air by the EMAIL2 CSP, the device must be powered off and then powered back on to see the sync status.
+
+Configuration data isn't encrypted when sent over the air (OTA). This is a potential security risk when sending sensitive configuration data, such as passwords.
> [!IMPORTANT]
> All Add and Replace commands need to be wrapped in an Atomic section.
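Review bot: deleting the Windows 10 Mobile sentence removes the only mention of a mobile operator's proprietary mail, so the retained sentence "After provisioning, the **Start** screen has a tile for the proprietary mail provider" now refers to something the page never introduces; either drop that sentence with the Mobile paragraph or reword it to say which provider's tile appears. The retained over-the-air warning ("Configuration data isn't encrypted when sent over the air (OTA). This is a potential security risk when sending sensitive configuration data, such as passwords.") is the kind of statement the `> [!IMPORTANT]` callout introduced just below is meant for; consider moving it into a callout so it is not read as ordinary body text.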
@@ -73,7 +75,7 @@ The configuration service provider root node.
Supported operation is Get.
***GUID***
-Defines a specific email account. A globally unique identifier (GUID) must be generated for each email account on the device. Provisioning with an account that has the same GUID as an existing one does not create the new account and Add command will fail in this case.
+Defines a specific email account. A globally unique identifier (GUID) must be generated for each email account on the device. Provisioning with an account that has the same GUID as an existing one doesn't create the new account and Add command will fail in this case.
Supported operations are Get, Add, and Delete.
@@ -86,14 +88,14 @@ The braces {} around the GUID are required in the EMAIL2 configuration service p
**ACCOUNTICON**
Optional. Returns the location of the icon associated with the account.
-Supported operations are Get, Add, Replace and Delete.
+Supported operations are Get, Add, Replace, and Delete.
-The account icon can be used as a tile in the **Start** list or an icon in the applications list under **Settings, email & accounts**. Some icons are already provided on the device. The suggested icon for POP/IMAP or generic ActiveSync accounts is at res://AccountSettingsSharedRes{*ScreenResolution*}!%s.genericmail.png. The suggested icon for Exchange Accounts is at res://AccountSettingsSharedRes{*ScreenResolution*}!%s.office.outlook.png. Custom icons can be added if desired.
+The account icon can be used as a tile in the **Start** list or an icon in the applications list under **Settings, email & accounts**. Some icons are already provided on the device. The suggested icon for POP/IMAP or generic ActiveSync accounts is at res://AccountSettingsSharedRes{*ScreenResolution*}!%s.genericmail.png. The suggested icon for Exchange Accounts is at res://AccountSettingsSharedRes{*ScreenResolution*}!%s.office.outlook.png. Custom icons can be added.
**ACCOUNTTYPE**
Required. Specifies the type of account.
-Supported operations are Get, Add, Replace and Delete.
+Supported operations are Get, Add, Replace, and Delete.
Valid values are:
@@ -104,60 +106,61 @@ Valid values are:
**AUTHNAME**
Required. Character string that specifies the name used to authorize the user to a specific email account (also known as the user's logon name).
-Supported operations are Get, Add, Replace and Delete.
+Supported operations are Get, Add, Replace, and Delete.
**AUTHREQUIRED**
Optional. Character string that specifies whether the outgoing server requires authentication.
-Supported operations are Get, Add, Replace and Delete.
+Supported operations are Get, Add, Replace, and Delete.
-Valid values are one of the following:
+Value options:
-- 0 - Server authentication is not required.
+- 0 - Server authentication isn't required.
- 1 - Server authentication is required.
-> **Note** If this value is not specified, then no SMTP authentication is done. Also, this is different from SMTPALTENABLED.
+> [!NOTE]
+> If this value isn't specified, then no SMTP authentication is done. Also, this is different from SMTPALTENABLED.
**AUTHSECRET**
Optional. Character string that specifies the user's password. The same password is used for SMTP authentication.
-Supported operations are Get, Add, Replace and Delete.
+Supported operations are Get, Add, Replace, and Delete.
**DOMAIN**
Optional. Character string that specifies the incoming server credentials domain. Limited to 255 characters.
-Supported operations are Get, Add, Replace and Delete.
+Supported operations are Get, Add, Replace, and Delete.
**DWNDAY**
Optional. Character string that specifies how many days' worth of email should be downloaded from the server.
-Supported operations are Get, Add, Replace and Delete.
+Supported operations are Get, Add, Replace, and Delete.
-Valid values are one of the following:
+Value options:
- -1: Specifies that all email currently on the server should be downloaded.
-- 7: Specifies that 7 days’ worth of email should be downloaded.
+- 7: Specifies that seven days’ worth of email should be downloaded.
- 14: Specifies that 14 days’ worth of email should be downloaded.
- 30: Specifies that 30 days’ worth of email should be downloaded.
**INSERVER**
-Required. Character string that specifies the name of the incoming server name and port number. This is limited to 62 characters. If the standard port number is used, then you don't have to specify the port number. The value format is:
+Required. Character string that specifies the name of the incoming server name and port number. This string is limited to 62 characters. If the standard port number is used, then you don't have to specify the port number. The value format is:
- server name:port number
-Supported operations are Get, Add and Replace.
+Supported operations are Get, Add, and Replace.
**LINGER**
Optional. Character string that specifies the length of time between email send/receive updates in minutes.
-Supported operations are Get, Add, Replace and Delete.
+Supported operations are Get, Add, Replace, and Delete.
-Valid values are:
+Value options:
- 0 - Email updates must be performed manually.
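Review bot: The INSERVER line `+Required. Character string that specifies the name of the incoming server name and port number.` still carries the doubled "name of the incoming server name" while the rest of the sentence is being reworded; suggest "Character string that specifies the incoming server name and port number."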
@@ -174,16 +177,16 @@ Optional. Specifies the maximum size for a message attachment. Attachments beyon
The limit is specified in KB
-Valid values are 0, 25, 50, 125, and 250.
+Value options are 0, 25, 50, 125, and 250.
A value of 0 meaning that no limit will be enforced.
-Supported operations are Get, Add, Replace and Delete.
+Supported operations are Get, Add, Replace, and Delete.
**NAME**
Optional. Character string that specifies the name of the sender displayed on a sent email. It should be set to the user’s name. Limited to 255 characters.
-Supported operations are Get, Add, Replace and Delete.
+Supported operations are Get, Add, Replace, and Delete.
**OUTSERVER**
Required. Character string that specifies the name of the messaging service's outgoing email server. Limited to 62 characters. The value format is:
@@ -195,14 +198,15 @@ Supported operations are Get, Add, Delete, and Replace.
**REPLYADDR**
Required. Character string that specifies the reply email address of the user (usually the same as the user email address). Sending email will fail without it. Limited to 255 characters.
-Supported operations are Get, Add, Delete and Replace.
+Supported operations are Get, Add, Delete, and Replace.
**SERVICENAME**
Required. Character string that specifies the name of the email service to create or edit (32 characters maximum).
Supported operations are Get, Add, Replace, and Delete.
-> **Note** The EMAIL2 Configuration Service Provider does not support the OMA DM **Replace** command on the parameters **SERVICENAME** and **SERVICETYPE**. To replace either the email account name or the account service type, the existing email account must be deleted and then a new one must be created.
+> [!NOTE]
+> The EMAIL2 Configuration Service Provider doesn't support the OMA DM **Replace** command on the parameters **SERVICENAME** and **SERVICETYPE**. To replace either the email account name or the account service type, the existing email account must be deleted and then a new one must be created.
@@ -211,19 +215,19 @@ Required. Character string that specifies the type of email service to create or
Supported operations are Get, Add, Replace, and Delete.
-> **Note** The EMAIL2 Configuration Service Provider does not support the OMA DM **Replace** command on the parameters **SERVICENAME** and **SERVICETYPE**. To replace either the email account name or the account service type, the existing email account must be deleted and then a new one must be created.
+> **Note** The EMAIL2 Configuration Service Provider doesn't support the OMA DM **Replace** command on the parameters **SERVICENAME** and **SERVICETYPE**. To replace either the email account name or the account service type, the existing email account must be deleted and then a new one must be created.
**RETRIEVE**
Optional. Specifies the maximum size in bytes for messages retrieved from the incoming email server. Messages beyond this size are retrieved, but truncated.
-Valid values are 512, 1024, 2048, 5120, 20480, and 51200.
+Value options are 512, 1024, 2048, 5120, 20480, and 51200.
Supported operations are Get, Add, Replace, and Delete.
**SERVERDELETEACTION**
-Optional. Character string that specifies how message is deleted on server. Valid values:
+Optional. Character string that specifies how message is deleted on server. Value options:
- 1 - delete message on the server
- 2 - keep the message on the server (delete to the Trash folder).
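Review bot: The SERVICETYPE note at `+> **Note** The EMAIL2 Configuration Service Provider doesn't support the OMA DM **Replace** command...` keeps the legacy `> **Note**` form, while the identical SERVICENAME note in the previous hunk was converted to `> [!NOTE]` with the text on the following line. Convert this one the same way so the two notes render consistently.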
@@ -238,7 +242,7 @@ Optional. If this flag is set, the account only uses the cellular network and no
Value type is string. Supported operations are Get, Add, Replace, and Delete.
**SYNCINGCONTENTTYPES**
-Required. Specifies a bitmask for which content types are supported for syncing (eg: Mail, Contacts, Calendar).
+Required. Specifies a bitmask for which content types are supported for syncing, like Mail, Contacts, and Calendar.
- No data (0x0)
- Contacts (0x1)
@@ -257,12 +261,12 @@ Required. Specifies a bitmask for which content types are supported for syncing
Supported operations are Get, Add, Replace, and Delete.
**CONTACTSSERVER**
-Optional. Server for contact sync if it is different from the email server.
+Optional. Server for contact sync if it's different from the email server.
Supported operations are Get, Add, Replace, and Delete.
**CALENDARSERVER**
-Optional. Server for calendar sync if it is different from the email server.
+Optional. Server for calendar sync if it's different from the email server.
Supported operations are Get, Add, Replace, and Delete.
@@ -289,38 +293,38 @@ Supported operations are Get, Add, Replace, and Delete.
**SMTPALTAUTHNAME**
Optional. Character string that specifies the display name associated with the user's alternative SMTP email account.
-Supported operations are Get, Add, Replace and Delete.
+Supported operations are Get, Add, Replace, and Delete.
**SMTPALTDOMAIN**
Optional. Character string that specifies the domain name for the user's alternative SMTP account.
-Supported operations are Get, Add, Replace and Delete.
+Supported operations are Get, Add, Replace, and Delete.
**SMTPALTENABLED**
Optional. Character string that specifies if the user's alternate SMTP account is enabled.
-Supported operations are Get, Add, Replace and Delete.
+Supported operations are Get, Add, Replace, and Delete.
-A value of "FALSE" specifies that the user's alternate SMTP email account is disabled. A value of "TRUE" specifies that the user's alternate SMTP email account is enabled.
+A value of "FALSE" means the user's alternate SMTP email account is disabled. A value of "TRUE" means that the user's alternate SMTP email account is enabled.
**SMTPALTPASSWORD**
Optional. Character string that specifies the password for the user's alternate SMTP account.
-Supported operations are Get, Add, Replace and Delete.
+Supported operations are Get, Add, Replace, and Delete.
**TAGPROPS**
Optional. Defines a group of properties with non-standard element names.
-Supported operations are Get, Add, Replace and Delete.
+Supported operations are Get, Add, Replace, and Delete.
**TAGPROPS/8128000B**
Optional. Character string that specifies if the incoming email server requires SSL.
-Supported operations are Get, Add, Replace and Delete.
+Supported operations are Get, Add, Replace, and Delete.
-Value is one of the following:
+Value options:
-- 0 - SSL is not required.
+- 0 - SSL isn't required.
- 1 - SSL is required.
**TAGPROPS/812C000B**
@@ -328,49 +332,39 @@ Optional. Character string that specifies if the outgoing email server requires
Supported operations are Get and Replace.
-Value is one of the following:
+Value options:
-- 0 - SSL is not required.
+- 0 - SSL isn't required.
- 1 - SSL is required.
## Remarks
-When an application removal or configuration roll-back is provisioned, the EMAIL2 CSP passes the request to Configuration Manager, which handles the transaction externally. When a MAPI application is removed, the accounts that were created with it are deleted and all messages and other properties that the transport (for example, Short Message Service \[SMS\], Post Office Protocol \[POP\], or Simple Mail Transfer Protocol \[SMTP\]) might have stored, are lost. If an attempt to create a new email account is unsuccessful, the new account is automatically deleted. If an attempt to edit an existing account is unsuccessful, the original configuration is automatically rolled back (restored).
+When an application removal or configuration roll-back is provisioned, the EMAIL2 CSP passes the request to Configuration Manager, which handles the transaction externally. When a MAPI application is removed, the accounts that were created with it are deleted. All messages and other properties that the transport (like Short Message Service \[SMS\], Post Office Protocol \[POP\], or Simple Mail Transfer Protocol \[SMTP\]) might have stored, are lost. If an attempt to create a new email account is unsuccessful, the new account is automatically deleted. If an attempt to edit an existing account is unsuccessful, the original configuration is automatically rolled back (restored).
-For OMA DM, the EMAIL2 CSP handles the Replace command differently from most other configuration service providers. For the EMAIL2 CSP, Configuration Manager implicitly adds the missing part of the node to be replaced or any segment in the path of the node if it is left out in the \\ block. There are separate parameters defined for the outgoing server logon credentials. The following are the usage rules for these credentials:
+For OMA DM, the EMAIL2 CSP handles the Replace command differently from most other configuration service providers. For the EMAIL2 CSP, Configuration Manager implicitly adds the missing part of the node to be replaced or any segment in the path of the node if it's left out in the \\ block. There are separate parameters defined for the outgoing server logon credentials. The following are the usage rules for these credentials:
- The incoming server logon credentials are used (AUTHNAME, AUTHSECRET, and DOMAIN) unless the outgoing server credentials are set.
-- If some but not all of the outgoing server credentials parameters are present then the EMAIL2 Configuration Service Provider will be considered in error.
+- If some of the outgoing server credentials parameters are present, then the EMAIL2 Configuration Service Provider will be considered in error.
-- Account details cannot be queried unless the account GUID is known. Currently, there is no way to perform a top-level query for account GUIDs.
+- Account details cannot be queried unless the account GUID is known. Currently, there's no way to perform a top-level query for account GUIDs.
-Windows 10 Mobile supports Transport Layer Security (TLS), but this cannot be explicitly enabled through this configuration service provider, and the user cannot enable TLS through the UI. If the connection to the mail server is initiated with deferred SSL, the mail server can send STARTTLS as a server capability and TLS will be enabled. The following steps show how to enable TLS.
+If the connection to the mail server is initiated with deferred SSL, the mail server can send STARTTLS as a server capability and TLS will be enabled. The following steps show how to enable TLS.
1. The device attempts to connect to the mail server using SSL.
2. If the SSL connection fails, the device attempts to connect using deferred SSL.
-3. If the connection fails over both SSL and deferred SSL, and the user selected **Server requires encrypted (SSL) connection**, the device does not attempt another connection.
+3. If the connection fails over both SSL and deferred SSL, and the user selected **Server requires encrypted (SSL) connection**, the device doesn't attempt another connection.
-4. If the user did not select **Server requires encrypted (SSL) connection**, the device attempts to establish a non-SSL connection.
+4. If the user didn't select **Server requires encrypted (SSL) connection**, the device attempts to establish a non-SSL connection.
5. If the connection succeeds using any of the encryption protocols, the device requests the server capabilities.
-6. If one of the capabilities sent by the mail server is STARTTLS and the connection is deferred SSL, the device enables TLS. TLS is not enabled on connections using SSL or non-SSL.
+6. If one of the capabilities sent by the mail server is STARTTLS and the connection is deferred SSL, then the device enables TLS. TLS isn't enabled on connections using SSL or non-SSL.
-## Related topics
+## Related articles
[Configuration service provider reference](configuration-service-provider-reference.md)
-
-
-
-
-
-
-
-
-
-
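Review bot: The rewording at `+- If some of the outgoing server credentials parameters are present, then the EMAIL2 Configuration Service Provider will be considered in error.` changes the rule: the original said the CSP is in error only when some but not all of the outgoing credential parameters are set (a partial set), whereas the new text reads as an error whenever any of them is present, which contradicts the preceding bullet that says the outgoing credentials can be set. Suggest "If only some of the outgoing server credential parameters are present (not the full set), the EMAIL2 CSP is considered in error." Separately, the deletion in front of `+If the connection to the mail server is initiated with deferred SSL...` removes the statement that TLS cannot be explicitly enabled through this CSP or by the user in the UI; that is the caveat an admin reading the 8128000B/812C000B SSL flags needs, so keep it without the Windows 10 Mobile wording rather than dropping it, and the numbered steps that follow then have their lead-in again.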
diff --git a/windows/client-management/mdm/enterprise-app-management.md b/windows/client-management/mdm/enterprise-app-management.md
index 0f51e05177..9397684167 100644
--- a/windows/client-management/mdm/enterprise-app-management.md
+++ b/windows/client-management/mdm/enterprise-app-management.md
@@ -1,6 +1,6 @@
---
title: Enterprise app management
-description: This topic covers one of the key mobile device management (MDM) features in Windows 10 for managing the lifecycle of apps across all of Windows.
+description: This article covers one of the key mobile device management (MDM) features in Windows 10 for managing the lifecycle of apps across all of Windows.
ms.assetid: 225DEE61-C3E3-4F75-BC79-5068759DFE99
ms.reviewer:
manager: dansimp
@@ -14,7 +14,7 @@ ms.date: 10/04/2021
# Enterprise app management
-This topic covers one of the key mobile device management (MDM) features in Windows 10 for managing the lifecycle of apps across all of Windows. It is the ability to manage both Store and non-Store apps as part of the native MDM capabilities. New in Windows 10 is the ability to take inventory of all your apps.
+This article covers one of the key mobile device management (MDM) features in Windows 10. It manages the lifecycle of apps across all of Windows. It's the ability to manage both Store and non-Store apps as part of the native MDM capabilities. New in Windows 10 is the ability to take inventory of all your apps.
## Application management goals
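Review bot: Splitting the intro at `+This article covers one of the key mobile device management (MDM) features in Windows 10. It manages the lifecycle of apps across all of Windows. It's the ability to manage...` makes "It manages" read as though the article manages the app lifecycle, and the next sentence repeats the subject. Suggest one sentence: "This article covers one of the key mobile device management (MDM) features in Windows 10: managing the lifecycle of apps across all of Windows, both Store and non-Store apps, as part of the native MDM capabilities."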
@@ -26,20 +26,20 @@ Windows 10 offers the ability for management servers to:
- Inventory all apps for a user (Store and non-Store apps)
- Inventory all apps for a device (Store and non-Store apps)
- Uninstall all apps for a user (Store and non-Store apps)
-- Provision apps so they are installed for all users of a device running Windows 10 for desktop editions (Home, Pro, Enterprise, and Education)
+- Provision apps so they're installed for all users of a device running Windows 10 for desktop editions (Home, Pro, Enterprise, and Education)
- Remove the provisioned app on the device running Windows 10 for desktop editions
## Inventory your apps
-Windows 10 lets you inventory all apps deployed to a user and all apps for all users of a device on Windows 10 for desktop editions. The [EnterpriseModernAppManagement](enterprisemodernappmanagement-csp.md) configuration service provider (CSP) inventories packaged apps and does not include traditional Win32 apps installed via MSI or executables. When the apps are inventoried they are separated based on the following app classifications:
+Windows 10 lets you inventory all apps deployed to a user, and inventory all apps for all users of a device on Windows 10 for desktop editions. The [EnterpriseModernAppManagement](enterprisemodernappmanagement-csp.md) configuration service provider (CSP) inventories packaged apps and doesn't include traditional Win32 apps installed via MSI or executables. When the apps are inventoried, they're separated based on the following app classifications:
- Store - Apps that are from the Microsoft Store. Apps can be directly installed from the Store or delivered with the enterprise from the Store for Business
-- nonStore - Apps that were not acquired from the Microsoft Store.
-- System - Apps that are part of the OS. You cannot uninstall these apps. This classification is read-only and can only be inventoried.
+- nonStore - Apps that weren't acquired from the Microsoft Store.
+- System - Apps that are part of the OS. You can't uninstall these apps. This classification is read-only and can only be inventoried.
These classifications are represented as nodes in the EnterpriseModernAppManagement CSP.
-The following shows the EnterpriseModernAppManagement CSP in a tree format.
+The following information shows the EnterpriseModernAppManagement CSP in a tree format:
```console
./Device/Vendor/MSFT
@@ -145,13 +145,10 @@ EnterpriseAppManagement
Each app displays one package family name and 1-n package full names for installed apps. The apps are categorized based on their origin (Store, nonStore, System).
-Inventory can be performed recursively at any level from the AppManagement node through the package full name. Inventory can also be performed only for a specific inventory attribute.
+Inventory can run recursively at any level from the AppManagement node through the package full name. Inventory can also run only for a specific inventory attribute.
Inventory is specific to the package full name and lists bundled packs and resources packs as applicable under the package family name.
-> [!NOTE]
-> On Windows 10 Mobile, XAP packages have the product ID in place of both the package family name and package full name.
-
Here are the nodes for each package full name:
- Name
@@ -172,11 +169,11 @@ For detailed descriptions of each node, see [EnterpriseModernAppManagement CSP](
### App inventory
-You can use the EnterpriseModernAppManagement CSP to query for all apps installed for a user or device. The query returns all apps regardless if they were installed via MDM or other methods. Inventory can be performed at the user or device level. Inventory at the device level will return information for all users on the device.
+You can use the EnterpriseModernAppManagement CSP to query for all apps installed for a user or device. The query returns all apps, even if they were installed using MDM or other methods. Inventory can run at the user or device level. Inventory at the device level will return information for all users on the device.
-Note that performing a full inventory of a device can be resource intensive on the client based on the hardware and number of apps that are installed. The data returned can also be very large. You may want to chunk these requests to reduce the impact to clients and network traffic.
+Doing a full inventory of a device can be resource-intensive based on the hardware and number of apps that are installed. The data returned can also be large. You may want to chunk these requests to reduce the impact to clients and network traffic.
-Here is an example of a query for all apps on the device.
+Here's an example of a query for all apps on the device.
```xml
@@ -190,7 +187,7 @@ Here is an example of a query for all apps on the device.
```
-Here is an example of a query for a specific app for a user.
+Here's an example of a query for a specific app for a user.
```xml
@@ -206,7 +203,7 @@ Here is an example of a query for a specific app for a user.
### Store license inventory
-You can use the EnterpriseModernAppManagement CSP to query for all app licenses installed for a user or device. The query returns all app licenses regardless if they were installed via MDM or other methods. Inventory can be performed at the user or device level. Inventory at the device level will return information for all users on the device.
+You can use the EnterpriseModernAppManagement CSP to query for all app licenses installed for a user or device. The query returns all app licenses, event if they were installed via MDM or other methods. Inventory can run at the user or device level. Inventory at the device level will return information for all users on the device.
Here are the nodes for each license ID:
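Review bot: Typo at `+You can use the EnterpriseModernAppManagement CSP to query for all app licenses installed for a user or device. The query returns all app licenses, event if they were installed via MDM or other methods.`: "event if" should be "even if", matching the parallel sentence in the App inventory hunk above.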
@@ -219,7 +216,7 @@ For detailed descriptions of each node, see [EnterpriseModernAppManagement CSP](
> [!NOTE]
> The LicenseID in the CSP is the content ID for the license.
-Here is an example of a query for all app licenses on a device.
+Here's an example of a query for all app licenses on a device.
```xml
@@ -233,7 +230,7 @@ Here is an example of a query for all app licenses on a device.
```
-Here is an example of a query for all app licenses for a user.
+Here's an example of a query for all app licenses for a user.
```xml
@@ -249,13 +246,13 @@ Here is an example of a query for all app licenses for a user.
## Enable the device to install non-Store apps
-There are two basic types of apps you can deploy: Store apps and enterprise signed apps. To deploy enterprise signed apps, you must enable a setting on the device to allow trusted apps. The apps can be signed by a Microsoft approved root (such as Symantec), an enterprise deployed root or apps that are self-signed. This section covers the steps to configure the device for non-store app deployment.
+There are two basic types of apps you can deploy: Store apps and enterprise signed apps. To deploy enterprise signed apps, you must enable a setting on the device to allow trusted apps. The apps can be signed by a Microsoft approved root (such as Symantec), an enterprise deployed root, or apps that are self-signed. This section covers the steps to configure the device for non-store app deployment.
### Unlock the device for non-Store apps
-To deploy app that are not from the Microsoft Store, you must configure the ApplicationManagement/AllowAllTrustedApps policy. This policy allows the installation of non-Store apps on the device provided that there is a chain to a certificate on the device. The app can be signed with a root certificate on the device (such as Symantec Enterprise), an enterprise owned root certificate, or a peer trust certificate deployed on the device. For more information about deploying user license, see [Deploy an offline license to a user](#deploy-an-offline-license-to-a-user).
+To deploy apps that aren't from the Microsoft Store, you must configure the ApplicationManagement/AllowAllTrustedApps policy. This policy allows the installation of non-Store apps on the device if there's a chain to a certificate on the device. The app can be signed with a root certificate on the device (such as Symantec Enterprise), an enterprise owned root certificate, or a peer trust certificate deployed on the device. For more information about deploying user license, see [Deploy an offline license to a user](#deploy-an-offline-license-to-a-user).
-The AllowAllTrustedApps policy enables the installation apps that are trusted by a certificate in the Trusted People on the device or a root certificate in the Trusted Root of the device. The policy is not configured by default, which means only apps from the Microsoft Store can be installed. If the management server implicitly sets the value to off, the setting is disabled in the settings panel on the device.
+The AllowAllTrustedApps policy enables the installation apps that are trusted by a certificate in the Trusted People on the device, or a root certificate in the Trusted Root of the device. The policy isn't configured by default, which means only apps from the Microsoft Store can be installed. If the management server implicitly sets the value to off, the setting is disabled in the settings panel on the device.
For more information about the AllowAllTrustedApps policy, see [Policy CSP](policy-configuration-service-provider.md).
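Review bot: The touched line `+The AllowAllTrustedApps policy enables the installation apps that are trusted by a certificate...` is still missing "of" ("enables the installation of apps"). On the preceding changed line, "For more information about deploying user license" reads better as "deploying a user license".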
@@ -291,13 +288,13 @@ Here are some examples.
Development of apps on Windows 10 no longer requires a special license. You can enable debugging and deployment of non-packaged apps using ApplicationManagement/AllowDeveloperUnlock policy in Policy CSP.
-AllowDeveloperUnlock policy enables the development mode on the device. The AllowDeveloperUnlock is not configured by default, which means only Microsoft Store apps can be installed. If the management server explicitly sets the value to off, the setting is disabled in the settings panel on the device.
+AllowDeveloperUnlock policy enables the development mode on the device. The AllowDeveloperUnlock isn't configured by default, which means only Microsoft Store apps can be installed. If the management server explicitly sets the value to off, the setting is disabled in the settings panel on the device.
-Deployment of apps to Windows 10 for desktop editions requires that there is a chain to a certificate on the device. The app can be signed with a root certificate on the device (such as Symantec Enterprise), an enterprise owned root certificate, or a peer trust certificate deployed on the device. Deployment to Windows 10 Mobile does not validate whether the non-Store apps have a valid root of trust on the device.
+Deployment of apps to Windows 10 for desktop editions requires that there's a chain to a certificate on the device. The app can be signed with a root certificate on the device (such as Symantec Enterprise), an enterprise owned root certificate, or a peer trust certificate deployed on the device.
For more information about the AllowDeveloperUnlock policy, see [Policy CSP](policy-configuration-service-provider.md).
-Here is an example.
+Here's an example.
```xml
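Review bot: At `+AllowDeveloperUnlock policy enables the development mode on the device. The AllowDeveloperUnlock isn't configured by default...` the second sentence drops the noun; suggest "The AllowDeveloperUnlock policy isn't configured by default" so it matches the wording used for AllowAllTrustedApps in the previous hunk.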
@@ -327,20 +324,20 @@ Here is an example.
## Install your apps
-You can install apps to a specific user or to all users of a device. Apps are installed directly from the Microsoft Store or in some cases from a host location, such as a local disk, UNC path, or HTTPS location. Use the AppInstallation node of the [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) to install apps.
+You can install apps to a specific user or to all users of a device. Apps are installed directly from the Microsoft Store. Or, they're installed from a host location, such as a local disk, UNC path, or HTTPS location. Use the AppInstallation node of the [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) to install apps.
### Deploy apps to user from the Store
-To deploy an app to a user directly from the Microsoft Store, the management server performs an Add and Exec commands on the AppInstallation node of the EnterpriseModernAppManagement CSP. This is only supported in the user context and not supported in the device context.
+To deploy an app to a user directly from the Microsoft Store, the management server runs an Add and Exec command on the AppInstallation node of the EnterpriseModernAppManagement CSP. This feature is only supported in the user context, and not supported in the device context.
-If you purchased an app from the Store for Business and the app is specified for an online license, the app and license must be acquired directly from the Microsoft Store.
+If you purchased an app from the Store for Business and the app is specified for an online license, then the app and license must be acquired directly from the Microsoft Store.
Here are the requirements for this scenario:
-- The app is assigned to a user Azure Active Directory (AAD) identity in the Store for Business. You can do this directly in the Store for Business or through a management server.
+- The app is assigned to a user Azure Active Directory (Azure AD) identity in the Store for Business. You can assign directly in the Store for Business or through a management server.
- The device requires connectivity to the Microsoft Store.
-- Microsoft Store services must be enabled on the device. Note that the UI for the Microsoft Store can be disabled by the enterprise admin.
-- The user must be signed in with their AAD identity.
+- Microsoft Store services must be enabled on the device. The UI for the Microsoft Store can be disabled by the enterprise admin.
+- The user must be signed in with their Azure AD identity.
Here are some examples.
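Review bot: At `+To deploy an app to a user directly from the Microsoft Store, the management server runs an Add and Exec command on the AppInstallation node...` the original referred to two commands (Add and Exec); "an Add and Exec command" now reads as a single command. Suggest "runs Add and Exec commands on the AppInstallation node".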
@@ -364,9 +361,9 @@ Here are the changes from the previous release:
1. The "{CatID}" reference should be updated to "{ProductID}". This value is acquired as a part of the Store for Business management tool.
2. The value for flags can be "0" or "1"
- When using "0" the management tool calls back to the Store for Business sync to assign a user a seat of an application. When using "1" the management tool does not call back in to the Store for Business sync to assign a user a seat of an application. The CSP will claim a seat if one is available.
+ When using "0", the management tool calls back to the Store for Business sync to assign a user a seat of an application. When using "1", the management tool doesn't call back in to the Store for Business sync to assign a user a seat of an application. The CSP will claim a seat if one is available.
-3. The skuid is a new parameter that is required. This value is acquired as a part of the Store for Business to management tool sync.
+3. The `skuid` is a new parameter that is required. This value is acquired as a part of the Store for Business to management tool sync.
### Deploy an offline license to a user
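Review bot: only `skuid` is put in code font, while the sibling identifiers and literal values in the same list ("{CatID}", "{ProductID}", the flag values "0" and "1") stay in quotation marks; pick one convention for all of them. In the flags bullet, "call back in to the Store for Business sync" should be "call back into".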
@@ -376,10 +373,10 @@ The app license only needs to be deployed as part of the initial installation of
In the SyncML, you need to specify the following information in the Exec command:
-- License ID - This is specified in the LocURI. The License ID for the offline license is referred to as the "Content ID" in the license file. You can retrieve this information from the Base64 encoded license download from the Store for Business.
-- License Content - This is specified in the data section. The License Content is the Base64 encoded blob of the license.
+- License ID - This ID is specified in the LocURI. The License ID for the offline license is referred to as the "Content ID" in the license file. You can retrieve this information from the Base64 encoded license download from the Store for Business.
+- License Content - This content is specified in the data section. The License Content is the Base64 encoded blob of the license.
-Here is an example of an offline license installation.
+Here's an example of an offline license installation.
```xml
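Review bot: "This ID is specified in the LocURI" and "This content is specified in the data section" only restate the bullet labels; "License ID - Specified in the LocURI. ..." and "License Content - Specified in the data section. ..." read more cleanly. "Base64 encoded" is a compound modifier in both bullets and should be hyphenated ("Base64-encoded license download", "Base64-encoded blob").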
@@ -405,15 +402,15 @@ Here are the requirements for this scenario:
- The location of the app can be a local files system (C:\\StagedApps\\app1.appx), a UNC path (\\\\server\\share\\app1.apx), or an HTTPS location (https://contoso.com/app1.appx\_
- The user must have permission to access the content location. For HTTPs, you can use server authentication or certificate authentication using a certificate associated with the enrollment. HTTP locations are supported, but not recommended because of lack of authentication requirements.
-- The device does not need to have connectivity to the Microsoft Store, store services, or the have the Microsoft Store UI be enabled.
-- The user must be logged in, but association with AAD identity is not required.
+- The device doesn't need to have connectivity to the Microsoft Store, store services, or have the Microsoft Store UI be enabled.
+- The user must be logged in, but association with Azure AD identity isn't required.
> [!NOTE]
> You must unlock the device to deploy nonStore apps or you must deploy the app license before deploying the offline apps. For details, see [Deploy an offline license to a user](#deploy-an-offline-license-to-a-user).
The Add command for the package family name is required to ensure proper removal of the app at unenrollment.
-Here is an example of a line-of-business app installation.
+Here's an example of a line-of-business app installation.
```xml
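Review bot: the context bullet just above the changed lines, "an HTTPS location (https://contoso.com/app1.appx\_", has an unclosed parenthesis and a stray `\_` after the URL, and the next bullet writes "For HTTPs" where a later hunk in this file standardizes on "HTTPS"; since this requirements list is being edited, fix all three here (close the parenthesis, drop the `\_`, write "For HTTPS"). The same defects repeat in the provisioning requirements list further down and should be fixed there too.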
@@ -440,7 +437,7 @@ Here is an example of a line-of-business app installation.
```
-Here is an example of an app installation with dependencies.
+Here's an example of an app installation with dependencies.
```xml
@@ -474,7 +471,7 @@ Here is an example of an app installation with dependencies.
```
-Here is an example of an app installation with dependencies and optional packages.
+Here's an example of an app installation with dependencies and optional packages.
```xml
@@ -516,23 +513,23 @@ Here is an example of an app installation with dependencies and optional package
### Provision apps for all users of a device
-Provisioning allows you to stage the app to the device and all users of the device can have the app registered on their next login. This is only supported for app purchased from the Store for Business and the app is specified for an offline license or the app is a non-Store app. The app must be offered from a hosted location. The app is installed as a local system. To install to a local file share, the 'local system' of the device must have access to the share.
+Provisioning allows you to stage the app to the device and all users of the device can have the app registered on their next login. This feature is only supported for app purchased from the Store for Business, and the app is specified for an offline license or the app is a non-Store app. The app must be offered from a hosted location. The app is installed as a local system. To install to a local file share, the 'local system' of the device must have access to the share.
Here are the requirements for this scenario:
- The location of the app can be the local files system (C:\\StagedApps\\app1.appx), a UNC path (\\\\server\\share\\app1.apx), or an HTTPS location (https://contoso.com/app1.appx\_
- The user must have permission to access the content location. For HTTPs, you can use server authentication or certificate authentication using a certificate associated with the enrollment. HTTP locations are supported, but not recommended because of lack of authentication requirements.
-- The device does not need to have connectivity to the Microsoft Store, or store services enabled.
-- The device does not need any AAD identity or domain membership.
+- The device doesn't need to have connectivity to the Microsoft Store, or store services enabled.
+- The device doesn't need any Azure AD identity or domain membership.
- For nonStore app, your device must be unlocked.
-- For Store offline apps, the required licenses must be deployed prior to deploying the apps.
+- For Store offline apps, the required licenses must be deployed before deploying the apps.
-To provision app for all users of a device from a hosted location, the management server performs an Add and Exec command on the AppInstallation node in the device context. The Add command for the package family name is required to ensure proper removal of the app at unenrollment.
+To provision app for all users of a device from a hosted location, the management server runs an Add and Exec command on the AppInstallation node in the device context. The Add command for the package family name is required to ensure proper removal of the app at unenrollment.
> [!NOTE]
> When you remove the provisioned app, it will not remove it from the users that already installed the app.
-Here is an example of app installation.
+Here's an example of app installation.
> [!NOTE]
> This is only supported in Windows 10 for desktop editions.
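Review bot: the rewritten provisioning paragraph still reads "only supported for app purchased from the Store for Business, and the app is specified for an offline license or the app is a non-Store app", which is ungrammatical and hard to parse; suggest "only supported for apps purchased from the Store for Business with an offline license, and for non-Store apps." Likewise "To provision app for all users" should be "To provision an app for all users", and "The app is installed as a local system" should name the account ("installed as the local system account"), since the sentence after it about share access depends on that.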
@@ -564,12 +561,12 @@ Here is an example of app installation.
The HostedInstall Exec command contains a Data node that requires an embedded XML. Here are the requirements for the data XML:
-- Application node has a required parameter, PackageURI, which can be a local file location, UNC, or HTTPs location.
+- Application node has a required parameter, PackageURI, which can be a local file location, UNC, or HTTPS location.
- Dependencies can be specified if required to be installed with the package. This is optional.
The DeploymentOptions parameter is only available in the user context.
-Here is an example of app installation with dependencies.
+Here's an example of app installation with dependencies.
> [!NOTE]
> This is only supported in Windows 10 for desktop editions.
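Review bot: the dependencies bullet keeps the "This is optional." pattern that the rest of the PR is replacing ("This feature", "This ID"); fold it into one sentence, "Dependencies are optional and can be specified if they must be installed with the package." The "HTTPS location" fix in the bullet above it is correct; the two earlier requirements lists in this file still say "HTTPs" and should get the same fix.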
@@ -608,22 +605,22 @@ Here is an example of app installation with dependencies.
### Get status of app installations
-When an app installation is completed, a Windows notification is sent. You can also query the status of using the AppInstallation node. Here is the list of information you can get back in the query:
+When an app installation is completed, a Windows notification is sent. You can also query the status of using the AppInstallation node. Here's the list of information you can get back in the query:
- Status - indicates the status of app installation.
- - NOT\_INSTALLED (0) - The node was added, but the execution was not completed.
- - INSTALLING (1) - Execution has started, but the deployment has not completed. If the deployment completes regardless of success this value is updated.
+ - NOT\_INSTALLED (0) - The node was added, but the execution wasn't completed.
+ - INSTALLING (1) - Execution has started, but the deployment hasn't completed. If the deployment completes regardless of success, then this value is updated.
- FAILED (2) - Installation failed. The details of the error can be found under LastError and LastErrorDescription.
- - INSTALLED (3) - Once an install is successful this node is cleaned up, however in the event the clean up action has not completed, this state may briefly appear.
-- LastError - This is the last error reported by the app deployment server.
+ - INSTALLED (3) - Once an install is successful this node is cleaned up. If the clean up action hasn't completed, then this state may briefly appear.
+- LastError - The last error reported by the app deployment server.
- LastErrorDescription - Describes the last error reported by the app deployment server.
-- Status - This is an integer that indicates the progress of the app installation. In cases of an https location, this shows the estimated download progress.
+- Status - An integer that indicates the progress of the app installation. In cases of an HTTPS location, this status shows the estimated download progress.
- Status is not available for provisioning and only used for user-based installations. For provisioning, the value is always 0.
+ Status isn't available for provisioning and only used for user-based installations. For provisioning, the value is always 0.
When an app is installed successfully, the node is cleaned up and no longer present. The status of the app can be reported under the AppManagement node.
-Here is an example of a query for a specific app installation.
+Here's an example of a query for a specific app installation.
```xml
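Review bot: "You can also query the status of using the AppInstallation node" is missing its object in both the removed and the added line; make it "query the status of an installation using the AppInstallation node." The list also has two bullets labelled "Status" with different meanings (an enumerated install state, and an integer progress value for HTTPS downloads); label the second with the node name actually used for progress, or at least "Progress status", so readers don't conflate them. "clean up action" as a noun phrase should be "cleanup action".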
@@ -637,7 +634,7 @@ Here is an example of a query for a specific app installation.
```
-Here is an example of a query for all app installations.
+Here's an example of a query for all app installations.
```xml
@@ -653,9 +650,9 @@ Here is an example of a query for all app installations.
### Alert for installation completion
-Application installations can take some time to complete, hence they are done asynchronously. When the Exec command is completed, the client sends a notification to the management server with a status, whether it's a failure or success.
+Application installations can take some time to complete. So, they're done asynchronously. When the Exec command is completed, the client sends a notification to the management server with a status, whether it's a failure or success.
-Here is an example of an alert.
+Here's an example of an alert.
```xml
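Review bot: splitting "hence they are done asynchronously" into "So, they're done asynchronously." leaves a choppy fragment opening with "So,"; keep one sentence, "Application installations can take some time to complete, so they're done asynchronously."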
@@ -676,10 +673,10 @@ Here is an example of an alert.
For user-based installation, use the ./User path and for provisioning of apps, use the ./Device path.
-The Data field value of 0 (zero) indicates success, otherwise it is an error code. If there is a failure, you can get more details from the AppInstallation node.
+The Data field value of 0 (zero) indicates success. Otherwise it's an error code. If there's a failure, you can get more details from the AppInstallation node.
> [!NOTE]
-> At this time, the alert for Store app installation is not yet available.
+> At this time, the alert for Store app installation isn't yet available.
## Uninstall your apps
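Review bot: "Otherwise it's an error code." needs a comma after "Otherwise", and the split loses nothing if written as "The Data field value of 0 (zero) indicates success; any other value is an error code."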
@@ -687,12 +684,12 @@ The Data field value of 0 (zero) indicates success, otherwise it is an error cod
You can uninstall apps from users from Windows 10 devices. To uninstall an app, you delete it from the AppManagement node of the CSP. Within the AppManagement node, packages are organized based on their origin according to the following nodes:
- AppStore - These apps are for the Microsoft Store. Apps can be directly installed from the store or delivered to the enterprise from the Store for Business.
-- nonStore - These apps that were not acquired from the Microsoft Store.
-- System - These apps are part of the OS. You cannot uninstall these apps.
+- nonStore - These apps that weren't acquired from the Microsoft Store.
+- System - These apps are part of the OS. You can't uninstall these apps.
To uninstall an app, you delete it under the origin node, package family name, and package full name. To uninstall a XAP, use the product ID in place of the package family name and package full name.
-Here is an example for uninstalling all versions of an app for a user.
+Here's an example for uninstalling all versions of an app for a user.
```xml
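Review bot: the nonStore bullet is still a fragment after the rewrite: "These apps that weren't acquired from the Microsoft Store." has no main verb. Suggest "nonStore - Apps that weren't acquired from the Microsoft Store." to match the form of the AppStore and System bullets.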
@@ -706,7 +703,7 @@ Here is an example for uninstalling all versions of an app for a user.
```
-Here is an example for uninstalling a specific version of the app for a user.
+Here's an example for uninstalling a specific version of the app for a user.
```xml
@@ -722,7 +719,7 @@ Here is an example for uninstalling a specific version of the app for a user.
### Removed provisioned apps from a device
-You can remove provisioned apps from a device for a specific version or for all versions of a package family. When a provisioned app is removed, it is not available to future users for the device. Logged in users who has the app registered to them will continue to have access to the app. If you want to removed the app for those users, you must explicitly uninstall the app for those users.
+You can remove provisioned apps from a device for a specific version, or for all versions of a package family. When a provisioned app is removed, it isn't available to future users for the device. Logged in users who have the app registered to them will continue to have access to the app. If you want to remove the app for those users, you must explicitly uninstall the app for those users.
> [!NOTE]
> You can only remove an app that has an inventory value IsProvisioned = 1.
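Review bot: the heading in context above this hunk, "### Removed provisioned apps from a device", has a typo ("Removed" for "Remove"); since the section body is being edited, fix it here, and check for links to the existing anchor because renaming the heading changes it. In the rewritten paragraph, "Logged in users" used as a modifier should be "Logged-in users".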
@@ -730,7 +727,7 @@ You can remove provisioned apps from a device for a specific version or for all
Removing provisioned app occurs in the device context.
-Here is an example for removing a provisioned app from a device.
+Here's an example for removing a provisioned app from a device.
```xml
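Review bot: the context line "Removing provisioned app occurs in the device context." is missing an article ("Removing a provisioned app"); it sits right beside the changed line, so it is worth fixing in the same pass.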
@@ -744,7 +741,7 @@ Here is an example for removing a provisioned app from a device.
```
-Here is an example for removing a specific version of a provisioned app from a device:
+Here's an example for removing a specific version of a provisioned app from a device:
```xml
@@ -762,7 +759,7 @@ Here is an example for removing a specific version of a provisioned app from a d
You can remove app licenses from a device per app based on the content ID.
-Here is an example for removing an app license for a user.
+Here's an example for removing an app license for a user.
```xml
@@ -776,7 +773,7 @@ Here is an example for removing an app license for a user.
```
-Here is an example for removing an app license for a provisioned package (device context).
+Here's an example for removing an app license for a provisioned package (device context).
```xml
@@ -792,11 +789,11 @@ Here is an example for removing an app license for a provisioned package (device
### Alert for app uninstallation
-Uninstallation of an app can take some time complete, hence the uninstallation is performed asynchronously. When the Exec command is completed, the client sends a notification to the management server with a status, whether it's a failure or success.
+Uninstallation of an app can take some time complete. So, the uninstall is run asynchronously. When the Exec command is completed, the client sends a notification to the management server with a status, whether it's a failure or success.
For user-based uninstallation, use ./User in the LocURI, and for provisioning, use ./Device in the LocURI.
-Here is an example. There is only one uninstall for hosted and store apps.
+Here's an example. There's only one uninstall for hosted and store apps.
```xml
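Review bot: "can take some time complete" is missing "to" in both the removed and the added line; the new text should read "Uninstallation of an app can take some time to complete, so the uninstall runs asynchronously" rather than the fragment "So, the uninstall is run asynchronously."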
@@ -822,7 +819,7 @@ Apps installed on a device can be updated using the management server. Apps can
To update an app from Microsoft Store, the device requires contact with the store services.
-Here is an example of an update scan.
+Here's an example of an update scan.
```xml
@@ -836,7 +833,7 @@ Here is an example of an update scan.
```
-Here is an example of a status check.
+Here's an example of a status check.
```xml
@@ -860,11 +857,11 @@ A provisioned app automatically updates when an app update is sent to the user.
### Prevent app from automatic updates
-You can prevent specific apps from being automatically updated. This allows you to turn on auto-updates for apps, with specific apps excluded as defined by the IT admin.
+You can prevent specific apps from being automatically updated. This feature allows you to turn on auto-updates for apps, with specific apps excluded as defined by the IT admin.
-Turning off updates only applies to updates from the Microsoft Store at the device level. This feature is not available at a user level. You can still update an app if the offline packages is pushed from hosted install location.
+Turning off updates only applies to updates from the Microsoft Store at the device level. This feature isn't available at a user level. You can still update an app if the offline packages are pushed from hosted install location.
-Here is an example.
+Here's an example.
```xml
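Review bot: "pushed from hosted install location" needs an article ("from a hosted install location"). The paragraph's operational caveat, that the exclusion applies only at the device level and not per user, is the part an admin needs first; consider leading the paragraph with it rather than appending it after the feature description.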
@@ -882,96 +879,24 @@ Here is an example.
```
-## Additional app management scenarios
+## More app management scenarios
-The following subsections provide information about additional settings configurations.
-
-### Restrict app installation to the system volume
-
-You can install app on non-system volumes, such as a secondary partition or removable media (USB or SD cards). Using the RestrictApptoSystemVolume policy, you can prevent apps from getting installed or moved to non-system volumes. For more information about this policy, see [Policy CSP](policy-configuration-service-provider.md).
-
-> [!NOTE]
-> This is only supported in mobile devices.
-
-Here is an example.
-
-```xml
-
-
- 1
- -
-
- ./Vendor/MSFT/Policy/Result/ApplicationManagement/RestrictAppToSystemVolume?list=StructData
-
-
-
-
-
- 2
- -
-
- ./Vendor/MSFT/Policy/Config/ApplicationManagement/RestrictAppToSystemVolume
-
-
- int
- text/plain
-
- 1
-
-
-```
-
-### Restrict AppData to the system volume
-
-In Windows 10 Mobile IT administrators can set a policy to restrict user application data for a Microsoft Store app to the system volume, regardless of where the package is installed or moved.
-
-> [!NOTE]
-> The feature is only for Windows 10 Mobile.
-
-The RestrictAppDataToSystemVolume policy in [Policy CSP](policy-configuration-service-provider.md) enables you to restrict all user application data to stay on the system volume. When the policy is not configured or if it is disabled, and you move a package or when it is installed to a difference volume, then the user application data will moved to the same volume. You can set this policy to 0 (off, default) or 1.
-
-Here is an example.
-
-```xml
-
-
- 1
- -
-
- ./Vendor/MSFT/Policy/Result/ApplicationManagement/RestrictAppDataToSystemVolume?list=StructData
-
-
-
-
-
- 2
- -
-
- ./Vendor/MSFT/Policy/Config/ApplicationManagement/RestrictAppDataToSystemVolume
-
-
- int
- text/plain
-
- 1
-
-
-```
+The following subsections provide information about more settings configurations.
### Enable shared user app data
-The Universal Windows app has the ability to share application data between the users of the device. The ability to share data can be set at a package family level or per device.
+The Universal Windows app can share application data between the users of the device. The ability to share data can be set at a package family level or per device.
> [!NOTE]
> This is only applicable to multi-user devices.
The AllowSharedUserAppData policy in [Policy CSP](policy-configuration-service-provider.md) enables or disables app packages to share data between app packages when there are multiple users. If you enable this policy, applications can share data between packages in their package family. Data can be shared through ShareLocal folder for that package family and local machine. This folder is available through the Windows.Storage API.
-If you disable this policy, applications cannot share user application data among multiple users. However, pre-written shared data will persist. The clean pre-written shared data, use DISM ((/Get-ProvisionedAppxPackage to detect if there is any shared data, and /Remove-SharedAppxData to remove it).
+If you disable this policy, applications can't share user application data among multiple users. However, pre-written shared data will persist. The clean pre-written shared data, use DISM ((/Get-ProvisionedAppxPackage to detect if there's any shared data, and /Remove-SharedAppxData to remove it).
The valid values are 0 (off, default value) and 1 (on).
-Here is an example.
+Here's an example.
```xml
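Review bot: the rewritten shared-data paragraph carries over two defects from the old line: "The clean pre-written shared data, use DISM ((/Get-ProvisionedAppxPackage ..." should read "To clean pre-written shared data, use DISM (/Get-ProvisionedAppxPackage to detect whether there's any shared data, and /Remove-SharedAppxData to remove it)." with the doubled "((" fixed. Renaming "## Additional app management scenarios" to "## More app management scenarios" changes the heading anchor, so inbound links need updating; and since the two removed subsections (RestrictAppToSystemVolume, RestrictAppDataToSystemVolume) were this page's only pointers to those Policy CSP settings, confirm that the linked Policy CSP page still documents them or marks them as mobile-only.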
diff --git a/windows/client-management/mdm/index.md b/windows/client-management/mdm/index.md
index 792bdcb30c..bf30b7152c 100644
--- a/windows/client-management/mdm/index.md
+++ b/windows/client-management/mdm/index.md
@@ -40,6 +40,7 @@ The MDM security baseline includes policies that cover the following areas:
For more details about the MDM policies defined in the MDM security baseline and what Microsoft’s recommended baseline policy values are, see:
+- [MDM Security baseline for Windows 11](https://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/Windows11-MDM-SecurityBaseLine-Document.zip)
- [MDM Security baseline for Windows 10, version 2004](https://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/2004-MDM-SecurityBaseLine-Document.zip)
- [MDM Security baseline for Windows 10, version 1909](https://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/1909-MDM-SecurityBaseLine-Document.zip)
- [MDM Security baseline for Windows 10, version 1903](https://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/1903-MDM-SecurityBaseLine-Document.zip)
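Review bot: the new Windows 11 baseline link uses the same download directory as the Windows 10 entries but a differently patterned file name ("Windows11-MDM-SecurityBaseLine-Document.zip" versus "2004-MDM-SecurityBaseLine-Document.zip"); verify the URL resolves before merge, and update the page's ms.date alongside the new entry.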
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
index 9bd0f0dee9..c67e00367b 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
@@ -29,7 +29,6 @@ ms.date: 07/22/2020
- [Defender/AllowFullScanOnMappedNetworkDrives](policy-csp-defender.md#defender-allowfullscanonmappednetworkdrives)
- [Defender/AllowFullScanRemovableDriveScanning](policy-csp-defender.md#defender-allowfullscanremovabledrivescanning)
- [Defender/AllowIOAVProtection](policy-csp-defender.md#defender-allowioavprotection)
-- [Defender/AllowIntrusionPreventionSystem](policy-csp-defender.md#defender-allowintrusionpreventionsystem)
- [Defender/AllowOnAccessProtection](policy-csp-defender.md#defender-allowonaccessprotection)
- [Defender/AllowRealtimeMonitoring](policy-csp-defender.md#defender-allowrealtimemonitoring)
- [Defender/AllowScanningNetworkFiles](policy-csp-defender.md#defender-allowscanningnetworkfiles)
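Review bot: dropping Defender/AllowIntrusionPreventionSystem from the Surface Hub supported list matches the removal in policy-configuration-service-provider.md below, but the ms.date shown in this hunk's header (07/22/2020) should be bumped with the change, and policy-csp-defender.md, which the removed link pointed to, should be checked so the policy's own section is removed or marked as no longer supported; otherwise other pages keep linking to an entry the indexes no longer list.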
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index b64391c88d..8accc2e4bc 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -5841,9 +5841,6 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
Defender/AllowIOAVProtection
-
- Defender/AllowIntrusionPreventionSystem
-
Defender/AllowOnAccessProtection
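Review bot: the removed Defender/AllowIntrusionPreventionSystem entry is bracketed by two blank removed lines, which appear to be the list item's surrounding markup; confirm that the markup around the neighbouring Defender/AllowIOAVProtection and Defender/AllowOnAccessProtection entries still pairs up after the deletion (the diff view hides the tags, so a rendered preview is the quick check).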
diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md
index adb1bec8af..52ab4dd052 100644
--- a/windows/client-management/mdm/policy-csp-browser.md
+++ b/windows/client-management/mdm/policy-csp-browser.md
@@ -213,22 +213,22 @@ ms.localizationpriority: medium
Pro |
Yes |
- Yes |
+ No |
Business |
Yes |
- Yes |
+ No |
Enterprise |
Yes |
- Yes |
+ No |
Education |
Yes |
- Yes |
+ No |
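Review bot: the second column flips from "Yes" to "No" for all four editions, but neither the table header nor the policy name is in the hunk context, so a reviewer can't tell which policy or which support column (presumably a Windows version column) is being changed; expand the context or name the policy and column in the PR description. If the policy is being marked unsupported on a newer OS, the policy's description text should state that too, otherwise the table and the prose disagree.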
@@ -291,22 +291,22 @@ Most restricted value: 0
Pro |
Yes |
- Yes |
+ No |
Business |
Yes |
- Yes |
+ No |
Enterprise |
Yes |
- Yes |
+ No |
Education |
Yes |
- Yes |
+ No |
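Review bot: same concern as the first Browser table: every edition flips to "No" in the second column with no header or policy name in context; confirm the change is intended for this second policy as well, and make that policy's description consistent with the table so the support matrix and the prose don't contradict each other.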