deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'master' into v-smandalika-5494946-B3

Browse Source
This commit is contained in:
Siddarth Mandalika 2021-11-09 11:16:19 +05:30
commit d3c52c9bea
68 changed files with 1167 additions and 2575 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

90
.openpublishing.redirection.json
View File

@ -1,5 +1,95 @@
{
"redirections": [
{
"source_path": "windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md",
"redirect_url": "https://support.microsoft.com/windows/windows-phone-8-1-end-of-support-faq-7f1ef0aa-0aaf-0747-3724-5c44456778a3",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/mdm/deviceinstanceservice-csp.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/mdm/cm-proxyentries-csp.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/mdm/bootstrap-csp.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/wcd/wcd-textinput.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/wcd/wcd-shell.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/wcd/wcd-rcspresence.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/wcd/wcd-otherassets.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/wcd/wcd-nfc.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/wcd/wcd-multivariant.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/wcd/wcd-modemconfigurations.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/wcd/wcd-messaging.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/wcd/wcd-internetexplorer.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/wcd/wcd-initialsetup.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/wcd/wcd-deviceinfo.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/wcd/wcd-calling.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/wcd/wcd-callandmessagingenhancement.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/wcd/wcd-automatictime.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/wcd/wcd-theme.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",

263
windows/client-management/mdm/azure-active-directory-integration-with-mdm.md
View File

@ -13,9 +13,15 @@ author: dansimp
# Azure Active Directory integration with MDM
Azure Active Directory is the world largest enterprise cloud identity management service. Its used by millions of organizations to access Office 365 and thousands of business applications from Microsoft and third-party software as a service (SaaS) vendors. Many of the rich Windows 10 experiences for organizational users (such as store access or OS state roaming) use Azure AD as the underlying identity infrastructure. Windows 10 provides an integrated configuration experience with Azure AD, allowing devices to be registered in Azure AD and enrolled into MDM in a smooth integrated flow.
Azure Active Directory is the world largest enterprise cloud identity management service. Its used by organizations to access Office 365 and business applications from Microsoft and third-party software as a service (SaaS) vendors. Many of the rich Windows 10 experiences for organizational users (such as store access or OS state roaming) use Azure AD as the underlying identity infrastructure. Windows integrates with Azure AD, allowing devices to be registered in Azure AD and enrolled into MDM in an integrated flow.
Once a device is enrolled in MDM, the MDM can enforce compliance with corporate policies, add or remove apps, and more. Additionally, the MDM can report a devices compliance Azure AD. This enables Azure AD to allow access to corporate resources or applications secured by Azure AD only to devices that comply with policies. To support these rich experiences with their MDM product, MDM vendors can integrate with Azure AD. This topic describes the steps involved.
Once a device is enrolled in MDM, the MDM:
- Can enforce compliance with organization policies, add or remove apps, and more.
- Can report a devices compliance in Azure AD.
- Azure AD can allow access to organization resources or applications secured by Azure AD to devices that comply with policies.
To support these rich experiences with their MDM product, MDM vendors can integrate with Azure AD. This article describes the steps involved.
## Connect to Azure AD
@ -32,9 +38,9 @@ For personal devices (BYOD):
Company owned devices are traditionally joined to the on-premises Active Directory domain of the organization. These devices can be managed using Group Policy or computer management software such as Microsoft Endpoint Configuration Manager. In Windows 10, its also possible to manage domain joined devices with an MDM.
Windows 10 introduces a new way to configure and deploy corporate owned Windows devices. This mechanism is called Azure AD Join. Like traditional domain join, Azure AD Join allows devices to become known and managed by an organization. However, with Azure AD Join, Windows authenticates to Azure AD instead of authenticating to a domain controller.
Windows 10 introduces a new way to configure and deploy organization owned Windows devices. This mechanism is called Azure AD Join. Like traditional domain join, Azure AD Join allows devices to become known and managed by an organization. However, with Azure AD Join, Windows authenticates to Azure AD instead of authenticating to a domain controller.
Azure AD Join also enables company owned devices to be automatically enrolled in, and managed by an MDM. Furthermore, Azure AD Join can be performed on a store-bought PC, in the out-of-box experience (OOBE), which helps organizations streamline their device deployment. An administrator can require that users belonging to one or more groups enroll their devices for management with an MDM. If a user is configured to require automatic enrollment during Azure AD Join, this enrollment becomes a mandatory step to configure Windows. If the MDM enrollment fails, then the device will not be joined to Azure AD.
Azure AD Join also enables company owned devices to be automatically enrolled in, and managed by an MDM. Furthermore, Azure AD Join can be performed on a store-bought PC, in the out-of-box experience (OOBE), which helps organizations streamline their device deployment. An administrator can require that users belonging to one or more groups enroll their devices for management with an MDM. If a user is configured to require automatic enrollment during Azure AD Join, this enrollment becomes a mandatory step to configure Windows. If the MDM enrollment fails, then the device won't be joined to Azure AD.
> [!IMPORTANT]
> Every user enabled for automatic MDM enrollment with Azure AD Join must be assigned a valid [Azure Active Directory Premium](/previous-versions/azure/dn499825(v=azure.100)) license.
@ -42,7 +48,7 @@ Azure AD Join also enables company owned devices to be automatically enrolled in
### BYOD scenario
Windows 10 also introduces a simpler way to configure personal devices to access work apps and resources. Users can add their Microsoft work account to Windows and enjoy simpler and safer access to the apps and resources of the organization. During this process, Azure AD detects if the organization has configured an MDM. If thats the case, Windows attempts to enroll the device in MDM as part of the “add account” flow. Its important to note that in the BYOD case, users can reject the MDM Terms of Use—in which case the device is not enrolled in MDM and access to corporate resources is typically restricted.
Windows 10 also introduces a simpler way to configure personal devices to access work apps and resources. Users can add their Microsoft work account to Windows and enjoy simpler and safer access to the apps and resources of the organization. During this process, Azure AD detects if the organization has configured an MDM. If thats the case, Windows attempts to enroll the device in MDM as part of the “add account” flow. In the BYOD case, users can reject the MDM Terms of Use. The device isn't enrolled in MDM and access to organization resources is typically restricted.
## Integrated MDM enrollment and UX
@ -50,18 +56,18 @@ Two Azure AD MDM enrollment scenarios:
- Joining a device to Azure AD for company-owned devices
- Adding a work account to a personal device (BYOD)
In both scenarios, Azure AD is responsible for authenticating the user and the device, which provides a verified unique device identifier that can be used for MDM enrollment.
In both scenarios, Azure AD authenticates the user and the device. It provides a verified unique device identifier that can be used for MDM enrollment.
In both scenarios, the enrollment flow provides an opportunity for the MDM service to render its own UI, using a web view. MDM vendors should use this to render the Terms of Use (TOU), which can be different for company-owned and BYOD devices. MDM vendors can also use the web view to render additional UI elements, such as asking for a one-time PIN, if this is part of the business process of the organization.
In both scenarios, the enrollment flow provides an opportunity for the MDM service to render its own UI, using a web view. MDM vendors should use the UI to render the Terms of Use (TOU), which can be different for company-owned and BYOD devices. MDM vendors can also use the web view to render more UI elements, such as asking for a one-time PIN.
In the out-of-the-box scenario, the web view is 100% full screen, which gives the MDM vendor the ability to paint an edge-to-edge experience. With great power comes great responsibility! It is important that MDM vendors who chose to integrate with Azure AD respect the Windows 10 design guidelines to the letter. This includes using a responsive web design and respecting the Windows accessibility guidelines, which includes the forward and back buttons that are properly wired to the navigation logic. Additional details are provided later in this topic.
In the out-of-the-box scenario, the web view is 100% full screen, which gives the MDM vendor the ability to paint an edge-to-edge experience. With great power comes great responsibility! It's important that MDM vendors who integrate with Azure AD respect the Windows design guidelines. This step includes using a responsive web design and respecting the Windows accessibility guidelines. For example, include the forward and back buttons that are properly wired to the navigation logic. More details are provided later in this article.
For Azure AD enrollment to work for an Active Directory Federated Services (AD FS) backed Azure AD account, you must enable password authentication for the intranet on the ADFS service as described in solution \#2 in [Configure Azure MFA as authentication provider with AD FS](/windows-server/identity/ad-fs/operations/configure-ad-fs-and-azure-mfa).
For Azure AD enrollment to work for an Active Directory Federated Services (AD FS) backed Azure AD account, you must enable password authentication for the intranet on the ADFS service. For more information, see solution \#2 in [Configure Azure MFA as authentication provider with AD FS](/windows-server/identity/ad-fs/operations/configure-ad-fs-and-azure-mfa).
Once a user has an Azure AD account added to Windows 10 and enrolled in MDM, the enrollment can be managed through **Settings** > **Accounts** > **Work access**. Device management of either Azure AD Join for corporate scenarios or BYOD scenarios is similar.
Once a user has an Azure AD account added to Windows and enrolled in MDM, the enrollment can be managed through **Settings** > **Accounts** > **Work access**. Device management of either Azure AD Join for organization scenarios or BYOD scenarios is similar.
> [!NOTE]
> Users cannot remove the device enrollment through the **Work access** user interface because management is tied to the Azure AD or work account.
> Users can't remove the device enrollment through the **Work access** user interface because management is tied to the Azure AD or work account.
### MDM endpoints involved in Azure ADintegrated enrollment
@ -70,87 +76,86 @@ Azure AD MDM enrollment is a two-step process:
1. Display the Terms of Use and gather user consent.
This is a passive flow where the user is redirected in a browser control (webview) to the URL of the Terms of Use of the MDM.
This consent is a passive flow where the user is redirected in a browser control (webview) to the URL of the Terms of Use of the MDM.
2. Enroll the device.
This is an active flow where Windows OMA DM agent calls the MDM service to enroll the device.
This step is an active flow where Windows OMA DM agent calls the MDM service to enroll the device.
To support Azure AD enrollment, MDM vendors must host and expose a Terms of Use endpoint and an MDM enrollment endpoint.
<a href="" id="terms-of-use-endpoint-"></a>**Terms of Use endpoint**
Use this endpoint to inform users of the ways in which their device can be controlled by their organization. The Terms of Use page is responsible for collecting users consent before the actual enrollment phase begins.
Its important to understand that the Terms of Use flow is an "opaque box" to Windows and Azure AD. The whole web view is redirected to the Terms of Use URL, and the user is expected to be redirected back after approving (or in some cases rejecting) the Terms. This design allows the MDM vendor to customize their Terms of Use for different scenarios (e.g., different levels of control are applied on BYOD vs. company-owned devices) or implement user/group based targeting (e.g., users in certain geographies may be subject to stricter device management policies).
Its important to understand the Terms of Use flow is an "opaque box" to Windows and Azure AD. The whole web view is redirected to the Terms of Use URL. The user should be redirected back after approving or rejecting the Terms. This design allows the MDM vendor to customize their Terms of Use for different scenarios. For example, different levels of control are applied on BYOD vs. organization-owned devices. Or, implement user/group based targeting, like users in certain geographies may have stricter device management policies.
The Terms of Use endpoint can be used to implement additional business logic, such as collecting a one-time PIN provided by IT to control device enrollment. However, MDM vendors must not use the Terms of Use flow to collect user credentials, which could lead to a highly degraded user experience. Its not needed, since part of the MDM integration ensures that the MDM service can understand tokens issued by Azure AD.
The Terms of Use endpoint can implement more business logic, such as collecting a one-time PIN provided by IT to control device enrollment. However, MDM vendors must not use the Terms of Use flow to collect user credentials, which can be a degraded user experience. Its not needed, since part of the MDM integration ensures that the MDM service can understand tokens issued by Azure AD.
<a href="" id="mdm-enrollment-endpoint"></a>**MDM enrollment endpoint**
After the users accepts the Terms of Use, the device is registered in Azure AD and the automatic MDM enrollment begins.
After the users accepts the Terms of Use, the device is registered in Azure AD. Automatic MDM enrollment begins.
The following diagram illustrates the high-level flow involved in the actual enrollment process. The device is first registered with Azure AD. This process assigns a unique device identifier to the device and presents the device with the ability to authenticate itself with Azure AD (device authentication). Subsequently, the device is enrolled for management with the MDM. This is done by calling the enrollment endpoint and requesting enrollment for the user and device. At this point, the user has been authenticated and device has been registered and authenticated with Azure AD. This information is made available to the MDM in the form of claims within an access token presented at the enrollment endpoint.
The following diagram illustrates the high-level flow involved in the actual enrollment process. The device is first registered with Azure AD. This process assigns a unique device identifier to the device and presents the device with the ability to authenticate itself with Azure AD (device authentication). Then, the device is enrolled for management with the MDM. This step calls the enrollment endpoint and requests enrollment for the user and device. At this point, the user has been authenticated and device has been registered and authenticated with Azure AD. This information is available to the MDM in the form of claims within an access token presented at the enrollment endpoint.
![azure ad enrollment flow.](images/azure-ad-enrollment-flow.png)
The MDM is expected to use this information about the device (Device ID) when reporting device compliance back to Azure AD using the [Azure AD Graph API](/azure/active-directory/develop/active-directory-graph-api). A sample for reporting device compliance is provided later in this topic.
The MDM is expected to use this information about the device (Device ID) when reporting device compliance back to Azure AD using the [Azure AD Graph API](/azure/active-directory/develop/active-directory-graph-api). A sample for reporting device compliance is provided later in this article.
## Make the MDM a reliable party of Azure AD
To participate in the integrated enrollment flow outlined in the previous section, the MDM must be able to consume access tokens issued by Azure AD. To report compliance to Azure AD, the MDM must be able to authenticate itself to Azure AD and obtain authorization in the form of an access token that allows it to invoke the [Azure AD Graph API](/azure/active-directory/develop/active-directory-graph-api).
To participate in the integrated enrollment flow outlined in the previous section, the MDM must consume access tokens issued by Azure AD. To report compliance with Azure AD, the MDM must authenticate itself to Azure AD and obtain authorization in the form of an access token that allows it to invoke the [Azure AD Graph API](/azure/active-directory/develop/active-directory-graph-api).
### Add a cloud-based MDM
A cloud-based MDM is a SaaS application that provides device management capabilities in the cloud. It is a multi-tenant application. This application is registered with Azure AD in the home tenant of the MDM vendor. When an IT admin decides to use this MDM solution, an instance of this application is made visible in the tenant of the customer.
A cloud-based MDM is a SaaS application that provides device management capabilities in the cloud. It's a multi-tenant application. This application is registered with Azure AD in the home tenant of the MDM vendor. When an IT admin decides to use this MDM solution, an instance of this application is made visible in the tenant of the customer.
The MDM vendor must first register the application in their home tenant and mark it as a multi-tenant application. Here a code sample from GitHub that explains how to add multi-tenant applications to Azure AD, [WepApp-WebAPI-MultiTenant-OpenIdConnect-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613661).
> [!NOTE]
> For the MDM provider, if you don't have an existing Azure AD tentant with an Azure AD subscription that you manage, follow the step-by-step guide in [Add an Azure AD tenant and Azure AD subscription](add-an-azure-ad-tenant-and-azure-ad-subscription.md) to set up a tenant, add a subscription, and manage it via the Azure Portal.
The keys used by the MDM application to request access tokens from Azure AD are managed within the tenant of the MDM vendor and not visible to individual customers. The same key is used by the multi-tenant MDM application to authenticate itself with Azure AD, regardless of the customer tenent to which the device being managed belongs.
The MDM application uses keys to request access tokens from Azure AD. These keys are managed within the tenant of the MDM provider and not visible to individual customers. The same key is used by the multi-tenant MDM application to authenticate itself with Azure AD, whatever the customer tenent the managed device belongs.
Use the following steps to register a cloud-based MDM application with Azure AD. At this time, you need to work with the Azure AD engineering team to expose this application through the Azure AD app gallery.
1. Log in to the Azure Management Portal using an admin account in your home tenant.
2. In the left navigation, click on the **Active Directory**.
2. In the left navigation, select **Active Directory**.
3. Click the directory tenant where you want to register the application.
3. Select the directory tenant where you want to register the application.
Ensure that you are logged into your home tenant.
Ensure you're logged into your home tenant.
4. Click the **Applications** tab.
4. Select the **Applications** tab.
5. In the drawer, click **Add**.
5. In the drawer, select **Add**.
6. Click **Add an application my organization is developing**.
6. Select **Add an application my organization is developing**.
7. Enter a friendly name for the application, such as ContosoMDM, select **Web Application and or Web API**, then click **Next**.
7. Enter a friendly name for the application, such as ContosoMDM, select **Web Application and or Web API**, then select **Next**.
8. Enter the login URL for your MDM service.
9. For the App ID, enter **https://&lt;your\_tenant\_name>/ContosoMDM**, then click OK.
9. For the App ID, enter **https://&lt;your\_tenant\_name>/ContosoMDM**, then select OK.
10. While still in the Azure portal, click the **Configure** tab of your application.
10. While still in the Azure portal, select the **Configure** tab of your application.
11. Mark your application as **multi-tenant**.
12. Find the client ID value and copy it.
You will need this later when configuring your application. This client ID is used when obtaining access tokens and adding applications to the Azure AD app gallery.
You'll need this ID later when configuring your application. This client ID is used when obtaining access tokens and adding applications to the Azure AD app gallery.
13. Generate a key for your application and copy it.
You will need this to call the Azure AD Graph API to report device compliance. This is covered in the subsequent section.
You need this key to call the Azure AD Graph API to report device compliance. This information is covered in the next section.
For more information about how to register a sample application with Azure AD, see the steps to register the **TodoListService Web API** in [NativeClient-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613667).
### Add an on-premises MDM
An on-premises MDM application is inherently different that a cloud MDM. It is a single-tenant application that is present uniquely within the tenant of the customer. Therefore, customers must add the application directly within their own tenant. Additionally, each instance of an on-premises MDM application must be registered separately and has a separate key for authentication with Azure AD.
An on-premises MDM application is different than a cloud MDM. It's a single-tenant application that is present uniquely within the tenant of the customer. Customers must add the application directly within their own tenant. Also, each instance of an on-premises MDM application must be registered separately and has a separate key for authentication with Azure AD.
To add an on-premises MDM application to the tenant, there is an entry under the Azure AD service, specifically under **Mobility (MDM and MAM)** > **Add application**. Administrators can configure the required URLs for enrollment and Terms of Use.
To add an on-premises MDM application to the tenant, use the Azure AD service, specifically under **Mobility (MDM and MAM)** > **Add application**. Administrators can configure the required URLs for enrollment and Terms of Use.
Your on-premises MDM product must expose a configuration experience where administrators can provide the client ID, app ID, and the key configured in their directory for that MDM application. You can use this client ID and key to request tokens from Azure AD when reporting device compliance.
@ -162,16 +167,16 @@ The application keys used by your MDM service are a sensitive resource. They sho
For security best practices, see [Windows Azure Security Essentials](https://go.microsoft.com/fwlink/p/?LinkId=613715).
You can rollover the application keys used by a cloud-based MDM service without requiring a customer interaction. There is a single set of keys across all customer tenants that are managed by the MDM vendor in their Azure AD tenant.
You can rollover the application keys used by a cloud-based MDM service without requiring a customer interaction. There's a single set of keys across all customer tenants that are managed by the MDM vendor in their Azure AD tenant.
For the on-premises MDM, the keys used to authenticate with Azure AD are within the tenant of the customer and must be rolled over by the customer's administrator. In this case, you should provide guidance to the customers about rolling over and protecting the keys to improved security.
For the on-premises MDM, the Azure AD authentication keys are within the customer tenant and must be rolled over by the customer's administrator. To improve security, provide guidance to customers about rolling over and protecting the keys.
## Publish your MDM app to Azure AD app gallery
IT administrators use the Azure AD app gallery to add an MDM for their organization to use. The app gallery is a rich store with over 2400 SaaS applications that are integrated with Azure AD.
The following image illustrates how MDM applications will show up in the Azure app gallery in a category dedicated to MDM software.
The following image show how MDM applications show up in the Azure app gallery.
![azure ad add an app for mdm.](images/azure-ad-app-gallery.png)
@ -196,7 +201,7 @@ The following table shows the required information to create an entry in the Azu
<tbody>
<tr class="odd">
<td><p><strong>Application ID</strong></p></td>
<td><p>The client ID of your MDM app that is configured within your tenant. This is the unique identifier for your multi-tenant app.</p></td>
<td><p>The client ID of your MDM app that is configured within your tenant. This ID is the unique identifier for your multi-tenant app.</p></td>
</tr>
<tr class="even">
<td><p><strong>Publisher</strong></p></td>
@ -204,7 +209,7 @@ The following table shows the required information to create an entry in the Azu
</tr>
<tr class="odd">
<td><p><strong>Application URL</strong></p></td>
<td><p>A URL to the landing page of your app where your administrators can get more information about the MDM app and contains a link to the landing page of your app. This URL is not used for the actual enrollment.</p></td>
<td><p>A URL to the landing page of your app where your administrators can get more information about the MDM app and contains a link to the landing page of your app. This URL isn't used for the actual enrollment.</p></td>
</tr>
<tr class="even">
<td><p><strong>Description</strong></p></td>
@ -220,31 +225,30 @@ The following table shows the required information to create an entry in the Azu
### Add on-premises MDM to the app gallery
There are no special requirements for adding on-premises MDM to the app gallery. There is a generic entry for administrator to add an app to their tenant.
There are no special requirements for adding on-premises MDM to the app gallery. There's a generic entry for administrator to add an app to their tenant.
However, key management is different for on-premises MDM. You must obtain the client ID (app ID) and key assigned to the MDM app within the customer's tenant. These are used to obtain authorization to access the Azure AD Graph API and for reporting device compliance.
However, key management is different for on-premises MDM. You must obtain the client ID (app ID) and key assigned to the MDM app within the customer's tenant. Thee ID and key obtain authorization to access the Azure AD Graph API and for reporting device compliance.
## Themes
The pages rendered by the MDM as part of the integrated enrollment process must use Windows templates ([Download the Windows templates and CSS files (1.1.4)](https://download.microsoft.com/download/0/7/0/0702afe3-dc1e-48f6-943e-886a4876f6ca/MDM-ISV_1.1.4.zip)). This is important for enrollment during the Azure AD Join experience in OOBE where all of the pages are edge-to-edge HTML pages. Don't try to copy the templates because you'll never get the button placement right. Using the shared templates ensure a seamless experience for the customers.
The pages rendered by the MDM in the integrated enrollment process must use Windows templates ([Download the Windows templates and CSS files (1.1.4)](https://download.microsoft.com/download/0/7/0/0702afe3-dc1e-48f6-943e-886a4876f6ca/MDM-ISV_1.1.4.zip)). These templates are important for enrollment during the Azure AD Join experience in OOBE where all of the pages are edge-to-edge HTML pages. Don't try to copy the templates because you'll never get the button placement right.
There are 3 distinct scenarios:
There are three distinct scenarios:
1. MDM enrollment as part of Azure AD Join in Windows OOBE.
2. MDM enrollment as part of Azure AD Join, after Windows OOBE from **Settings**.
3. MDM enrollment as part of adding a Microsoft work account on a personal device (BYOD).
Scenarios 1, 2, and 3 are available in Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. Scenarios 1 and 3 are available in Windows 10 Mobile. Support for scenario 1 was added in Windows 10 Mobile, version 1511.
These scenarios support Windows client Pro, Enterprise, and Education.
The CSS files provided by Microsoft contains version information and we recommend that you use the latest version. There are separate CSS files for desktop and mobile devices, OOBE, and post-OOBE experiences. [Download the Windows templates and CSS files (1.1.4)](https://download.microsoft.com/download/0/7/0/0702afe3-dc1e-48f6-943e-886a4876f6ca/MDM-ISV_1.1.4.zip).
The CSS files provided by Microsoft contain version information and we recommend that you use the latest version. There are separate CSS files for Windows client devices, OOBE, and post-OOBE experiences. [Download the Windows templates and CSS files (1.1.4)](https://download.microsoft.com/download/0/7/0/0702afe3-dc1e-48f6-943e-886a4876f6ca/MDM-ISV_1.1.4.zip).
- For Windows 10, use **oobe-desktop.css**
- For Windows 11, use **oobe-light.css**
### Using themes
An MDM page must adhere to a predefined theme depending on the scenario that is displayed. For example, if the CXH-HOSTHTTP header is FRX, which is the OOBE scenario, the page must support a dark theme with blue background color, which uses WinJS file Ui-dark.css ver 4.0 and oobe-desktop.css ver 1.0.4.
An MDM page must adhere to a predefined theme depending on the scenario that is displayed. For example, if the CXH-HOSTHTTP header is FRX, which is the OOBE scenario, then the page must support a dark theme with blue background color, which uses WinJS file Ui-dark.css ver 4.0 and oobe-desktop.css ver 1.0.4.
<table>
<colgroup>
@ -285,11 +289,11 @@ An MDM page must adhere to a predefined theme depending on the scenario that is
## Terms of Use protocol semantics
The Terms of Use endpoint is hosted by the MDM server. During the Azure AD Join protocol flow, Windows performs a full-page redirect to this endpoint. This enables the MDM to display the terms and conditions that apply and allows the user to accept or reject the terms associated with enrollment. After the user accepts the terms, the MDM redirects back to Windows for the enrollment process to continue.
The Terms of Use endpoint is hosted by the MDM server. During the Azure AD Join protocol flow, Windows does a full-page redirect to this endpoint. This redirect enables the MDM to display the terms and conditions that apply. It allows the user to accept or reject the terms associated with enrollment. After the user accepts the terms, the MDM redirects back to Windows for the enrollment process to continue.
### Redirect to the Terms of Use endpoint
This is a full page redirect to the Terms of User endpoint hosted by the MDM. Here is an example URL, https:<span></span>//fabrikam.contosomdm.com/TermsOfUse.
This redirect is a full page redirect to the Terms of User endpoint hosted by the MDM. Here's an example URL, https:<span></span>//fabrikam.contosomdm.com/TermsOfUse.
The following parameters are passed in the query string:
@ -311,15 +315,15 @@ The following parameters are passed in the query string:
</tr>
<tr class="even">
<td><p>client-request-id</p></td>
<td><p>A GUID that is used to correlate logs for diagnostic and debugging purposes. You use this parameter to log or trace the state of the enrollment request to help find the root cause in case of failures.</p></td>
<td><p>A GUID that is used to correlate logs for diagnostic and debugging purposes. Use this parameter to log or trace the state of the enrollment request to help find the root cause of failures.</p></td>
</tr>
<tr class="odd">
<td><p>api-version</p></td>
<td><p>Specifies the version of the protocol requested by the client. This provides a mechanism to support version revisions of the protocol.</p></td>
<td><p>Specifies the version of the protocol requested by the client. This value provides a mechanism to support version revisions of the protocol.</p></td>
</tr>
<tr class="even">
<td><p>mode</p></td>
<td><p>Specifies that the device is corporate owned when mode=azureadjoin. This parameter is not present for BYOD devices.</p></td>
<td><p>Specifies that the device is organization owned when mode=azureadjoin. This parameter isn't present for BYOD devices.</p></td>
</tr>
</tbody>
</table>
@ -327,7 +331,7 @@ The following parameters are passed in the query string:
### Access token
A bearer access token is issued by Azure AD is passed in the authorization header of the HTTP request. Here is a typical format:
Azure AD issues a bearer access token. The token is passed in the authorization header of the HTTP request. Here's a typical format:
**Authorization: Bearer** CI6MTQxmCF5xgu6yYcmV9ng6vhQfaJYw…
@ -355,7 +359,7 @@ The following claims are expected in the access token passed by Windows to the T
</tr>
<tr class="odd">
<td><p>TID</p></td>
<td><p>A claim representing the tenant ID of the tenant. In the example above, it&#39;s Fabrikam.</p></td>
<td><p>A claim representing the tenant ID of the tenant. In the example above, it's Fabrikam.</p></td>
</tr>
<tr class="even">
<td><p>Resource</p></td>
@ -366,7 +370,7 @@ The following claims are expected in the access token passed by Windows to the T
<br/>
> [!NOTE]
> There is no device ID claim in the access token because the device may not yet be enrolled at this time.
> There's no device ID claim in the access token because the device may not yet be enrolled at this time.
To retrieve the list of group memberships for the user, you can use the [Azure AD Graph API](/azure/active-directory/develop/active-directory-graph-api).
@ -381,7 +385,7 @@ The MDM is expected to validate the signature of the access token to ensure it w
### Terms of Use content
The MDM may perform other additional redirects as necessary before displaying the Terms of Use content to the user. The appropriate Terms of Use content should be returned to the caller (Windows) so it can be displayed to the end user in the browser control.
The MDM may do other more redirects as necessary before displaying the Terms of Use content to the user. The appropriate Terms of Use content should be returned to the caller (Windows) so it can be displayed to the end user in the browser control.
The Terms of Use content should contain the following buttons:
@ -395,29 +399,28 @@ The Terms of Use content must be consistent with the theme used for the other pa
At this point, the user is on the Terms of Use page shown during the OOBE or from the Setting experiences. The user has the following options on the page:
- **User clicks on the Accept button** - The MDM must redirect to the URI specified by the redirect\_uri parameter in the incoming request. The following query string parameters are expected:
- **IsAccepted** - This mandatory Boolean must be set to true.
- **OpaqueBlob** - Required parameter if the user accepts. The MDM may use this make some information available to the enrollment endpoint. The value persisted here is made available unchanged at the enrollment endpoint. The MDM may use this parameter for correlation purposes.
- Here is an example redirect - ms-appx-web://MyApp1/ToUResponse?OpaqueBlob=value&IsAccepted=true
- **IsAccepted** - This Boolean value is required, and must be set to true.
- **OpaqueBlob** - Required parameter if the user accepts. The MDM may use this blob to make some information available to the enrollment endpoint. The value persisted here is made available unchanged at the enrollment endpoint. The MDM may use this parameter for correlation purposes.
- Here's an example redirect - `ms-appx-web://MyApp1/ToUResponse?OpaqueBlob=value&IsAccepted=true`
- **User clicks on the Decline button** - The MDM must redirect to the URI specified in redirect\_uri in the incoming request. The following query string parameters are expected:
- **IsAccepted** - This mandatory Boolean must be set to false. This also applies if the user skipped the Terms of Use.
- **OpaqueBlob** - This parameter is not expected to be used because the enrollment is stopped with an error message displayed to the user.
- **IsAccepted** - This Boolean value is required, and must be set to false. This option also applies if the user skipped the Terms of Use.
- **OpaqueBlob** - This parameter isn't expected to be used. The enrollment is stopped with an error message shown to the user.
Users skip the Terms of Use when they are adding a Microsoft work account to their device. However, then cannot skip it during the Azure AD Join process. The decline button must not be shown in the Azure AD Join process because MDM enrollment cannot be declined by the user if configured by the administrator for the Azure AD Join.
Users skip the Terms of Use when they're adding a Microsoft work account to their device. However, they can't skip it during the Azure AD Join process. Don't show the decline button in the Azure AD Join process. MDM enrollment can't be declined by the user if configured by the administrator for the Azure AD Join.
We recommend that you send the client-request-id parameters in the query string as part of this redirect response.
### Terms Of Use Error handling
If an error was encountered during the terms of use processing, the MDM can return two parameters an error and error\_description parameter in its redirect request back to Windows. Note that the URL should be encoded and the contents of the error\_description should be in English plain text. This text is not visible to the end-user and therefore localization of the error description text is not a concern.
If an error occurs during the terms of use processing, the MDM can return two parameters an error and error\_description parameter in its redirect request back to Windows. The URL should be encoded, and the contents of the error\_description should be in English plain text. This text isn't visible to the end-user. So, localization of the error description text isn't a concern.
Here is the URL format:
Here's the URL format:
```console
HTTP/1.1 302
Location:
<redirect_uri>?error=access_denied&error_description=Access%20is%20denied%2E
Example:
HTTP/1.1 302
Location: ms-appx-web://App1/ToUResponse?error=access_denied&error_description=Access%20is%20denied%2E
@ -471,7 +474,7 @@ The following table shows the error codes.
## Enrollment protocol with Azure AD
With Azure integrated MDM enrollment, there is no discovery phase and the discovery URL is directly passed down to the system from Azure. The following table shows the comparison between the traditional and Azure enrollments.
With Azure integrated MDM enrollment, there's no discovery phase and the discovery URL is directly passed down to the system from Azure. The following table shows the comparison between the traditional and Azure enrollments.
<table>
<colgroup>
@ -484,8 +487,8 @@ With Azure integrated MDM enrollment, there is no discovery phase and the discov
<tr class="header">
<th>Detail</th>
<th>Traditional MDM enrollment</th>
<th>Azure AD Join (corporate-owned device)</th>
<th>Azure AD add a work account (user-owned device)</th>
<th>Azure AD Join (organization-owned device)</th>
<th>Azure AD adds a work account (user-owned device)</th>
</tr>
</thead>
<tbody>
@ -598,12 +601,6 @@ With Azure integrated MDM enrollment, there is no discovery phase and the discov
<li>Policy</li>
<li>w7 APPLICATION</li>
</ul>
<p>Legacy support:</p>
<ul>
<li>EnterpriseAppManagement (Windows Phone 8.1)</li>
</ul></td>
<td><p>same as traditional MDM enrollment</p></td>
<td><p>same as traditional MDM enrollment</p></td>
</tr>
</tbody>
</table>
@ -612,13 +609,13 @@ With Azure integrated MDM enrollment, there is no discovery phase and the discov
## Management protocol with Azure AD
There are two different MDM enrollment types that take advantage of integration with Azure AD and therefore make use of Azure AD user and device identities. Depending on the enrollment type, the MDM service may need to manage a single user or multiple users.
There are two different MDM enrollment types that integrate with Azure AD, and use Azure AD user and device identities. Depending on the enrollment type, the MDM service may need to manage a single user or multiple users.
<a href="" id="multiple-user-management-for-azure-ad-joined-devices"></a>**Multiple user management for Azure AD joined devices**
In this scenario the MDM enrollment applies to every Azure AD user who logs on to the Azure AD joined device - call this enrollment type a device enrollment or a multi-user enrollment. The management server can determine the user identity, conclude what policies are targeted for this user, and send corresponding policies to the device. To allow management server to identify current user that is logged on to the device, the OMA DM client uses the Azure AD user tokens. Each management session contains an additional HTTP header that contains an Azure AD user token. This information is provided in the DM package sent to the management server. However, in some circumstances Azure AD user token is not sent over to the management server. One such scenario happens immediately after MDM enrollments completes during Azure AD join process. Until Azure AD join process is finished and Azure AD user logs on to the machine, Azure AD user token is not available to OMA-DM process. Typically MDM enrollment completes before Azure AD user logs on to machine and the initial management session does not contain an Azure AD user token. The management server should check if the token is missing and only send device policies in such case. Another possible reason for a missing Azure AD token in the OMA-DM payload is when a guest user is logged on to the device.
In this scenario the MDM enrollment applies to every Azure AD user who signs in to the Azure AD joined device - call this enrollment type a device enrollment or a multi-user enrollment. The management server can determine the user identity, determine what policies are targeted for this user, and send corresponding policies to the device. To allow management server to identify current user that is logged on to the device, the OMA DM client uses the Azure AD user tokens. Each management session contains an additional HTTP header that contains an Azure AD user token. This information is provided in the DM package sent to the management server. However, in some circumstances Azure AD user token isn't sent over to the management server. One such scenario happens immediately after MDM enrollments completes during Azure AD join process. Until Azure AD join process is finished and Azure AD user signs on to the machine, Azure AD user token isn't available to OMA-DM process. Typically MDM enrollment completes before Azure AD user sign in to machine and the initial management session does not contain an Azure AD user token. The management server should check if the token is missing and only send device policies in such case. Another possible reason for a missing Azure AD token in the OMA-DM payload is when a guest user is logged on to the device.
<a href="" id="adding-a-work-account-and-mdm-enrollment-to-a-device"></a>**Adding a work account and MDM enrollment to a device**
In this scenario, the MDM enrollment applies to a single user who initially added his work account and enrolled the device. In this enrollment type the management server can ignore Azure AD tokens that may be sent over during management session. Whether Azure AD token is present or missing, the management server sends both user and device policies to the device.
In this scenario, the MDM enrollment applies to a single user who initially added their work account and enrolled the device. In this enrollment type, the management server can ignore Azure AD tokens that may be sent over during management session. Whether Azure AD token is present or missing, the management server sends both user and device policies to the device.
<a href="" id="evaluating-azure-ad-user-tokens"></a>**Evaluating Azure AD user tokens**
The Azure AD token is in the HTTP Authorization header in the following format:
@ -634,14 +631,14 @@ Additional claims may be present in the Azure AD token, such as:
- Device ID - identifies the device that is checking in
- Tenant ID
Access token issued by Azure AD are JSON web tokens (JWTs). A valid JWT token is presented by Windows at the MDM enrollment endpoint to initiate the enrollment process. There are a couple of options to evaluate the tokens:
Access tokens issued by Azure AD are JSON web tokens (JWTs). A valid JWT token is presented by Windows at the MDM enrollment endpoint to start the enrollment process. There are a couple of options to evaluate the tokens:
- Use the JWT Token Handler extension for WIF to validate the contents of the access token and extract claims required for use. For more information, see [JSON Web Token Handler](/previous-versions/dotnet/framework/security/json-web-token-handler).
- Refer to the Azure AD authentication code samples to get a sample for working with access tokens. For an example, see [NativeClient-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613667).
## Device Alert 1224 for Azure AD user token
An alert is sent when the DM session starts and there is an Azure AD user logged in. The alert is sent in OMA DM pkg\#1. Here's an example:
An alert is sent when the DM session starts and there's an Azure AD user logged in. The alert is sent in OMA DM pkg\#1. Here's an example:
```xml
Alert Type: com.microsoft/MDM/AADUserToken
@ -693,19 +690,19 @@ Here's an example.
## Report device compliance to Azure AD
Once a device is enrolled with the MDM for management, corporate policies configured by the IT administrator are enforced on the device. The device compliance with configured policies is evaluated by the MDM and then reported to Azure AD. This section covers the Graph API call you can use to report a device compliance status to Azure AD.
Once a device is enrolled with the MDM for management, organization policies configured by the IT administrator are enforced on the device. The device compliance with configured policies is evaluated by the MDM and then reported to Azure AD. This section covers the Graph API call you can use to report a device compliance status to Azure AD.
For a sample that illustrates how an MDM can obtain an access token using OAuth 2.0 client\_credentials grant type, see [Daemon\_CertificateCredential-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613822).
- **Cloud-based MDM** - If your product is a cloud-based multi-tenant MDM service, you have a single key configured for your service within your tenant. Use this key to authenticate the MDM service with Azure AD, in order to obtain authorization.
- **On-premises MDM** - If your product is an on-premises MDM, customers must configure your product with the key used to authenticate with Azure AD. This is because each on-premises instance of your MDM product has a different tenant-specific key. For this purpose, you may need to expose a configuration experience in your MDM product that enables administrators to specify the key to be used to authenticate with Azure AD.
- **Cloud-based MDM** - If your product is a cloud-based multi-tenant MDM service, you have a single key configured for your service within your tenant. To obtain authorization, use this key to authenticate the MDM service with Azure AD.
- **On-premises MDM** - If your product is an on-premises MDM, customers must configure your product with the key used to authenticate with Azure AD. This key configuration is because each on-premises instance of your MDM product has a different tenant-specific key. So, you may need to expose a configuration experience in your MDM product that enables administrators to specify the key to be used to authenticate with Azure AD.
### Use Azure AD Graph API
The following sample REST API call illustrates how an MDM can use the Azure AD Graph API to report compliance status of a device currently being managed by it.
The following sample REST API call illustrates how an MDM can use the Azure AD Graph API to report compliance status of a device being managed by it.
> [!NOTE]
> This is only applicable for approved MDM apps on Windows 10 devices.
> This API is only applicable for approved MDM apps on Windows 10 devices.
```console
Sample Graph API Request:
@ -721,20 +718,20 @@ Content-Type: application/json
Where:
- **contoso.com** This is the name of the Azure AD tenant to whose directory the device has been joined.
- **db7ab579-3759-4492-a03f-655ca7f52ae1** This is the device identifier for the device whose compliance information is being reported to Azure AD.
- **eyJ0eXAiO**……… This is the bearer access token issued by Azure AD to the MDM that authorizes the MDM to call the Azure AD Graph API. The access token is placed in the HTTP authorization header of the request.
- **contoso.com** This value is the name of the Azure AD tenant to whose directory the device has been joined.
- **db7ab579-3759-4492-a03f-655ca7f52ae1** This value is the device identifier for the device whose compliance information is being reported to Azure AD.
- **eyJ0eXAiO**……… This value is the bearer access token issued by Azure AD to the MDM that authorizes the MDM to call the Azure AD Graph API. The access token is placed in the HTTP authorization header of the request.
- **isManaged** and **isCompliant** - These Boolean attributes indicates compliance status.
- **api-version** - Use this parameter to specify which version of the graph API is being requested.
Response:
- Success - HTTP 204 with No Content.
- Failure/Error - HTTP 404 Not Found. This error may be returned if the specified device or tenant cannot be found.
- Failure/Error - HTTP 404 Not Found. This error may be returned if the specified device or tenant can't be found.
## Data loss during unenrollment from Azure Active Directory Join
When a user is enrolled into MDM through Azure Active Directory Join and then disconnects the enrollment, there is no warning that the user will lose Windows Information Protection (WIP) data. The disconnection message does not indicate the loss of WIP data.
When a user is enrolled into MDM through Azure Active Directory Join and then disconnects the enrollment, there's no warning that the user will lose Windows Information Protection (WIP) data. The disconnection message does not indicate the loss of WIP data.
![aadj unenrollment.](images/azure-ad-unenrollment.png)
@ -756,182 +753,182 @@ When a user is enrolled into MDM through Azure Active Directory Join and then di
<tbody>
<tr class="odd">
<td>0x80180001</td>
<td>&quot;idErrorServerConnectivity&quot;, // MENROLL_E_DEVICE_MESSAGE_FORMAT_ERROR</td>
<td>"idErrorServerConnectivity", // MENROLL_E_DEVICE_MESSAGE_FORMAT_ERROR</td>
<td><p>There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}</p></td>
</tr>
<tr class="even">
<td>0x80180002</td>
<td>&quot;idErrorAuthenticationFailure&quot;, // MENROLL_E_DEVICE_AUTHENTICATION_ERROR</td>
<td>"idErrorAuthenticationFailure", // MENROLL_E_DEVICE_AUTHENTICATION_ERROR</td>
<td><p>There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="odd">
<td>0x80180003</td>
<td>&quot;idErrorAuthorizationFailure&quot;, // MENROLL_E_DEVICE_AUTHORIZATION_ERROR</td>
<td><p>This user is not authorized to enroll. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
<td>"idErrorAuthorizationFailure", // MENROLL_E_DEVICE_AUTHORIZATION_ERROR</td>
<td><p>This user isn't authorized to enroll. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="even">
<td>0x80180004</td>
<td>&quot;idErrorMDMCertificateError&quot;, // MENROLL_E_DEVICE_CERTIFCATEREQUEST_ERROR</td>
<td>"idErrorMDMCertificateError", // MENROLL_E_DEVICE_CERTIFCATEREQUEST_ERROR</td>
<td><p>There was a certificate error. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="odd">
<td>0x80180005</td>
<td>&quot;idErrorServerConnectivity&quot;, // MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR</td>
<td>"idErrorServerConnectivity", // MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR</td>
<td><p>There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}</p></td>
</tr>
<tr class="even">
<td>0x80180006</td>
<td>&quot;idErrorServerConnectivity&quot;, // MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR</td>
<td>"idErrorServerConnectivity", // MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR</td>
<td><p>There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}</p></td>
</tr>
<tr class="odd">
<td>0x80180007</td>
<td>&quot;idErrorAuthenticationFailure&quot;, // MENROLL_E_DEVICE_INVALIDSECURITY_ERROR</td>
<td>"idErrorAuthenticationFailure", // MENROLL_E_DEVICE_INVALIDSECURITY_ERROR</td>
<td><p>There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="even">
<td>0x80180008</td>
<td>&quot;idErrorServerConnectivity&quot;, // MENROLL_E_DEVICE_UNKNOWN_ERROR</td>
<td>"idErrorServerConnectivity", // MENROLL_E_DEVICE_UNKNOWN_ERROR</td>
<td><p>There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}</p></td>
</tr>
<tr class="odd">
<td>0x80180009</td>
<td>&quot;idErrorAlreadyInProgress&quot;, // MENROLL_E_ENROLLMENT_IN_PROGRESS</td>
<td>"idErrorAlreadyInProgress", // MENROLL_E_ENROLLMENT_IN_PROGRESS</td>
<td><p>Another enrollment is in progress. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="even">
<td>0x8018000A</td>
<td>&quot;idErrorMDMAlreadyEnrolled&quot;, // MENROLL_E_DEVICE_ALREADY_ENROLLED</td>
<td>"idErrorMDMAlreadyEnrolled", // MENROLL_E_DEVICE_ALREADY_ENROLLED</td>
<td><p>This device is already enrolled. You can contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="odd">
<td>0x8018000D</td>
<td>&quot;idErrorMDMCertificateError&quot;, // MENROLL_E_DISCOVERY_SEC_CERT_DATE_INVALID</td>
<td>"idErrorMDMCertificateError", // MENROLL_E_DISCOVERY_SEC_CERT_DATE_INVALID</td>
<td><p>There was a certificate error. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="even">
<td>0x8018000E</td>
<td>&quot;idErrorAuthenticationFailure&quot;, // MENROLL_E_PASSWORD_NEEDED</td>
<td>"idErrorAuthenticationFailure", // MENROLL_E_PASSWORD_NEEDED</td>
<td><p>There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="odd">
<td>0x8018000F</td>
<td>&quot;idErrorAuthenticationFailure&quot;, // MENROLL_E_WAB_ERROR</td>
<td>"idErrorAuthenticationFailure", // MENROLL_E_WAB_ERROR</td>
<td><p>There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="even">
<td>0x80180010</td>
<td>&quot;idErrorServerConnectivity&quot;, // MENROLL_E_CONNECTIVITY</td>
<td>"idErrorServerConnectivity", // MENROLL_E_CONNECTIVITY</td>
<td><p>There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}</p></td>
</tr>
<tr class="odd">
<td>0x80180012</td>
<td>&quot;idErrorMDMCertificateError&quot;, // MENROLL_E_INVALIDSSLCERT</td>
<td>"idErrorMDMCertificateError", // MENROLL_E_INVALIDSSLCERT</td>
<td><p>There was a certificate error. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="even">
<td>0x80180013</td>
<td>&quot;idErrorDeviceLimit&quot;, // MENROLL_E_DEVICECAPREACHED</td>
<td>"idErrorDeviceLimit", // MENROLL_E_DEVICECAPREACHED</td>
<td><p>Looks like there are too many devices or users for this account. Contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="odd">
<td>0x80180014</td>
<td>&quot;idErrorMDMNotSupported&quot;, // MENROLL_E_DEVICENOTSUPPORTED</td>
<td><p>This feature is not supported. Contact your system administrator with the error code {0}.</p></td>
<td>"idErrorMDMNotSupported", // MENROLL_E_DEVICENOTSUPPORTED</td>
<td><p>This feature isn't supported. Contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="even">
<td>0x80180015</td>
<td>&quot;idErrorMDMNotSupported&quot;, // MENROLL_E_NOTSUPPORTED</td>
<td><p>This feature is not supported. Contact your system administrator with the error code {0}.</p></td>
<td>"idErrorMDMNotSupported", // MENROLL_E_NOTSUPPORTED</td>
<td><p>This feature isn't supported. Contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="odd">
<td>0x80180016</td>
<td>&quot;idErrorMDMRenewalRejected&quot;, // MENROLL_E_NOTELIGIBLETORENEW</td>
<td>"idErrorMDMRenewalRejected", // MENROLL_E_NOTELIGIBLETORENEW</td>
<td><p>The server did not accept the request. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="even">
<td>0x80180017</td>
<td>&quot;idErrorMDMAccountMaintenance&quot;, // MENROLL_E_INMAINTENANCE</td>
<td>"idErrorMDMAccountMaintenance", // MENROLL_E_INMAINTENANCE</td>
<td><p>The service is in maintenance. You can try to do this again later or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="odd">
<td>0x80180018</td>
<td>&quot;idErrorMDMLicenseError&quot;, // MENROLL_E_USERLICENSE</td>
<td>"idErrorMDMLicenseError", // MENROLL_E_USERLICENSE</td>
<td><p>There was an error with your license. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="even">
<td>0x80180019</td>
<td>&quot;idErrorInvalidServerConfig&quot;, // MENROLL_E_ENROLLMENTDATAINVALID</td>
<td><p>Looks like the server is not correctly configured. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
<td>"idErrorInvalidServerConfig", // MENROLL_E_ENROLLMENTDATAINVALID</td>
<td><p>Looks like the server isn't correctly configured. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="odd">
<td>&quot;rejectedTermsOfUse&quot;</td>
<td>&quot;idErrorRejectedTermsOfUse&quot;</td>
<td>"rejectedTermsOfUse"</td>
<td>"idErrorRejectedTermsOfUse"</td>
<td><p>Your organization requires that you agree to the Terms of Use. Please try again or ask your support person for more information.</p></td>
</tr>
<tr class="even">
<td>0x801c0001</td>
<td>&quot;idErrorServerConnectivity&quot;, // DSREG_E_DEVICE_MESSAGE_FORMAT_ERROR</td>
<td>"idErrorServerConnectivity", // DSREG_E_DEVICE_MESSAGE_FORMAT_ERROR</td>
<td><p>There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}</p></td>
</tr>
<tr class="odd">
<td>0x801c0002</td>
<td>&quot;idErrorAuthenticationFailure&quot;, // DSREG_E_DEVICE_AUTHENTICATION_ERROR</td>
<td>"idErrorAuthenticationFailure", // DSREG_E_DEVICE_AUTHENTICATION_ERROR</td>
<td><p>There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="even">
<td>0x801c0003</td>
<td>&quot;idErrorAuthorizationFailure&quot;, // DSREG_E_DEVICE_AUTHORIZATION_ERROR</td>
<td><p>This user is not authorized to enroll. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
<td>"idErrorAuthorizationFailure", // DSREG_E_DEVICE_AUTHORIZATION_ERROR</td>
<td><p>This user isn't authorized to enroll. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="odd">
<td>0x801c0006</td>
<td>&quot;idErrorServerConnectivity&quot;, // DSREG_E_DEVICE_INTERNALSERVICE_ERROR</td>
<td>"idErrorServerConnectivity", // DSREG_E_DEVICE_INTERNALSERVICE_ERROR</td>
<td><p>There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}</p></td>
</tr>
<tr class="even">
<td>0x801c000B</td>
<td>&quot;idErrorUntrustedServer&quot;, // DSREG_E_DISCOVERY_REDIRECTION_NOT_TRUSTED</td>
<td>The server being contacted is not trusted. Contact your system administrator with the error code {0}.</td>
<td>"idErrorUntrustedServer", // DSREG_E_DISCOVERY_REDIRECTION_NOT_TRUSTED</td>
<td>The server being contacted isn't trusted. Contact your system administrator with the error code {0}.</td>
</tr>
<tr class="odd">
<td>0x801c000C</td>
<td>&quot;idErrorServerConnectivity&quot;, // DSREG_E_DISCOVERY_FAILED</td>
<td>"idErrorServerConnectivity", // DSREG_E_DISCOVERY_FAILED</td>
<td><p>There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}</p></td>
</tr>
<tr class="even">
<td>0x801c000E</td>
<td>&quot;idErrorDeviceLimit&quot;, // DSREG_E_DEVICE_REGISTRATION_QUOTA_EXCCEEDED</td>
<td>"idErrorDeviceLimit", // DSREG_E_DEVICE_REGISTRATION_QUOTA_EXCCEEDED</td>
<td><p>Looks like there are too many devices or users for this account. Contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="odd">
<td>0x801c000F</td>
<td>&quot;idErrorDeviceRequiresReboot&quot;, // DSREG_E_DEVICE_REQUIRES_REBOOT</td>
<td>"idErrorDeviceRequiresReboot", // DSREG_E_DEVICE_REQUIRES_REBOOT</td>
<td><p>A reboot is required to complete device registration.</p></td>
</tr>
<tr class="even">
<td>0x801c0010</td>
<td>&quot;idErrorInvalidCertificate&quot;, // DSREG_E_DEVICE_AIK_VALIDATION_ERROR</td>
<td>"idErrorInvalidCertificate", // DSREG_E_DEVICE_AIK_VALIDATION_ERROR</td>
<td><p>Looks like you have an invalid certificate. Contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="odd">
<td>0x801c0011</td>
<td>&quot;idErrorAuthenticationFailure&quot;, // DSREG_E_DEVICE_ATTESTATION_ERROR</td>
<td>"idErrorAuthenticationFailure", // DSREG_E_DEVICE_ATTESTATION_ERROR</td>
<td><p>There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="even">
<td>0x801c0012</td>
<td>&quot;idErrorServerConnectivity&quot;, // DSREG_E_DISCOVERY_BAD_MESSAGE_ERROR</td>
<td>"idErrorServerConnectivity", // DSREG_E_DISCOVERY_BAD_MESSAGE_ERROR</td>
<td><p>There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}</p></td>
</tr>
<tr class="odd">
<td>0x801c0013</td>
<td>&quot;idErrorAuthenticationFailure&quot;, // DSREG_E_TENANTID_NOT_FOUND</td>
<td>"idErrorAuthenticationFailure", // DSREG_E_TENANTID_NOT_FOUND</td>
<td><p>There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="even">
<td>0x801c0014</td>
<td>&quot;idErrorAuthenticationFailure&quot;, // DSREG_E_USERSID_NOT_FOUND</td>
<td>"idErrorAuthenticationFailure", // DSREG_E_USERSID_NOT_FOUND</td>
<td><p>There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
</tbody>

51
windows/client-management/mdm/bootstrap-csp.md
View File

@ -1,51 +0,0 @@
---
title: BOOTSTRAP CSP
description: Use the BOOTSTRAP configuration service provider to set the Trusted Provisioning Server (TPS) for the device.
ms.assetid: b8acbddc-347f-4543-a45b-ad2ffae3ffd0
ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
ms.date: 06/26/2017
---
# BOOTSTRAP CSP
The BOOTSTRAP configuration service provider sets the Trusted Provisioning Server (TPS) for the device.
>[!Note]
>BOOTSTRAP CSP is only supported in Windows 10 Mobile.
>
> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application.
The following shows the BOOTSTRAP configuration service provider in tree format as used by Open Mobile Alliance (OMA) Client Provisioning. The OMA Device Management protocol is not supported with this configuration service provider.
```console
BOOTSTRAP
----CONTEXT-ALLOW
----PROVURL
```
<a href="" id="context-allow"></a>**CONTEXT-ALLOW**
Optional. Specifies a context for the TPS. Only one context is supported, so this parameter is ignored and "0" is assumed for its value.
<a href="" id="provurl"></a>**PROVURL**
Required. Specifies the location of a Trusted Provisioning Server (TPS). The PROVURL value must be a complete URL string with a maximum length of 256 characters.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)

37
windows/client-management/mdm/certificate-renewal-windows-mdm.md
View File

@ -17,39 +17,31 @@ ms.date: 06/26/2017
# Certificate Renewal
The enrolled client certificate expires after a period of use. The expiration date of the certificate is specified by the server. To ensure continuous access to enterprise applications, Windows supports a user-triggered certificate renewal process. The user is prompted to provide the current password for the corporate account, and the enrollment client gets a new client certificate from the enrollment server and deletes the old certificate. The client generates a new private/public key pair, generates a PKCS\#7 request, and signs the PKCS\#7 request with the existing certificate. In Windows, automatic MDM client certificate renewal is also supported.
The enrolled client certificate expires after a period of use. The expiration date of the certificate is specified by the server. To ensure continuous access to enterprise applications, Windows supports a user-triggered certificate renewal process. The user is prompted to provide the current password for the corporate account. The enrollment client gets a new client certificate from the enrollment server, and deletes the old certificate. The client generates a new private/public key pair, generates a PKCS\#7 request, and signs the PKCS\#7 request with the existing certificate. In Windows, automatic MDM client certificate renewal is also supported.
> [!Note]
> Make sure that the EntDMID in the DMClient configuration service provider is set before the certificate renewal request is triggered.
## In this topic
- [Automatic certificate renewal request](#automatic-certificate-renewal-request)
- [Certificate renewal schedule configuration](#certificate-renewal-schedule-configuration)
- [Certificate renewal response](#certificate-renewal-response)
- [Configuration service providers supported during MDM enrollment and certificate renewal](#configuration-service-providers-supported-during-mdm-enrollment-and-certificate-renewal)
<a href="" id="automatic-certificate-renewal"></a>
## Automatic certificate renewal request
In addition to manual certificate renewal, Windows includes support for automatic certificate renewal, also known as Renew On Behalf Of (ROBO), that does not require any user interaction. For auto renewal, the enrollment client uses the existing MDM client certificate to perform client Transport Layer Security (TLS). The user security token is not needed in the SOAP header. As a result, the MDM certificate enrollment server is required to support client TLS for certificate based client authentication for automatic certificate renewal.
Windows supports automatic certificate renewal, also known as Renew On Behalf Of (ROBO), that doesn't require any user interaction. For auto renewal, the enrollment client uses the existing MDM client certificate to do client Transport Layer Security (TLS). The user security token isn't needed in the SOAP header. As a result, the MDM certificate enrollment server is required to support client TLS for certificate-based client authentication for automatic certificate renewal.
> [!Note]
> Certificate renewal of the enrollment certificate through ROBO is only supported with Microsoft PKI.
Auto certificate renewal is the only supported MDM client certificate renewal method for the device that is enrolled using WAB authentication (meaning that the AuthPolicy is set to Federated). It also means if the server supports WAB authentication, the MDM certificate enrollment server MUST also support client TLS in order to renew the MDM client certificate.
Auto certificate renewal is the only supported MDM client certificate renewal method for the device that's enrolled using WAB authentication. Meaning, the AuthPolicy is set to Federated. It also means if the server supports WAB authentication, then the MDM certificate enrollment server MUST also support client TLS to renew the MDM client certificate.
For the device that is enrolled with the OnPremise authentication method, for backward compatibility, the default renewal method is user manual certificate renewal. However, for Windows devices, during the MDM client certificate enrollment phase or during MDM management section, the enrollment server or MDM server could configure the device to support automatic MDM client certificate renewal via CertificateStore CSPs ROBOSupport node under CertificateStore/My/WSTEP/Renew URL. For more information about Renew related configuration settings, refer to the CertificateStore configuration service provider.
For Windows devices, during the MDM client certificate enrollment phase or during MDM management section, the enrollment server or MDM server could configure the device to support automatic MDM client certificate renewal using [CertificateStore CSPs](certificatestore-csp.md) ROBOSupport node under CertificateStore/My/WSTEP/Renew URL.
Unlike manual certificate renewal where there is an additional b64 encoding for PKCS\#7 message content, with automatic renewal, the PKCS\#7 message content isnt b64 encoded separately.
With automatic renewal, the PKCS\#7 message content isnt b64 encoded separately. With manual certificate renewal, there's an additional b64 encoding for PKCS\#7 message content.
During the automatic certificate renewal process, if the root certificate isnt trusted by the device, the authentication will fail. Make sure using one of device pre-installed root certificates or provision the root cert over a DM session via CertificateStore Configuration Service Provider.
During the automatic certificate renewal process, if the root certificate isnt trusted by the device, the authentication will fail. Use one of device pre-installed root certificates, or configure the root cert over a DM session using the [CertificateStore CSP](certificatestore-csp.md).
During the automatic certificate renew process, the device will deny HTTP redirect request from the server unless it is the same redirect URL that the user explicitly accepted during the initial MDM enrollment process.
During the automatic certificate renew process, the device will deny HTTP redirect request from the server. It won't deny the request if the same redirect URL that the user accepted during the initial MDM enrollment process is used.
The following example shows the details of an automatic renewal request.
``` xml
```xml
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
@ -101,18 +93,16 @@ The following example shows the details of an automatic renewal request.
</s:Envelope>
```
<a href="" id="certificate-renewal-schedule"></a>
## Certificate renewal schedule configuration
In Windows, the renewal period can only be set during the MDM enrollment phase. Windows supports a certificate renewal period and renewal failure retry to be configurable by both MDM enrollment server and later by the MDM management server using CertificateStore CSPs RenewPeriod and RenewInterval nodes. The device could retry automatic certificate renewal multiple times until the certificate expires. For manual certificate renewal, instead of only reminding the user once, the Windows device will remind the user with a prompt dialog at every renewal retry time until the certificate is expired.
In Windows, the renewal period can only be set during the MDM enrollment phase. Windows supports a certificate renewal period and renewal failure retry. They're configurable by both MDM enrollment server and later by the MDM management server using CertificateStore CSPs RenewPeriod and RenewInterval nodes. The device could retry automatic certificate renewal multiple times until the certificate expires. For manual certificate renewal, the Windows device reminds the user with a dialog at every renewal retry time until the certificate is expired.
For more information about the parameters, see the CertificateStore configuration service provider.
Unlike manual certificate renewal, the device will not perform an automatic MDM client certificate renewal if the certificate is already expired. To make sure that the device has enough time to perform an automatic renewal, we recommend that you set a renewal period a couple months (40-60 days) before the certificate expires and set the renewal retry interval to be every few days such as every 4-5 days instead every 7 days (weekly) to increase the chance that the device will a connectivity at different days of the week.
Unlike manual certificate renewal, the device will not do an automatic MDM client certificate renewal if the certificate is already expired. To make sure the device has enough time to automatically renew, we recommend you set a renewal period a couple months (40-60 days) before the certificate expires. And, set the renewal retry interval to every few days, like every 4-5 days instead every 7 days (weekly). This change increases the chance that the device will try to connect at different days of the week.
> [!Note]
> For PCs that were previously enrolled in MDM in Windows 8.1 and then upgraded to Windows 10, renewal will be triggered for the enrollment certificate. Thereafter, renewal will happen at the configured ROBO interval.
> For Windows Phone 8.1 devices upgraded to Windows 10 Mobile, renewal will happen at the configured ROBO internal. This is expected and by design.
## Certificate renewal response
@ -129,9 +119,9 @@ After validation is completed, the web service retrieves the PKCS\#10 content fr
> [!Note]
> The HTTP server response must not be chunked; it must be sent as one message.
The following example shows the details of an certificate renewal response.
The following example shows the details of a certificate renewal response.
``` xml
```xml
<wap-provisioningdoc version="1.1">
<characteristic type="CertificateStore">
<!-- Root certificate provision is only needed here if it is not in the device already --> <characteristic type="Root">
@ -157,9 +147,8 @@ The following example shows the details of an certificate renewal response.
```
> [!Note]
The client receives a new certificate, instead of renewing the initial certificate. The administrator controls which certificate template the client should use. The templates may be different at renewal time than the initial enrollment time.
> The client receives a new certificate, instead of renewing the initial certificate. The administrator controls which certificate template the client should use. The templates may be different at renewal time than the initial enrollment time.
<a href="" id="csp-support-during-enrollment-and-renewal"></a>
## Configuration service providers supported during MDM enrollment and certificate renewal
The following configuration service providers are supported during MDM enrollment and certificate renewal process. See Configuration service provider reference for detailed descriptions of each configuration service provider.

60
windows/client-management/mdm/devdetail-csp.md
View File

@ -1,6 +1,6 @@
---
title: DevDetail CSP
description: Learn how the DevDetail configuration service provider handles the management object which provides device-specific parameters to the OMA DM server.
description: Learn how the DevDetail configuration service provider handles the management object. This CSP provides device-specific parameters to the OMA DM server.
ms.assetid: 719bbd2d-508d-439b-b175-0874c7e6c360
ms.reviewer:
manager: dansimp
@ -14,15 +14,16 @@ ms.date: 03/27/2020
# DevDetail CSP
The DevDetail configuration service provider handles the management object which provides device-specific parameters to the OMA DM server. These device parameters are not sent from the client to the server automatically, but can be queried by servers using OMA DM commands.
The DevDetail configuration service provider handles the management object that provides device-specific parameters to the OMA DM server. These device parameters can be queried by servers using OMA DM commands. They aren't sent from the client to the server automatically.
> [!NOTE]
> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application.
For the DevDetail CSP, you cannot use the Replace command unless the node already exists.
For the DevDetail CSP, you can't use the Replace command unless the node already exists.
The following shows the DevDetail configuration service provider management object in tree format as used by OMA Device Management. The OMA Client Provisioning protocol is not supported for this configuration service provider.
```
The following information shows the DevDetail configuration service provider management object in tree format as used by OMA Device Management. The OMA Client Provisioning protocol isn't supported for this configuration service provider.
```console
.
DevDetail
----URI
@ -97,24 +98,24 @@ Required. Returns the maximum depth of the management tree that the device suppo
Supported operation is Get.
This is the maximum number of URI segments that the device supports. The default value zero (0) indicates that the device supports a URI of unlimited depth.
This value is the maximum number of URI segments that the device supports. The default value zero (0) indicates that the device supports a URI of unlimited depth.
<a href="" id="uri-maxtotlen"></a>**URI/MaxTotLen**
Required. Returns the maximum total length of any URI used to address a node or node property. The default is zero (0).
Supported operation is Get.
This is the largest number of characters in the URI that the device supports. The default value zero (0) indicates that the device supports a URI of unlimited length.
This value is the largest number of characters in the URI that the device supports. The default value zero (0) indicates that the device supports a URI of unlimited length.
<a href="" id="uri-maxseglen"></a>**URI/MaxSegLen**
Required. Returns the total length of any URI segment in a URI that addresses a node or node property. The default is zero (0).
Supported operation is Get.
This is the largest number of characters that the device can support in a single URI segment. The default value zero (0) indicates that the device supports URI segment of unlimited length.
This value is the largest number of characters that the device can support in a single URI segment. The default value zero (0) indicates that the device supports URI segment of unlimited length.
<a href="" id="ext-microsoft-mobileid"></a>**Ext/Microsoft/MobileID**
Required. Returns the mobile device ID associated with the cellular network. Returns 404 for devices that do not have a cellular network support.
Required. Returns the mobile device ID associated with the cellular network. Returns 404 for devices that don't have a cellular network support.
Supported operation is Get.
@ -131,7 +132,7 @@ Required. Returns the UI screen resolution of the device (example: &quot;480x800
Supported operation is Get.
<a href="" id="ext-microsoft-commercializationoperator"></a>**Ext/Microsoft/CommercializationOperator**
Required. Returns the name of the mobile operator if it exists; otherwise it returns 404..
Required. Returns the name of the mobile operator if it exists. Otherwise, it returns 404.
Supported operation is Get.
@ -158,7 +159,7 @@ Supported operation is Get.
<a href="" id="ext-microsoft-devicename"></a>**Ext/Microsoft/DeviceName**
Required. Contains the user-specified device name.
Support for Replace operation for Windows 10 Mobile was added in Windows 10, version 1511. Replace operation is not supported in the desktop or IoT Core. When you change the device name using this node, it triggers a dialog on the device asking the user to reboot. The new device name does not take effect until the device is restarted. If the user cancels the dialog, it will show again until a reboot occurs.
Replace operation isn't supported in Windows client or IoT Core. When you change the device name using this node, it triggers a dialog on the device asking the user to reboot. The new device name doesn't take effect until the device is restarted. If the user cancels the dialog, it will show again until a reboot occurs.
Value type is string.
@ -171,23 +172,15 @@ The following are the available naming macros:
| Macro | Description | Example | Generated Name |
| -------| -------| -------| -------|
| %RAND:<# of digits> | Generates the specified number of random digits. | Test%RAND:6% | Test123456|
| %SERIAL% | Generates the serial number derived from the device. If the serial number causes the new name to exceed the 63 character limit, the serial number will be truncated from the beginning of the sequence.| Test-Device-%SERIAL% | Test-Device-456|
| %RAND:<# of digits> | Generates the specified number of random digits. | `Test%RAND:6%` | Test123456|
| %SERIAL% | Generates the serial number derived from the device. If the serial number causes the new name to exceed the 63 character limit, the serial number will be truncated from the beginning of the sequence.| `Test-Device-%SERIAL%` | Test-Device-456|
Value type is string. Supported operations are Get and Replace.
> [!NOTE]
> We recommend using `%SERIAL%` or `%RAND:x%` with a high character limit to reduce the chance of name collision when generating a random name. This feature doesn't check if a particular name is already present in the environment.
On desktop PCs, this setting specifies the DNS hostname of the computer (Computer Name) up to 63 characters. Use `%RAND:x%` to generate x number of random digits in the name, where x must be a number less than 63. For domain-joined computers, the unique name must use `%RAND:x%`. Use `%SERIAL%` to generate the name with the computer's serial number embedded. If the serial number exceeds the character limit, it will be truncated from the beginning of the sequence. The character restriction limit does not count the length of the macros, `%RAND:x%` and `%SERIAL%`. This setting is supported only in Windows 10, version 1803 and later. To change this setting in Windows 10, version 1709 and earlier releases, use the **ComputerName** setting under **Accounts** > **ComputerAccount**.
<a href="" id="ext-microsoft-totalstorage"></a>**Ext/Microsoft/TotalStorage**
Added in Windows 10, version 1511. Integer that specifies the total available storage in MB from first internal drive on the device (may be less than total physical storage).
Supported operation is Get.
> [!NOTE]
> This is only supported in Windows 10 Mobile.
On desktop PCs, this setting specifies the DNS hostname of the computer (Computer Name) up to 63 characters. Use `%RAND:x%` to generate x number of random digits in the name, where x must be a number less than 63. For domain-joined computers, the unique name must use `%RAND:x%`. Use `%SERIAL%` to generate the name with the computer's serial number embedded. If the serial number exceeds the character limit, it will be truncated from the beginning of the sequence. The character restriction limit doesn't count the length of the macros, `%RAND:x%` and `%SERIAL%`. This setting is supported only in Windows 10, version 1803 and later. To change this setting in Windows 10, version 1709 and earlier releases, use the **ComputerName** setting under **Accounts** > **ComputerAccount**.
<a href="" id="ext-microsoft-totalram"></a>**Ext/Microsoft/TotalRAM**
Added in Windows 10, version 1511. Integer that specifies the total available memory in MB on the device (may be less than total physical memory).
@ -205,30 +198,30 @@ The MAC address of the active WLAN connection, as a 12-digit hexadecimal number.
Supported operation is Get.
> [!NOTE]
> This is not supported in Windows 10 for desktop editions.
> This isn't supported in Windows 10 for desktop editions.
<a href="" id="volteservicesetting"></a>**Ext/VoLTEServiceSetting**
Returns the VoLTE service to on or off. This is only exposed to mobile operator OMA-DM servers.
Returns the VoLTE service to on or off. This setting is only exposed to mobile operator OMA-DM servers.
Supported operation is Get.
<a href="" id="wlanipv4address"></a>**Ext/WlanIPv4Address**
Returns the IPv4 address of the active Wi-Fi connection. This is only exposed to enterprise OMA DM servers.
Returns the IPv4 address of the active Wi-Fi connection. This address is only exposed to enterprise OMA DM servers.
Supported operation is Get.
<a href="" id="wlanipv6address"></a>**Ext/WlanIPv6Address**
Returns the IPv6 address of the active Wi-Fi connection. This is only exposed to enterprise OMA-DM servers.
Returns the IPv6 address of the active Wi-Fi connection. This address is only exposed to enterprise OMA-DM servers.
Supported operation is Get.
<a href="" id="wlandnssuffix"></a>**Ext/WlanDnsSuffix**
Returns the DNS suffix of the active Wi-Fi connection. This is only exposed to enterprise OMA-DM servers.
Returns the DNS suffix of the active Wi-Fi connection. This suffix is only exposed to enterprise OMA-DM servers.
Supported operation is Get.
<a href="" id="wlansubnetmask"></a>**Ext/WlanSubnetMask**
Returns the subnet mask for the active Wi-Fi connection. This is only exposed to enterprise OMA-DM servers.
Returns the subnet mask for the active Wi-Fi connection. This subnet mask is only exposed to enterprise OMA-DM servers.
Supported operation is Get.
@ -236,17 +229,10 @@ Supported operation is Get.
Added in Windows 10 version 1703. Returns a base64-encoded string of the hardware parameters of a device.
> [!NOTE]
> This node contains a raw blob used to identify a device in the cloud. It's not meant to be human readable by design and you cannot parse the content to get any meaningful hardware information.
> This node contains a raw blob used to identify a device in the cloud. It's not meant to be human readable by design and you can't parse the content to get any meaningful hardware information.
Supported operation is Get.
## Related topics
## Related articles
[Configuration service provider reference](configuration-service-provider-reference.md)

351
windows/client-management/mdm/device-update-management.md
View File

@ -19,24 +19,24 @@ ms.date: 11/15/2017
>[!TIP]
>If you're not a developer or administrator, you'll find more helpful information in the [Windows Update: Frequently Asked Questions](https://support.microsoft.com/help/12373/windows-update-faq).
In the current device landscape of PC, tablets, phones, and IoT devices, Mobile Device Management (MDM) solutions are becoming prevalent as a lightweight device management technology. In Windows 10, we are investing heavily in extending the management capabilities available to MDMs. One key feature we are adding is the ability for MDMs to keep devices up to date with the latest Microsoft updates.
With PCs, tablets, phones, and IoT devices, Mobile Device Management (MDM) solutions are becoming prevalent as a lightweight device management technology. In Windows 10, we're investing heavily in extending the management capabilities available to MDMs. One key feature we're adding is the ability for MDMs to keep devices up to date with the latest Microsoft updates.
In particular, Windows 10 provides APIs to enable MDMs to:
- Ensure machines stay up to date by configuring Automatic Update policies.
- Test updates on a smaller set of machines before enterprise-wide rollout by configuring which updates are approved for a given device.
- Get compliance status of managed devices so IT can easily understand which machines still need a particular security patch, or how up to date is a particular machine.
- Test updates on a smaller set of machines by configuring which updates are approved for a given device. Then, do an enterprise-wide rollout.
- Get compliance status of managed devices. IT can understand which machines still need a security patch, or how current is a particular machine.
This topic provides MDM independent software vendors (ISV) with the information they need to implement update management in Windows 10.
This article provides independent software vendors (ISV) with the information they need to implement update management in Windows 10.
In Windows 10, the MDM protocol has been extended to better enable IT admins to manage updates. In particular, Windows has added configuration service providers (CSPs) that expose policies and actions for MDMs to:
- Configure automatic update policies to ensure devices stay up-to-date.
- Configure automatic update policies to ensure devices stay up to date.
- Get device compliance information (the list of updates that are needed but not yet installed).
- Specify a per-device update approval list, to ensure devices dont install unapproved updates that have not been tested.
- Approve EULAs on behalf of the end user so update deployment can be automated even for updates with EULAs.
- Enter a per-device update approval list. The list makes sure devices only install updates that are approved and tested.
- Approve end-user license agreements (EULAs) for the end user so update deployment can be automated even for updates with EULAs.
The OMA DM APIs for specifying update approvals and getting compliance status refer to updates by using an Update ID, which is a GUID that identifies a particular update. The MDM, of course, will want to expose IT-friendly information about the update (instead of a raw GUID), including the updates title, description, KB, update type (for example, a security update or service pack). For more information, see [\[MS-WSUSSS\]: Windows Update Services: Server-Server Protocol](/openspecs/windows_protocols/ms-wsusss/f49f0c3e-a426-4b4b-b401-9aeb2892815c).
The OMA DM APIs for specifying update approvals and getting compliance status refer to updates by using an Update ID. The Update ID is a GUID that identifies a particular update. The MDM will want to show IT-friendly information about the update, instead of a raw GUID, including the updates title, description, KB, update type, like a security update or service pack. For more information, see [\[MS-WSUSSS\]: Windows Update Services: Server-Server Protocol](/openspecs/windows_protocols/ms-wsusss/f49f0c3e-a426-4b4b-b401-9aeb2892815c).
For more information about the CSPs, see [Update CSP](update-csp.md) and the update policy area of the [Policy CSP](policy-configuration-service-provider.md).
@ -48,29 +48,29 @@ The diagram can be roughly divided into three areas:
- The Device Management service syncs update information (title, description, applicability) from Microsoft Update using the Server-Server sync protocol (top of the diagram).
- The Device Management service sets automatic update policies, obtains update compliance information, and sets approvals via OMA DM (left portion of the diagram).
- The device gets updates from Microsoft Update using client/server protocol, but only downloads and installs updates that are both applicable to the device and approved by IT (right portion of the diagram).
- The device gets updates from Microsoft Update using client/server protocol. It only downloads and installs updates that apply to the device and are approved by IT (right portion of the diagram).
## <a href="" id="gettingupdatemetadata"></a>Getting update metadata using the Server-Server sync protocol
The Microsoft Update Catalog is huge and contains many updates that are not needed by MDM-managed devices, including updates for legacy software (for example, updates to servers, down-level desktop operating systems, and legacy apps), and a large number of drivers. We recommend that the MDM use the Server-Server sync protocol to get update metadata for updates reported from the client.
The Microsoft Update Catalog contains many updates that aren't needed by MDM-managed devices. It includes updates for legacy software, like updates to servers, down-level desktop operating systems, & legacy apps, and a large number of drivers. We recommend MDMs use the Server-Server sync protocol to get update metadata for updates reported from the client.
This section describes how this is done. The following diagram shows the server-server sync protocol process.
This section describes this setup. The following diagram shows the server-server sync protocol process.
![mdm server-server sync.](images/deviceupdateprocess2.png)
:::image type="content" alt-text="mdm server-server sync." source="images/deviceupdateprocess2.png" lightbox="images/deviceupdateprocess2.png":::
MSDN provides much information about the Server-Server sync protocol. In particular:
- It is a SOAP-based protocol, and you can get the WSDL in [Server Sync Web Service](/openspecs/windows_protocols/ms-wsusss/8a3b2470-928a-4bd1-bdcc-8c2bf6b8e863). The WSDL can be used to generate calling proxies for many programming environments, which will simplify your development.
- You can find code samples in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a). The sample code shows raw SOAP commands, which can be used. Although its even simpler to make the call from a programming language like .NET (calling the WSDL-generated proxies). The stub generated by the Server Sync WSDL from the MSDN link above generates an incorrect binding URL. The binding URL should be set to https://fe2.update.microsoft.com/v6/ServerSyncWebService/serversyncwebservice.asmx.
- It's a SOAP-based protocol, and you can get the WSDL in [Server Sync Web Service](/openspecs/windows_protocols/ms-wsusss/8a3b2470-928a-4bd1-bdcc-8c2bf6b8e863). The WSDL can be used to generate calling proxies for many programming environments, which will simplify your development.
- You can find code samples in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a). The sample code shows raw SOAP commands, which can be used. Although its even simpler to make the call from a programming language like .NET (calling the WSDL-generated proxies). The stub generated by the Server Sync WSDL from the MSDN link above generates an incorrect binding URL. The binding URL should be set to `https://fe2.update.microsoft.com/v6/ServerSyncWebService/serversyncwebservice.asmx`.
Some important highlights:
- The protocol has an authorization phase (calling GetAuthConfig, GetAuthorizationCookie, and GetCookie). In [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a), the **Sample 1: Authorization** code shows how this is done. Even though this is called the authorization phase, the protocol is completely open (no credentials are needed to run this phase of the protocol). This sequence of calls needs to be done to obtain a cookie for the main part of the sync protocol. As an optimization, you can cache the cookie and only call this sequence again if your cookie has expired.
- The protocol allows the MDM to sync update metadata for a particular update by calling GetUpdateData. For more information, see [GetUpdateData](/openspecs/windows_protocols/ms-wsusss/c28ad30c-fa3f-4bc6-a747-788391d2d964) in MSDN. The LocURI to get the applicable updates with their revision Numbers is `<LocURI>./Vendor/MSFT/Update/InstallableUpdates?list=StructData</LocURI>`. Because not all updates are available via S2S sync, make sure you handle SOAP errors.
- For mobile devices, you can either sync metadata for a particular update by calling GetUpdateData, or for a local on-premises solution, you can use WSUS and manually import the mobile updates from the Microsoft Update Catalog site. For more information, see [Process flow diagram and screenshots of server sync process](#process-flow-diagram-and-screenshots-of-server-sync-process).
- The protocol has an authorization phase (calling GetAuthConfig, GetAuthorizationCookie, and GetCookie). In [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a), the **Sample 1: Authorization** code shows how authorization is done. Even though it's called the authorization phase, the protocol is completely open (no credentials are needed to run this phase of the protocol). This sequence of calls needs to be done to obtain a cookie for the main part of the sync protocol. As an optimization, you can cache the cookie and only call this sequence again if your cookie has expired.
- The protocol allows the MDM to sync update metadata for a particular update by calling GetUpdateData. For more information, see [GetUpdateData](/openspecs/windows_protocols/ms-wsusss/c28ad30c-fa3f-4bc6-a747-788391d2d964) in MSDN. The LocURI to get the applicable updates with their revision numbers is `<LocURI>./Vendor/MSFT/Update/InstallableUpdates?list=StructData</LocURI>`. Because not all updates are available via S2S sync, make sure you handle SOAP errors.
- For mobile devices, you can sync metadata for a particular update by calling GetUpdateData. Or, for a local on-premises solution, you can use Windows Server Update Services (WSUS) and manually import the mobile updates from the Microsoft Update Catalog site. For more information, see [Process flow diagram and screenshots of server sync process](#process-flow-diagram-and-screenshots-of-server-sync-process).
> [!NOTE]
> On Microsoft Update, metadata for a given update gets modified over time (updating descriptive information, fixing bugs in applicability rules, localization changes, etc). Each time such a change is made that doesnt affect the update itself, a new update revision is created. The identity of an update revision is a compound key containing both an UpdateID (GUID) and a RevisionNumber (int). The MDM should not expose the notion of an update revision to IT. Instead, for each UpdateID (GUID) the MDM should just keep the metadata for the later revision of that update (the one with the highest revision number).
> On Microsoft Update, metadata for a given update gets modified over time (updating descriptive information, fixing bugs in applicability rules, localization changes, and so on). Each time such a change is made that doesnt affect the update itself, a new update revision is created. The identity of an update revision is a compound key containing both an UpdateID (GUID) and a RevisionNumber (int). The MDM should not expose the notion of an update revision to IT. Instead, for each UpdateID (GUID) the MDM should just keep the metadata for the later revision of that update (the one with the highest revision number).
## <a href="" id="examplesofupdatestructure"></a>Examples of update metadata XML structure and element descriptions
@ -82,16 +82,16 @@ The response of the GetUpdateData call returns an array of ServerSyncUpdateData
- **CreationDate** the date on which this update was created.
- **UpdateType** The type of update, which could include the following:
- **Detectoid** if this update identity represents a compatibility logic
- **Category** This could represent either of the following:
- A Product category the update belongs to. For example, Windows, MS office etc.
- The classification the update belongs to. For example, Drivers, security etc.
- **Category** This element could represent either of the following:
- A Product category the update belongs to. For example, Windows, MS office, and so on.
- The classification the update belongs to. For example, drivers, security, and so on.
- **Software** If the update is a software update.
- **Driver** if the update is a driver update.
- **LocalizedProperties** represents the language the update is available in, title and description of the update. It has the following fields:
- **Language** The language code identifier (LCID). For example, en or es.
- **Title** Title of the update. For example, “Windows SharePoint Services 3.0 Service Pack 3 x64 Edition (KB2526305)”
- **Description** Description of the update. For example, “Windows SharePoint Services 3.0 Service Pack 3 (KB2526305) provides the latest updates to Windows SharePoint Services 3.0. After you install this item, you may have to restart your computer. After you have installed this item, it cannot be removed.”
- **KBArticleID** The KB article number for this update that has details regarding the particular update. For example, <https://support.microsoft.com/kb/2902892>.
- **Description** Description of the update. For example, “Windows SharePoint Services 3.0 Service Pack 3 (KB2526305) provides the latest updates to Windows SharePoint Services 3.0. After you install this item, you may have to restart your computer. After you've installed this item, it can't be removed.”
- **KBArticleID** The KB article number for this update that has details about the particular update. For example, `https://support.microsoft.com/kb/2902892`.
## <a href="" id="recommendedflow"></a>Recommended Flow for Using the Server-Server Sync Protocol
@ -99,46 +99,46 @@ This section describes a possible algorithm for using the server-server sync pro
First some background:
- If you have a multi-tenant MDM, the update metadata can be kept in a shared partition, since it is common to all tenants.
- A metadata sync service can then be implemented that periodically calls server-server sync to pull in metadata for the updates IT cares about.
- The MDM component that uses OMA DM to control devices (described in the next section) should send the metadata sync service the list of needed updates it gets from each client if those updates are not already known to the device.
- If you have a multi-tenant MDM, the update metadata can be kept in a shared partition, since it's common to all tenants.
- A metadata sync service can then be implemented. The service periodically calls server-server sync to pull in metadata for the updates IT cares about.
- The MDM component that uses OMA DM to control devices (described in the next section) should send the metadata sync service the list of needed updates it gets from each client, if those updates aren't already known to the device.
The following procedure describes a basic algorithm for a metadata sync service:
- Initialization, composed of the following:
1. Create an empty list of “needed update IDs to fault in”. This list will get updated by the MDM service component that uses OMA DM. We recommend not adding definition updates to this list, since those are temporary in nature (for example, Defender releases about four new definition updates per day, each of which is cumulative).
- Initialization uses the following steps:
a. Create an empty list of “needed update IDs to fault in”. This list will get updated by the MDM service component that uses OMA DM. We recommend not adding definition updates to this list, since they're temporary. For example, Defender can release new definition updates many times per day, each of which is cumulative.
- Sync periodically (we recommend once every 2 hours - no more than once/hour).
1. Implement the authorization phase of the protocol to get a cookie if you dont already have a non-expired cookie. See **Sample 1: Authorization** in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a).
2. Implement the metadata portion of the protocol (see **Sample 2: Metadata and Deployments Synchronization** in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a)), and:
- Call GetUpdateData for all updates in the "needed update IDs to fault in" list if the update metadata has not already been pulled into the DB.
- Call GetUpdateData for all updates in the "needed update IDs to fault in" list if the update metadata hasn't already been pulled into the DB.
- If the update is a newer revision of an existing update (same UpdateID, higher revision number), replace the previous update metadata with the new one.
- Remove updates from the "needed update IDs to fault in" list once they have been brought in.
- Remove updates from the "needed update IDs to fault in" list once they've been brought in.
This provides an efficient way to pull in the information about the set of Microsoft Updates that IT needs to manage, so the information can be used in various update management scenarios. For example, at update approval time you can pull information so IT can see what updates they are approving, or for compliance reports to see what updates are needed but not yet installed.
These steps get information about the set of Microsoft Updates that IT needs to manage, so the information can be used in various update management scenarios. For example, at update approval time, you can get information so IT can see what updates they're approving. Or, for compliance reports to see what updates are needed but not yet installed.
## <a href="" id="managingupdates"></a>Managing updates using OMA DM
An MDM can manage updates via OMA DM. The details of how to use and integrate an MDM with the Windows OMA DM protocol, and how to enroll devices for MDM management, is documented the [Mobile device management](mobile-device-enrollment.md) topic. This section focuses on how to extend that integration to support update management. The key aspects of update management include the following:
An MDM can manage updates via OMA DM. The details of how to use and integrate an MDM with the Windows OMA DM protocol, and how to enroll devices for MDM management, is documented in [Mobile device management](mobile-device-enrollment.md). This section focuses on how to extend that integration to support update management. The key aspects of update management include the following information:
- Configure automatic update policies to ensure devices stay up-to-date.
- Configure automatic update policies to ensure devices stay up to date.
- Get device compliance information (the list of updates that are needed but not yet installed)
- Specify a per-device update approval list to ensure devices dont install unapproved updates that have not been tested.
- Approve EULAs on behalf of the end-user so update deployment can be automated even for updates with EULAs
- Specify a per-device update approval list. The list makes sure devices only install updates that are approved and tested.
- Approve EULAs for the end user so update deployment can be automated, even for updates with EULAs
The following list describes a suggested model for applying updates.
1. Have a "Test Group" and an "All Group".
2. In the Test group, just let all updates flow.
3. In the All Group, set up Quality Update deferral for 7 days and then Quality Updates will be auto approved after the 7 days. Note that Definition Updates are excluded from Quality Update deferrals and will be auto approved when they are available. This can be done by setting Update/DeferQualityUpdatesPeriodInDays to 7 and just letting updates flow after seven days or pushing Pause in case of issues.
3. In the All Group, set up Quality Update deferral for seven days. Then, Quality Updates will be auto approved after the seven days. Definition Updates are excluded from Quality Update deferrals, and will be auto approved when they're available. This schedule can be done by setting Update/DeferQualityUpdatesPeriodInDays to seven, and just letting updates flow after seven days or pushing Pause if any issues.
Updates are configured using a combination of the [Update CSP](update-csp.md), and the update portion of the [Policy CSP](policy-configuration-service-provider.md). Please refer to these topics for details on configuring updates.
Updates are configured using a combination of the [Update CSP](update-csp.md), and the update portion of the [Policy CSP](policy-configuration-service-provider.md).
### Update policies
The enterprise IT can configure auto-update polices via OMA DM using the [Policy CSP](policy-configuration-service-provider.md) (this functionality is not supported in Windows 10 Mobile and Windows 10 Home). Here's the CSP diagram for the Update node in Policy CSP.
The enterprise IT can configure auto-update policies via OMA DM using the [Policy CSP](policy-configuration-service-provider.md) (this functionality isn't supported in Windows 10 Home). Here's the CSP diagram for the Update node in Policy CSP.
The following shows the Update policies in a tree format.
The following information shows the Update policies in a tree format.
```console
./Vendor/MSFT
@ -184,71 +184,71 @@ Policy
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
<p>Added in Windows 10, version 1607. Allows the IT admin (when used with <strong>Update/ActiveHoursStart</strong>) to manage a range of active hours where update reboots are not scheduled. This value sets the end time. There is a 12 hour maximum from start time.
Added in Windows 10, version 1607. When used with **Update/ActiveHoursStart**, it allows the IT admin to manage a range of active hours where update reboots aren't scheduled. This value sets the end time. There's a 12-hour maximum from start time.
> [!NOTE]
> The default maximum difference from start time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** below for more information.
> The default maximum difference from start time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. For more information, see **Update/ActiveHoursMaxRange** in this article.
<p>Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc.
Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, and so on.
<p>The default is 17 (5 PM).
The default is 17 (5 PM).
<a href="" id="update-activehoursmaxrange"></a>**Update/ActiveHoursMaxRange**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.
<p>Added in Windows 10, version 1703. Allows the IT admin to specify the max active hours range. This value sets max number of active hours from start time.
Added in Windows 10, version 1703. Allows the IT admin to specify the max active hours range. This value sets max number of active hours from start time.
<p>Supported values are 8-18.
Supported values are 8-18.
<p>The default value is 18 (hours).
The default value is 18 (hours).
<a href="" id="update-activehoursstart"></a>**Update/ActiveHoursStart**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.
<p>Added in Windows 10, version 1607. Allows the IT admin (when used with <strong>Update/ActiveHoursEnd</strong>) to manage a range of hours where update reboots are not scheduled. This value sets the start time. There is a 12 hour maximum from end time.
Added in Windows 10, version 1607. When used with **Update/ActiveHoursEnd**, it allows the IT admin to manage a range of hours where update reboots aren't scheduled. This value sets the start time. There's a 12-hour maximum from end time.
> [!NOTE]
> The default maximum difference from end time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** above for more information.
> The default maximum difference from end time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. For more information, see **Update/ActiveHoursMaxRange** in this article.
<p>Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc.
Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, and so on.
<p>The default value is 8 (8 AM).
The default value is 8 (8 AM).
<a href="" id="update-allowautoupdate"></a>**Update/AllowAutoUpdate**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.
<p>Enables the IT admin to manage automatic update behavior to scan, download, and install updates.
Enables the IT admin to manage automatic update behavior to scan, download, and install updates.
<p>Supported operations are Get and Replace.
Supported operations are Get and Replace.
<p>The following list shows the supported values:
The following list shows the supported values:
- 0 Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end-users to manage data usage. With this option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel.
- 1 Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end-user is prompted to schedule the restart time. The end-user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end-user to control the start time reduces the risk of accidental data loss caused by applications that do not shutdown properly on restart.
- 2 (default) Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that does not shutdown properly on restart.
- 0 Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end users to manage data usage. With this option, users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel.
- 1 Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks. They're installed during "Automatic Maintenance" when the device isn't in use, and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end user is prompted to schedule the restart time. The end user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end user to control the start time reduces the risk of accidental data loss caused by applications that don't shutdown properly on restart.
- 2 (default) Auto install and restart. Updates are downloaded automatically on non-metered networks. They're installed during "Automatic Maintenance" when the device isn't in use, and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. This behavior is the default behavior for unmanaged devices. Devices are updated quickly. But, it increases the risk of accidental data loss caused by an application that doesn't shutdown properly on restart.
- 3 Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart.
- 4 Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This setting option also sets the end-user control panel to read-only.
- 4 Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks. They're installed during "Automatic Maintenance" when the device isn't in use, and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. This setting option also sets the end-user control panel to read-only.
- 5 Turn off automatic updates.
> [!IMPORTANT]
> This option should be used only for systems under regulatory compliance, as you will not get security updates as well.
<p>If the policy is not configured, end-users get the default behavior (Auto install and restart).
If the policy isn't configured, end users get the default behavior (Auto install and restart).
<a href="" id="update-allowmuupdateservice"></a>**Update/AllowMUUpdateService**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
<p>Added in Windows 10, version 1607. Allows the IT admin to manage whether to scan for app updates from Microsoft Update.
Added in Windows 10, version 1607. Allows the IT admin to manage whether to scan for app updates from Microsoft Update.
<p>The following list shows the supported values:
The following list shows the supported values:
- 0 Not allowed or not configured.
- 1 Allowed. Accepts updates received through Microsoft Update.
@ -258,31 +258,31 @@ Policy
> This policy is available on Windows 10 Pro, Windows 10 Enterprise and Windows 10 Education.
<p>Allows the IT admin to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for third party software and patch distribution.
Allows the IT admin to manage if Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for third-party software and patch distribution.
<p>Supported operations are Get and Replace.
Supported operations are Get and Replace.
<p>The following list shows the supported values:
The following list shows the supported values:
- 0 Not allowed or not configured. Updates from an intranet Microsoft update service location must be signed by Microsoft.
- 1 Allowed. Accepts updates received through an intranet Microsoft update service location, if they are signed by a certificate found in the "Trusted Publishers" certificate store of the local computer.
- 1 Allowed. Accepts updates received through an intranet Microsoft update service location, if they're signed by a certificate in the "Trusted Publishers" certificate store of the local computer.
<p>This policy is specific to desktop and local publishing via WSUS for third party updates (binaries and updates not hosted on Microsoft Update) and allows IT to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location.
This policy is specific to desktop and local publishing using WSUS for third-party updates (binaries and updates not hosted on Microsoft Update). It allows IT to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location.
<a href="" id="update-allowupdateservice"></a>**Update/AllowUpdateService**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
<p>Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft.
Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft.
<p>Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Microsoft
Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update.
<p>Enabling this policy will disable that functionality, and may cause connection to public services such as the Microsoft to stop working.
Enabling this policy will disable that functionality, and may cause connection to public services such as the Microsoft to stop working.
<p>The following list shows the supported values:
The following list shows the supported values:
- 0 Update service is not allowed.
- 0 Update service isn't allowed.
- 1 (default) Update service is allowed.
> [!NOTE]
@ -294,20 +294,20 @@ Policy
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
<p>Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart reminder notifications.
Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart reminder notifications.
<p>Supported values are 15, 30, 60, 120, and 240 (minutes).
Supported values are 15, 30, 60, 120, and 240 (minutes).
<p>The default value is 15 (minutes).
The default value is 15 (minutes).
<a href="" id="update-autorestartrequirednotificationdismissal"></a>**Update/AutoRestartRequiredNotificationDismissal**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
<p>Added in Windows 10, version 1703. Allows the IT Admin to specify the method by which the auto restart required notification is dismissed.
Added in Windows 10, version 1703. Allows the IT Admin to specify the method by which the auto restart required notification is dismissed.
<p>The following list shows the supported values:
The following list shows the supported values:
- 1 (default) Auto Dismissal.
- 2 User Dismissal.
@ -317,9 +317,9 @@ Policy
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
<p>Added in Windows 10, version 1607. Allows the IT admin to set which branch a device receives their updates from.
Added in Windows 10, version 1607. Allows the IT admin to set which branch a device receives their updates from.
<p>The following list shows the supported values:
The following list shows the supported values:
- 16 (default) User gets all applicable upgrades from Current Branch (CB).
- 32 User gets upgrades from Current Branch for Business (CBB).
@ -328,18 +328,18 @@ Policy
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
<p>Added in Windows 10, version 1607. Defers Feature Updates for the specified number of days.
Added in Windows 10, version 1607. Defers Feature Updates for the specified number of days.
<p>Supported values are 0-180.
Supported values are 0-180.
<a href="" id="update-deferqualityupdatesperiodindays"></a>**Update/DeferQualityUpdatesPeriodInDays**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
<p>Added in Windows 10, version 1607. Defers Quality Updates for the specified number of days.
Added in Windows 10, version 1607. Defers Quality Updates for the specified number of days.
<p>Supported values are 0-30.
Supported values are 0-30.
<a href="" id="update-deferupdateperiod"></a>**Update/DeferUpdatePeriod**
> [!NOTE]
@ -348,13 +348,13 @@ Policy
> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices.
<p>Allows IT Admins to specify update delays for up to four weeks.
Allows IT Admins to specify update delays for up to four weeks.
<p>Supported values are 0-4, which refers to the number of weeks to defer updates.
Supported values are 0-4, which refers to the number of weeks to defer updates.
<p>If the &quot;Specify intranet Microsoft update service location&quot; policy is enabled, then the &quot;Defer upgrades by&quot;, &quot;Defer updates by&quot; and &quot;Pause Updates and Upgrades&quot; settings have no effect.
If the **Specify intranet Microsoft update service location** policy is enabled, then the **Defer upgrades by**, **Defer updates by**; and **Pause Updates and Upgrades** settings have no effect.
<p>If the Allow Telemetry policy is enabled and the Options value is set to 0, then the &quot;Defer upgrades by&quot;, &quot;Defer updates by&quot; and &quot;Pause Updates and Upgrades&quot; settings have no effect.
If the **Allow Telemetry** policy is enabled and the Options value is set to 0, then the **Defer upgrades by**, **Defer updates by** and **Pause Updates and Upgrades** settings have no effect.
<table>
<colgroup>
@ -412,76 +412,73 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
>
> Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.
>
> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices.
<p>Allows IT Admins to specify additional upgrade delays for up to eight months.
Allows IT Admins to enter more upgrade delays for up to eight months.
<p>Supported values are 0-8, which refers to the number of months to defer upgrades.
Supported values are 0-8, which refers to the number of months to defer upgrades.
<p>If the &quot;Specify intranet Microsoft update service location&quot; policy is enabled, then the &quot;Defer upgrades by&quot;, &quot;Defer updates by&quot; and &quot;Pause Updates and Upgrades&quot; settings have no effect.
If the **Specify intranet Microsoft update service location** policy is enabled, then the **Defer upgrades by**, **Defer updates by** and **Pause Updates and Upgrades** settings have no effect.
<p>If the &quot;Allow Telemetry&quot; policy is enabled and the Options value is set to 0, then the &quot;Defer upgrades by&quot;, &quot;Defer updates by&quot; and &quot;Pause Updates and Upgrades&quot; settings have no effect.
If the **Allow Telemetry** policy is enabled and the Options value is set to 0, then the **Defer upgrades by**, **Defer updates by** and **Pause Updates and Upgrades** settings have no effect.
<a href="" id="update-engagedrestartdeadline"></a>**Update/EngagedRestartDeadline**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
<p>Added in Windows 10, version 1703. Allows the IT Admin to specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed within the specified period. If no deadline is specified or deadline is set to 0, the restart will not be automatically executed and will remain Engaged restart (pending user scheduling).
Added in Windows 10, version 1703. Allows the IT Admin to specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed within the specified period. If no deadline is specified or deadline is set to 0, then the restart won't be automatically executed. It will remain Engaged restart (pending user scheduling).
<p>Supported values are 2-30 days.
Supported values are 2-30 days.
<p>The default value is 0 days (not specified).
The default value is 0 days (not specified).
<a href="" id="update-engagedrestartsnoozeschedule"></a>**Update/EngagedRestartSnoozeSchedule**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
<p>Added in Windows 10, version 1703. Allows the IT Admin to control the number of days a user can snooze Engaged restart reminder notifications.
Added in Windows 10, version 1703. Allows the IT Admin to control the number of days a user can snooze Engaged restart reminder notifications.
<p>Supported values are 1-3 days.
Supported values are 1-3 days.
<p>The default value is three days.
The default value is three days.
<a href="" id="update-engagedrestarttransitionschedule"></a>**Update/EngagedRestartTransitionSchedule**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
<p>Added in Windows 10, version 1703. Allows the IT Admin to control the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending.
Added in Windows 10, version 1703. Allows the IT Admin to control the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending.
<p>Supported values are 2-30 days.
Supported values are 2-30 days.
<p>The default value is seven days.
The default value is seven days.
<a href="" id="update-excludewudriversinqualityupdate"></a>**Update/ExcludeWUDriversInQualityUpdate**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
> Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.
<p>Added in Windows 10, version 1607. Allows IT Admins to exclude Windows Update (WU) drivers during updates.
Added in Windows 10, version 1607. Allows IT Admins to exclude Windows Update (WU) drivers during updates.
<p>The following list shows the supported values:
The following list shows the supported values:
- 0 (default) Allow Windows Update drivers.
- 1 Exclude Windows Update drivers.
<a href="" id="update-ignoremoappdownloadlimit"></a>**Update/IgnoreMOAppDownloadLimit**
<p>Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for apps and their updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies.
Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for apps and their updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies.
> [!WARNING]
> Setting this policy might cause devices to incur costs from MO operators.
<p>The following list shows the supported values:
The following list shows the supported values:
- 0 (default) Do not ignore MO download limit for apps and their updates.
- 0 (default) Don't ignore MO download limit for apps and their updates.
- 1 Ignore MO download limit (allow unlimited downloading) for apps and their updates.
<p>To validate this policy:
To validate this policy:
1. Enable the policy ensure the device is on a cellular network.
2. Run the scheduled task on your device to check for app updates in the background. For example, on a mobile device, run the following commands in TShell:
@ -493,20 +490,20 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
<a href="" id="update-ignoremoupdatedownloadlimit"></a>**Update/IgnoreMOUpdateDownloadLimit**
<p>Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for OS updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies.
Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for OS updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies.
> [!WARNING]
> Setting this policy might cause devices to incur costs from MO operators.
<p>The following list shows the supported values:
The following list shows the supported values:
- 0 (default) Do not ignore MO download limit for OS updates.
- 0 (default) Don't ignore MO download limit for OS updates.
- 1 Ignore MO download limit (allow unlimited downloading) for OS updates.
<p>To validate this policy:
To validate this policy:
1. Enable the policy and ensure the device is on a cellular network.
2. Run the scheduled task on phone to check for OS updates in the background. For example, on a mobile device, run the following commands in TShell:
2. Run the scheduled task on the devices to check for OS updates in the background. For example, on a mobile device, run the following commands in TShell:
- `exec-device schtasks.exe -arguments ""/run /tn """"\Microsoft\Windows\WindowsUpdate\AUScheduledInstall"""" /I""`
3. Verify that any downloads that are above the download size limit will complete without being paused.
@ -519,26 +516,26 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use PauseDeferrals for Windows 10, version 1511 devices.
<p>Allows IT Admins to pause updates and upgrades for up to five weeks. Paused deferrals will be reset after five weeks.
Allows IT Admins to pause updates and upgrades for up to five weeks. Paused deferrals will be reset after five weeks.
<p>The following list shows the supported values:
The following list shows the supported values:
- 0 (default) Deferrals are not paused.
- 0 (default) Deferrals aren't paused.
- 1 Deferrals are paused.
<p>If the &quot;Specify intranet Microsoft update service location&quot; policy is enabled, then the &quot;Defer upgrades by&quot;, &quot;Defer updates by&quot; and &quot;Pause Updates and Upgrades&quot; settings have no effect.
If the **Specify intranet Microsoft update service location** policy is enabled, then the **Defer upgrades by**, **Defer updates by** and **Pause Updates and Upgrades** settings have no effect.
<p>If the &quot;Allow Telemetry&quot; policy is enabled and the Options value is set to 0, then the &quot;Defer upgrades by&quot;, &quot;Defer updates by&quot; and &quot;Pause Updates and Upgrades&quot; settings have no effect.
If the **Allow Telemetry** policy is enabled and the Options value is set to 0, then the **Defer upgrades by**, **Defer updates by** and **Pause Updates and Upgrades** settings have no effect.
<a href="" id="update-pausefeatureupdates"></a>**Update/PauseFeatureUpdates**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
<p>Added in Windows 10, version 1607. Allows IT Admins to pause Feature Updates for up to 60 days.
Added in Windows 10, version 1607. Allows IT Admins to pause Feature Updates for up to 60 days.
<p>The following list shows the supported values:
The following list shows the supported values:
- 0 (default) Feature Updates are not paused.
- 0 (default) Feature Updates aren't paused.
- 1 Feature Updates are paused for 60 days or until value set to back to 0, whichever is sooner.
<a href="" id="update-pausequalityupdates"></a>**Update/PauseQualityUpdates**
@ -546,11 +543,11 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
<p>Added in Windows 10, version 1607. Allows IT Admins to pause Quality Updates.
Added in Windows 10, version 1607. Allows IT Admins to pause Quality Updates.
<p>The following list shows the supported values:
The following list shows the supported values:
- 0 (default) Quality Updates are not paused.
- 0 (default) Quality Updates aren't paused.
- 1 Quality Updates are paused for 35 days or until value set back to 0, whichever is sooner.
<a href="" id="update-requiredeferupgrade"></a>**Update/RequireDeferUpgrade**
@ -560,9 +557,9 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices.
<p>Allows the IT admin to set a device to CBB train.
Allows the IT admin to set a device to CBB train.
<p>The following list shows the supported values:
The following list shows the supported values:
- 0 (default) User gets upgrades from Current Branch.
- 1 User gets upgrades from Current Branch for Business.
@ -578,38 +575,38 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
> If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead.
<p>Allows the IT admin to restrict the updates that are installed on a device to only those on an update approval list. It enables IT to accept the End User License Agreement (EULA) associated with the approved update on behalf of the end-user. EULAs are approved once an update is approved.
Allows the IT admin to restrict the updates that are installed on a device to only the updates on an update approval list. It enables IT to accept the End User License Agreement (EULA) associated with the approved update for the end user. EULAs are approved once an update is approved.
<p>Supported operations are Get and Replace.
Supported operations are Get and Replace.
<p>The following list shows the supported values:
The following list shows the supported values:
- 0 Not configured. The device installs all applicable updates.
- 1 The device only installs updates that are both applicable and on the Approved Updates list. Set this policy to 1 if IT wants to control the deployment of updates on devices, such as when testing is required prior to deployment.
- 1 The device only installs updates that are both applicable and on the Approved Updates list. Set this policy to 1 if IT wants to control the deployment of updates on devices, such as when testing is required before deployment.
<a href="" id="update-scheduleimminentrestartwarning"></a>**Update/ScheduleImminentRestartWarning**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
<p>Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart imminent warning notifications.
Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart imminent warning notifications.
<p>Supported values are 15, 30, or 60 (minutes).
Supported values are 15, 30, or 60 (minutes).
<p>The default value is 15 (minutes).
The default value is 15 (minutes).
<a href="" id="update-scheduledinstallday"></a>**Update/ScheduledInstallDay**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
<p>Enables the IT admin to schedule the day of the update installation.
Enables the IT admin to schedule the day of the update installation.
<p>The data type is a string.
The data type is a string.
<p>Supported operations are Add, Delete, Get, and Replace.
Supported operations are Add, Delete, Get, and Replace.
<p>The following list shows the supported values:
The following list shows the supported values:
- 0 (default) Every day
- 1 Sunday
@ -625,35 +622,35 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
<p>Enables the IT admin to schedule the time of the update installation.
Enables the IT admin to schedule the time of the update installation.
<p>The data type is a string.
The data type is a string.
<p>Supported operations are Add, Delete, Get, and Replace.
Supported operations are Add, Delete, Get, and Replace.
<p>Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM.
Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM.
<p>The default value is 3.
The default value is 3.
<a href="" id="update-schedulerestartwarning"></a>**Update/ScheduleRestartWarning**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
<p>Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto restart warning reminder notifications.
Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto restart warning reminder notifications.
<p>Supported values are 2, 4, 8, 12, or 24 (hours).
Supported values are 2, 4, 8, 12, or 24 (hours).
<p>The default value is 4 (hours).
The default value is 4 (hours).
<a href="" id="update-setautorestartnotificationdisable"></a>**Update/SetAutoRestartNotificationDisable**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
<p>Added in Windows 10, version 1703. Allows the IT Admin to disable auto restart notifications for update installations.
Added in Windows 10, version 1703. Allows the IT Admin to disable auto restart notifications for update installations.
<p>The following list shows the supported values:
The following list shows the supported values:
- 0 (default) Enabled
- 1 Disabled
@ -663,13 +660,13 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
> [!Important]
> Starting in Windows 10, version 1703 this policy is not supported in IoT Enterprise.
> Starting in Windows 10, version 1703 this policy isn't supported in IoT Enterprise.
<p>Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premises MDMs that need to update devices that cannot connect to the Internet.
Allows the device to check for updates from a WSUS server instead of Microsoft Update. Using WSUS is useful for on-premises MDMs that need to update devices that can't connect to the Internet.
<p>Supported operations are Get and Replace.
Supported operations are Get and Replace.
<p>The following list shows the supported values:
The following list shows the supported values:
- Not configured. The device checks for updates from Microsoft Update.
- Set to a URL, such as `http://abcd-srv:8530`. The device checks for updates from the WSUS server at the specified URL.
@ -677,7 +674,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
Example
```xml
<Replace>
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Meta>
@ -689,29 +686,30 @@ Example
</Target>
<Data>http://abcd-srv:8530</Data>
</Item>
</Replace>
</Replace>
```
<a href="" id="update-updateserviceurlalternate"></a>**Update/UpdateServiceUrlAlternate**
> **Note**  This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.
<p>Added in the January service release of Windows 10, version 1607. Specifies an alternate intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network.
Added in the January service release of Windows 10, version 1607. Specifies an alternate intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network.
<p>This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network.
This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network.
<p>To use this setting, you must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update agent, and download updates from an alternate download server instead of WSUS Server.
To use this setting, you must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update agent, and download updates from an alternate download server instead of WSUS Server.
<p>Value type is string and the default value is an empty string, &quot;&quot;. If the setting is not configured, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet.
Value type is string and the default value is an empty string. If the setting isn't configured, and if Automatic Updates isn't disabled by policy or user preference, then the Automatic Updates client connects directly to the Windows Update site on the Internet.
> [!Note]
> If the "Configure Automatic Updates" Group Policy is disabled, then this policy has no effect.
> If the "Alternate Download Server" Group Policy is not set, it will use the WSUS server by default to download updates.
> This policy is not supported on Windows RT. Setting this policy will not have any effect on Windows RT PCs.
> If the "Alternate Download Server" Group Policy isn't set, it will use the WSUS server by default to download updates.
> This policy isn't supported on Windows RT. Setting this policy will not have any effect on Windows RT PCs.
### Update management
The enterprise IT can configure the set of approved updates and get compliance status via OMA DM using the [Update CSP](update-csp.md). The following shows the Update CSP in tree format.
The enterprise IT can configure the set of approved updates and get compliance status via OMA DM using the [Update CSP](update-csp.md). The following information shows the Update CSP in tree format.
```console
./Vendor/MSFT
@ -750,15 +748,17 @@ The root node.
Supported operation is Get.
<a href="" id="approvedupdates"></a>**ApprovedUpdates**
Node for update approvals and EULA acceptance on behalf of the end-user.
Node for update approvals and EULA acceptance for the end user.
> **Note** When the RequireUpdateApproval policy is set, the MDM uses the ApprovedUpdates list to pass the approved GUIDs. These GUIDs should be a subset of the InstallableUpdates list.
> [!NOTE]
> When the RequireUpdateApproval policy is set, the MDM uses the ApprovedUpdates list to pass the approved GUIDs. These GUIDs should be a subset of the InstallableUpdates list.
The MDM must first present the EULA to IT and have them accept it before the update is approved. Failure to do this is a breach of legal or contractual obligations. The EULAs can be obtained from the update metadata and have their own EULA ID. It's possible for multiple updates to share the same EULA. It is only necessary to approve the EULA once per EULA ID, not one per update.
The MDM must first present the EULA to IT and have them accept it before the update is approved. Failure to present the EULA is a breach of legal or contractual obligations. The EULAs can be obtained from the update metadata and have their own EULA ID. It's possible for multiple updates to share the same EULA. It's only necessary to approve the EULA once per EULA ID, not one per update.
The update approval list enables IT to approve individual updates and update classifications. Auto-approval by update classifications allows IT to automatically approve Definition Updates (that is, updates to the virus and spyware definitions on devices) and Security Updates (that is, product-specific updates for security-related vulnerability). The update approval list does not support the uninstallation of updates by revoking approval of already installed updates. Updates are approved based on UpdateID, and an UpdateID only needs to be approved once. An update UpdateID and RevisionNumber are part of the UpdateIdentity type. An UpdateID can be associated to several UpdateIdentity GUIDs due to changes to the RevisionNumber setting. MDM services must synchronize the UpdateIdentity of an UpdateID based on the latest RevisionNumber to get the latest metadata for an update. However, update approval is based on UpdateID.
The update approval list enables IT to approve individual updates and update classifications. Auto-approval by update classifications allows IT to automatically approve Definition Updates (updates to the virus and spyware definitions on devices) and Security Updates (product-specific updates for security-related vulnerability). The update approval list doesn't support the uninstall of updates by revoking approval of already installed updates. Updates are approved based on UpdateID, and an UpdateID only needs to be approved once. An update UpdateID and RevisionNumber are part of the UpdateIdentity type. An UpdateID can be associated to several UpdateIdentity GUIDs because of changes to the RevisionNumber setting. MDM services must synchronize the UpdateIdentity of an UpdateID based on the latest RevisionNumber to get the latest metadata for an update. However, update approval is based on UpdateID.
> **Note**  For the Windows 10 build, the client may need to reboot after additional updates are added.
> [!NOTE]
> For the Windows 10 build, the client may need to reboot after additional updates are added.
@ -788,7 +788,7 @@ Specifies the approved updates that failed to install on a device.
Supported operation is Get.
<a href="" id="failedupdates-failed-update-guid"></a>**FailedUpdates/**<strong>*Failed Update Guid*</strong>
Update identifier field of the UpdateIdentity GUID that represent an update that failed to download or install.
Update identifier field of the UpdateIdentity GUID that represents an update that failed to download or install.
Supported operation is Get.
@ -813,7 +813,7 @@ UpdateIDs that represent the updates installed on a device.
Supported operation is Get.
<a href="" id="installableupdates"></a>**InstallableUpdates**
The updates that are applicable and not yet installed on the device. This includes updates that are not yet approved.
The updates that are applicable and not yet installed on the device. This information includes updates that aren't yet approved.
Supported operation is Get.
@ -864,7 +864,7 @@ Supported operation is Get.
## <a href="" id="windows10version1607forupdatemanagement"></a> Windows 10, version 1607 for update management
Here are the new policies added in Windows 10, version 1607 in [Policy CSP](policy-configuration-service-provider.md). You should use these policies for the new Windows 10, version 1607 devices.
Here are the new policies added in Windows 10, version 1607 in [Policy CSP](policy-configuration-service-provider.md). Use these policies for the Windows 10, version 1607 devices.
- Update/ActiveHoursEnd
- Update/ActiveHoursStart
@ -944,7 +944,7 @@ Here's the list of corresponding Group Policy settings in HKLM\\Software\\Polici
Here is the list of older policies that are still supported for backward compatibility. You can use these for Windows 10, version 1511 devices.
Here's the list of older policies that are still supported for backward compatibility. You can use these older policies for Windows 10, version 1511 devices.
- Update/RequireDeferUpgrade
- Update/DeferUpgradePeriod
@ -1011,5 +1011,16 @@ Set auto update to notify and defer.
The following diagram and screenshots show the process flow of the device update process using Windows Server Update Services and Microsoft Update Catalog.
![mdm device update management screenshot3.](images/deviceupdatescreenshot3.png)![mdm device update management screenshot4](images/deviceupdatescreenshot4.png)![mdm device update management screenshot5](images/deviceupdatescreenshot5.png)![mdm device update management screenshot6](images/deviceupdatescreenshot6.png)![mdm device update management screenshot7](images/deviceupdatescreenshot7.png)![mdm device update management screenshot8](images/deviceupdatescreenshot8.png)![mdm device update management screenshot9](images/deviceupdatescreenshot9.png)
![mdm device update management screenshot3.](images/deviceupdatescreenshot3.png)
![mdm device update management screenshot4](images/deviceupdatescreenshot4.png)
![mdm device update management screenshot5](images/deviceupdatescreenshot5.png)
![mdm device update management screenshot6](images/deviceupdatescreenshot6.png)
![mdm device update management screenshot7](images/deviceupdatescreenshot7.png)
![mdm device update management screenshot8](images/deviceupdatescreenshot8.png)
![mdm device update management screenshot9](images/deviceupdatescreenshot9.png)

42
windows/client-management/mdm/devicelock-csp.md
View File

@ -17,7 +17,8 @@ ms.date: 06/26/2017
The DeviceLock configuration service provider is used by the enterprise management server to configure device lock related policies. This configuration service provider is supported by an enterprise management server.
> **Note**   The DeviceLock CSP is supported in Windows 10 Mobile for backward compatibility. For Windows 10 devices you should use [Policy CSP](policy-configuration-service-provider.md) for various device lock settings. You can continue to use DeviceLock CSP for Windows Phone 8.1 and Windows Phone 8.1 GDR devices. The DeviceLock CSP will be deprecated some time in the future.
> [!Note]
> For Windows 10 devices, use [Policy CSP](policy-configuration-service-provider.md) for various device lock settings. You can continue to use DeviceLock CSP for Windows Phone 8.1 GDR devices. The DeviceLock CSP will be deprecated some time in the future.
 
@ -30,7 +31,7 @@ The DevicePasswordEnabled setting must be set to 0 (device password is enabled)
- MaxInactivityTimeDeviceLock
- MinDevicePasswordComplexCharacters
The following shows the DeviceLock configuration service provider in tree format.
The following information shows the DeviceLock configuration service provider in tree format.
```console
./Vendor/MSFT
@ -62,18 +63,19 @@ DeviceLock
Required. An interior node to group all policy providers. Scope is permanent. Supported operation is Get.
<a href="" id="---------------providerid"></a> ***ProviderID***
Optional. The node that contains the configured management server's ProviderID. In Windows Phone 8, only one enterprise management server is supported. That is, there should be only one *ProviderID* node. Exchange ActiveSync policies set by Exchange are saved by the Sync client separately. Scope is dynamic. The following operations are supported:
Optional. The node that contains the configured management server's ProviderID. Exchange ActiveSync policies set by Exchange are saved by the Sync client separately. Scope is dynamic. The following operations are supported:
- **Add** - Add the management account to the configuration service provider tree.
- **Delete** - Delete all policies set by this account. This command could be used in enterprise unenrollment for removing policy values set by the enterprise management server.
- **Get** - Return all policies set by the management server.
> **Note**   The value cannot be changed after it is added. The **Replace** command isn't supported.
> [!NOTE]
> The value cannot be changed after it's added. The **Replace** command isn't supported.
 
<a href="" id="providerid-devicepasswordenabled"></a>***ProviderID*/DevicePasswordEnabled**
Optional. An integer value that specifies whether device lock is enabled. Possible values are one of the following:
Optional. An integer value that specifies whether device lock is enabled. Possible values include:
- 0 - Device lock is enabled.
- 1 (default) - Device lock not enabled.
@ -83,7 +85,7 @@ The scope is dynamic.
Supported operations are Get, Add, and Replace.
<a href="" id="providerid-allowsimpledevicepassword"></a>***ProviderID*/AllowSimpleDevicePassword**
Optional. An integer value that specifies whether simple passwords, such as "1111" or "1234", are allowed. Possible values for this node are one of the following:
Optional. An integer value that specifies whether simple passwords, such as "1111" or "1234", are allowed. Possible values include:
- 0 - Not allowed.
- 1 (default) - Allowed.
@ -100,7 +102,7 @@ Supported operations are Get, Add, and Replace.
<a href="" id="providerid-alphanumericdevicepasswordrequired"></a>***ProviderID*/AlphanumericDevicePasswordRequired**
Optional. An integer value that specifies the complexity of the password or PIN allowed.
Valid values are one of the following:
Possible values include:
- 0 - Alphanumeric password required
- 1 - Users can choose a numeric or alphanumeric password
@ -117,28 +119,28 @@ Deprecated in Windows 10.
Deprecated in Windows 10.
<a href="" id="providerid-maxdevicepasswordfailedattempts"></a>***ProviderID*/MaxDevicePasswordFailedAttempts**
Optional. An integer value that specifies the number of authentication failures allowed before the device will be wiped. Valid values are 0 to 999. The default value is 0, which indicates the device will not be wiped regardless of the number of authentication failures.
Optional. An integer value that specifies the number of authentication failures allowed before the device will be wiped. Valid values are 0 to 999. The default value is 0, which indicates the device won't be wiped, whatever the number of authentication failures.
Invalid values are treated as a configuration failure. The scope is dynamic.
Supported operations are Get, Add, and Replace.
<a href="" id="providerid-maxinactivitytimedevicelock"></a>***ProviderID*/MaxInactivityTimeDeviceLock**
Optional. An integer value that specifies the amount of time (in minutes) that the device can remain idle before it is password locked. Valid values are 0 to 999. A value of 0 indicates no time-out is specified. In this case, the maximum screen time-out allowed by the UI applies.
Optional. An integer value that specifies the amount of time (in minutes) that the device can remain idle before it's password locked. Valid values are 0 to 999. A value of 0 indicates no time-out is specified. In this case, the maximum screen time-out allowed by the UI applies.
Invalid values are treated as a configuration failure. The scope is dynamic.
Supported operations are Get, Add, and Replace.
<a href="" id="providerid-mindevicepasswordcomplexcharacters"></a>***ProviderID*/MinDevicePasswordComplexCharacters**
Optional. An integer value that specifies the number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong password. Valid values are 1 to 4 for mobile and 1 to 3 for desktop. The default value is 1.
Optional. An integer value that specifies the number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong password. Valid values are 1 to 3 for Windows client. The default value is 1.
Invalid values are treated as a configuration failure. The scope is dynamic.
Supported operations are Get, Add, and Replace.
<a href="" id="devicevalue"></a>**DeviceValue**
Required. A permanent node that groups the policy values applied to the device. The server can query this node to discover what policy values are actually applied to the device. The scope is permanent.
Required. A permanent node that groups the policy values applied to the device. The server can query this node to discover what policy values are applied to the device. The scope is permanent.
Supported operation is Get.
@ -288,31 +290,21 @@ All node values under the **ProviderID** interior node represent the policy valu
- An **Add** or **Replace** command on those nodes returns success in the following cases:
- The value is actually applied to the device.
- The value is applied to the device.
- The value isn't applied to the device because the device has a more secure value set already.
From a security perspective, the device complies with the policy request that is at least as secure as the one requested.
From a security perspective, the device complies with the policy request that's at least as secure as the one requested.
- A **Get** command on those nodes returns the value the server pushes down to the device.
- If a **Replace** command fails, the node value is set back to the value that was to be replaced.
- If an **Add** command fails, the node is not created.
- If an **Add** command fails, the node isn't created.
The value applied to the device can be queried via the nodes under the **DeviceValue** interior node.
## Related topics
## Related articles
[Configuration service provider reference](configuration-service-provider-reference.md)
 
 

181
windows/client-management/mdm/dmclient-csp.md
View File

@ -15,10 +15,11 @@ ms.date: 11/01/2017
# DMClient CSP
The DMClient configuration service provider (CSP) is used to specify additional enterprise-specific mobile device management (MDM) configuration settings for identifying the device in the enterprise domain, for security mitigation for certificate renewal, and for server-triggered enterprise unenrollment.
The DMClient configuration service provider (CSP) has more enterprise-specific mobile device management (MDM) configuration settings. These settings identify the device in the enterprise domain, include security mitigation for certificate renewal, and are used for server-triggered enterprise unenrollment.
The following shows the DMClient CSP in tree format.
```
The following information shows the DMClient CSP in tree format.
```console
./Vendor/MSFT
DMClient
----Provider
@ -72,7 +73,7 @@ All the nodes in this CSP are supported in the device context, except for the **
Root node for the CSP.
<a href="" id="updatemanagementserviceaddress"></a>**UpdateManagementServiceAddress**
For provisioning packages only. Specifies the list of servers (semicolon delimited). The first server in the semicolon-delimited list is the server that will be used to instantiate MDM sessions. The list can be a permutation or a subset of the existing server list. You cannot add new servers to the list using this node.
For provisioning packages only. Specifies the list of servers (semicolon delimited). The first server in the semicolon-delimited list is the server that will be used to instantiate MDM sessions. The list can be a permutation or a subset of the existing server list. You can't add new servers to the list using this node.
<a href="" id="hwdevid"></a>**HWDevID**
Added in Windows 10, version 1703. Returns the hardware device ID.
@ -85,28 +86,31 @@ Required. The root node for all settings that belong to a single management serv
Supported operation is Get.
<a href="" id="provider-providerid"></a>**Provider/**<strong>*ProviderID*</strong>
Required. This node contains the URI-encoded value of the bootstrapped device management accounts Provider ID. Scope is dynamic. This value is set and controlled by the MDM server. As a best practice, use text that doesnt require XML/URI escaping.
Required. This node contains the URI-encoded value of the bootstrapped device management accounts Provider ID. Scope is dynamic. This value is set and controlled by the MDM provider. As a best practice, use text that doesnt require XML/URI escaping.
Supported operations are Get and Add.
<a href="" id="provider-providerid-entdevicename"></a>**Provider/*ProviderID*/EntDeviceName**
Optional. Character string that contains the user-friendly device name used by the IT admin console. The value is set during the enrollment process by way of the DMClient CSP. You can retrieve it later during an OMA DM session.
Optional. Character string that contains the user-friendly device name used by the IT admin console. The value is set during the enrollment process using the DMClient CSP. You can retrieve it later during an OMA DM session.
Supported operations are Get and Add.
<a href="" id="provider-providerid-entdmid"></a>**Provider/*ProviderID*/EntDMID**
Optional. Character string that contains the unique enterprise device ID. The value is set by the management server during the enrollment process by way of the DMClient CSP. You can retrieve it later during an OMA DM session.
Optional. Character string that contains the unique enterprise device ID. The value is set by the management server during the enrollment process using the DMClient CSP. You can retrieve it later during an OMA DM session.
Supported operations are Get and Add.
> [!NOTE]
> Although hardware device IDs are guaranteed to be unique, there is a concern that this is not ultimately enforceable during a DM session. The device ID could be changed through the w7 APPLICATION CSPs **USEHWDEVID** parm by another management server. So during enterprise bootstrap and enrollment, a new device ID is specified by the enterprise server.
> Although hardware device IDs are guaranteed to be unique, there's a concern that this isn't ultimately enforceable during a DM session. The device ID could be changed through the w7 APPLICATION CSPs **USEHWDEVID** parm by another management server. So during enterprise bootstrap and enrollment, a new device ID is specified by the enterprise server.
This node is required and must be set by the server before the client certificate renewal is triggered.
<a href="" id="provider-providerid-exchangeid"></a>**Provider/*ProviderID*/ExchangeID**
Optional. Character string that contains the unique Exchange device ID used by the Outlook account of the user the session is running against. This is useful for the enterprise management server to correlate and merge records for a device that is managed by exchange and natively managed by a dedicated management server.
Optional. Character string that contains the unique Exchange device ID used by the Outlook account of the user the session is running against. The enterprise management server can correlate and merge records for:
- A device that's managed by Exchange.
- A device that's natively managed by a dedicated management server.
> [!NOTE]
> In some cases for the desktop, this node will return "not found" until the user sets up their email.
@ -115,7 +119,7 @@ Optional. Character string that contains the unique Exchange device ID used by t
Supported operation is Get.
The following is a Get command example.
The following XML is a Get command example:
```xml
<Get>
@ -128,13 +132,8 @@ The following is a Get command example.
</Get>
```
<a href="" id="provider-providerid-publisherdeviceid"></a>**Provider/*ProviderID*/PublisherDeviceID**
(Only for Windows 10 Mobile.) Optional. The PublisherDeviceID is a device-unique ID created based on the enterprise Publisher ID. Publisher ID is created based on the enterprise application token and enterprise ID via ./Vendor/MSFT/EnterpriseAppManagement/&lt;enterprise id&gt;/EnrollmentToken. It is to ensure that for one enterprise, each device has a unique ID associated with it. For the same device, if it has multiple enterprises applications, each enterprise is identified differently.
Supported operation is Get.
<a href="" id="provider-providerid-signedentdmid"></a>**Provider/*ProviderID*/SignedEntDMID**
Optional. Character string that contains the device ID. This node and the nodes **CertRenewTimeStamp** can be used by the MDM server to verify client identity in order to update the registration record after the device certificate is renewed. The device signs the **EntDMID** with the old client certificate during the certificate renewal process and saves the signature locally.
Optional. Character string that contains the device ID. This node and the nodes **CertRenewTimeStamp** can be used by the MDM provider to verify client identity to update the registration record after the device certificate is renewed. The device signs the **EntDMID** with the old client certificate during the certificate renewal process and saves the signature locally.
Supported operation is Get.
@ -144,57 +143,61 @@ Optional. The time in OMA DM standard time format. This node is designed to redu
Supported operation is Get.
<a href="" id="provider-providerid-managementserviceaddress"></a>**Provider/*ProviderID*/ManagementServiceAddress**
Required. The character string that contains the device management server address. It can be updated during an OMA DM session by the management server to allow the server to load balance to another server in situations where too many devices are connected to the server.
Required. The character string that contains the device management server address. It can be updated during an OMA DM session by the management server. It allows the server to load balance to another server when too many devices are connected to the server.
> [!NOTE]
> When the **ManagementServerAddressList** value is set, the device ignores the value.
The DMClient CSP will save the address to the same location as the w7 and DMS CSPs to ensure the management client has a single place to retrieve the current server address. The initial value for this node is the same server address value as bootstrapped via the [w7 APPLICATION configuration service provider](w7-application-csp.md).
The DMClient CSP will save the address to the same location as the w7 and DMS CSPs. The save ensures the management client has a single place to retrieve the current server address. The initial value for this node is the same server address value as bootstrapped using the [w7 APPLICATION configuration service provider](w7-application-csp.md).
Starting in Windows 10, version 1511, this node supports multiple server addresses in the format &lt;URL1&gt;&lt;URL2&gt;&lt;URL3&gt;. If there is only a single URL, then the &lt;&gt; are not required. This is supported for both desktop and mobile devices.
Starting in Windows 10, version 1511, this node supports multiple server addresses in the format &lt;URL1&gt;&lt;URL2&gt;&lt;URL3&gt;. If there's only a single URL, then the &lt;&gt; aren't required. This feature is supported on Windows client devices.
During a DM session, the device will use the first address on the list and then keep going down the list until a successful connection is achieved. The DM client should cache the successfully connected server URL for the next session.
Supported operations are Add, Get, and Replace.
<a href="" id="provider-providerid-upn"></a>**Provider/*ProviderID*/UPN**
Optional. Allows the management server to update the User Principal Name (UPN) of the enrolled user. This is useful in scenarios where the user email address changes in the identity system, or in the scenario where the user enters an invalid UPN during enrollment, and fixes the UPN during federated enrollment. The UPN will be recorded and the UX will reflect the updated UPN.
Optional. Allows the management server to update the User Principal Name (UPN) of the enrolled user. This information is useful when the user email address changes in the identity system. Or, when the user enters an invalid UPN during enrollment, and fixes the UPN during federated enrollment. The UPN will be recorded and the UX will reflect the updated UPN.
Supported operations are Get and Replace.
<a href="" id="provider-providerid-helpphonenumber"></a>**Provider/*ProviderID*/HelpPhoneNumber**
Optional. The character string that allows the user experience to include a customized help phone number that the end user will be able to view and use if they need help or support.
Optional. The character string that allows the user experience to include a customized help phone number. Users can see this information if they need help or support.
Supported operations are Get, Replace, and Delete.
<a href="" id="provider-providerid-helpwebsite"></a>**Provider/*ProviderID*/HelpWebsite**
Optional. The character string that allows the user experience to include a customized help website that the end user will be able to view and use if they need help or support.
Optional. The character string that allows the user experience to include a customized help website. Users can see this information if they need help or support.
Supported operations are Get, Replace, and Delete
<a href="" id="provider-providerid-helpemailaddress"></a>**Provider/*ProviderID*/HelpEmailAddress**
Optional. The character string that allows the user experience to include a customized help email address that the end user will be able to view and use if they need help or support.
Optional. The character string that allows the user experience to include a customized help email address. Users can see this information if they need help or support.
Supported operations are Get, Replace, and Delete.
<a href="" id="provider-providerid-requiremessagesigning"></a>**Provider/*ProviderID*/RequireMessageSigning**
Boolean type. Primarily used for SSL bridging mode where firewalls and proxies are deployed and where device client identity is required. When enabled, every SyncML message from the device will carry an additional HTTP header named MDM-Signature. This header contains BASE64-encoded Cryptographic Message Syntax using a Detached Signature of the complete SyncML message SHA-2 (inclusive of the SyncHdr and SyncBody). Signing is performed using the private key of the management session certificate that was enrolled as part of the enrollment process. The device public key and PKCS9 UTC signing time stamp are included as part of the authenticated attributes in the signature.
Boolean type. Primarily used for SSL bridging mode where firewalls and proxies are deployed and where device client identity is required. When enabled, every SyncML message from the device will carry an additional HTTP header named MDM-Signature. This header contains BASE64-encoded Cryptographic Message Syntax using a Detached Signature of the complete SyncML message SHA-2 (inclusive of the SyncHdr and SyncBody). Signing is performed using the private key of the management session certificate that was enrolled as part of the enrollment process. The device public key and PKCS9 UTC signing time stamp are included in the authenticated attributes in the signature.
Default value is false, where the device management client does not include authentication information in the management session HTTP header. Optionally set to true, where the client authentication information is provided in the management session HTTP header.
Default value is false, where the device management client doesn't include authentication information in the management session HTTP header. Optionally set to true, where the client authentication information is provided in the management session HTTP header.
When enabled, the MDM server should validate the signature and the timestamp using the device identify certificate enrolled as part of MS-MDE, ensure the certificate and time are valid, and verify that the signature is trusted by the MDM server.
When enabled, the MDM provider should:
- Validate the signature and the timestamp using the device identify certificate enrolled as part of Mobile Device Enrollment protocol (MS-MDE).
- Ensure the certificate and time are valid.
- Verify that the signature is trusted by the MDM provider.
Supported operations are Get, Replace, and Delete.
<a href="" id="provider-providerid-syncapplicationversion"></a>**Provider/*ProviderID*/SyncApplicationVersion**
Optional. Used by the management server to set the DM session version that the server and device should use. Default is 1.0. In Windows 10, the DM session protocol version of the client is 2.0. If the server is updated to support 2.0, then you should set this value to 2.0. In the next session, check to see if there is a client behavior change between 1.0 and 2.0.
Optional. Used by the management server to set the DM session version that the server and device should use. Default is 1.0. In Windows 10, the DM session protocol version of the client is 2.0. If the server is updated to support 2.0, then you should set this value to 2.0. In the next session, check to see if there's a client behavior change between 1.0 and 2.0.
> [!NOTE]
> This node is only supported in Windows 10 and later.
Once you set the value to 2.0, it will not go back to 1.0.
Once you set the value to 2.0, it won't go back to 1.0.
@ -208,18 +211,18 @@ When you query this node, a Windows 10 client will return 2.0 and a Windows 8.
Supported operation is Get.
<a href="" id="provider-providerid-aadresourceid"></a>**Provider/*ProviderID*/AADResourceID**
Optional. This is the ResourceID used when requesting the user token from the OMA DM session for Azure Active Directory (Azure AD) enrollments (Azure AD Join or Add Accounts). The token is audience-specific, which allows for different service principals (enrollment vs. device management). It can be an application ID or the endpoint that you are trying to access.
Optional. This ResourceID is used when requesting the user token from the OMA DM session for Azure Active Directory (Azure AD) enrollments (Azure AD Join or Add Accounts). The token is audience-specific, which allows for different service principals (enrollment vs. device management). It can be an application ID or the endpoint that you're trying to access.
For more information about Azure AD enrollment, see [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md).
<a href="" id="provider-providerid-enableomadmkeepalivemessage"></a>**Provider/*ProviderID*/EnableOmaDmKeepAliveMessage**
Added in Windows 10, version 1511. A boolean value that specifies whether the DM client should send out a request pending alert in case the device response to a DM request is too slow.
When the server sends a configuration request, sometimes it takes the client longer than the HTTP timeout to get all information together and then the session ends unexpectedly due to timeout. By default, the MDM client does not send an alert that a DM request is pending.
When the server sends a configuration request, the client can take longer than the HTTP timeout to get all information together. The session might end unexpectedly because of the timeout. By default, the MDM client doesn't send an alert that a DM request is pending.
To work around the timeout, you can use this setting to keep the session alive by sending a heartbeat message back to the server. This is achieved by sending a SyncML message with a specific device alert element in the body until the client is able to respond back to the server with the requested information.
To work around the timeout, you can use this setting to keep the session alive by sending a heartbeat message back to the server. Send a SyncML message with a specific device alert element in the body until the client can respond back to the server with the requested information.
Here is an example of DM message sent by the device when it is in pending state:
Here's an example of DM message sent by the device when it's in pending state:
```xml
<SyncML xmlns="SYNCML:SYNCML1.2">
@ -266,12 +269,12 @@ Added in Windows 10, version 1607. Returns the hardware device ID.
Supported operation is Get.
<a href="" id="provider-providerid-commercialid"></a>**Provider/*ProviderID*/CommercialID**
Added in Windows 10, version 1607. Configures the identifier used to uniquely associate this diagnostic data of this device as belonging to a given organization. If your organization is participating in a program that requires this device to be identified as belonging to your organization then use this setting to provide that identification. The value for this setting will be provided by Microsoft as part of the onboarding process for the program. If you disable or do not configure this policy setting, then Microsoft will not be able to use this identifier to associate this machine and its diagnostic data with your organization.
Added in Windows 10, version 1607. It configures the identifier that uniquely associates the device's diagnostic data belonging to the organization. If your organization is participating in a program that requires this device to be identified as belonging to your organization, then use this setting to provide that identification. The value for this setting is provided by Microsoft in the onboarding process for the program. If you disable or don't configure this policy setting, then Microsoft can't use this identifier to associate this machine and its diagnostic data with your organization.
Supported operations are Add, Get, Replace, and Delete.
<a href="" id="provider-providerid-managementserveraddresslist"></a>**Provider/*ProviderID*/ManagementServerAddressList**
Added in Windows 10, version 1607. The list of management server URLs in the format &lt;URL1&gt;&lt;URL2&gt;&lt;URL3&gt;, and so on. If there is only one, the angle brackets (&lt;&gt;) are not required.
Added in Windows 10, version 1607. The list of management server URLs in the format &lt;URL1&gt;&lt;URL2&gt;&lt;URL3&gt;, and so on. If there's only one, the angle brackets (&lt;&gt;) aren't required.
> [!NOTE]
> The &lt; and &gt; should be escaped.
@ -294,12 +297,12 @@ Added in Windows 10, version 1607. The list of management server URLs in the fo
If ManagementServerAddressList node is set, the device will only use the server URL configured in this node and ignore the ManagementServiceAddress value.
When the server is not responding after a specified number of retries, the device tries to use the next server URL in the list until it gets a successful connection. After the server list is updated, the client uses the updated list at the next session starting with the first on in the list.
When the server isn't responding after a specified number of retries, the device tries to use the next server URL in the list. It keeps trying until it gets a successful connection. After the server list is updated, the client uses the updated list at the next session starting with the first one in the list.
Supported operations are Get and Replace. Value type is string.
<a href="" id="provider-providerid-managementservertoupgradeto"></a>**Provider/*ProviderID*/ManagementServerToUpgradeTo**
Optional. Added in Windows 10, version 1703. Specify the Discovery server URL of the MDM server to upgrade to for a Mobile Application Management (MAM) enrolled device.
Optional. Added in Windows 10, version 1703. Specify the Discovery server URL of the MDM provider to upgrade to for a Mobile Application Management (MAM) enrolled device.
Supported operations are Add, Delete, Get, and Replace. Value type is string.
@ -310,18 +313,18 @@ Supported operations are Add, Delete, Get, and Replace. Value type is integer.
<a href="" id="provider-providerid-aadsenddevicetoken"></a>**Provider/*ProviderID*/AADSendDeviceToken**
Device. Added in Windows 10 version 1803. For Azure AD backed enrollments, this will cause the client to send a Device Token if the User Token cannot be obtained.
Device. Added in Windows 10 version 1803. For Azure AD backed enrollments, this feature will cause the client to send a Device Token if the User Token can't be obtained.
Supported operations are Add, Delete, Get, and Replace. Value type is bool.
<a href="" id="provider-providerid-poll"></a>**Provider/*ProviderID*/Poll**
Optional. Polling schedules must utilize the DMClient CSP. The Registry paths previously associated with polling using the Registry CSP are now deprecated.
Optional. Polling schedules must use the DMClient CSP. The Registry paths previously associated with polling using the Registry CSP are now deprecated.
Supported operations are Get and Add.
There are three schedules managed under the Poll node which enable a rich polling schedule experience to provide greater flexibility in managing the way in which devices poll the management server. There are a variety of ways in which polling schedules may be set. If an invalid polling configuration is set, the device will correct or remove the schedules in order to restore the polling schedules back to a valid configuration.
There are three schedules managed under the Poll node. They enable a rich polling schedule experience to provide greater flexibility in managing the way devices poll the management server. There are various ways that polling schedules may be set. If an invalid polling configuration is set, the device will correct or remove the schedules to restore the polling schedules back to a valid configuration.
If there is no infinite schedule set, then a 24-hour schedule is created and scheduled to launch in the maintenance window.
If there's no infinite schedule set, then a 24-hour schedule is created and scheduled to launch in the maintenance window.
**Valid poll schedule: sigmoid polling schedule with infinite schedule (Recommended).**
@ -540,65 +543,65 @@ If there is no infinite schedule set, then a 24-hour schedule is created and sch
If the device was previously enrolled in MDM with polling schedule configured via registry key values directly, the MDM server that supports using DMClient CSP to update polling schedule must first send an Add command to add a **./Vendor/MSFT/DMClient/Enrollment/&lt;ProviderID&gt;/Poll** node before it sends a Get/Replace command to query or update polling parameters via DMClient CSP
If the device was previously enrolled in MDM with polling schedule configured using the registry key values directly, the MDM provider that supports using DMClient CSP to update polling schedule must first send an Add command to add a **./Vendor/MSFT/DMClient/Enrollment/&lt;ProviderID&gt;/Poll** node before it sends a Get/Replace command to query or update polling parameters using the DMClient CSP
When using the DMClient CSP to configure polling schedule parameters, the server must not set all six polling parameters to 0, or set all 3 number of retry nodes to 0 because it will cause a configuration failure.
When using the DMClient CSP to configure polling schedule parameters, the server must not set all six polling parameters to 0, or set all three number of retry nodes to 0. It will cause a configuration failure.
<a href="" id="provider-providerid-poll-intervalforfirstsetofretries"></a>**Provider/*ProviderID*/Poll/IntervalForFirstSetOfRetries**
Optional. The waiting time (in minutes) for the initial set of retries as specified by the number of retries in /&lt;ProviderID&gt;/Poll/NumberOfFirstRetries. If IntervalForFirstSetOfRetries is not set, then the default value is used. The default value is 15. If the value is set to 0, this schedule is disabled.
Optional. The waiting time (in minutes) for the initial set of retries, which is the number of retries in `/<ProviderID>/Poll/NumberOfFirstRetries`. If IntervalForFirstSetOfRetries isn't set, then the default value is used. The default value is 15. If the value is set to 0, this schedule is disabled.
Supported operations are Get and Replace.
The IntervalForFirstSetOfRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\AuxRetryInterval path that previously utilized the Registry CSP.
The IntervalForFirstSetOfRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\AuxRetryInterval path that previously used the Registry CSP.
<a href="" id="provider-providerid-poll-numberoffirstretries"></a>**Provider/*ProviderID*/Poll/NumberOfFirstRetries**
Optional. The number of times the DM client should retry to connect to the server when the client is initially configured or enrolled to communicate with the server. If the value is set to 0 and the IntervalForFirstSetOfRetries value is not 0, then the schedule will be set to repeat an infinite number of times and second set and this set of schedule will not set in this case. The default value is 10.
Optional. The number of times the DM client should retry to connect to the server when the client is initially configured or enrolled to communicate with the server. If the value is set to 0 and the IntervalForFirstSetOfRetries value isn't 0, then the schedule will be set to repeat an infinite number of times and second set and this set of schedule won't set in this case. The default value is 10.
Supported operations are Get and Replace.
The NumberOfFirstRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\AuxNumRetries path that previously utilized the Registry CSP.
The NumberOfFirstRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\AuxNumRetries path that previously used the Registry CSP.
The first set of retries is intended to give the management server some buffered time to be ready to send policies and settings configuration to the device. The total time for first set of retries should not be more than a few hours. The server should not set NumberOfFirstRetries to be 0. RemainingScheduledRetries is used for the long run device polling schedule.
The first set of retries gives the management server some buffered time to be ready to send policy and setting configurations to the device. The total time for first set of retries shouldn't be more than a few hours. The server shouldn't set NumberOfFirstRetries to 0. RemainingScheduledRetries is used for the long run device polling schedule.
<a href="" id="provider-providerid-poll-intervalforsecondsetofretries"></a>**Provider/*ProviderID*/Poll/IntervalForSecondSetOfRetries**
Optional. The waiting time (in minutes) for the second set of retries as specified by the number of retries in /&lt;ProviderID&gt;/Poll/NumberOfSecondRetries. Default value is 0. If this value is set to zero, then this schedule is disabled.
Optional. The waiting time (in minutes) for the second set of retries, which is the number of retries in `/<ProviderID>/Poll/NumberOfSecondRetries`. Default value is 0. If this value is set to zero, then this schedule is disabled.
Supported operations are Get and Replace.
The IntervalForSecondSetOfRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\RetryInterval path that previously utilized the Registry CSP.
The IntervalForSecondSetOfRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\RetryInterval path that previously used the Registry CSP.
<a href="" id="provider-providerid-poll-numberofsecondretries"></a>**Provider/*ProviderID*/Poll/NumberOfSecondRetries**
Optional. The number of times the DM client should retry a second round of connecting to the server when the client is initially configured/enrolled to communicate with the server. Default value is 0. If the value is set to 0 and IntervalForSecondSetOfRetries is not set to 0 AND the first set of retries is not set as infinite retries, then the schedule repeats an infinite number of times. However, if the first set of retries is set at infinite, then this schedule is disabled.
Optional. The number of times the DM client should retry a second round of connecting to the server when the client is initially configured/enrolled to communicate with the server. Default value is 0. If the value is set to 0 and IntervalForSecondSetOfRetries isn't set to 0 AND the first set of retries isn't set as infinite retries, then the schedule repeats an infinite number of times. However, if the first set of retries is set at infinite, then this schedule is disabled.
Supported operations are Get and Replace.
The NumberOfSecondRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\NumRetries path that previously utilized the Registry CSP.
The NumberOfSecondRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\NumRetries path that previously used the Registry CSP.
The second set of retries is also optional and temporarily retries that the total duration should be last for more than a day. And the IntervalForSecondSetOfRetries should be longer than IntervalForFirstSetOfRetries. RemainingScheduledRetries is used for the long run device polling schedule.
<a href="" id="provider-providerid-poll-intervalforremainingscheduledretries"></a>**Provider/*ProviderID*/Poll/IntervalForRemainingScheduledRetries**
Optional. The waiting time (in minutes) for the initial set of retries as specified by the number of retries in /&lt;ProviderID&gt;/Poll/NumberOfRemainingScheduledRetries. Default value is 0. If IntervalForRemainingScheduledRetries is set to 0, then this schedule is disabled.
Optional. The waiting time (in minutes) for the initial set of retries, which is the number of retries in `/<ProviderID>/Poll/NumberOfRemainingScheduledRetries`. Default value is 0. If IntervalForRemainingScheduledRetries is set to 0, then this schedule is disabled.
Supported operations are Get and Replace.
The IntervalForRemainingScheduledRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\Aux2RetryInterval path that previously utilized the Registry CSP.
The IntervalForRemainingScheduledRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\Aux2RetryInterval path that previously used the Registry CSP.
<a href="" id="provider-providerid-poll-numberofremainingscheduledretries"></a>**Provider/*ProviderID*/Poll/NumberOfRemainingScheduledRetries**
Optional. The number of times the DM client should retry connecting to the server when the client is initially configured/enrolled to communicate with the server. Default value is 0. If the value is set to 0 and IntervalForRemainingScheduledRetries AND the first and second set of retries are not set as infinite retries, then the schedule will be set to repeat for an infinite number of times. However, if either or both of the first and second set of retries are set as infinite, then this schedule will be disabled.
Optional. The number of times the DM client should retry connecting to the server when the client is initially configured/enrolled to communicate with the server. Default value is 0. If the value is set to 0 and IntervalForRemainingScheduledRetries AND the first and second set of retries aren't set as infinite retries, then the schedule will be set to repeat for an infinite number of times. However, if either or both of the first and second set of retries are set as infinite, then this schedule will be disabled.
Supported operations are Get and Replace.
The NumberOfRemainingScheduledRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\Aux2NumRetries path that previously utilized the Registry CSP.
The NumberOfRemainingScheduledRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\Aux2NumRetries path that previously used the Registry CSP.
The RemainingScheduledRetries is used for the long run device polling schedule. IntervalForRemainingScheduledRetries should not be set smaller than 1440 minutes (24 hours) in Windows Phone 8.1 device. Windows Phone 8.1 supports MDM server push.
The RemainingScheduledRetries is used for the long run device polling schedule.
<a href="" id="provider-providerid-poll-pollonlogin"></a>**Provider/*ProviderID*/Poll/PollOnLogin**
Optional. Boolean value that allows the IT admin to require the device to start a management session on any user login, regardless of if the user has preciously logged in. Login is not the same as device unlock. Default value is false, where polling is disabled on first login. Supported values are true or false.
Optional. Boolean value that allows the IT admin to require the device to start a management session on any user login, even if the user has previously logged in. Login isn't the same as device unlock. Default value is false, where polling is disabled on first login. Supported values are true or false.
Supported operations are Add, Get, and Replace.
<a href="" id="provider-providerid-poll-alluserspollonfirstlogin"></a>**Provider/*ProviderID*/Poll/AllUsersPollOnFirstLogin**
Optional. Boolean value that allows the IT admin to require the device to start a management session on first user login for all NT users. A session is only kicked off the first time a user logs in to the system; subsequent logins will not trigger an MDM session. Login is not the same as device unlock. Default value is false, where polling is disabled on first login. Supported values are true or false.
Optional. Boolean value that allows the IT admin to require the device to start a management session on first user login for all NT users. A session is only kicked off the first time a user logs in to the system. Later sign-ins won't trigger an MDM session. Login isn't the same as device unlock. Default value is false, where polling is disabled on first login. Supported values are true or false.
Supported operations are Add, Get, and Replace.
@ -609,7 +612,7 @@ Optional. This node enables [Config Lock](config-lock.md) feature. If enabled, p
Default = Locked
> [!Note]
>If the device is not a Secured-core PC, then this feature will not work. To know more, see [Secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure).
>If the device isn't a Secured-core PC, then this feature won't work. To know more, see [Secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure).
<a href="" id="provider-providerid-configlock-lock"></a>**Provider/*ProviderID*/ConfigLock/Lock**
@ -635,12 +638,12 @@ Optional. Not configurable during WAP Provisioning XML. If removed, DM sessions
Supported operations are Add and Delete.
<a href="" id="provider-providerid-push-pfn"></a>**Provider/*ProviderID*/Push/PFN**
Required. A string provided by the Windows 10 ecosystem for an MDM solution. Used to register a device for Push Notifications. The server must use the same PFN as the devices it is managing.
Required. A string provided by the Windows 10 ecosystem for an MDM solution. Used to register a device for Push Notifications. The server must use the same PFN as the devices it's managing.
Supported operations are Add, Get, and Replace.
<a href="" id="provider-providerid-push-channeluri"></a>**Provider/*ProviderID*/Push/ChannelURI**
Required. A string that contains the channel that the WNS client has negotiated for the OMA DM client on the device based on the PFN that was provided. If no valid PFN is currently set, ChannelURI will return null.
Required. A string that contains the channel that the WNS client has negotiated for the OMA DM client on the device, based on the PFN that was provided. If no valid PFN is currently set, ChannelURI will return null.
Supported operation is Get.
@ -720,12 +723,12 @@ Optional. Added in Windows 10, version 1703. Specifies the body text of the all
Supported operations are Add, Delete, Get, and Replace. Value type is string.
<a href="" id="provider-providerid-customenrollmentcompletepage-hyperlinkhref"></a>**Provider/*ProviderID*/CustomEnrollmentCompletePage/HyperlinkHref**
Optional. Added in Windows 10, version 1703. Specifies the URL that is shown at the end of the MDM enrollment flow.
Optional. Added in Windows 10, version 1703. Specifies the URL that's shown at the end of the MDM enrollment flow.
Supported operations are Add, Delete, Get, and Replace. Value type is string.
<a href="" id="provider-providerid-customenrollmentcompletepage-hyperlinktext"></a>**Provider/*ProviderID*/CustomEnrollmentCompletePage/HyperlinkText**
Optional. Added in Windows 10, version 1703. Specifies the display text for the URL that is shown at the end of the MDM enrollment flow.
Optional. Added in Windows 10, version 1703. Specifies the display text for the URL that's shown at the end of the MDM enrollment flow.
Supported operations are Add, Delete, Get, and Replace. Value type is string.
@ -733,39 +736,39 @@ Supported operations are Add, Delete, Get, and Replace. Value type is string.
Optional node. Added in Windows 10, version 1709.
<a href="" id="provider-providerid-firstsyncstatus-expectedpolicies"></a>**Provider/*ProviderID*/FirstSyncStatus/ExpectedPolicies**
Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to policies the management service provider expects to provision, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER).
Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to policies the management service provider expects to configure, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER).
Supported operations are Add, Delete, Get, and Replace. Value type is string.
<a href="" id="provider-providerid-firstsyncstatus-expectednetworkprofiles "></a>**Provider/*ProviderID*/FirstSyncStatus/ExpectedNetworkProfiles**
Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to Wi-Fi profiles and VPN profiles the management service provider expects to provision, delimited by the character L"\xF000".
Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to Wi-Fi profiles and VPN profiles the management service provider expects to configure, delimited by the character L"\xF000".
Supported operations are Add, Delete, Get, and Replace. Value type is string.
<a href="" id="provider-providerid-firstsyncstatus-expectedmsiapppackages"></a>**Provider/*ProviderID*/FirstSyncStatus/ExpectedMSIAppPackages**
Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to App Packages the management service provider expects to provision via EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We will not verify that number. For example, `./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2` This represents App Package ProductID1 containing four apps, and ProductID2 containing two apps.
Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to App Packages the management service provider expects to configure using the EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. For example, `./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2` This represents App Package ProductID1 containing four apps, and ProductID2 containing two apps.
Supported operations are Add, Delete, Get, and Replace. Value type is string.
<a href="" id="provider-providerid-firstsyncstatus-expectedmodernapppackages"></a>**Provider/*ProviderID*/FirstSyncStatus/ExpectedModernAppPackages**
Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to App Packages the management service provider expects to provision via EnterpriseModernAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the amount of apps included in the App Package. We will not verify that number. For example,
Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to App Packages the management service provider expects to configure using the EnterpriseModernAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. For example,
``` syntax
./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName/Name;4"\xF000"
./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName2/Name;2
```
This represents App Package PackageFullName containing four apps, and PackageFullName2 containing two apps.
This syntax represents App Package PackageFullName containing four apps, and PackageFullName2 containing two apps.
Supported operations are Add, Delete, Get, and Replace. Value type is string.
<a href="" id="provider-providerid-firstsyncstatus-expectedpfxcerts"></a>**Provider/*ProviderID*/FirstSyncStatus/ExpectedPFXCerts**
Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to certs the management service provider expects to provision via ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER).
Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to certs the management service provider expects to configure using the ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER).
Supported operations are Add, Delete, Get, and Replace. Value type is string.
<a href="" id="provider-providerid-firstsyncstatus-expectedscepcerts"></a>**Provider/*ProviderID*/FirstSyncStatus/ExpectedSCEPCerts**
Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to SCEP certs the management service provider expects to provision via ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER).
Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to SCEP certs the management service provider expects to configure using the ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER).
Supported operations are Add, Delete, Get, and Replace. Value type is string.
@ -775,42 +778,42 @@ Required. Added in Windows 10, version 1709. This node determines how long we wi
Supported operations are Get and Replace. Value type is integer.
<a href="" id="provider-providerid-firstsyncstatus-serverhasfinishedprovisioning"></a>**Provider/*ProviderID*/FirstSyncStatus/ServerHasFinishedProvisioning**
Required. Added in Windows 10, version 1709. This node is set by the server to inform the UX that the server has finished provisioning the device. This was added so that the server can “change its mind" about what it needs to provision on the device. When this node is set, many other DM Client nodes will no longer be able to be changed. If this node is not True, the UX will consider the provisioning a failure. Once set to true, it would reject attempts to change it back to false with CFGMGR_E_COMMANDNOTALLOWED. This node applies to the per user expected policies and resources lists.
Required. Added in Windows 10, version 1709. This node is set by the server to inform the UX that the server has finished configuring the device. It was added so that the server can “change its mind" about what it needs to configure on the device. When this node is set, many other DM Client nodes can't be changed. If this node isn't True, the UX will consider the configuration a failure. Once set to true, it would reject attempts to change it back to false with CFGMGR_E_COMMANDNOTALLOWED. This node applies to the per user expected policies and resources lists.
Supported operations are Get and Replace. Value type is boolean.
<a href="" id="provider-providerid-firstsyncstatus-issyncdone"></a>**Provider/*ProviderID*/FirstSyncStatus/IsSyncDone**
Required. Added in Windows 10, version 1709. This node, when doing a get, tells the server if the “First Syncs" are done and the device is fully provisioned. When doing a Set, this triggers the UX to override whatever state it is in and tell the user that the device is provisioned. It cannot be set from True to False (it will not change its mind on whether or not the sync is done), and it cannot be set from True to True (to prevent notifications from firing multiple times). This node only applies to the user MDM status page (on a per user basis).
Required. Added in Windows 10, version 1709. This node, when doing a get, tells the server if the “First Syncs" are done and the device is fully configured. `Set` triggers the UX to override whatever state it's in, and tell the user that the device is configured. It can't be set from True to False (it won't change its mind if the sync is done), and it can't be set from True to True (to prevent notifications from firing multiple times). This node only applies to the user MDM status page (on a per user basis).
Supported operations are Get and Replace. Value type is boolean.
<a href="" id="provider-providerid-firstsyncstatus-wasdevicesuccessfullyprovisioned"></a>**Provider/*ProviderID*/FirstSyncStatus/WasDeviceSuccessfullyProvisioned**
Required. Added in Windows 10, version 1709. Integer node determining if a device was successfully provisioned. 0 is failure, 1 is success, 2 is in progress. Once the value is changed to 0 or 1, the value cannot be changed again. The client will change the value of success or failure and update the node. The server can, however, force a failure or success message to appear on the device by setting this value and then setting the IsSyncDone node to true. This node only applies to the user MDM status page (on a per user basis).
Required. Added in Windows 10, version 1709. Integer node determining if a device was successfully configured. 0 is failure, 1 is success, 2 is in progress. Once the value is changed to 0 or 1, the value can't be changed again. The client will change the value of success or failure and update the node. The server can force a failure or success message to appear on the device by setting this value and then setting the IsSyncDone node to true. This node only applies to the user MDM status page (on a per user basis).
Supported operations are Get and Replace. Value type is integer.
<a href="" id="provider-providerid-firstsyncstatus-blockinstatuspage"></a>**Provider/*ProviderID*/FirstSyncStatus/BlockInStatusPage**
Required. Device Only. Added in Windows 10, version 1803. This node determines whether or not the MDM progress page is blocking in the Azure AD joined or DJ++ case, as well as which remediation options are available.
Required. Device Only. Added in Windows 10, version 1803. This node determines if the MDM progress page is blocking in the Azure AD joined or DJ++ case, and which remediation options are available.
Supported operations are Get and Replace. Value type is integer.
<a href="" id="provider-providerid-firstsyncstatus-allowcollectlogsbutton"></a>**Provider/*ProviderID*/FirstSyncStatus/AllowCollectLogsButton**
Required. Added in Windows 10, version 1803. This node decides whether or not the MDM progress page displays the Collect Logs button.
Required. Added in Windows 10, version 1803. This node decides if the MDM progress page displays the Collect Logs button.
Supported operations are Get and Replace. Value type is bool.
<a href="" id="provider-providerid-firstsyncstatus-customerrortext"></a>**Provider/*ProviderID*/FirstSyncStatus/CustomErrorText**
Required. Added in Windows 10, version 1803. This node allows the MDM to set custom error text, detailing what the user needs to do in case of error.
Required. Added in Windows 10, version 1803. This node allows the MDM to set custom error text, detailing what the user needs to do if there's an error.
Supported operations are Add, Get, Delete, and Replace. Value type is string.
<a href="" id="provider-providerid-firstsyncstatus-skipdevicestatuspage"></a>**Provider/*ProviderID*/FirstSyncStatus/SkipDeviceStatusPage**
Required. Device only. Added in Windows 10, version 1803. This node decides whether or not the MDM device progress page skips after Azure AD joined or Hybrid Azure AD joined in OOBE.
Required. Device only. Added in Windows 10, version 1803. This node decides if the MDM device progress page skips after Azure AD joined or Hybrid Azure AD joined in OOBE.
Supported operations are Get and Replace. Value type is bool.
<a href="" id="provider-providerid-firstsyncstatus-skipuserstatuspage"></a>**Provider/*ProviderID*/FirstSyncStatus/SkipUserStatusPage**
Required. Device only. Added in Windows 10, version 1803. This node decides whether or not the MDM user progress page skips after Azure AD joined or DJ++ after user login.
Required. Device only. Added in Windows 10, version 1803. This node decides if the MDM user progress page skips after Azure AD joined or DJ++ after user login.
Supported operations are Get and Replace. Value type is bool.
@ -820,12 +823,12 @@ Required node. Added in Windows 10, version 1709.
Supported operation is Get.
<a href="" id="provider-providerid-enhancedapplayersecurity-securitymode"></a>**Provider/*ProviderID*/EnhancedAppLayerSecurity/SecurityMode**
Required. Added in Windows 10, version 1709. This node specifies how the client will perform the app layer signing and encryption. 0: no op; 1: sign only; 2: encrypt only; 3: sign and encrypt. The default value is 0.
Required. Added in Windows 10, version 1709. This node specifies how the client will do the app layer signing and encryption. 0: no op; 1: sign only; 2: encrypt only; 3: sign and encrypt. The default value is 0.
Supported operations are Add, Get, Replace, and Delete. Value type is integer.
<a href="" id="provider-providerid-enhancedapplayersecurity-usecertifrevocationcheckoffline"></a>**Provider/*ProviderID*/EnhancedAppLayerSecurity/UseCertIfRevocationCheckOffline**
Required. Added in Windows 10, version 1709. This node, when it is set, tells the client to use the certificate even when the client cannot check the certificate's revocation status because the device is offline. The default value is set.
Required. Added in Windows 10, version 1709. When this node is set, it tells the client to use the certificate even when the client can't check the certificate's revocation status because the device is offline. The default value is set.
Supported operations are Add, Get, Replace, and Delete. Value type is boolean.
@ -840,13 +843,13 @@ Required. Added in Windows 10, version 1709. The node contains the secondary cer
Supported operations are Add, Get, Replace, and Delete. Value type is string.
<a href="" id="provider-providerid-unenroll"></a>**Provider/*ProviderID*/Unenroll**
Required. The node accepts unenrollment requests by way of the OMA DM Exec command and calls the enrollment client to unenroll the device from the management server whose provider ID is specified in the `<Data>` tag under the `<Item>` element. Scope is permanent.
Required. The node accepts unenrollment requests using the OMA DM Exec command and calls the enrollment client to unenroll the device from the management server whose provider ID is specified in the `<Data>` tag under the `<Item>` element. Scope is permanent.
Supported operations are Get and Exec.
Note that &lt;LocURI&gt;./Vendor/MSFT/DMClient/Unenroll&lt;/LocURI&gt; is supported for backward compatibility.
&lt;LocURI&gt;./Vendor/MSFT/DMClient/Unenroll&lt;/LocURI&gt; is supported for backward compatibility.
The following SyncML shows how to remotely unenroll the device. Note that this command should be inserted in the general DM packages sent from the server to the device.
The following SyncML shows how to remotely unenroll the device. This command should be inserted in the general DM packages sent from the server to the device.
```xml
<Exec>
@ -864,17 +867,7 @@ The following SyncML shows how to remotely unenroll the device. Note that this c
</Exec>
```
## Related topics
## Related articles
[Configuration service provider reference](configuration-service-provider-reference.md)

31
windows/client-management/mdm/dmprocessconfigxmlfiltered.md
View File

@ -25,26 +25,27 @@ ms.date: 06/26/2017
# DMProcessConfigXMLFiltered function
> [!Important]
> The use of this function for automatic data configuration (ADC) is deprecated in Windows Phone 8.1. Please see [Connectivity configuration](/previous-versions//dn757424(v=vs.85)) for more information about the new process for provisioning connectivity configuration. However, this function is still supported for other OEM uses.
> The use of this function for automatic data configuration (ADC) is deprecated in Windows Phone 8.1. For more information about the new process for provisioning connectivity configuration, see [Connectivity configuration](/previous-versions//dn757424(v=vs.85)). However, this function is still supported for other OEM uses.
Configures phone settings by using OMA Client Provisioning XML. Use of this function is strictly limited to the following scenarios.
- Adding dynamic credentials for OMA Client Provisioning.
- Manufacturing test applications. These applications and the supporting drivers must be removed from the phones before they are sold.
- Manufacturing test applications. These applications and the supporting drivers must be removed from the phones before they're sold.
Microsoft recommends that this function is not used to configure the following types of settings.
Microsoft recommends that this function isn't used to configure the following types of settings:
- Security settings that are configured by using CertificateStore, SecurityPolicy, and RemoteWipe, unless they are related to OMA DM or OMA Client Provisioning security policies.
- Security settings that are configured using CertificateStore, SecurityPolicy, and RemoteWipe, unless they're related to OMA DM or OMA Client Provisioning security policies
- Non-cellular data connection settings (such as Hotspot settings).
- File system files and registry settings, unless they are used for OMA DM account management, mobile operator data connection settings, or manufacturing tests.
- File system files and registry settings, unless they're used for OMA DM account management, mobile operator data connection settings, or manufacturing tests
- Email settings.
- Email settings
> **Note**  The **DMProcessConfigXMLFiltered** function has full functionality in Windows 10 Mobile and Windows Phone 8.1, but it has a read-only functionality in Windows 10 desktop.
> [!Note]
> The **DMProcessConfigXMLFiltered** function has full functionality in Windows Phone 8.1, but it has a read-only functionality in Windows 10.
@ -63,13 +64,13 @@ HRESULT STDAPICALLTYPE DMProcessConfigXMLFiltered(
*pszXmlIn*
<ul>
<li>[in] The nullterminated input XML buffer containing the configuration data. The parameter holds the XML that will be used to configure the phone. <strong>DMProcessConfigXMLFiltered</strong> accepts only OMA Client Provisioning XML (also known as WAP provisioning). It does not accept OMA DM SyncML XML (also known as SyncML).</li>
<li>[in] The nullterminated input XML buffer containing the configuration data. The parameter holds the XML that will be used to configure the phone. <strong>DMProcessConfigXMLFiltered</strong> accepts only OMA Client Provisioning XML (also known as WAP provisioning). It doesn't accept OMA DM SyncML XML (also known as SyncML).</li>
</ul>
<br>
*rgszAllowedCspNode*
<ul>
<li>[in] Array of <strong>WCHAR\</strong>* that specify which configuration service provider nodes are allowed to be invoked.</li>
<li>[in] Array of <strong>WCHAR\</strong>* that specify which configuration service provider nodes can be invoked.</li>
</ul>
<br>
@ -85,11 +86,11 @@ HRESULT STDAPICALLTYPE DMProcessConfigXMLFiltered(
</ul>
<br>
If **DMProcessConfigXMLFiltered** retrieves a document, the *pbstrXmlOut* holds the XML output (in string form) of the provisioning operations. If **DMProcessConfigXMLFiltered** returns a failure, the XML output often contains "error nodes" that indicate which elements of the original XML failed. If the input document does not contain queries and is successfully processed, the output document should resemble the input document. In some error cases, no output is returned.
If **DMProcessConfigXMLFiltered** retrieves a document, the *pbstrXmlOut* holds the XML output (in string form) of the provisioning operations. If **DMProcessConfigXMLFiltered** returns a failure, the XML output often contains "error nodes" that indicate which elements of the original XML failed. If the input document doesn't contain queries and is successfully processed, the output document should resemble the input document. In some error cases, no output is returned.
## Return value
Returns the standard **HRESULT** value **S\_OK** to indicate success. The following table shows the additional error codes that may be returned.
Returns the standard **HRESULT** value **S\_OK** to indicate success. The following table shows more error codes that can be returned:
<table>
<colgroup>
@ -130,9 +131,9 @@ Returns the standard **HRESULT** value **S\_OK** to indicate success. The follow
## Remarks
The processing of the XML is transactional; either the entire document gets processed successfully or none of the settings are processed. Therefore, the **DMProcessConfigXMLFiltered** function processes only one XML configuration request at a time.
The processing of the XML is transactional. Either the entire document gets processed successfully, or none of the settings are processed. So, the **DMProcessConfigXMLFiltered** function processes only one XML configuration request at a time.
The usage of **DMProcessConfigXMLFiltered** depends on the configuration service providers that are used. For example, if the input .provxml contains the following two settings:
The usage of **DMProcessConfigXMLFiltered** depends on the configuration service providers that are used. For example, if the input `.provxml` contains the following two settings:
``` XML
<wap-provisioningdoc>
@ -163,9 +164,9 @@ LPCWSTR rgszAllowedCspNodes[] =
};
```
This array of configuration service provider names indicates which .provxml contents should be present. If the provxml contains "EMAIL2" provisioning but *rgszAllowedCspNodes* does not contain EMAIL2, then **DMProcessConfigXMLFiltered** fails with an **E\_ACCESSDENIED** error code.
This array of configuration service provider names indicates which `.provxml` contents should be present. If the provxml contains "EMAIL2" provisioning but *rgszAllowedCspNodes* doesn't contain EMAIL2, then **DMProcessConfigXMLFiltered** fails with an **E\_ACCESSDENIED** error code.
The following code sample shows how this array would be passed in. Note that *szProvxmlContent* does not show the full XML contents for brevity. In actual usage, the "…" would contain the full XML string shown above.
The following code sample shows how this array would be passed in. The *szProvxmlContent* doesn't show the full XML contents for brevity. In actual usage, the "…" would contain the full XML string shown above.
``` C++
WCHAR szProvxmlContent[] = L"<wap-provisioningdoc>...</wap-provisioningdoc>";

126
windows/client-management/mdm/email2-csp.md
View File

@ -17,13 +17,14 @@ ms.date: 06/26/2017
The EMAIL2 configuration service provider (CSP) is used to configure Simple Mail Transfer Protocol (SMTP) email accounts.
> **Note**   This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_CSP\_MAIL capabilities to be accessed from a network configuration application.
On the desktop, only per user configuration is supported.
> [!Note]
> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_CSP\_MAIL capabilities to be accessed from a network configuration application.
 
On Windows client, only per user configuration is supported. 
The following shows the EMAIL2 configuration service provider management object in tree format as used by both OMA DM and OMA Client Provisioning.
```
The following information shows the EMAIL2 configuration service provider management object in tree format as used by both OMA DM and OMA Client Provisioning.
```console
./Vendor/MSFT
EMAIL2
----Account GUID
@ -60,9 +61,10 @@ EMAIL2
------------8128000B
------------812C000B
```
In Windows 10 Mobile, after the users out of box experience, an OEM or mobile operator can use the EMAIL2 configuration service provider to provision the device with a mobile operators proprietary mail over the air. After provisioning, the **Start** screen has a tile for the proprietary mail provider and there is also a link to it in the applications list under **Settings, email & accounts**. After an account has been updated over-the-air by the EMAIL2 CSP, the device must be powered off and then powered back on to see the sync status.
Configuration data is not encrypted when sent over the air (OTA). Be aware that this is a potential security risk when sending sensitive configuration data, such as passwords.
After provisioning, the **Start** screen has a tile for the proprietary mail provider and there's also a link to it in the applications list under **Settings, email & accounts**. After an account has been updated over-the-air by the EMAIL2 CSP, the device must be powered off and then powered back on to see the sync status.
Configuration data isn't encrypted when sent over the air (OTA). This is a potential security risk when sending sensitive configuration data, such as passwords.
> [!IMPORTANT]
> All Add and Replace commands need to be wrapped in an Atomic section.
@ -73,7 +75,7 @@ The configuration service provider root node.
Supported operation is Get.
<a href="" id="guid"></a>***GUID***
Defines a specific email account. A globally unique identifier (GUID) must be generated for each email account on the device. Provisioning with an account that has the same GUID as an existing one does not create the new account and Add command will fail in this case.
Defines a specific email account. A globally unique identifier (GUID) must be generated for each email account on the device. Provisioning with an account that has the same GUID as an existing one doesn't create the new account and Add command will fail in this case.
Supported operations are Get, Add, and Delete.
@ -86,14 +88,14 @@ The braces {} around the GUID are required in the EMAIL2 configuration service p
<a href="" id="accounticon"></a>**ACCOUNTICON**
Optional. Returns the location of the icon associated with the account.
Supported operations are Get, Add, Replace and Delete.
Supported operations are Get, Add, Replace, and Delete.
The account icon can be used as a tile in the **Start** list or an icon in the applications list under **Settings, email & accounts**. Some icons are already provided on the device. The suggested icon for POP/IMAP or generic ActiveSync accounts is at res://AccountSettingsSharedRes{*ScreenResolution*}!%s.genericmail.png. The suggested icon for Exchange Accounts is at res://AccountSettingsSharedRes{*ScreenResolution*}!%s.office.outlook.png. Custom icons can be added if desired.
The account icon can be used as a tile in the **Start** list or an icon in the applications list under **Settings, email & accounts**. Some icons are already provided on the device. The suggested icon for POP/IMAP or generic ActiveSync accounts is at res://AccountSettingsSharedRes{*ScreenResolution*}!%s.genericmail.png. The suggested icon for Exchange Accounts is at res://AccountSettingsSharedRes{*ScreenResolution*}!%s.office.outlook.png. Custom icons can be added.
<a href="" id="accounttype"></a>**ACCOUNTTYPE**
Required. Specifies the type of account.
Supported operations are Get, Add, Replace and Delete.
Supported operations are Get, Add, Replace, and Delete.
Valid values are:
@ -104,60 +106,61 @@ Valid values are:
<a href="" id="authname"></a>**AUTHNAME**
Required. Character string that specifies the name used to authorize the user to a specific email account (also known as the user's logon name).
Supported operations are Get, Add, Replace and Delete.
Supported operations are Get, Add, Replace, and Delete.
<a href="" id="authrequired"></a>**AUTHREQUIRED**
Optional. Character string that specifies whether the outgoing server requires authentication.
Supported operations are Get, Add, Replace and Delete.
Supported operations are Get, Add, Replace, and Delete.
Valid values are one of the following:
Value options:
- 0 - Server authentication is not required.
- 0 - Server authentication isn't required.
- 1 - Server authentication is required.
> **Note**  If this value is not specified, then no SMTP authentication is done. Also, this is different from SMTPALTENABLED.
> [!NOTE]
> If this value isn't specified, then no SMTP authentication is done. Also, this is different from SMTPALTENABLED.
 
<a href="" id="authsecret"></a>**AUTHSECRET**
Optional. Character string that specifies the user's password. The same password is used for SMTP authentication.
Supported operations are Get, Add, Replace and Delete.
Supported operations are Get, Add, Replace, and Delete.
<a href="" id="domain"></a>**DOMAIN**
Optional. Character string that specifies the incoming server credentials domain. Limited to 255 characters.
Supported operations are Get, Add, Replace and Delete.
Supported operations are Get, Add, Replace, and Delete.
<a href="" id="dwnday"></a>**DWNDAY**
Optional. Character string that specifies how many days' worth of email should be downloaded from the server.
Supported operations are Get, Add, Replace and Delete.
Supported operations are Get, Add, Replace, and Delete.
Valid values are one of the following:
Value options:
- -1: Specifies that all email currently on the server should be downloaded.
- 7: Specifies that 7 days worth of email should be downloaded.
- 7: Specifies that seven days worth of email should be downloaded.
- 14: Specifies that 14 days worth of email should be downloaded.
- 30: Specifies that 30 days worth of email should be downloaded.
<a href="" id="inserver"></a>**INSERVER**
Required. Character string that specifies the name of the incoming server name and port number. This is limited to 62 characters. If the standard port number is used, then you don't have to specify the port number. The value format is:
Required. Character string that specifies the name of the incoming server name and port number. This string is limited to 62 characters. If the standard port number is used, then you don't have to specify the port number. The value format is:
- server name:port number
Supported operations are Get, Add and Replace.
Supported operations are Get, Add, and Replace.
<a href="" id="linger"></a>**LINGER**
Optional. Character string that specifies the length of time between email send/receive updates in minutes.
Supported operations are Get, Add, Replace and Delete.
Supported operations are Get, Add, Replace, and Delete.
Valid values are:
Value options:
- 0 - Email updates must be performed manually.
@ -174,16 +177,16 @@ Optional. Specifies the maximum size for a message attachment. Attachments beyon
The limit is specified in KB
Valid values are 0, 25, 50, 125, and 250.
Value options are 0, 25, 50, 125, and 250.
A value of 0 meaning that no limit will be enforced.
Supported operations are Get, Add, Replace and Delete.
Supported operations are Get, Add, Replace, and Delete.
<a href="" id="name"></a>**NAME**
Optional. Character string that specifies the name of the sender displayed on a sent email. It should be set to the users name. Limited to 255 characters.
Supported operations are Get, Add, Replace and Delete.
Supported operations are Get, Add, Replace, and Delete.
<a href="" id="outserver"></a>**OUTSERVER**
Required. Character string that specifies the name of the messaging service's outgoing email server. Limited to 62 characters. The value format is:
@ -195,14 +198,15 @@ Supported operations are Get, Add, Delete, and Replace.
<a href="" id="replyaddr"></a>**REPLYADDR**
Required. Character string that specifies the reply email address of the user (usually the same as the user email address). Sending email will fail without it. Limited to 255 characters.
Supported operations are Get, Add, Delete and Replace.
Supported operations are Get, Add, Delete, and Replace.
<a href="" id="servicename"></a>**SERVICENAME**
Required. Character string that specifies the name of the email service to create or edit (32 characters maximum).
Supported operations are Get, Add, Replace, and Delete.
> **Note**   The EMAIL2 Configuration Service Provider does not support the OMA DM **Replace** command on the parameters **SERVICENAME** and **SERVICETYPE**. To replace either the email account name or the account service type, the existing email account must be deleted and then a new one must be created.
> [!NOTE]
> The EMAIL2 Configuration Service Provider doesn't support the OMA DM **Replace** command on the parameters **SERVICENAME** and **SERVICETYPE**. To replace either the email account name or the account service type, the existing email account must be deleted and then a new one must be created.
 
@ -211,19 +215,19 @@ Required. Character string that specifies the type of email service to create or
Supported operations are Get, Add, Replace, and Delete.
> **Note**   The EMAIL2 Configuration Service Provider does not support the OMA DM **Replace** command on the parameters **SERVICENAME** and **SERVICETYPE**. To replace either the email account name or the account service type, the existing email account must be deleted and then a new one must be created.
> **Note**   The EMAIL2 Configuration Service Provider doesn't support the OMA DM **Replace** command on the parameters **SERVICENAME** and **SERVICETYPE**. To replace either the email account name or the account service type, the existing email account must be deleted and then a new one must be created.
 
<a href="" id="retrieve"></a>**RETRIEVE**
Optional. Specifies the maximum size in bytes for messages retrieved from the incoming email server. Messages beyond this size are retrieved, but truncated.
Valid values are 512, 1024, 2048, 5120, 20480, and 51200.
Value options are 512, 1024, 2048, 5120, 20480, and 51200.
Supported operations are Get, Add, Replace, and Delete.
<a href="" id="serverdeleteaction"></a>**SERVERDELETEACTION**
Optional. Character string that specifies how message is deleted on server. Valid values:
Optional. Character string that specifies how message is deleted on server. Value options:
- 1 - delete message on the server
- 2 - keep the message on the server (delete to the Trash folder).
@ -238,7 +242,7 @@ Optional. If this flag is set, the account only uses the cellular network and no
Value type is string. Supported operations are Get, Add, Replace, and Delete.
<a href="" id="syncingcontenttypes"></a>**SYNCINGCONTENTTYPES**
Required. Specifies a bitmask for which content types are supported for syncing (eg: Mail, Contacts, Calendar).
Required. Specifies a bitmask for which content types are supported for syncing, like Mail, Contacts, and Calendar.
- No data (0x0)
- Contacts (0x1)
@ -257,12 +261,12 @@ Required. Specifies a bitmask for which content types are supported for syncing
Supported operations are Get, Add, Replace, and Delete.
<a href="" id="contactsserver"></a>**CONTACTSSERVER**
Optional. Server for contact sync if it is different from the email server.
Optional. Server for contact sync if it's different from the email server.
Supported operations are Get, Add, Replace, and Delete.
<a href="" id="calendarserver"></a>**CALENDARSERVER**
Optional. Server for calendar sync if it is different from the email server.
Optional. Server for calendar sync if it's different from the email server.
Supported operations are Get, Add, Replace, and Delete.
@ -289,38 +293,38 @@ Supported operations are Get, Add, Replace, and Delete.
<a href="" id="smtpaltauthname"></a>**SMTPALTAUTHNAME**
Optional. Character string that specifies the display name associated with the user's alternative SMTP email account.
Supported operations are Get, Add, Replace and Delete.
Supported operations are Get, Add, Replace, and Delete.
<a href="" id="smtpaltdomain"></a>**SMTPALTDOMAIN**
Optional. Character string that specifies the domain name for the user's alternative SMTP account.
Supported operations are Get, Add, Replace and Delete.
Supported operations are Get, Add, Replace, and Delete.
<a href="" id="smtpaltenabled"></a>**SMTPALTENABLED**
Optional. Character string that specifies if the user's alternate SMTP account is enabled.
Supported operations are Get, Add, Replace and Delete.
Supported operations are Get, Add, Replace, and Delete.
A value of "FALSE" specifies that the user's alternate SMTP email account is disabled. A value of "TRUE" specifies that the user's alternate SMTP email account is enabled.
A value of "FALSE" means the user's alternate SMTP email account is disabled. A value of "TRUE" means that the user's alternate SMTP email account is enabled.
<a href="" id="smtpaltpassword"></a>**SMTPALTPASSWORD**
Optional. Character string that specifies the password for the user's alternate SMTP account.
Supported operations are Get, Add, Replace and Delete.
Supported operations are Get, Add, Replace, and Delete.
<a href="" id="tagprops"></a>**TAGPROPS**
Optional. Defines a group of properties with non-standard element names.
Supported operations are Get, Add, Replace and Delete.
Supported operations are Get, Add, Replace, and Delete.
<a href="" id="tagprops-8128000b"></a>**TAGPROPS/8128000B**
Optional. Character string that specifies if the incoming email server requires SSL.
Supported operations are Get, Add, Replace and Delete.
Supported operations are Get, Add, Replace, and Delete.
Value is one of the following:
Value options:
- 0 - SSL is not required.
- 0 - SSL isn't required.
- 1 - SSL is required.
<a href="" id="tagprops-812c000b"></a>**TAGPROPS/812C000B**
@ -328,49 +332,39 @@ Optional. Character string that specifies if the outgoing email server requires
Supported operations are Get and Replace.
Value is one of the following:
Value options:
- 0 - SSL is not required.
- 0 - SSL isn't required.
- 1 - SSL is required.
## Remarks
When an application removal or configuration roll-back is provisioned, the EMAIL2 CSP passes the request to Configuration Manager, which handles the transaction externally. When a MAPI application is removed, the accounts that were created with it are deleted and all messages and other properties that the transport (for example, Short Message Service \[SMS\], Post Office Protocol \[POP\], or Simple Mail Transfer Protocol \[SMTP\]) might have stored, are lost. If an attempt to create a new email account is unsuccessful, the new account is automatically deleted. If an attempt to edit an existing account is unsuccessful, the original configuration is automatically rolled back (restored).
When an application removal or configuration roll-back is provisioned, the EMAIL2 CSP passes the request to Configuration Manager, which handles the transaction externally. When a MAPI application is removed, the accounts that were created with it are deleted. All messages and other properties that the transport (like Short Message Service \[SMS\], Post Office Protocol \[POP\], or Simple Mail Transfer Protocol \[SMTP\]) might have stored, are lost. If an attempt to create a new email account is unsuccessful, the new account is automatically deleted. If an attempt to edit an existing account is unsuccessful, the original configuration is automatically rolled back (restored).
For OMA DM, the EMAIL2 CSP handles the Replace command differently from most other configuration service providers. For the EMAIL2 CSP, Configuration Manager implicitly adds the missing part of the node to be replaced or any segment in the path of the node if it is left out in the \<LocURI>\</LocURI\> block. There are separate parameters defined for the outgoing server logon credentials. The following are the usage rules for these credentials:
For OMA DM, the EMAIL2 CSP handles the Replace command differently from most other configuration service providers. For the EMAIL2 CSP, Configuration Manager implicitly adds the missing part of the node to be replaced or any segment in the path of the node if it's left out in the \<LocURI>\</LocURI\> block. There are separate parameters defined for the outgoing server logon credentials. The following are the usage rules for these credentials:
- The incoming server logon credentials are used (AUTHNAME, AUTHSECRET, and DOMAIN) unless the outgoing server credentials are set.
- If some but not all of the outgoing server credentials parameters are present then the EMAIL2 Configuration Service Provider will be considered in error.
- If some of the outgoing server credentials parameters are present, then the EMAIL2 Configuration Service Provider will be considered in error.
- Account details cannot be queried unless the account GUID is known. Currently, there is no way to perform a top-level query for account GUIDs.
- Account details cannot be queried unless the account GUID is known. Currently, there's no way to perform a top-level query for account GUIDs.
Windows 10 Mobile supports Transport Layer Security (TLS), but this cannot be explicitly enabled through this configuration service provider, and the user cannot enable TLS through the UI. If the connection to the mail server is initiated with deferred SSL, the mail server can send STARTTLS as a server capability and TLS will be enabled. The following steps show how to enable TLS.
If the connection to the mail server is initiated with deferred SSL, the mail server can send STARTTLS as a server capability and TLS will be enabled. The following steps show how to enable TLS.
1. The device attempts to connect to the mail server using SSL.
2. If the SSL connection fails, the device attempts to connect using deferred SSL.
3. If the connection fails over both SSL and deferred SSL, and the user selected **Server requires encrypted (SSL) connection**, the device does not attempt another connection.
3. If the connection fails over both SSL and deferred SSL, and the user selected **Server requires encrypted (SSL) connection**, the device doesn't attempt another connection.
4. If the user did not select **Server requires encrypted (SSL) connection**, the device attempts to establish a non-SSL connection.
4. If the user didn't select **Server requires encrypted (SSL) connection**, the device attempts to establish a non-SSL connection.
5. If the connection succeeds using any of the encryption protocols, the device requests the server capabilities.
6. If one of the capabilities sent by the mail server is STARTTLS and the connection is deferred SSL, the device enables TLS. TLS is not enabled on connections using SSL or non-SSL.
6. If one of the capabilities sent by the mail server is STARTTLS and the connection is deferred SSL, then the device enables TLS. TLS isn't enabled on connections using SSL or non-SSL.
## Related topics
## Related articles
[Configuration service provider reference](configuration-service-provider-reference.md)
 
 

233
windows/client-management/mdm/enterprise-app-management.md
View File

@ -1,6 +1,6 @@
---
title: Enterprise app management
description: This topic covers one of the key mobile device management (MDM) features in Windows 10 for managing the lifecycle of apps across all of Windows.
description: This article covers one of the key mobile device management (MDM) features in Windows 10 for managing the lifecycle of apps across all of Windows.
ms.assetid: 225DEE61-C3E3-4F75-BC79-5068759DFE99
ms.reviewer:
manager: dansimp
@ -14,7 +14,7 @@ ms.date: 10/04/2021
# Enterprise app management
This topic covers one of the key mobile device management (MDM) features in Windows 10 for managing the lifecycle of apps across all of Windows. It is the ability to manage both Store and non-Store apps as part of the native MDM capabilities. New in Windows 10 is the ability to take inventory of all your apps.
This article covers one of the key mobile device management (MDM) features in Windows 10. It manages the lifecycle of apps across all of Windows. It's the ability to manage both Store and non-Store apps as part of the native MDM capabilities. New in Windows 10 is the ability to take inventory of all your apps.
## Application management goals
@ -26,20 +26,20 @@ Windows 10 offers the ability for management servers to:
- Inventory all apps for a user (Store and non-Store apps)
- Inventory all apps for a device (Store and non-Store apps)
- Uninstall all apps for a user (Store and non-Store apps)
- Provision apps so they are installed for all users of a device running Windows 10 for desktop editions (Home, Pro, Enterprise, and Education)
- Provision apps so they're installed for all users of a device running Windows 10 for desktop editions (Home, Pro, Enterprise, and Education)
- Remove the provisioned app on the device running Windows 10 for desktop editions
## Inventory your apps
Windows 10 lets you inventory all apps deployed to a user and all apps for all users of a device on Windows 10 for desktop editions. The [EnterpriseModernAppManagement](enterprisemodernappmanagement-csp.md) configuration service provider (CSP) inventories packaged apps and does not include traditional Win32 apps installed via MSI or executables. When the apps are inventoried they are separated based on the following app classifications:
Windows 10 lets you inventory all apps deployed to a user, and inventory all apps for all users of a device on Windows 10 for desktop editions. The [EnterpriseModernAppManagement](enterprisemodernappmanagement-csp.md) configuration service provider (CSP) inventories packaged apps and doesn't include traditional Win32 apps installed via MSI or executables. When the apps are inventoried, they're separated based on the following app classifications:
- Store - Apps that are from the Microsoft Store. Apps can be directly installed from the Store or delivered with the enterprise from the Store for Business
- nonStore - Apps that were not acquired from the Microsoft Store.
- System - Apps that are part of the OS. You cannot uninstall these apps. This classification is read-only and can only be inventoried.
- nonStore - Apps that weren't acquired from the Microsoft Store.
- System - Apps that are part of the OS. You can't uninstall these apps. This classification is read-only and can only be inventoried.
These classifications are represented as nodes in the EnterpriseModernAppManagement CSP.
The following shows the EnterpriseModernAppManagement CSP in a tree format.
The following information shows the EnterpriseModernAppManagement CSP in a tree format:
```console
./Device/Vendor/MSFT
@ -145,13 +145,10 @@ EnterpriseAppManagement
Each app displays one package family name and 1-n package full names for installed apps. The apps are categorized based on their origin (Store, nonStore, System).
Inventory can be performed recursively at any level from the AppManagement node through the package full name. Inventory can also be performed only for a specific inventory attribute.
Inventory can run recursively at any level from the AppManagement node through the package full name. Inventory can also run only for a specific inventory attribute.
Inventory is specific to the package full name and lists bundled packs and resources packs as applicable under the package family name.
> [!NOTE]
> On Windows 10 Mobile, XAP packages have the product ID in place of both the package family name and package full name.
Here are the nodes for each package full name:
- Name
@ -172,11 +169,11 @@ For detailed descriptions of each node, see [EnterpriseModernAppManagement CSP](
### App inventory
You can use the EnterpriseModernAppManagement CSP to query for all apps installed for a user or device. The query returns all apps regardless if they were installed via MDM or other methods. Inventory can be performed at the user or device level. Inventory at the device level will return information for all users on the device.
You can use the EnterpriseModernAppManagement CSP to query for all apps installed for a user or device. The query returns all apps, even if they were installed using MDM or other methods. Inventory can run at the user or device level. Inventory at the device level will return information for all users on the device.
Note that performing a full inventory of a device can be resource intensive on the client based on the hardware and number of apps that are installed. The data returned can also be very large. You may want to chunk these requests to reduce the impact to clients and network traffic.
Doing a full inventory of a device can be resource-intensive based on the hardware and number of apps that are installed. The data returned can also be large. You may want to chunk these requests to reduce the impact to clients and network traffic.
Here is an example of a query for all apps on the device.
Here's an example of a query for all apps on the device.
```xml
<!-- Get all apps under AppManagement -->
@ -190,7 +187,7 @@ Here is an example of a query for all apps on the device.
</Get>
```
Here is an example of a query for a specific app for a user.
Here's an example of a query for a specific app for a user.
```xml
<!-- Get all information of a specific app for a user -->
@ -206,7 +203,7 @@ Here is an example of a query for a specific app for a user.
### Store license inventory
You can use the EnterpriseModernAppManagement CSP to query for all app licenses installed for a user or device. The query returns all app licenses regardless if they were installed via MDM or other methods. Inventory can be performed at the user or device level. Inventory at the device level will return information for all users on the device.
You can use the EnterpriseModernAppManagement CSP to query for all app licenses installed for a user or device. The query returns all app licenses, event if they were installed via MDM or other methods. Inventory can run at the user or device level. Inventory at the device level will return information for all users on the device.
Here are the nodes for each license ID:
@ -219,7 +216,7 @@ For detailed descriptions of each node, see [EnterpriseModernAppManagement CSP](
> [!NOTE]
> The LicenseID in the CSP is the content ID for the license.
Here is an example of a query for all app licenses on a device.
Here's an example of a query for all app licenses on a device.
```xml
<!-- Get all app licenses for the device -->
@ -233,7 +230,7 @@ Here is an example of a query for all app licenses on a device.
</Get>
```
Here is an example of a query for all app licenses for a user.
Here's an example of a query for all app licenses for a user.
```xml
<!-- Get a specific app license for a user -->
@ -249,13 +246,13 @@ Here is an example of a query for all app licenses for a user.
## Enable the device to install non-Store apps
There are two basic types of apps you can deploy: Store apps and enterprise signed apps. To deploy enterprise signed apps, you must enable a setting on the device to allow trusted apps. The apps can be signed by a Microsoft approved root (such as Symantec), an enterprise deployed root or apps that are self-signed. This section covers the steps to configure the device for non-store app deployment.
There are two basic types of apps you can deploy: Store apps and enterprise signed apps. To deploy enterprise signed apps, you must enable a setting on the device to allow trusted apps. The apps can be signed by a Microsoft approved root (such as Symantec), an enterprise deployed root, or apps that are self-signed. This section covers the steps to configure the device for non-store app deployment.
### Unlock the device for non-Store apps
To deploy app that are not from the Microsoft Store, you must configure the ApplicationManagement/AllowAllTrustedApps policy. This policy allows the installation of non-Store apps on the device provided that there is a chain to a certificate on the device. The app can be signed with a root certificate on the device (such as Symantec Enterprise), an enterprise owned root certificate, or a peer trust certificate deployed on the device. For more information about deploying user license, see [Deploy an offline license to a user](#deploy-an-offline-license-to-a-user).
To deploy apps that aren't from the Microsoft Store, you must configure the ApplicationManagement/AllowAllTrustedApps policy. This policy allows the installation of non-Store apps on the device if there's a chain to a certificate on the device. The app can be signed with a root certificate on the device (such as Symantec Enterprise), an enterprise owned root certificate, or a peer trust certificate deployed on the device. For more information about deploying user license, see [Deploy an offline license to a user](#deploy-an-offline-license-to-a-user).
The AllowAllTrustedApps policy enables the installation apps that are trusted by a certificate in the Trusted People on the device or a root certificate in the Trusted Root of the device. The policy is not configured by default, which means only apps from the Microsoft Store can be installed. If the management server implicitly sets the value to off, the setting is disabled in the settings panel on the device.
The AllowAllTrustedApps policy enables the installation apps that are trusted by a certificate in the Trusted People on the device, or a root certificate in the Trusted Root of the device. The policy isn't configured by default, which means only apps from the Microsoft Store can be installed. If the management server implicitly sets the value to off, the setting is disabled in the settings panel on the device.
For more information about the AllowAllTrustedApps policy, see [Policy CSP](policy-configuration-service-provider.md).
@ -291,13 +288,13 @@ Here are some examples.
Development of apps on Windows 10 no longer requires a special license. You can enable debugging and deployment of non-packaged apps using ApplicationManagement/AllowDeveloperUnlock policy in Policy CSP.
AllowDeveloperUnlock policy enables the development mode on the device. The AllowDeveloperUnlock is not configured by default, which means only Microsoft Store apps can be installed. If the management server explicitly sets the value to off, the setting is disabled in the settings panel on the device.
AllowDeveloperUnlock policy enables the development mode on the device. The AllowDeveloperUnlock isn't configured by default, which means only Microsoft Store apps can be installed. If the management server explicitly sets the value to off, the setting is disabled in the settings panel on the device.
Deployment of apps to Windows 10 for desktop editions requires that there is a chain to a certificate on the device. The app can be signed with a root certificate on the device (such as Symantec Enterprise), an enterprise owned root certificate, or a peer trust certificate deployed on the device. Deployment to Windows 10 Mobile does not validate whether the non-Store apps have a valid root of trust on the device.
Deployment of apps to Windows 10 for desktop editions requires that there's a chain to a certificate on the device. The app can be signed with a root certificate on the device (such as Symantec Enterprise), an enterprise owned root certificate, or a peer trust certificate deployed on the device.
For more information about the AllowDeveloperUnlock policy, see [Policy CSP](policy-configuration-service-provider.md).
Here is an example.
Here's an example.
```xml
<!-- Get policy (Default)-->
@ -327,20 +324,20 @@ Here is an example.
## Install your apps
You can install apps to a specific user or to all users of a device. Apps are installed directly from the Microsoft Store or in some cases from a host location, such as a local disk, UNC path, or HTTPS location. Use the AppInstallation node of the [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) to install apps.
You can install apps to a specific user or to all users of a device. Apps are installed directly from the Microsoft Store. Or, they're installed from a host location, such as a local disk, UNC path, or HTTPS location. Use the AppInstallation node of the [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) to install apps.
### Deploy apps to user from the Store
To deploy an app to a user directly from the Microsoft Store, the management server performs an Add and Exec commands on the AppInstallation node of the EnterpriseModernAppManagement CSP. This is only supported in the user context and not supported in the device context.
To deploy an app to a user directly from the Microsoft Store, the management server runs an Add and Exec command on the AppInstallation node of the EnterpriseModernAppManagement CSP. This feature is only supported in the user context, and not supported in the device context.
If you purchased an app from the Store for Business and the app is specified for an online license, the app and license must be acquired directly from the Microsoft Store.
If you purchased an app from the Store for Business and the app is specified for an online license, then the app and license must be acquired directly from the Microsoft Store.
Here are the requirements for this scenario:
- The app is assigned to a user Azure Active Directory (AAD) identity in the Store for Business. You can do this directly in the Store for Business or through a management server.
- The app is assigned to a user Azure Active Directory (Azure AD) identity in the Store for Business. You can assign directly in the Store for Business or through a management server.
- The device requires connectivity to the Microsoft Store.
- Microsoft Store services must be enabled on the device. Note that the UI for the Microsoft Store can be disabled by the enterprise admin.
- The user must be signed in with their AAD identity.
- Microsoft Store services must be enabled on the device. The UI for the Microsoft Store can be disabled by the enterprise admin.
- The user must be signed in with their Azure AD identity.
Here are some examples.
@ -364,9 +361,9 @@ Here are the changes from the previous release:
1. The "{CatID}" reference should be updated to "{ProductID}". This value is acquired as a part of the Store for Business management tool.
2. The value for flags can be "0" or "1"
When using "0" the management tool calls back to the Store for Business sync to assign a user a seat of an application. When using "1" the management tool does not call back in to the Store for Business sync to assign a user a seat of an application. The CSP will claim a seat if one is available.
When using "0", the management tool calls back to the Store for Business sync to assign a user a seat of an application. When using "1", the management tool doesn't call back in to the Store for Business sync to assign a user a seat of an application. The CSP will claim a seat if one is available.
3. The skuid is a new parameter that is required. This value is acquired as a part of the Store for Business to management tool sync.
3. The `skuid` is a new parameter that is required. This value is acquired as a part of the Store for Business to management tool sync.
### Deploy an offline license to a user
@ -376,10 +373,10 @@ The app license only needs to be deployed as part of the initial installation of
In the SyncML, you need to specify the following information in the Exec command:
- License ID - This is specified in the LocURI. The License ID for the offline license is referred to as the "Content ID" in the license file. You can retrieve this information from the Base64 encoded license download from the Store for Business.
- License Content - This is specified in the data section. The License Content is the Base64 encoded blob of the license.
- License ID - This ID is specified in the LocURI. The License ID for the offline license is referred to as the "Content ID" in the license file. You can retrieve this information from the Base64 encoded license download from the Store for Business.
- License Content - This content is specified in the data section. The License Content is the Base64 encoded blob of the license.
Here is an example of an offline license installation.
Here's an example of an offline license installation.
```xml
<Exec>
@ -405,15 +402,15 @@ Here are the requirements for this scenario:
- The location of the app can be a local files system (C:\\StagedApps\\app1.appx), a UNC path (\\\\server\\share\\app1.apx), or an HTTPS location (https://contoso.com/app1.appx\_
- The user must have permission to access the content location. For HTTPs, you can use server authentication or certificate authentication using a certificate associated with the enrollment. HTTP locations are supported, but not recommended because of lack of authentication requirements.
- The device does not need to have connectivity to the Microsoft Store, store services, or the have the Microsoft Store UI be enabled.
- The user must be logged in, but association with AAD identity is not required.
- The device doesn't need to have connectivity to the Microsoft Store, store services, or have the Microsoft Store UI be enabled.
- The user must be logged in, but association with Azure AD identity isn't required.
> [!NOTE]
> You must unlock the device to deploy nonStore apps or you must deploy the app license before deploying the offline apps. For details, see [Deploy an offline license to a user](#deploy-an-offline-license-to-a-user).
The Add command for the package family name is required to ensure proper removal of the app at unenrollment.
Here is an example of a line-of-business app installation.
Here's an example of a line-of-business app installation.
```xml
<!-- Add PackageFamilyName -->
@ -440,7 +437,7 @@ Here is an example of a line-of-business app installation.
</Exec>
```
Here is an example of an app installation with dependencies.
Here's an example of an app installation with dependencies.
```xml
<!-- Add PackageFamilyName -->
@ -474,7 +471,7 @@ Here is an example of an app installation with dependencies.
</Exec>
```
Here is an example of an app installation with dependencies and optional packages.
Here's an example of an app installation with dependencies and optional packages.
```xml
<!-- Add PackageFamilyName -->
@ -516,23 +513,23 @@ Here is an example of an app installation with dependencies and optional package
### Provision apps for all users of a device
Provisioning allows you to stage the app to the device and all users of the device can have the app registered on their next login. This is only supported for app purchased from the Store for Business and the app is specified for an offline license or the app is a non-Store app. The app must be offered from a hosted location. The app is installed as a local system. To install to a local file share, the 'local system' of the device must have access to the share.
Provisioning allows you to stage the app to the device and all users of the device can have the app registered on their next login. This feature is only supported for app purchased from the Store for Business, and the app is specified for an offline license or the app is a non-Store app. The app must be offered from a hosted location. The app is installed as a local system. To install to a local file share, the 'local system' of the device must have access to the share.
Here are the requirements for this scenario:
- The location of the app can be the local files system (C:\\StagedApps\\app1.appx), a UNC path (\\\\server\\share\\app1.apx), or an HTTPS location (https://contoso.com/app1.appx\_
- The user must have permission to access the content location. For HTTPs, you can use server authentication or certificate authentication using a certificate associated with the enrollment. HTTP locations are supported, but not recommended because of lack of authentication requirements.
- The device does not need to have connectivity to the Microsoft Store, or store services enabled.
- The device does not need any AAD identity or domain membership.
- The device doesn't need to have connectivity to the Microsoft Store, or store services enabled.
- The device doesn't need any Azure AD identity or domain membership.
- For nonStore app, your device must be unlocked.
- For Store offline apps, the required licenses must be deployed prior to deploying the apps.
- For Store offline apps, the required licenses must be deployed before deploying the apps.
To provision app for all users of a device from a hosted location, the management server performs an Add and Exec command on the AppInstallation node in the device context. The Add command for the package family name is required to ensure proper removal of the app at unenrollment.
To provision app for all users of a device from a hosted location, the management server runs an Add and Exec command on the AppInstallation node in the device context. The Add command for the package family name is required to ensure proper removal of the app at unenrollment.
> [!NOTE]
> When you remove the provisioned app, it will not remove it from the users that already installed the app.
Here is an example of app installation.
Here's an example of app installation.
> [!NOTE]
> This is only supported in Windows 10 for desktop editions.
@ -564,12 +561,12 @@ Here is an example of app installation.
The HostedInstall Exec command contains a Data node that requires an embedded XML. Here are the requirements for the data XML:
- Application node has a required parameter, PackageURI, which can be a local file location, UNC, or HTTPs location.
- Application node has a required parameter, PackageURI, which can be a local file location, UNC, or HTTPS location.
- Dependencies can be specified if required to be installed with the package. This is optional.
The DeploymentOptions parameter is only available in the user context.
Here is an example of app installation with dependencies.
Here's an example of app installation with dependencies.
> [!NOTE]
> This is only supported in Windows 10 for desktop editions.
@ -608,22 +605,22 @@ Here is an example of app installation with dependencies.
### Get status of app installations
When an app installation is completed, a Windows notification is sent. You can also query the status of using the AppInstallation node. Here is the list of information you can get back in the query:
When an app installation is completed, a Windows notification is sent. You can also query the status of using the AppInstallation node. Here's the list of information you can get back in the query:
- Status - indicates the status of app installation.
- NOT\_INSTALLED (0) - The node was added, but the execution was not completed.
- INSTALLING (1) - Execution has started, but the deployment has not completed. If the deployment completes regardless of success this value is updated.
- NOT\_INSTALLED (0) - The node was added, but the execution wasn't completed.
- INSTALLING (1) - Execution has started, but the deployment hasn't completed. If the deployment completes regardless of success, then this value is updated.
- FAILED (2) - Installation failed. The details of the error can be found under LastError and LastErrorDescription.
- INSTALLED (3) - Once an install is successful this node is cleaned up, however in the event the clean up action has not completed, this state may briefly appear.
- LastError - This is the last error reported by the app deployment server.
- INSTALLED (3) - Once an install is successful this node is cleaned up. If the clean up action hasn't completed, then this state may briefly appear.
- LastError - The last error reported by the app deployment server.
- LastErrorDescription - Describes the last error reported by the app deployment server.
- Status - This is an integer that indicates the progress of the app installation. In cases of an https location, this shows the estimated download progress.
- Status - An integer that indicates the progress of the app installation. In cases of an HTTPS location, this status shows the estimated download progress.
Status is not available for provisioning and only used for user-based installations. For provisioning, the value is always 0.
Status isn't available for provisioning and only used for user-based installations. For provisioning, the value is always 0.
When an app is installed successfully, the node is cleaned up and no longer present. The status of the app can be reported under the AppManagement node.
Here is an example of a query for a specific app installation.
Here's an example of a query for a specific app installation.
```xml
<!-- Get all app status under AppInstallation for a specific app-->
@ -637,7 +634,7 @@ Here is an example of a query for a specific app installation.
</Get>
```
Here is an example of a query for all app installations.
Here's an example of a query for all app installations.
```xml
<!-- Get all app status under AppInstallation-->
@ -653,9 +650,9 @@ Here is an example of a query for all app installations.
### Alert for installation completion
Application installations can take some time to complete, hence they are done asynchronously. When the Exec command is completed, the client sends a notification to the management server with a status, whether it's a failure or success.
Application installations can take some time to complete. So, they're done asynchronously. When the Exec command is completed, the client sends a notification to the management server with a status, whether it's a failure or success.
Here is an example of an alert.
Here's an example of an alert.
```xml
<Alert>
@ -676,10 +673,10 @@ Here is an example of an alert.
For user-based installation, use the ./User path and for provisioning of apps, use the ./Device path.
The Data field value of 0 (zero) indicates success, otherwise it is an error code. If there is a failure, you can get more details from the AppInstallation node.
The Data field value of 0 (zero) indicates success. Otherwise it's an error code. If there's a failure, you can get more details from the AppInstallation node.
> [!NOTE]
> At this time, the alert for Store app installation is not yet available.
> At this time, the alert for Store app installation isn't yet available.
## Uninstall your apps
@ -687,12 +684,12 @@ The Data field value of 0 (zero) indicates success, otherwise it is an error cod
You can uninstall apps from users from Windows 10 devices. To uninstall an app, you delete it from the AppManagement node of the CSP. Within the AppManagement node, packages are organized based on their origin according to the following nodes:
- AppStore - These apps are for the Microsoft Store. Apps can be directly installed from the store or delivered to the enterprise from the Store for Business.
- nonStore - These apps that were not acquired from the Microsoft Store.
- System - These apps are part of the OS. You cannot uninstall these apps.
- nonStore - These apps that weren't acquired from the Microsoft Store.
- System - These apps are part of the OS. You can't uninstall these apps.
To uninstall an app, you delete it under the origin node, package family name, and package full name. To uninstall a XAP, use the product ID in place of the package family name and package full name.
Here is an example for uninstalling all versions of an app for a user.
Here's an example for uninstalling all versions of an app for a user.
```xml
<!-- Uninstall App for a Package Family-->
@ -706,7 +703,7 @@ Here is an example for uninstalling all versions of an app for a user.
</Delete>
```
Here is an example for uninstalling a specific version of the app for a user.
Here's an example for uninstalling a specific version of the app for a user.
```xml
<!-- Uninstall App for a specific package full name-->
@ -722,7 +719,7 @@ Here is an example for uninstalling a specific version of the app for a user.
### Removed provisioned apps from a device
You can remove provisioned apps from a device for a specific version or for all versions of a package family. When a provisioned app is removed, it is not available to future users for the device. Logged in users who has the app registered to them will continue to have access to the app. If you want to removed the app for those users, you must explicitly uninstall the app for those users.
You can remove provisioned apps from a device for a specific version, or for all versions of a package family. When a provisioned app is removed, it isn't available to future users for the device. Logged in users who have the app registered to them will continue to have access to the app. If you want to remove the app for those users, you must explicitly uninstall the app for those users.
> [!NOTE]
> You can only remove an app that has an inventory value IsProvisioned = 1.
@ -730,7 +727,7 @@ You can remove provisioned apps from a device for a specific version or for all
Removing provisioned app occurs in the device context.
Here is an example for removing a provisioned app from a device.
Here's an example for removing a provisioned app from a device.
```xml
<!— Remove Provisioned App for a Package Family-->
@ -744,7 +741,7 @@ Here is an example for removing a provisioned app from a device.
</Delete>
```
Here is an example for removing a specific version of a provisioned app from a device:
Here's an example for removing a specific version of a provisioned app from a device:
```xml
<!-- Remove Provisioned App for a specific package full name-->
@ -762,7 +759,7 @@ Here is an example for removing a specific version of a provisioned app from a d
You can remove app licenses from a device per app based on the content ID.
Here is an example for removing an app license for a user.
Here's an example for removing an app license for a user.
```xml
<!-- Remove App License for a User-->
@ -776,7 +773,7 @@ Here is an example for removing an app license for a user.
</Delete>
```
Here is an example for removing an app license for a provisioned package (device context).
Here's an example for removing an app license for a provisioned package (device context).
```xml
<!-- Remove App License for a provisioned package (device) -->
@ -792,11 +789,11 @@ Here is an example for removing an app license for a provisioned package (device
### Alert for app uninstallation
Uninstallation of an app can take some time complete, hence the uninstallation is performed asynchronously. When the Exec command is completed, the client sends a notification to the management server with a status, whether it's a failure or success.
Uninstallation of an app can take some time complete. So, the uninstall is run asynchronously. When the Exec command is completed, the client sends a notification to the management server with a status, whether it's a failure or success.
For user-based uninstallation, use ./User in the LocURI, and for provisioning, use ./Device in the LocURI.
Here is an example. There is only one uninstall for hosted and store apps.
Here's an example. There's only one uninstall for hosted and store apps.
```xml
<Alert>
@ -822,7 +819,7 @@ Apps installed on a device can be updated using the management server. Apps can
To update an app from Microsoft Store, the device requires contact with the store services.
Here is an example of an update scan.
Here's an example of an update scan.
```xml
<!— Initiate a update scan for a user-->
@ -836,7 +833,7 @@ Here is an example of an update scan.
</Exec>
```
Here is an example of a status check.
Here's an example of a status check.
```xml
<!— Get last error related to the update scan-->
@ -860,11 +857,11 @@ A provisioned app automatically updates when an app update is sent to the user.
### Prevent app from automatic updates
You can prevent specific apps from being automatically updated. This allows you to turn on auto-updates for apps, with specific apps excluded as defined by the IT admin.
You can prevent specific apps from being automatically updated. This feature allows you to turn on auto-updates for apps, with specific apps excluded as defined by the IT admin.
Turning off updates only applies to updates from the Microsoft Store at the device level. This feature is not available at a user level. You can still update an app if the offline packages is pushed from hosted install location.
Turning off updates only applies to updates from the Microsoft Store at the device level. This feature isn't available at a user level. You can still update an app if the offline packages are pushed from hosted install location.
Here is an example.
Here's an example.
```xml
<!— Prevent app from being automatically updated-->
@ -882,96 +879,24 @@ Here is an example.
</Replace>
```
## Additional app management scenarios
## More app management scenarios
The following subsections provide information about additional settings configurations.
### Restrict app installation to the system volume
You can install app on non-system volumes, such as a secondary partition or removable media (USB or SD cards). Using the RestrictApptoSystemVolume policy, you can prevent apps from getting installed or moved to non-system volumes. For more information about this policy, see [Policy CSP](policy-configuration-service-provider.md).
> [!NOTE]
> This is only supported in mobile devices.
Here is an example.
```xml
<!-- Get policy (Default)-->
<Get>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/Policy/Result/ApplicationManagement/RestrictAppToSystemVolume?list=StructData</LocURI>
</Target>
</Item>
</Get>
<!-- Update policy -->
<Replace>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/Policy/Config/ApplicationManagement/RestrictAppToSystemVolume</LocURI>
</Target>
<Meta>
<Format>int</Format>
<Type>text/plain</Type>
</Meta>
<Data>1</Data>
</Item>
</Replace>
```
### Restrict AppData to the system volume
In Windows 10 Mobile IT administrators can set a policy to restrict user application data for a Microsoft Store app to the system volume, regardless of where the package is installed or moved.
> [!NOTE]
> The feature is only for Windows 10 Mobile.
The RestrictAppDataToSystemVolume policy in [Policy CSP](policy-configuration-service-provider.md) enables you to restrict all user application data to stay on the system volume. When the policy is not configured or if it is disabled, and you move a package or when it is installed to a difference volume, then the user application data will moved to the same volume. You can set this policy to 0 (off, default) or 1.
Here is an example.
```xml
<!-- Get policy (Default)-->
<Get>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/Policy/Result/ApplicationManagement/RestrictAppDataToSystemVolume?list=StructData</LocURI>
</Target>
</Item>
</Get>
<!-- Update policy -->
<Replace>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/Policy/Config/ApplicationManagement/RestrictAppDataToSystemVolume</LocURI>
</Target>
<Meta>
<Format>int</Format>
<Type>text/plain</Type>
</Meta>
<Data>1</Data>
</Item>
</Replace>
```
The following subsections provide information about more settings configurations.
### Enable shared user app data
The Universal Windows app has the ability to share application data between the users of the device. The ability to share data can be set at a package family level or per device.
The Universal Windows app can share application data between the users of the device. The ability to share data can be set at a package family level or per device.
> [!NOTE]
> This is only applicable to multi-user devices.
The AllowSharedUserAppData policy in [Policy CSP](policy-configuration-service-provider.md) enables or disables app packages to share data between app packages when there are multiple users. If you enable this policy, applications can share data between packages in their package family. Data can be shared through ShareLocal folder for that package family and local machine. This folder is available through the Windows.Storage API.
If you disable this policy, applications cannot share user application data among multiple users. However, pre-written shared data will persist. The clean pre-written shared data, use DISM ((/Get-ProvisionedAppxPackage to detect if there is any shared data, and /Remove-SharedAppxData to remove it).
If you disable this policy, applications can't share user application data among multiple users. However, pre-written shared data will persist. The clean pre-written shared data, use DISM ((/Get-ProvisionedAppxPackage to detect if there's any shared data, and /Remove-SharedAppxData to remove it).
The valid values are 0 (off, default value) and 1 (on).
Here is an example.
Here's an example.
```xml
<!-- Get policy (Default)-->

1
windows/client-management/mdm/index.md
View File

@ -40,6 +40,7 @@ The MDM security baseline includes policies that cover the following areas:
For more details about the MDM policies defined in the MDM security baseline and what Microsofts recommended baseline policy values are, see:
- [MDM Security baseline for Windows 11](https://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/Windows11-MDM-SecurityBaseLine-Document.zip)
- [MDM Security baseline for Windows 10, version 2004](https://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/2004-MDM-SecurityBaseLine-Document.zip)
- [MDM Security baseline for Windows 10, version 1909](https://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/1909-MDM-SecurityBaseLine-Document.zip)
- [MDM Security baseline for Windows 10, version 1903](https://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/1903-MDM-SecurityBaseLine-Document.zip)

1
windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
View File

@ -29,7 +29,6 @@ ms.date: 07/22/2020
- [Defender/AllowFullScanOnMappedNetworkDrives](policy-csp-defender.md#defender-allowfullscanonmappednetworkdrives)
- [Defender/AllowFullScanRemovableDriveScanning](policy-csp-defender.md#defender-allowfullscanremovabledrivescanning)
- [Defender/AllowIOAVProtection](policy-csp-defender.md#defender-allowioavprotection)
- [Defender/AllowIntrusionPreventionSystem](policy-csp-defender.md#defender-allowintrusionpreventionsystem)
- [Defender/AllowOnAccessProtection](policy-csp-defender.md#defender-allowonaccessprotection)
- [Defender/AllowRealtimeMonitoring](policy-csp-defender.md#defender-allowrealtimemonitoring)
- [Defender/AllowScanningNetworkFiles](policy-csp-defender.md#defender-allowscanningnetworkfiles)

3
windows/client-management/mdm/policy-configuration-service-provider.md
View File

@ -5841,9 +5841,6 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
<dd>
<a href="./policy-csp-defender.md#defender-allowioavprotection" id="defender-allowioavprotection">Defender/AllowIOAVProtection</a>
</dd>
<dd>
<a href="./policy-csp-defender.md#defender-allowintrusionpreventionsystem" id="defender-allowintrusionpreventionsystem">Defender/AllowIntrusionPreventionSystem</a>
</dd>
<dd>
<a href="./policy-csp-defender.md#defender-allowonaccessprotection" id="defender-allowonaccessprotection">Defender/AllowOnAccessProtection</a>
</dd>

448
windows/client-management/mdm/policy-csp-browser.md
View File

File diff suppressed because it is too large Load Diff

72
windows/client-management/mdm/policy-csp-defender.md
View File

@ -43,9 +43,6 @@ manager: dansimp
<dd>
<a href="#defender-allowioavprotection">Defender/AllowIOAVProtection</a>
</dd>
<dd>
<a href="#defender-allowintrusionpreventionsystem">Defender/AllowIntrusionPreventionSystem</a>
</dd>
<dd>
<a href="#defender-allowonaccessprotection">Defender/AllowOnAccessProtection</a>
</dd>
@ -690,75 +687,6 @@ The following list shows the supported values:
<hr/>
<!--Policy-->
<a href="" id="defender-allowintrusionpreventionsystem"></a>**Defender/AllowIntrusionPreventionSystem**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Pro</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Business</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
Allows or disallows Windows Defender Intrusion Prevention functionality.
<!--/Description-->
<!--SupportedValues-->
The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="defender-allowonaccessprotection"></a>**Defender/AllowOnAccessProtection**

46
windows/client-management/mdm/policy-csp-security.md
View File

@ -123,51 +123,11 @@ The following list shows the supported values:
<!--Policy-->
<a href="" id="security-allowautomaticdeviceencryptionforazureadjoineddevices"></a>**Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Business</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Description-->
> [!NOTE]
> This policy has been deprecated in Windows 10, version 1607
<br>
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
>
> - This policy is deprecated in Windows 10, version 1607.<br/>
> - This policy is only enforced in Windows 10 for desktop.
Specifies whether to allow automatic [device encryption](/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) during OOBE when the device is Azure AD joined.

8
windows/client-management/mdm/policy-csp-start.md
View File

@ -2215,22 +2215,22 @@ To validate on Desktop, do the following:
<tr>
<td>Pro</td>
<td>Yes</td>
<td>Yes</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>Yes</td>
<td>Yes</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
<td>No</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
<td>No</td>
</tr>
</table>

16
windows/client-management/mdm/policy-csp-update.md
View File

@ -3494,22 +3494,22 @@ This policy is deprecated. Use [Update/RequireUpdateApproval](#update-requireupd
<tr>
<td>Pro</td>
<td>Yes</td>
<td>Yes</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>Yes</td>
<td>Yes</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
<td>No</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
<td>No</td>
</tr>
</table>
@ -3569,22 +3569,22 @@ The following list shows the supported values:
<tr>
<td>Pro</td>
<td>Yes</td>
<td>Yes</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>Yes</td>
<td>Yes</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
<td>No</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
<td>No</td>
</tr>
</table>

8
windows/client-management/mdm/toc.yml
View File

@ -82,8 +82,6 @@ items:
href: bulk-assign-and-reclaim-seats-from-user.md
- name: Get seats assigned to a user
href: get-seats-assigned-to-a-user.md
- name: Enable offline upgrades to Windows 10 for Windows Embedded 8.1 Handheld devices
href: enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md
- name: Certificate renewal
href: certificate-renewal-windows-mdm.md
- name: Disconnecting from the management infrastructure (unenrollment)
@ -151,8 +149,6 @@ items:
items:
- name: BitLocker DDF file
href: bitlocker-ddf-file.md
- name: BOOTSTRAP CSP
href: bootstrap-csp.md
- name: BrowserFavorite CSP
href: browserfavorite-csp.md
- name: CellularSettings CSP
@ -174,8 +170,6 @@ items:
href: clientcertificateinstall-ddf-file.md
- name: CM_CellularEntries CSP
href: cm-cellularentries-csp.md
- name: CM_ProxyEntries CSP
href: cm-proxyentries-csp.md
- name: CMPolicy CSP
href: cmpolicy-csp.md
- name: CMPolicyEnterprise CSP
@ -203,8 +197,6 @@ items:
items:
- name: DeveloperSetup DDF
href: developersetup-ddf.md
- name: DeviceInstanceService CSP
href: deviceinstanceservice-csp.md
- name: DeviceLock CSP
href: devicelock-csp.md
items:

8
windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
ms.date: 10/11/2021
ms.date: 11/02/2021
ms.reviewer:
manager: dansimp
---
@ -266,7 +266,7 @@ ADMX Info:
<!--/ADMXMapped-->
<a href="" id="status"></a>**Status**
Returns bitmask that indicates status of Application Guard installation and pre-requisites on the device.
Returns bitmask that indicates status of Application Guard installation for Microsoft Edge and prerequisites on the device.
Value type is integer. Supported operation is Get.
@ -275,11 +275,13 @@ Value type is integer. Supported operation is Get.
- Bit 2 - Set to 1 when the client machine has a valid OS license and SKU.
- Bit 3 - Set to 1 when Application Guard installed on the client machine.
- Bit 4 - Set to 1 when required Network Isolation Policies are configured.
> [!IMPORTANT]
> If you are deploying Application Guard via Intune, Network Isolation Policy must be configured to enable Application Guard for Microsoft Edge.
- Bit 5 - Set to 1 when the client machine meets minimum hardware requirements.
- Bit 6 - Set to 1 when system reboot is required.
<a href="" id="platformstatus"></a>**PlatformStatus**
Added in Windows 10, version 2004. Returns bitmask that indicates status of Application Guard platform installation and prerequisites on the device.
Added in Windows 10, version 2004. Applies to Microsoft Office/Generic platform. Returns bitmask that indicates status of Application Guard platform installation and prerequisites on the device.
Value type is integer. Supported operation is Get.

28
windows/configuration/TOC.yml
View File

@ -190,14 +190,8 @@
href: wcd/wcd-admxingestion.md
- name: AssignedAccess
href: wcd/wcd-assignedaccess.md
- name: AutomaticTime
href: wcd/wcd-automatictime.md
- name: Browser
href: wcd/wcd-browser.md
- name: CallAndMessagingEnhancement
href: wcd/wcd-callandmessagingenhancement.md
- name: Calling
href: wcd/wcd-calling.md
- name: CellCore
href: wcd/wcd-cellcore.md
- name: Cellular
@ -218,8 +212,6 @@
href: wcd/wcd-developersetup.md
- name: DeviceFormFactor
href: wcd/wcd-deviceformfactor.md
- name: DeviceInfo
href: wcd/wcd-deviceinfo.md
- name: DeviceManagement
href: wcd/wcd-devicemanagement.md
- name: DeviceUpdateCenter
@ -236,10 +228,6 @@
href: wcd/wcd-folders.md
- name: HotSpot
href: wcd/wcd-hotspot.md
- name: InitialSetup
href: wcd/wcd-initialsetup.md
- name: InternetExplorer
href: wcd/wcd-internetexplorer.md
- name: KioskBrowser
href: wcd/wcd-kioskbrowser.md
- name: Licensing
@ -248,22 +236,12 @@
href: wcd/wcd-location.md
- name: Maps
href: wcd/wcd-maps.md
- name: Messaging
href: wcd/wcd-messaging.md
- name: ModemConfigurations
href: wcd/wcd-modemconfigurations.md
- name: Multivariant
href: wcd/wcd-multivariant.md
- name: NetworkProxy
href: wcd/wcd-networkproxy.md
- name: NetworkQOSPolicy
href: wcd/wcd-networkqospolicy.md
- name: NFC
href: wcd/wcd-nfc.md
- name: OOBE
href: wcd/wcd-oobe.md
- name: OtherAssets
href: wcd/wcd-otherassets.md
- name: Personalization
href: wcd/wcd-personalization.md
- name: Policies
@ -272,12 +250,8 @@
href: wcd/wcd-privacy.md
- name: ProvisioningCommands
href: wcd/wcd-provisioningcommands.md
- name: RcsPresence
href: wcd/wcd-rcspresence.md
- name: SharedPC
href: wcd/wcd-sharedpc.md
- name: Shell
href: wcd/wcd-shell.md
- name: SMISettings
href: wcd/wcd-smisettings.md
- name: Start
@ -294,8 +268,6 @@
href: wcd/wcd-tabletmode.md
- name: TakeATest
href: wcd/wcd-takeatest.md
- name: TextInput
href: wcd/wcd-textinput.md
- name: Time
href: wcd/wcd-time.md
- name: UnifiedWriteFilter

70
windows/configuration/wcd/wcd-automatictime.md
View File

@ -1,70 +0,0 @@
---
title: AutomaticTime (Windows 10)
description: This section describes the AutomaticTime settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: greg-lindsay
ms.localizationpriority: medium
ms.author: greglin
ms.topic: article
ms.date: 04/30/2018
ms.reviewer:
manager: dansimp
---
# AutomaticTime (Windows Configuration Designer reference)
Use these settings to configure automatic time updates. Mobile devices primarily rely on Network Identify and Time zone (NITZ), which is provided by the mobile operator, to automatically update the time on the device. When NITZ is available from the cellular network, there are no issues maintaining accurate time in devices. However, for devices that do not have a SIM or have had the SIM removed for some time, or for devices that have a SIM but NITZ is not supported, the device may run into issues maintaining accurate time on the device.
The OS includes support for Network Time Protocol (NTP), which enables devices to receive time when NITZ is not supported or when cellular data is not available. NTP gets the time by querying a server at a specified time interval. NTP is based on Coordinated Universal Time (UTC) and doesn't support time zone or daylight saving time so users will need to manually update the time zone after an update from NTP if users move between time zones.
## Applies to
| Settings | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
| --- | :---: | :---: | :---: | :---: | :---: |
| [EnableAutomaticTime](#enableautomatictime) | | ✔️ | | | |
| [NetworkTimeUpdateThreshold](#networktimeupdatethreshold) | | ✔️ | | | |
| [NTPEnabled](#ntpenabled) | | ✔️ | | | |
| [NTPRegularSyncInterval](#ntpregularsyncinterval) | | ✔️ | | | |
| [NTPRetryInterval](#ntpretryinterval) | | ✔️ | | | |
| [NTPServer](#ntpserver) | | ✔️ | | | |
| [PreferredSlot](#preferredslot) | | ✔️ | | | |
## EnableAutomaticTime
Set to **True** to enable automatic time and to **False** to disable automatic time.
## NetworkTimeUpdateThreshold
Specify the difference (in number of seconds) between the NITZ information and the current device time before a device time update is triggered.
## NTPEnabled
Set to **True** to enable the NTP client and to **False** to disable the NTP client.
## NTPRegularSyncInterval
Set the regular sync interval for phones that are set to use Network Time Protocol (NTP) time servers. Select a value between `1` and `168` hours, inclusive, The default sync interval is `12` hours.
## NTPRetryInterval
Set the retry interval if the regular sync fails. Select a value between `1` and `24` hours, inclusive.
## NTPServer
Change the default NTP server for phones that are set to use NTP. To enumerate the NTP source server(s) used by the NTP client, set the value for NTPServer to a list of server names, delimited by semi-colons.
**Example**:
`ntpserver1.contoso.com;ntpserver2.fabrikam.com;ntpserver3.contoso.com`
The list should contain one or more server names. The default NTP source server value is `time.windows.com`.
## PreferredSlot
Specify which UICC slot will be preferred for NITZ handling on a C+G dual SIM phone.
- Set to `0` to use the UICC in Slot 0 for NITZ handling.
- Set to '1' to use the UICC in Slot 1 for NITZ handling.

42
windows/configuration/wcd/wcd-callandmessagingenhancement.md
View File

@ -1,42 +0,0 @@
---
title: CallAndMessageEnhancement (Windows 10)
description: This section describes the CallAndMessagingEnhancement settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: greg-lindsay
ms.localizationpriority: medium
ms.author: greglin
ms.topic: article
ms.date: 09/21/2017
ms.reviewer:
manager: dansimp
---
# CallAndMessagingEnhancement (Windows Configuration Designer reference)
Use to configure call origin and blocking apps.
>[!IMPORTANT]
>These settings are intended to be used only by manufacturers, mobile operators, and solution providers when configuring devices, and are not intended for use by administrators in the enterprise.
## Applies to
| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
| --- | :---: | :---: | :---: | :---: | :---: |
| [BlockingApp](#blockingapp) | | ✔️ | | | |
| [CallOriginApp](#calloriginapp) | | ✔️ | | | |
## BlockingApp
| Setting | Value | Description |
| --- | --- | --- |
| ActiveBlockingAppUserModelId | AUMID | The AUMID of the application that will be set as the active blocking app by default. |
| DefaultBlockingAppUserModelId | AUMID | The AUMID of the application that the OS will select as the active blocking app if the user uninstalls the current active blocking app. This app should be uninstallable. |
## CallOriginApp
| Setting | Value | Description |
| --- | --- | --- |
| ActiveCallOriginAppUserModelId | AUMID | The AUMID of the application to be set as the active call origin provider app by default. |
| DefaultCallOriginAppUserModelId | AUMID | The AUMID of the application that the OS will select as the active call origin provider app if the user uninstalls the current active call origin app. This app should be uninstallable. |

213
windows/configuration/wcd/wcd-calling.md
View File

@ -1,213 +0,0 @@
---
title: Calling (Windows 10)
description: This section describes the Calling settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: greg-lindsay
ms.localizationpriority: medium
ms.author: greglin
ms.topic: article
ms.date: 04/30/2018
ms.reviewer:
manager: dansimp
---
# Calling (Windows Configuration Designer reference)
Use to configure settings for Calling.
>[!IMPORTANT]
>These settings are intended to be used only by manufacturers, mobile operators, and solution providers when configuring devices, and are not intended for use by administrators in the enterprise.
## Applies to
| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
| --- | :---: | :---: | :---: | :---: | :---: |
| All settings | | ✔️ | | | |
## Branding
See [Branding for phone calls](/windows-hardware/customize/mobile/mcsf/branding-for-phone-calls).
## CallIDMatchOverrides
Enter a GEOID, select **Add**, and then enter the number of digits for matching caller ID.
For a list of GEOID codes and default number of digits for each country/region, see [Overriding the OS default minimu number of digits for caller ID matching](/windows-hardware/customize/mobile/mcsf/caller-id-matching#a-href-idoverriding-os-default-min-number-digitsaoverriding-the-os-default-minimum-number-of-digits-for-caller-id-matching).
## CauseCodeRegistrationTable
See [Cause codes](/windows-hardware/customize/mobile/mcsf/cause-codes).
## CDMAHeuristics
CDMA Heuristics (on by default) makes CDMA calling more user-friendly by exposing an interface that supports multiple calls with call waiting, swapping, and three-way calling.
For **CDMAPriorityCallPrefix**, enter a custom call prefix that would allow the user to override an ongoing call with a remote party mostly used in emergency services and law enforcement.
Set **DisableCdmaHeuristics** to **True** to disable the built-in heuristics.
## PartnerAppSupport
See [Dialer codes to launch diagnostic applications](/windows-hardware/customize/mobile/mcsf/dialer-codes-to-launch-diagnostic-applications).
## PerSimSettings
Use to configure settings for each subscriber identification module (SIM) card. Enter the Integrated Circuit Card Identifier (ICCID) for the SIM card, select **Add**, and then configure the following settings.
### Critical
Setting | Description
--- | ---
MOSimFallbackVoicemailNumber | Partners who do not have the voicemail numbers on the device SIM can configure the voicemail number for their devices. If the voicemail number is not on the SIM and the registry key is not set, the default voicemail will not be set and the user will need to set the number. Set MOSimFallbackVoicemailNumber to the voicemail number that you want to use for the phone.
SimOverrideVoicemailNumber | Mobile operators can override the voicemail number on the UICC with a different voicemail number that is configured in the registry. Set SimOverrideVoicemailNumber to a string that contains the digits of the voicemail number to use instead of the voicemail number on the UICC.
### General
Setting | Description
--- | ---
AllowMixedAudioVideoConferencing | Set as **True** to enable audio and video calls in the same conference.
AllowVideoConferencing | Set as **True** to enable the ability to conference video calls.
AutoDismissUssedWaitingDialog | Set as **True** to enable automatic dismissal of "Waiting" dialog on USSD session termination.
CallerIdBlockingPrefixList | Enter a list of prefixes which will not see the caller ID. Use a semicolon (;) as a delimiter.
DefaultCallerIdSetting | Configure the default setting for caller ID. Select between `No one`, `Only contacts`, `Every one`, and `Network default`. If set to `Network default`, set `ShowCallerIdNetworkDefaultSetting` to **True**.
DefaultEnableVideoCalling | Set as **True** to enable LTE video calling as the default setting.
DefaultEnableVideoCapability | Set as **True** to enable LTE video capability sharing as the default setting.
EnableSupplementaryServiceEraseToDeactivateOverride | Enables conversion of supplementary service erase commands to deactivate commands.
IgnoreCallerIdBlockingPrefix | DO NOT USE
IgnoreMWINotifications | Set as **True** to configure the voicemail system so the phone ignores message waiting indicator (MWI) notifications.
IgnoreProhibitedDialingPrefix | Ignore prohibited dialing prefix. An OEM/MO can specify a certain set of strings by region that when dialed will block a user's caller ID from being displayed on the device receiving the call. The list is separated by semicolon. This setting does not apply beyond Windows 10, version 1709.
IgnoreUssdExclusions | Set as **True** to ignore Unstructured Supplementary Service Data (USSD) exclusions.
ProhibitedDialingPrefixList | A semicolon delimited list of previxes that are prohibited from being dialed.
ResetCallForwarding | When set to **True**, user is provided with an option to retry call forwarding settings query.
ShowCallerIdNetworkDefaultSetting | Indicates whether the network default setting can be allowed for outgoing caller ID.
ShowVideoCallingSwitch | Use to specify whether to show the video capability sharing switch on the mobile device's Settings screen.
ShowVideoCapabilitySwitch | Configure the phone settings to show the video capability sharing switch.
SupressVideoCallingChargesDialog | Configure the phone settings CPL to suppress the video calling charges dialog.
UssdExclusionList | List used to exclude predefined USSD entries, allowing the number to be sent as standard DTMF tones instead. Set UssdExclusionList to the list of desired exclusions, separated by semicolons. For example, setting the value to 66;330 will override 66 and 330. Leading zeros are specified by using F. For example, to override code 079, set the value to F79. If you set UssdExclusionList, you must set IgnoreUssdExclusions as well. Otherwise, the list will be ignored. See [List of USSD codes](#list-of-ussd-codes) for values.
WiFiCallingOperatorName | Enter the operator name to be shown when the phone is using WiFi calling. If you don't set a value for WiFiCallingOperatorName, the device will always display **SIMServiceProviderName Wi-Fi**, where *SIMServiceProviderName* is a string that corresponds to the SPN for the SIM on the device. If the service provider name in the SIM is not set, only **Wi-Fi** will be displayed.
### HDAudio
To customize call progress branding when a call is made using a specific audio codec, select the audio codec from the dropdown menu and select **Add**. Select the codec in **Available Customizations** and then enter a text string (up to 10 characters) to be used for call progress branding for calls using that codec. For more information, see [Use HD audio codec for call branding](/windows-hardware/customize/mobile/mcsf/use-hd-audio-codec-for-call-branding).
### IMSSubscriptionUpdate
These are Verizon/Sprint-only settings to allow the operator to send an OMA-DM update to the device with the given alert characteristics, which are defined between the mobile operator and OEM, which in turn will inform the device to turn on or off IMS.
### RoamingNumberOverrides
See [Dial string overrides when roaming](/windows-hardware/customize/mobile/mcsf/dial-string-overrides-when-roaming).
## PhoneSettings
Setting | Description
--- | ---
AdjustCDMACallTime | Change the calculation of CDMA call duration to exclude the time before the call connects.
AssistedDialSetting | Turn off the international assist feature that helps users with the country codes needed for dialing international phone numbers.
CallIDMatch | Sets the number of digits that the OS will try to match against contacts for Caller ID. For any country/region that doesn't exist in the default mapping table, mobile operators can use this legacy CallIDMatch setting to specify the minimum number of digits to use for matching caller ID.
CallRecordingOff | Indicates if call recording is turned off. Users will not see the call recording functionality when this is set to **True**.
ConferenceCallMaximumPartyCount | Enter a number to limit the number of parties that can participate in a conference call.
ContinuousDTMFEnabled | Enable DTMF tone duration for as long as the user presses a dialpad key.
DisableVideoUpgradeStoreNavigation | If there are no compatible video upgrade apps installed, tapping the video upgrade button will launch a dialog that will navigate to the Microsoft Store. If this option is enabled, it will show a dialog that informs the user that no video app is installed, but it will not navigate to the Microsoft Store.
DisableVoicemailPhoneNumberDisplay | Disable the display of the voicemail phone number below the Voicemail label in call progress dialog.
DisplayNoDataMessageDuringCall | Display a message to the user indicating that there is no Internet connectivity during a phone call.
DisplayNumberAsDialed | Display the outgoing number "as dialed" rather than "as connected".
EnableVideoCalling | Set to **True** to enable video calling.
HideCallForwarding | Partners can hide the user option to turn on call forwarding. By default, users can decide whether to turn on call forwarding. Partners can hide this user option so that call forwarding is permanently disabled.
HideSIMSecurityUI | Hide the SIM Security panel from phone Settings.
LowVideoQualityTimeout | Configure the phone timer to automatically drop video when the quality is low, in milliseconds.
MinTimeBetweenCallSwaps | Configure how often the user can swap between two active phone calls, in milliseconds.
PromptVideoCallingCharges | Prompt user for charges associated with video calls.
ShowLongTones | Partners can make a user option visible that makes it possible to toggle between short and long DTMF tones, instead of the default continuous tones. By default, the phone supports Dual-Tone Multi-frequency (DTMF) with continuous tones. Partners can make a user option visible that makes it possible to toggle between short and long tones instead.
UseOKForUssdDialogs | OEMs can change the button label in USSD dialogs from **Close** (the default) to **OK**.
UseVoiceDomainForEmergencyCallBranding | Use voice domain to decide whether to use **Emergency calls only** or **No service** in branding.
VideoCallingChargesMessage | Enter text for the message informing the user about the charges associated with video calls.
VideoCallingChargesTitle | Enter text for the title of the dialog informing the user about the charges associated with video calls.
VideoCallingDescription | Enter text to describe the video calling feature.
VideoCallingLabel | Enter text to describe the video calling toggle.
VideoCapabilityDescription | Enter text to describe the video capability feature.
VideoCapabilityLabel | Enter text to describe the video capability toggle.
VideoTransitionTimeout | Enter the time in milliseconds to check how long the video transition state will remain until the remote party responds. The minimum value is 10000 and the maximum value is 30000.
VoLTEAudioQualityString | Partners can add a string to the call progress screen to indicate if the active call is a high quality voice over LTE (VoLTE). Set the value of VoLTEAudioQualityString to the string that you want to display in the call progress screen to indicate that the call is a VoLTE call. This string is combined with the PLMN so if the string is "VoLTE", the resulting string is "PLMN_String VoLTE". For example, the string displayed in the call progress screen can be "Litware VoLTE" if the PLMN_String is "Litware". The value you specify for VoLTEAudioQualityString must exceed 10 characters.
## PhoneShellUI
Setting | Description
--- | ---
EnableSoftwareProximitySensorMitigation | Enable software proximity sensor mitigation.
## PhoneSmsFilter
Setting | Description
--- | ---
AppId | Enter the app ID for your phone call/SMS filter application.
## SupplementaryServiceCodeOverrides
See [Dialer codes for supplementary services](/windows-hardware/customize/mobile/mcsf/dialer-codes-for-supplementary-services).
## List of USSD codes
Codes | Description | DWORD Value
--- | --- | ---
04 | CHANGEPIN | 000000F4
042 | CHANGEPIN2 | 00000F42
05 | UNBLOCKPIN | 000000F5
052 | UNBLOCKPIN2 | 00000F52
03 | SSCHANGEPASSWORD | 000000F3
75 | EMLPPBASE | 00000075
750 | EMLPPLEVEL0 | 00000750
751 | EMLPPLEVEL1 | 00000751
752 | EMLPPLEVEL2 | 00000752
753 | EMLPPLEVEL3 | 00000753
754 | EMLPPLEVEL4 | 00000754
66 | CALLDEFLECT | 00000066
30 | CALLIDCLIP | 00000030
31 | CALLIDCLIR | 00000031
76 | CALLIDCOLP | 00000076
77 | CALLIDCOLR | 00000077
21 | FWDUNCONDITIONAL | 00000021
67 | FWDBUSY | 00000067
61 | FWDNOREPLY | 00000061
62 | FWDNOTREACHABLE | 00000062
002 | FWDALL | 00000FF2
004 | FWDALLCONDITIONAL | 00000FF4
43 | CALLWAITING | 00000043
360 | UUSALL | 00000360
361 | UUSSERVICE1 | 00000361
362 | UUSSERVICE2 | 00000362
363 | UUSSERVICE3 | 00000363
33 | BARROUT | 00000033
331 | BARROUTINTL | 00000331
332 | BARROUTINTLEXTOHOME | 00000332
35 | BARRIN | 00000035
351 | BARRINROAM | 00000351
330 | BARRALL | 00000330
333 | BARRALLOUT | 00000333
353 | BARRALLIN | 00000353
354 | BARRINCOMINGINTERMEDIATE | 00000354
96 | CALLTRANSFER | 00000096
37 | CALLCOMPLETEBUSY | 00000037
070 | PNP0 | 00000F70
071 | PNP1 | 00000F71
072 | PNP2 | 00000F72
073 | PNP3 | 00000F73
074 | PNP4 | 00000F74
075 | PNP5 | 00000F75
076 | PNP6 | 00000F76
077 | PNP7 | 00000F77
078 | PNP8 | 00000F78
079 | PNP9 | 00000F79
300 | CALLCNAP | 00000300
591 | MSP1 | 00000591
592 | MSP2 | 00000592
593 | MSP3 | 00000593
594 | MSP4 | 00000594

66
windows/configuration/wcd/wcd-deviceinfo.md
View File

@ -1,66 +0,0 @@
---
title: DeviceInfo (Windows 10)
description: This section describes the DeviceInfo settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: greg-lindsay
ms.localizationpriority: medium
ms.author: greglin
ms.topic: article
ms.date: 09/21/2017
ms.reviewer:
manager: dansimp
---
# DeviceInfo (Windows Configuration Designer reference)
Use to configure settings for DeviceInfo.
>[!IMPORTANT]
>These settings are intended to be used only by manufacturers, mobile operators, and solution providers when configuring devices, and are not intended for use by administrators in the enterprise.
## Applies to
| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
| --- | :---: | :---: | :---: | :---: | :---: |
| All settings | | ✔️ | | | |
## PhoneMobileOperatorDisplayName
Enter a friendly name for the mobile operator. This string is displayed in the support section of the **Settings > About** screen and in the ringtone list.
## PhoneMobileOperatorName
This setting is used for targeting phone updates. It must contain a code specified by Microsoft that corresponds to the mobile operator. These codes are provided in [Registry values for mobile operator IDs](https://msdn.microsoft.com/library/windows/hardware/dn772250.aspx). For open market phones, in which the mobile operator is not known, use the codes in [Registry values for carrier-unlocked phones](https://msdn.microsoft.com/library/windows/hardware/dn772248.aspx) instead.
This string is not visible to the user.
This setting must not be changed over time even if the user switches SIMs or mobile operators, as updates are always targeted based on the first mobile operator associated with the phone.
The [PhoneManufacturer](/previous-versions/windows/hardware/previsioning-framework/mt138328(v=vs.85)), [PhoneManufacturerModelName](/previous-versions/windows/hardware/previsioning-framework/mt138336(v=vs.85)), and PhoneMobileOperatorName should create a unique Phone-Operator-Pairing (POP).
## PhoneOEMSupportLink
This should be a functional link that starts with http://. The link should be a URL that redirects to the mobile version of the web page. The content in the webpage should reflow to the screen width. This can be achieved by adding the CSS Tag `"@-ms-viewport { width: device-width; }"`.
The default is an empty string (""), which means that a support link will not be displayed to the user.
This setting varies by OEM.
## PhoneSupportLink
This should be a functional link that starts with http://. The link should be a URL that redirects to the mobile version of the web page. The content in the webpage should reflow to the screen width. This can be achieved by adding the CSS Tag `"@-ms-viewport { width: device-width; }"`.
The default is an empty string (""), which means that a support link will not be displayed to the user.
This setting varies by OEM.
## PhoneSupportPhoneNumber
Use to specify the OEM or mobile operator's support contact phone number. The country code is not required. This string is displayed in the About screen in Settings. This setting also corresponds to the Genuine Windows Phone Certificates (GWPC) support number.

33
windows/configuration/wcd/wcd-initialsetup.md
View File

@ -1,33 +0,0 @@
---
title: InitialSetup (Windows 10)
description: This section describes the InitialSetup setting that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: greg-lindsay
ms.localizationpriority: medium
ms.author: greglin
ms.topic: article
ms.date: 09/06/2017
ms.reviewer:
manager: dansimp
---
# InitialSetup (Windows Configuration Designer reference)
Use to set the name of the Windows mobile device.
## Applies to
| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
| --- | :---: | :---: | :---: | :---: | :---: |
| DeviceName | | ✔️ | | | |
In **DeviceName**, enter a name for the device. If **DeviceName** is set to an asterisk (*) or is an empty string, a random device name will be generated.
**DeviceName** is a string with a maximum length of 15 bytes of content:
- **DeviceName** can use ASCII characters (1 byte each) and/or multi-byte characters such as Kanji, so long as you do not exceed 15 bytes of content.
- **DeviceName** cannot use spaces or any of the following characters: { | } ~ [ \ ] ^ ' : ; < = > ? @ ! " # $ % ` ( ) + / . , * &, or contain any spaces.
- **DeviceName** cannot use some non-standard characters, such as emoji.

98
windows/configuration/wcd/wcd-internetexplorer.md
View File

@ -1,98 +0,0 @@
---
title: InternetExplorer (Windows 10)
description: This section describes the InternetExplorer settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: greg-lindsay
ms.localizationpriority: medium
ms.author: greglin
ms.topic: article
ms.date: 09/06/2017
ms.reviewer:
manager: dansimp
---
# InternetExplorer (Windows Configuration Designer reference)
Use to configure settings related to Internet Explorer.
## Applies to
| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
| --- | :---: | :---: | :---: | :---: | :---: |
| [CustomHTTPHeaders](#customhttpheaders) | | ✔️ | | | |
| [CustomUserAgentString](#customuseragentstring) | | ✔️ | | | |
| DataSaving > [BrowseDataSaver](#browsedatasaver) | | ✔️ | | | |
| DataSaving > [ShowPicturesAutomatically](#showpicturesautomatically) | | ✔️ | | | |
| [FirstRunURL](#firstrunurl) | | ✔️ | | | |
## CustomHTTPHeaders
Configure Microsoft Edge to send custom HTTP headers. These will be sent in addition to the default HTTP headers with all HTTP and HTTPS requests. The header is the portion of the HTTP request that defines the form of the message.
- A maximum of 16 custom headers can be defined.
- Custom headers cannot be used to modify the user agent string.
- Each header must be no more than 1 KB in length.
The following header names are reserved and must not be overwritten:
- Accept
- Accept-Charset
- Accept-Encoding
- Authorization
- Expect
- Host
- If-Match
- If-Modified-Since
- If-None-Match
- If-Range
- If-Unmodified-Since
- Max-Forwards
- Proxy-Authorization
- Range
- Referer
- TE
- USER-AGENT
- X-WAP-PROFILE
1. In **Available customizations**, select **CustomHTTPHeaders**, enter a name, and then click **Add**.
2. In **Available customizations**, select the name that you just created.
3. Enter the custom header.
## CustomUserAgentString
The user agent string indicates which browser you are using, its version number, and details about your system, such as operating system and version. A web server can use this information to provide content that is tailored for your specific browser and phone.
The user agent string for the browser cannot be modified. By default, the string has the following format:
`Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; <Manufacturer>; <Device>) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Mobile Safari/537.36 Edge/12.10166`
- `<Manufacturer>` is automatically replaced with the OEM name. This is the same as the PhoneManufacturer setting value that is set as part of the customization Phone metadata in DeviceTargetingInfo.
- `<Device>` is replaced with the device name or phone name. This is the same as the PhoneModelName setting value that is set as part of the customization Phone metadata in DeviceTargetingInfo.
**Limitations and restrictions:**
- The user agent string for the browser cannot be modified outside of the customizations listed above.
- The user agent type registry setting cannot be modified or used to change the default browser view from Mobile to Desktop.
## BrowseDataSaver
Use to set the browser data saver default setting. **True** turns on the browser data saver feature.
Partners can configure the default setting for the browser data saver feature by turning the browser optimization service (through the BrowserDataSaver setting) on or off.
## ShowPicturesAutomatically
Use to enable or disable whether the **Show pictures automatically** setting is available in Internet Explorer **advanced settings**.
## FirstRunURL
Use to set the home page that appears the first time that Microsoft Edge is opened. This page is only shown the first time the browser is opened. After that, the browser displays either the most recently viewed page or an empty page if the user has closed all tabs or opens a new tab.
Specify the **FirstRunURL** value with a valid link that starts with http://. It is recommended you use a forward link that redirects the user to a localized page.

354
windows/configuration/wcd/wcd-messaging.md
View File

@ -1,354 +0,0 @@
---
title: Messaging (Windows 10)
description: This section describes the Messaging settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: greg-lindsay
ms.localizationpriority: medium
ms.author: greglin
ms.topic: article
ms.reviewer:
manager: dansimp
---
# Messaging (Windows Configuration Designer reference)
Use for settings related to Messaging and Commercial Mobile Alert System (CMAS).
>[!IMPORTANT]
>These settings are intended to be used only by manufacturers, mobile operators, and solution providers when configuring devices, and are not intended for use by administrators in the enterprise.
>[!NOTE]
>CMAS is now known as Wireless Emergency Alerts (WEA).
## Applies to
| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
| --- | :---: | :---: | :---: | :---: | :---: |
| All settings | | ✔️ | | | |
## GlobalSettings
### DisplayCmasLifo
Use this setting to change the order in which CMAS alert messages are displayed, from the default first in/first out (FIFO) message order to last in/first out (LIFO) message order.
If the phone receives at least one CMAS alert message which has not been acknowledged by the user, and another CMAS alert message arrives on the phone, partners can configure the order in which the newly received alert messages are displayed on the phone regardless of the service category of the alert. Users will not be able to change the message order once it has been set.
If partners do not specify a value for this customization, the default FIFO display order is used. Users will be able to acknowledge the messages in the reverse order they were received.
When configured as **True**, you set a LIFO message order. When configured as **False**, you set a FIFO message order.
### EnableCustomLineSetupDialog
Enable this setting to allow custom line setup dialogs in the Messaging app.
### ExtractPhoneNumbersInStrings"
Set as **True** to tag any 5-or-more digit number as a tappable phone number.
### ShowSendingStatus
>[!NOTE]
>This setting is removed in Windows 10, version 1709.
Set **ShowSendingStatus** to **True** to display the sending status for SMS/MMS messages.
### VoicemailIntercept
Partners can define a filter that intercepts an incoming SMS message and triggers visual voicemail synchronization. The filtered message does not appear in the users conversation list.
A visual voicemail sync is triggered by an incoming SMS message if the following conditions are met:
- The message sender value starts with the string specified in the SyncSender setting. The length of the specified values must be greater than 3 characters but less than 75 characters.
- The body of the message starts with the string specified in the SyncPrefix setting. The length of the specified values must be greater than 3 characters but less than 75 characters.
- Visual voicemail is configured and enabled. For more information, see [Visual voicemail](https://msdn.microsoft.com/library/windows/hardware/dn790032.aspx).
>[!NOTE]
>These settings are atomic, so both SyncSender and SyncPrefix must be set.
>
>The SyncSender and SyncPrefix values vary for each mobile operator, so you must work with your mobile operators to obtain the correct or required values.
Setting | Description
--- | ---
SyncPrefix | Specify a value for SyncPrefix that is greater than 3 characters but less than 75 characters in length. For networks that support it, this value can be the keyword for the SMS notification.
SyncSender | Specify a value for SyncSender that is greater than 3 characters but less than 75 characters in length. For networks that support it, this value can be a short code of the mailbox server that sends a standard SMS notification.
## PerSimSettings
Use to configure settings for each subscriber identification module (SIM) card. Enter the Integrated Circuit Card Identifier (ICCID) for the SIM card, click **Add**, and then configure the following settings.
### AllowMmsIfDataIsOff
Setting | Description
--- | ---
AllowMmsIfDataIsOff | **True** allows MMS if data is off
AllowMmsIfDataIsOffSupported | **True** shows the toggle for allowing MMS if data is turned off
AllowMmsIfDataIsOffWhileRoaming | **True** allows MMS if data is off while roaming
### AllowSelectAllContacts
>[!NOTE]
>This setting is removed in Windows 10, version 1709, and later.
Set to **True** to show the select all contacts/unselect all menu option to allow users to easily select multiple recipients for an SMS or MMS message. This menu option provides users with an easier way to add multiple recipients and may also meet a mandatory requirement for some mobile operator networks.
### AllowSendingDeliveryReport
Specify whether the phone automatically sends a receipt acknowledgment for MMS messages. Partners can specify whether the phone automatically sends a receipt acknowledgment for MMS messages when they arrive, and they can determine whether users can control the receipt acknowledgments by using the **Send MMS acknowledgment** toggle in **Messaging > settings**. By default, this user setting is visible and turned on.
| Setting | Description |
| --- | --- |
| AllowSendingDeliveryReport | **True** sets the **Send MMS acknowledgment** toggle to **On** |
| AllowSendingDeliveryReportIsSupported | **True** shows the **Send MMS acknowledgment** toggle, and **False** hides the toggle |
### AutomaticallyDownload
Specify whether MMS messages are automatically downloaded.
| Setting | Description |
| --- | --- |
| AutomaticallyDownload | **True** sets the **Automatically download MMS** toggle to **On** |
| ShowAutomaticallyDownloadMMSToggle | **True** shows the **Automatically download MMS** toggle, and **False** hides the toggle |
### DefaultContentLocationUrl
>[!NOTE]
>This setting is removed in Windows 10, version 1709.
For networks that require it, you can specify the default GET path within the MMSC to use when the GET URL is missing from the WAP push MMS notification.
Set **DefaultContentLocationUrl** to specify the default GET path within the MMSC.
### ErrorCodeEnabled
>[!NOTE]
>This setting is removed in Windows 10, version 1709.
You can choose to display additional content in the conversation view when an SMS or MMS message fails to send. This content includes a specific error code in decimal format that the user can report to technical support. Common errors also include a friendly string to help the user self-diagnose and fix the problem.
Set to **True** to display the error message with an explanation of the problem and the decimal-format error codes. When set to **False**, the full error message is not displayed.
### EmergencyAlertOptions
Configure settings for CMAS alerts.
Setting | Description
--- | ---
CmasAMBERAlertEnabled | **True** enables the device to receive AMBER alerts
CmasExtremeAlertEnabled | **True** enables the device to receive extreme alerts
CmasSevereAlertEnabled | **True** enables the device to receive severe alerts
EmOperatorEnabled | Select which Emergency Alerts Settings page is displayed from dropdown menu
EtwsSoundEnabled | Set to **True** to play Earthquake & Tsunami Warning System (ETWS) sound during alert.
SevereAlertDependentOnExtremeAlert | When set as **True**, the CMAS-Extreme alert option must be on to modify CMAS-Severe alert option
### General
Setting | Description
--- | ---
AllowSelectAllContacts | Set to **True** to show the **select all contacts/unselect all** menu option to allow users to easily select multiple recipients for an SMS or MMS message. This menu option provides users with an easier way to add multiple recipients and may also meet a mandatory requirement for some mobile operator networks.
AllowSMStoSMTPAddress | Allow SMS to SMTP address.
AssistedDialingMcc | By setting AssistedDialingMcc and AssistedDialingMnc, international assisted dialing will be enabled for SMS if the user setting for international assisted dialing is enabled. Enter the Mobile Country Code (MCC) to use for sending SMS.
AssistedDialingMnc | By setting AssistedDialingMcc and AssistedDialingMnc, international assisted dialing will be enabled for SMS if the user setting for international assisted dialing is enabled. Enter the Mobile Network Code (MNC) to use for sending SMS.
AssistedDialingPlusCodeSupportOverride | For devices that support IMS over SMS, you can override support for the assisted dialing plus (+) code for SMS by setting AssistedDialingPlusCodeSupportOverride. If enabled, the OS will not convert the plus (+) code to the proper assisted number when the user turns on the dialing assist option.
AutoRetryDownload | You can configure the messaging app to automatically retry downloading an MMS message if the initial download attempt fails. When this customization is enabled, the download is retried 3 times at 20-, 40-, and 60-second intervals.
BroadcastChannels | You can specify one or more ports from which the device will accept cellular broadcast messages. Set the BroadcastChannels value to the port number(s) that can accept cellular broadcast messages.
ConvertLongSMStoMMS | For networks that do support MMS and do not support segmentation of SMS messages, you can specify an automatic switch from SMS to MMS for long messages.
DefaultContentLocationUrl | For networks that require it, you can specify the default GET path within the MMSC to use when the GET URL is missing from the WAP push MMS notification. Set DefaultContentLocationUrl to specify the default GET path within the MMSC.
EarthquakeMessageString | To override the Primary Earthquake default message, specify the EarthquakeMessageString setting value. This string will be used regardless of what language is set on the device.
EarthquakeTsunamiMessageString| To override the Primary Tsunami and Earthquake default message, specify the EarthquakeTsunamiMessageString setting value. This string will be used regardless of what language is set on the device.
ErrorCodeEnabled | You can choose to display additional content in the conversation view when an SMS or MMS message fails to send. This content includes a specific error code in decimal format that the user can report to technical support. Common errors also include a friendly string to help the user self-diagnose and fix the problem. Set to **True** to display the error message with an explanation of the problem and the decimal-format error codes. When set to **False**, the full error message is not displayed.
EtwsSoundFileName | Set the value to the name of a sound file.
HideMediumSIPopups | By default, when a service indication message is received with a signal-medium or signal-high setting, the phone interrupts and shows the user prompt for these messages. However, you can hide the user prompts for signal-medium messages.
ImsiAuthenticationToken | Configure whether MMS messages include the IMSI in the GET and POST header. Set ImsiAuthenticationToken to the token used as the header for authentication. The string value should match the IMSI provided by the UICC.
LimitRecipients | Set the maximum number of recipients to which a single SMS or MMS message can be sent. Enter a number between 1 and 500 to limit the maximum number of recipients.
MaxRetryCount | You can specify the number of times that the phone can retry sending the failed MMS message and photo before the user receives a notification that the photo could not be sent. Specify MaxRetryCount to specify the number of times the MMS transport will attempt resending the MMS message. This value has a maximum limit of 3.
MMSLimitAttachments | You can specify the maximum number of attachments for MMS messages, from 1 to 20. The default is 5.
NIInfoEnabled | NIInfoEnabled
ProxyAuthorizationToken | See [Proxy authorization for MMS.](/windows-hardware/customize/mobile/mcsf/proxy-authorization-for-mms)
RetrySize | For MMS messages that have photo attachments and that fail to send, you can choose to automatically resize the photo and attempt to resend the message. Specify the maximum size to use to resize the photo in KB. Minimum is 0xA (10 KB).
SetCacheControlNoTransform | When set, proxies and transcoders are instructed not to change the HTTP header and the content should not be modified. A value of 1 or 0x1 adds support for the HTTP header Cache-Control No-Transform directive. When the SetCacheControlNoTransform``Value is set to 0 or 0x0 or when the setting is not set, the default HTTP header Cache-Control No-Cache directive is used.
ShowRequiredMonthlyTest | **True** enables devices to receive CMAS Required Monthly Test (RMT) messages and have these show up on the device. **False** disables devices from receiving CMAS RMT messages.
SIProtocols | Additional supported service indication protocol name.
SmscPanelDisabled | **True** disables the short message service center (SMSC) panel.
SMStoSMTPShortCode | Use to configure SMS messages to be sent to email addresses and phone numbers. `0` disables sending SMS messages to SMTP addresses. `1` enables sending SMS messages to SMTP addresses.
TargetVideoFormat | You can specify the transcoding to use for video files sent as attachments in MMS messages. Set TargetVideoFormat to one of the following values to configure the default transcoding for video files sent as attachments in MMS messages:</br></br>- 0 or 0x0 Sets the transcoding to H.264 + AAC + MP4. This is the default set by the OS.</br>- 1 or 0x1 Sets the transcoding to H.264 + AAC + 3GP.</br>- 2 or 0x2 Sets the transcoding to H.263 + AMR.NB + 3GP.</br>- 3 or 0x3 Sets the transcoding to MPEG4 + AMR.NB + 3GP.
TsunamiMessageString | To override the Primary Tsunami default message, specify the TsunamiMessageString setting value. This string will be used regardless of what language is set on the device.
UAProf | You can specify a user agent profile to use on the phone for MMS messages. The user agent profile XML file details a phones hardware specifications and media capabilities so that an MMS application server (MMSC) can return supported optimized media content to the phone. The user agent profile XML file is generally stored on the MMSC. There are two ways to correlate a user agent profile with a given phone:</br></br>- You can take the user agent string of the phone that is sent with MMS requests and use it as a hash to map to the user agent profile on the MMSC. The user agent string cannot be modified.</br>- Alternatively, you can directly set the URI of the user agent profile on the phone.</br></br>Set UAProf to the full URI of your user agent profile file. Optionally, you can also specify the custom user agent property name for MMS that is sent in the header by setting UAProfToken to either `x-wap-profile` or `profile`.
UAProfToken | You can specify a user agent profile to use on the phone for MMS messages. The user agent profile XML file details a phones hardware specifications and media capabilities so that an MMS application server (MMSC) can return supported optimized media content to the phone. The user agent profile XML file is generally stored on the MMSC.
UseDefaultAddress | By default, the MMS transport sends an acknowledgement to the provisioned MMS application server (MMSC). However, on some networks, the correct server to use is sent as a URL in the MMS message. In that case, a registry key must be set, or else the acknowledgement will not be received and the server will continue to send duplicate messages. **True** enables some networks to correctly acknowledge MMS messages. **False** disables the feature.
UseInsertAddressToken | Use insert address token or local raw address.
UserAgentString | Set UserAgentString to the new user agent string for MMS in its entirely. By default, this string has the format WindowsPhoneMMS/MicrosoftMMSVersionNumber WindowsPhoneOS/OSVersion-buildNumber OEM-deviceName, in which the italicized text is replaced with the appropriate values for the phone.
UseUTF8ForUnspecifiedCharset | Some incoming MMS messages may not specify a character encoding. To properly decode MMS messages that do not specify a character encoding, you can set UTF-8 to decode the message.
WapPushTechnology | For networks that require non-standard handling of single-segment incoming MMS WAP Push notifications, you can specify that MMS messages may have some of their content truncated and that they may require special handling to reconstruct truncated field values. `1` or `0x1` enables MMS messages to have some of their content truncated. `0` or `0x0` disables MMS messages from being truncated
## ImsiAuthenticationToken
>[!NOTE]
>This setting is removed in Windows 10, version 1709.
Configure whether MMS messages include the IMSI in the GET and POST header.
Set **ImsiAuthenticationToken** to the token used as the header for authentication. The string value should match the IMSI provided by the UICC.
### LatAlertOptions
Enable `LatLocalAlertEnabled` to enable support for LAT-Alert Local Alerts for devices sold in Chile. For more information, see [Emergency notifications](/windows-hardware/customize/mobile/mcsf/emergency-notifications).
### MaxRetryCount
>[!NOTE]
>This setting is removed in Windows 10, version 1709.
You can specify the number of times that the phone can retry sending the failed MMS message and photo before the user receives a notification that the photo could not be sent.
Specify MaxRetryCount to specify the number of times the MMS transport will attempt resending the MMS message. This value has a maximum limit of 3.
### MMSGroupText
Set options for group messages sent to multiple people.
Setting | Description
--- | ---
MMSGroupText | **True** enables group messages to multiple people sent as MMS.
ShowMMSGroupTextUI | **True** shows the toggle for group text in messaging settings.
ShowMmsGroupTextWarning | **True** shows the warning that alerts users of possible additional charges before sending a group text as MMS.
### NIAlertOptions
Enable `NI2AlertEnabled` to enable support for the Netherlands Announcements for devices sold in the Netherlands. For more information, see [Emergency notifications](/windows-hardware/customize/mobile/mcsf/emergency-notifications).
### RcsOptions
Set options for Rich Communications Services (RCS).
| Setting | Description |
| --- | --- |
RcsAllowLeaveClosedGroupChats | Whether or not to allow users to leave closed group chats.
| RcsEnabled | Toggle to enable/disable RCS service. Set to **True** to enable. |
| RcsFileTransferAutoAccept | Set to **True** to auto-accept RCS incoming file transfer if the file size is less than warning file size.|
RcsFiletransferAutoAcceptWhileRoaming | Auto-accept RCS incoming file transfer when the file size is less than the warning file size while roaming.
RcsGroupChatCreationMode | The mode used to create new RCS group chats.
RcsGroupChatCreationgThreadingMode | The mode used to thread newly created RCS group chats.
| RcsSendReadReceipt | Set to **True** to send read receipt to the sender when a message is read. |
RcsTimeWindowsAfterSelfLeave | After RCS receives a self-left message, it will ignore messages during this time (in milliseconds), except self-join.
| ShowRcsEnabled | Set to **True** to show the toggle for RCS activation. |
### RequestDeliveryReport
Set options related to MMS message notifications. You can specify whether users receive notification that MMS messages could not be delivered, and determine whether users can control this by using the MMS delivery confirmation toggle in **Messaging > settings**. By default, this user setting is visible but turned off.
| Setting | Description |
| --- | --- |
| RequestDeliveryReport | Set to **True** to set the default value to on. |
| RequestDeliveryReportIsSupported | **True** shows the toggle for MMS delivery confirmation, and **False** hides the toggle. |
### SMSDeliveryNotify
Setting | Description
--- | ---
DeliveryNotifySupported | Set to **True** to enable SMS delivery confirmation.
SMSDeliveryNotify | Set to **True** to toggle SMS delivery confirmation.
### TargetVideoFormat
>[!NOTE]
>This setting is removed in Windows 10, version 1709.
You can specify the transcoding to use for video files sent as attachments in MMS messages.
Set TargetVideoFormat to one of the following values to configure the default transcoding for video files sent as attachments in MMS messages:
| Value | Description |
| --- | --- |
| 0 or 0x0 | Sets the transcoding to H.264 + AAC + MP4. This is the default set by the OS. |
| 1 or 0x1 | Sets the transcoding to H.264 + AAC + 3GP. |
| 2 or 0x2 | Sets the transcoding to H.263 + AMR.NB + 3GP. |
| 3 or 0x3 | Sets the transcoding to MPEG4 + AMR.NB + 3GP. |
### TaiwanAlertOptions
Set options for Taiwan Emergency Alerts system. For more information, see [Emergency notifications](/windows-hardware/customize/mobile/mcsf/emergency-notifications#taiwan-alerts).
Setting | Description
--- | ---
TaiwanAlertEnabled | Receive Taiwan alerts.
TaiwanEmergencyAlertEnabled | Receive Taiwan emergency alerts.
TaiwanPresidentialAlertEnabled | Receive alerts from the Leader of the Taiwan Area.
TaiwanRequiredMonthlytestEnabled | Receive Taiwan Required Monthly Test alerts.
### UAProf
>[!NOTE]
>This setting is removed in Windows 10, version 1709.
You can specify a user agent profile to use on the phone for MMS messages. The user agent profile XML file details a phones hardware specifications and media capabilities so that an MMS application server (MMSC) can return supported optimized media content to the phone. The user agent profile XML file is generally stored on the MMSC.
There are two ways to correlate a user agent profile with a given phone:
- You can take the user agent string of the phone that is sent with MMS requests and use it as a hash to map to the user agent profile on the MMSC. The user agent string cannot be modified.
- Alternatively, you can directly set the URI of the user agent profile on the phone.
Set **UAProf** to the full URI of your user agent profile file. Optionally, you can also specify the custom user agent property name for MMS that is sent in the header by setting **UAProfToken** to either `x-wap-profile` or `profile`.
### UAProfToken
>[!NOTE]
>This setting is removed in Windows 10, version 1709.
You can specify a user agent profile to use on the phone for MMS messages. The user agent profile XML file details a phones hardware specifications and media capabilities so that an MMS application server (MMSC) can return supported optimized media content to the phone. The user agent profile XML file is generally stored on the MMSC.
Optionally, in addition to specifying **UAProf**, you can also specify the custom user agent property name for MMS that is sent in the header by setting **UAProfToken** to either `x-wap-profile` or `profile`.
### UserAgentString
>[!NOTE]
>This setting is removed in Windows 10, version 1709.
Set **UserAgentString** to the new user agent string for MMS in its entirely.
By default, this string has the format WindowsPhoneMMS/MicrosoftMMSVersionNumber WindowsPhoneOS/OSVersion-buildNumber OEM-deviceName, in which the italicized text is replaced with the appropriate values for the phone.
### w4
| Setting | Description |
| --- | --- |
| ADDR | Specify the absolute MMSC URL. The possible values to configure the ADDR parameter are:</br></br>- A Uniform Resource Identifier (URI)</br>- An IPv4 address represented in decimal format with dots as delimiters</br>- A fully qualified Internet domain name |
| APPID | Set to `w4`. |
| MS | (optional) Specify the maximum size of MMS, in KB. If the value is not a number, or is less than or equal to 10, it will be ignored and outgoing MMS will not be resized. |
| NAME | (optional) Enter userreadable application identity. This parameter is also used to define part of the registry path for the APPLICATION parameters. The possible values to configure the **NAME** parameter are:</br></br>- Character string containing the name</br>- no value specified</br></br>If no value is specified, the registry location will default to `<unnamed>`. If **NAME** is greater than 40 characters, it will be truncated to 40 characters. |
| TONAPID | Specify the network access point identification name (NAPID) defined in the provisioning file. This parameter takes a string value. It is only possible to refer to network access points defined within the same provisioning file (except if the INTERNET attribute is set in the NAPDEF characteristic). For more information about the NAPDEF characteristic, see [NAPDEF configuration service provider](/windows/client-management/mdm/napdef-csp). |
| TOPROXY | Specify one logical proxy with a matching PROXY-ID. It is only possible to refer to proxies defined within the same provisioning file. Only one proxy can be listed. The TO-PROXY value must be set to the value of the PROXY ID in PXLOGICAL that defines the MMS specific-proxy. |
### WapPushTechnology
>[!NOTE]
>These settings are removed in Windows 10, version 1709.
For networks that require non-standard handling of single-segment incoming MMS WAP Push notifications, you can specify that MMS messages may have some of their content truncated and that they may require special handling to reconstruct truncated field values.
| Value | Description |
| --- | --- |
| 1 or 0x1 | Enables MMS messages to have some of their content truncated. |
| 0 or 0x0 | Disables MMS messages from being truncated. |
## Related topics
- [Customizations for SMS and MMS](/windows-hardware/customize/mobile/mcsf/customizations-for-sms-and-mms)

24
windows/configuration/wcd/wcd-modemconfigurations.md
View File

@ -1,24 +0,0 @@
---
title: ModemConfiguration (Windows 10)
description: This section describes the ModemConfiguration settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: greg-lindsay
ms.localizationpriority: medium
ms.author: greglin
ms.topic: article
ms.reviewer:
manager: dansimp
---
# ModemConfiguration (Windows Configuration Designer reference)
ModemConfiguration settings are removed in Windows 10, version 1709.
## Applies to
| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
| --- | :---: | :---: | :---: | :---: | :---: |
| All settings | | ✔️ | | | |

25
windows/configuration/wcd/wcd-multivariant.md
View File

@ -1,25 +0,0 @@
---
title: Multivariant (Windows 10)
description: This section describes the Multivariant settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: greg-lindsay
ms.localizationpriority: medium
ms.author: greglin
ms.topic: article
ms.reviewer:
manager: dansimp
---
# Multivariant (Windows Configuration Designer reference)
Use to select a default profile for mobile devices that have multivariant configurations.
## Applies to
| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
| --- | :---: | :---: | :---: | :---: | :---: |
| DefaultProfile | | ✔️ | | | |
If you will be adding [multivariant settings](../provisioning-packages/provisioning-multivariant.md) to your provisioning package, you can use the **DefaultProfile** setting to specify which variant should be applied by default if OOBE is skipped. In the **DefaultProfile** field, enter the UINAME from your customizations.xml that you want to use as default.

31
windows/configuration/wcd/wcd-nfc.md
View File

@ -1,31 +0,0 @@
---
title: NFC (Windows 10)
description: This section describes the NFC settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: greg-lindsay
ms.localizationpriority: medium
ms.author: greglin
ms.topic: article
ms.reviewer:
manager: dansimp
---
# NFC (Windows Configuration Designer reference)
Use to configure settings related to near field communications (NFC) subsystem.
## Applies to
| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
| --- | :---: | :---: | :---: | :---: | :---: |
| All settings | | ✔️ | | | |
Expand **NFC** > **SEMgr** > **UI**. The following table describes the settings you can configure.
| Setting | Description |
| --- | --- |
| CardEmulationState | Configure the default state of **Tap to pay**. Select between **OFF**, **When Phone Unlocked**, **When Screen On**, and **Anytime**. |
| DefaultFastCardSetting | Configure the default fast card usage for NFC payments. Select between **When Phone Unlocked**, **When Screen On**, and **Anytime**. |
| HideFastCardsOption | Show or hide the fast cards options drop-down menu in the **NFC** > **Tap to pay** control panel. |

30
windows/configuration/wcd/wcd-otherassets.md
View File

@ -1,30 +0,0 @@
---
title: OtherAssets (Windows 10)
description: This section describes the OtherAssets settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: greg-lindsay
ms.localizationpriority: medium
ms.author: greglin
ms.topic: article
ms.date: 09/06/2017
ms.reviewer:
manager: dansimp
---
# OtherAssets (Windows Configuration Designer reference)
Use to configure settings for Map data.
## Applies to
| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
| --- | :---: | :---: | :---: | :---: | :---: |
| MapData | | ✔️ | | | |
Use **MapData** to specify the source directory location of the map region you want to include.
For example, if C:\Path\Maps\Europe contains the downloaded map data that you want to preload, set the value to that directory.
To add additional maps, add a new MapData setting and set the source to the directory location of the map region you want to include.

1
windows/configuration/wcd/wcd-policies.md
View File

@ -196,7 +196,6 @@ PreventTabPreloading | Prevent Microsoft Edge from starting and loading the Star
| [AllowEmailScanning](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowemailscanning) | Allow or disallow scanning of email. | ✔️ | | | | |
| [AllowFullScanOnMappedNetworkDrives](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowfullscanonmappednetworkdrives) | Allow or disallow a full scan of mapped network drives. | ✔️ | | | | |
| [AllowFullScanRemovableDriveScanning](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowfullscanremovabledrivescanning) | Allow or disallow a full scan of removable drives. | ✔️ | | | | |
| [AllowIntrusionPreventionSystem](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowintrusionpreventionsystem) | Allow or disallow Windows Defender Intrusion Prevention functionality. | ✔️ | | | | |
| [AllowIOAVProtection](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowioavprotection) | Allow or disallow Windows Defender IOAVP Protection functionality. | ✔️ | | | | |
| [AllowOnAccessProtection](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowonaccessprotection) | Allow or disallow Windows Defender On Access Protection functionality. | ✔️ | | | | |
| [AllowRealtimeMonitoring](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowrealtimemonitoring) | Allow or disallow Windows Defender Realtime Monitoring functionality. | ✔️ | | | | |

2
windows/configuration/wcd/wcd-privacy.md
View File

@ -19,7 +19,7 @@ Use **Privacy** to configure settings for app activation with voice.
| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
| --- | :---: | :---: | :---: | :---: | :---: |
| All settings | X | X | X | | X |
| All settings | ✔️ | ✔️ | ✔️ | | ✔️ |
## LetAppsActivateWithVoice

2
windows/configuration/wcd/wcd-provisioningcommands.md
View File

@ -21,7 +21,7 @@ Use ProvisioningCommands settings to install Windows desktop applications using
| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
| --- | :---: | :---: | :---: | :---: | :---: |
| All settings | X | | | | |
| All settings | ✔️ | | | | |
For instructions on adding apps to provisioning packages, see [Provision PCs with apps](../provisioning-packages/provision-pcs-with-apps.md).

32
windows/configuration/wcd/wcd-rcspresence.md
View File

@ -1,32 +0,0 @@
---
title: RcsPresence (Windows 10)
description: This section describes the RcsPresence settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: greg-lindsay
ms.localizationpriority: medium
ms.author: greglin
ms.topic: article
ms.date: 04/30/2018
ms.reviewer:
manager: dansimp
---
# RcsPresence (Windows Configuration Designer reference)
Use these settings to configure RcsPresence.
## Applies to
| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
| --- | :---: | :---: | :---: | :---: | :---: |
| All settings | | X | | | |
Setting | Description
--- | ---
BypassvideoCapabilities | Do not use.
MaxWaitForCapabilitiesRequestInSeconds | Maximum number of seconds to wait for a Capabilities Request to complete.
MinAvailabilityCacheInSeconds | Number of seconds to cache result of Capabilities Request per each number, to avoid excessive network requests.

20
windows/configuration/wcd/wcd-sharedpc.md
View File

@ -22,7 +22,7 @@ Use SharedPC settings to optimize Windows 10 for shared use scenarios, such as t
| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
| --- | :---: | :---: | :---: | :---: | :---: |
| All settings | X | | | | |
| All settings | ✔️ | | | | |
## AccountManagement
@ -30,19 +30,19 @@ Use these settings to configure settings for accounts allowed on the shared PC.
| Setting | Value | Description |
| --- | --- | --- |
| AccountModel | - Only guest</br>- Domain-joined only</br>- Domain-joined and guest | This option controls how users can sign-in on the PC. Choosing domain-joined will enable any user in the domain to sign-in. Specifying the guest option will add the Guest option to the sign-in screen and enable anonymous guest access to the PC. </br></br>- Only guest allows anyone to use the PC as a local standard (non-admin) account.</br>- Domain-joined only allows users to sign in with an Active Directory or Azure AD account.</br>- Domain-joined and guest allows users to sign in with an Active Directory, Azure AD, or local standard account. |
| DeletionPolicy | - Delete immediately </br>- Delete at disk space threshold</br>- Delete at disk space threshold and inactive threshold | - Delete immediately will delete the account on sign-out.</br>- Delete at disk space threshold will start deleting accounts when available disk space falls below the threshold you set for DiskLevelDeletion, and it will stop deleting accounts when the available disk space reaches the threshold you set for DiskLevelCaching. Accounts are deleted in order of oldest accessed to most recently accessed.</br>- Delete at disk space threshold and inactive threshold will apply the same disk space checks as noted above, but also delete accounts if they have not signed in within the number of days specified by InactiveThreshold |
| AccountModel | - Only guest</br>- Domain-joined only</br>- Domain-joined and guest | This option controls how users can sign in on the PC. Choosing domain-joined will enable any user in the domain to sign in. Specifying the guest option will add the Guest option to the sign in screen and enable anonymous guest access to the PC. </br></br>- Only guest allows anyone to use the PC as a local standard (non-admin) account.</br>- Domain-joined only allows users to sign in with an Active Directory or Azure AD account.</br>- Domain-joined and guest allows users to sign in with an Active Directory, Azure AD, or local standard account. |
| DeletionPolicy | - Delete immediately </br>- Delete at disk space threshold</br>- Delete at disk space threshold and inactive threshold | - **Delete immediately** deletes the account on sign out.</br>- **Delete at disk space threshold** starts deleting accounts when available disk space falls below the threshold you set for `DiskLevelDeletion`. It stops deleting accounts when the available disk space reaches the threshold you set for `DiskLevelCaching`. Accounts are deleted in order of oldest accessed to most recently accessed.</br>- **Delete at disk space threshold and inactive threshold** applies the same disk space checks as noted above. It also deletes accounts if they haven't signed in within the number of days in `InactiveThreshold`. |
| DiskLevelCaching | A number between 0 and 100 | If you set **DeletionPolicy** to **Delete at disk space threshold**, set the percent of total disk space to be used as the disk space threshold for account caching. |
| DiskLevelDeletion | A number between 0 and 100 | If you set **DeletionPolicy** to **Delete at disk space threshold**, set the percent of total disk space to be used as the disk space threshold for account deletion. |
| EnableAccountManager | True or false | Set as **True** to enable automatic account management. If this is not set to true, no automatic account management will be done. |
| InactiveThreshold | Number | If you set **DeletionPolicy** to **Delete at disk space threshold and inactive threshold**, set the number of days after which an account that has not signed in will be deleted. |
| KioskModeAUMID | String | Set an Application User Model ID (AUMID) to enable the kiosk account on the sign-in screen. A new account will be created and will use assigned access to only run the app specified by the AUMID. Note that the app must be installed on the PC. Set the name of the account using **KioskModeUserTileDisplayText**, or a default name will be used. [Find the Application User Model ID of an installed app](/previous-versions/windows/embedded/dn449300(v=winembedded.82)) |
| EnableAccountManager | True or false | Set as **True** to enable automatic account management. When set to **False**, no automatic account management will be done. |
| InactiveThreshold | Number | If you set **DeletionPolicy** to **Delete at disk space threshold and inactive threshold**, set the number of days after which an account that hasn't signed in will be deleted. |
| KioskModeAUMID | String | Set an Application User Model ID (AUMID) to enable the kiosk account on the sign in screen. A new account will be created and will use assigned access to only run the app specified by the AUMID. The app must be installed on the PC. Set the name of the account using **KioskModeUserTileDisplayText**, or a default name will be used. [Find the Application User Model ID of an installed app](/previous-versions/windows/embedded/dn449300(v=winembedded.82)) |
| KioskModeUserTileDisplayText | String | Sets the display text on the kiosk account if **KioskModeAUMID** has been set. |
## EnableSharedPCMode
Set as **True**. If this is not set to **True**, shared PC mode is not turned on and none of the other settings apply. This setting controls this API: [IsEnabled](/uwp/api/windows.system.profile.sharedmodesettings).
Set as **True**. When set to **False**, shared PC mode isn't turned on and none of the other settings apply. This setting controls this API: [IsEnabled](/uwp/api/windows.system.profile.sharedmodesettings).
Some of the remaining settings in SharedPC are optional, but we strongly recommend that you also set **EnableAccountManager** to **True**.
@ -53,13 +53,13 @@ Use these settings to configure policies for shared PC mode.
| Setting | Value | Description |
| --- | --- | --- |
| MaintenanceStartTime | A number between 0 and 1440 | By default, the maintenance start time (which is when automatic maintenance tasks run, such as Windows Update) is midnight. You can adjust the start time in this setting by entering a new start time in minutes from midnight. For example, if you want maintenance to begin at 2 AM, enter `120` as the value. |
| MaxPageFileSizeMB | A number between 1024 and 2048 | Adjusts the maximum page file size in MB. This can be used to fine-tune page file behavior, especially on low end PCs. |
| MaxPageFileSizeMB | A number between 1024 and 2048 | Adjusts the maximum page file size in MB. This setting can be used to fine-tune page file behavior, especially on low end PCs. |
| RestrictLocalStorage | True or false | Set as **True** to restrict the user from saving or viewing local storage when using File Explorer. This setting controls this API: [ShouldAvoidLocalStorage](/uwp/api/windows.system.profile.sharedmodesettings) |
| SetEduPolicies | True or false | Set to **True** for PCs that will be used in a school. For more information, see [Windows 10 configuration recommendations for education customers](/education/windows/configure-windows-for-education). This setting controls this API: [IsEducationEnvironment](/uwp/api/windows.system.profile.educationsettings) |
| SetPowerPolicies | True or false | When set as **True**:</br></br>- Prevents users from changing power settings</br>- Turns off hibernate</br>- Overrides all power state transitions to sleep (e.g. lid close) |
| SetPowerPolicies | True or false | When set as **True**:</br></br>- Prevents users from changing power settings</br>- Turns off hibernate</br>- Overrides all power state transitions to sleep, such as a lid close. |
| SignInOnResume | True or false | This setting specifies if the user is required to sign in with a password when the PC wakes from sleep. |
| SleepTimeout | Number | Specifies all timeouts for when the PC should sleep. Enter the amount of idle time in seconds. If you don't set sleep timeout, the default of 1 hour applies. |
## Related topics
## Related articles
- [Set up shared or guest PC](../set-up-shared-or-guest-pc.md)

26
windows/configuration/wcd/wcd-shell.md
View File

@ -1,26 +0,0 @@
---
title: Shell (Windows 10)
description: This section describes the Shell settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: greg-lindsay
ms.localizationpriority: medium
ms.author: greglin
ms.topic: article
ms.date: 09/06/2017
ms.reviewer:
manager: dansimp
---
# Shell (Windows Configuration Designer reference)
Do not use. Use [Start > StartLayout](wcd-start.md#startlayout)
## Applies to
| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
| --- | :---: | :---: | :---: | :---: | :---: |
| All settings | | X | | | |

32
windows/configuration/wcd/wcd-smisettings.md
View File

@ -21,19 +21,19 @@ Use SMISettings settings to customize the device with custom shell, suppress Win
| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
| --- | :---: | :---: | :---: | :---: | :---: |
| All settings | X | | | | |
| All settings | ✔️ | | | | |
## All settings in SMISettings
The following table describes the settings in SMISettings. Some settings have additional details in sections after the table.
The following table describes the settings in SMISettings. Some settings have more details in sections after the table.
| Setting | Value | Description |
| --- | --- | --- |
| AutoLogon | Enable</br>Domain name</br>Password</br>UserName | Allows automatic sign-in at startup so that the user does not need to enter a user name and password. |
| AutoLogon | Enable</br>Domain name</br>Password</br>UserName | Allows automatic sign-in at startup. Users don't need to enter a user name and password. |
| BrandingNeutral | See [BrandingNeutral values](#brandingneutral-values) | Specifies which UI elements display on the Welcome screen. |
| CrashDumpEnabled | See [CrashDumpEnabled values](#crashdumpenabled-values) | Specifies the type of information to be saved in the event of a crash. |
| CrashDumpEnabled | See [CrashDumpEnabled values](#crashdumpenabled-values) | Specifies the type of information to be saved if there's a crash. |
| DisableBootMenu | True or false | Disables the F8 and F10 keys during startup to prevent access to the **Advanced Startup Options** menu. |
| DisplayDisabled | True or false | Configures the device to display a blank screen when the OS encounters an error that it cannot recover from. |
| DisplayDisabled | True or false | Configures the device to display a blank screen if the OS has an error that it can't recover from. |
| HideAllBootUI | True or false | Suppresses all Windows UI elements (logo, status indicator, and status message) during startup. |
| HideAutologonUI | True or false | Hides the Welcome screen when automatic sign-in (AutoLogon) is enabled. |
| HideBootLogo | True or false | Suppresses the default Windows logo that displays during the OS loading phase. |
@ -43,7 +43,7 @@ The following table describes the settings in SMISettings. Some settings have ad
| KeyboardFilter | See [KeyboardFilter settings](#keyboardfilter-settings) | Use these settings to configure devices to suppress key presses or key combinations. |
| NoLockScreen | True or false | Disables the lock screen functionality and UI elements |
| ShellLauncher | See [ShellLauncher settings](#shelllauncher-settings) | Settings used to specify the application or executable to use as the default custom shell. |
| UIVerbosityLevel | Suppress or do not suppress | Disables the Windows status messages during device startup, sign-in, and shut down. |
| UIVerbosityLevel | Suppress or don't suppress | Disables the Windows status messages during device startup, sign-in, and shut down. |
## BrandingNeutral values
@ -58,11 +58,11 @@ The default value is **17**, which disables all Welcome screen UI elements and t
| 4 | Disables the Language button |
| 8 | Disables the Ease of access button |
| 16 | Disables the Switch user button |
| 32 | Disables the blocked shutdown resolver (BSDR) screen so that restarting or shutting down the system causes the OS to immediately force close any applications that are blocking system shut down. No UI is displayed and users are not given a chance to cancel the shutdown process. This can result in a loss of data if any open applications have unsaved data. |
| 32 | Disables the blocked shutdown resolver (BSDR) screen. Restarting or shutting down the system causes the OS to immediately force close any applications that are blocking the system shutdown. No UI is displayed, and users aren't given a chance to cancel the shutdown process. This value can result in a loss of data if any open applications have unsaved data. |
## CrashDumpEnabled values
Contains an integer that specifies the type of information to capture in a dump (.dmp) file that is generated when the system stops unexpectedly.
If the system stops unexpectedly, choose the type of information to capture in a dump (.dmp) file.
The .dmp file is typically saved in %SystemRoot% as Memory.dmp.
@ -71,22 +71,22 @@ Set CrashDumpEnabled to one of the following values:
| Value | Description |
| --- | --- |
| 1 | Records all the contents of system memory. This dump file may contain data from processes that were running when the information was collected. |
| 2 | Records only the kernel memory. This dump file includes only memory that is allocated to the kernel, kernel-mode drivers, and other kernel-mode programs. It does not include unallocated memory or any memory that is allocated to user-mode programs.</br></br>For most purposes, this kind of dump file is the most useful because it is significantly smaller than the complete memory dump file, but it contains information that is most likely to have been involved in the issue.</br></br>If a second problem occurs, the dump file is overwritten with new information. |
| 3 | Records the smallest amount of useful information that may help identify why the device stopped unexpectedly. This type of dump file includes the following information:</br></br>- A list of loaded drivers</br></br>- The processor context (PRCB) for the processor that stopped</br></br>- The process information and kernel context (EPROCESS) for the process that stopped</br></br>- The process information and kernel context (ETHREAD) for the thread that stopped</br></br>- The kernel-mode call stack for the thread that stopped</br></br></br>This kind of dump file can be useful when space is limited. However, because of the limited information included, errors that were not directly caused by the thread that was running at the time of the problem may not be discovered by analyzing this file.</br></br>The date is encoded in the file name. If a second problem occurs, the previous file is preserved and the new file is given a distinct name. A list of all small memory dump files is kept in the %SystemRoot%\Minidump folder. |
| 2 | Records only the kernel memory. This dump file includes only memory that's allocated to the kernel, kernel-mode drivers, and other kernel-mode programs. It doesn't include unallocated memory, or any memory that's allocated to user-mode programs.</br></br> For most purposes, this kind of dump file is the most useful because it's smaller than the complete memory dump file. It also includes information that's most likely involved in the issue.</br></br> If a second problem occurs, the dump file is overwritten with new information. |
| 3 | Records the smallest amount of useful information that may help identify why the device stopped unexpectedly. This type of dump file includes the following information:</br></br>- A list of loaded drivers</br>- The processor context (PRCB) for the processor that stopped</br>- The process information and kernel context (EPROCESS) for the process that stopped</br>- The process information and kernel context (ETHREAD) for the thread that stopped</br>- The kernel-mode call stack for the thread that stopped</br></br>This dump file can be useful when space is limited. Because of the limited information, errors that aren't directly caused by the running thread at the time of the problem may not be discovered by analyzing this file.</br></br> The date is encoded in the file name. If a second problem occurs, the previous file is preserved and the new file is given a distinct name. A list of all small memory dump files is kept in the %SystemRoot%\Minidump folder. |
| 4 | Records the smallest amount of useful information. This value produces the same results as entering a value of 3. |
| 7 | Records only the kernel memory. This value produces the same results as entering a value of 2. This is the default value. |
| Any other value | Disables crash dump and does not record anything. |
| Any other value | Disables crash dump and doesn't record anything. |
## KeyboardFilter settings
You can use KeyboardFilter to suppress undesirable key presses or key combinations. KeyboardFilter works with physical keyboards, the Windows on-screen keyboard, and the touch keyboard.
Use these settings to suppress undesirable key presses or key combinations. KeyboardFilter works with physical keyboards, the Windows on-screen keyboard, and the touch keyboard.
When you **enable** KeyboardFilter, a number of other settings become available for configuration.
When you **enable** KeyboardFilter, many other settings become available for configuration.
| Setting | Value | Description |
| --- | --- | --- |
| CustomKeyFilters | Allow or block | Add your own key filters to meet any special requirements that you may have that are not included in the predefined key filters. </br></br>Enter a custom key combination in **CustomKeyFilter**, and then select it to allow or block it. The format to add custom filter combinations is "Alt+F9." This also appears as the CustomKey name, which is specified without "+". For more information, see [WEKF_CustomKey](/windows-hardware/customize/enterprise/wekf-customkey). |
| CustomScancodeFilters | Allow or block | Blocks the list of custom scan codes. When a key is pressed on a physical keyboard, the keyboard sends a scan code to the keyboard driver. The driver then sends the scan code to the OS and the OS converts the scan code into a virtual key based on the current active layout.</br></br>Enter a custom scancode in **CustomScancodeFilter**, and then select it to allow or block it. For more information, see [WEKF_Scancode](/windows-hardware/customize/enterprise/wekf-scancode). |
| CustomKeyFilters | Allow or block | Add your own key filters to meet any special requirements that aren't included in the predefined key filters. </br></br>Enter a custom key combination in **CustomKeyFilter**, and then select it to allow or block it. The format to add custom filter combinations is "Alt+F9." This also appears as the CustomKey name, which is specified without "+". For more information, see [WEKF_CustomKey](/windows-hardware/customize/enterprise/wekf-customkey). |
| CustomScancodeFilters | Allow or block | Blocks the list of custom scan codes. When a key is pressed on a physical keyboard, the keyboard sends a scan code to the keyboard driver. The driver then sends the scan code to the OS and the OS converts the scan code into a virtual key based on the current active layout.</br></br>Enter a custom scan code in **CustomScancodeFilter**, and then select it to allow or block it. For more information, see [WEKF_Scancode](/windows-hardware/customize/enterprise/wekf-scancode). |
| DisableKeyboardFilterForAdministrators | True or false | Disables the keyboard filter for administrators. |
| ForceOffAccessibility | True or false | Disables all Ease of Access features and prevents users from enabling them. |
| PredefinedKeyFilters | Allow or block | Specifies the list of predefined keys. For each key, the value will default to **Allow**. Specifying **Block** will suppress the key combination. |
@ -107,7 +107,7 @@ You can also configure ShellLauncher to launch different shell applications for
>
>You cannot use ShellLauncher to launch a Windows app as a custom shell. However, you can use Windows 10 application launcher to launch a Windows app at startup.
ShellLauncher processes the Run and RunOnce registry keys before starting the custom shell, so your custom shell doesn't need to handle the automatic startup of other applications or services. ShellLauncher also handles the behavior of the system when your custom shell exits. You can configure the shell exit behavior if the default behavior does not meet your needs.
ShellLauncher processes the Run and RunOnce registry keys before starting the custom shell. So, your custom shell doesn't need to handle the automatic startup of other applications or services. ShellLauncher also handles the behavior of the system when your custom shell exits. You can configure the shell exit behavior if the default behavior doesn't meet your needs.
>[!IMPORTANT]
>A custom shell is launched with the same level of user rights as the account that is signed in. This means that a user with administrator rights can perform any system action that requires administrator rights, including launching other applications with administrator rights, while a user without administrator rights cannot. If your shell application requires administrator rights and needs to be elevated, and User Account Control (UAC) is present on your device, you must disable UAC in order for ShellLauncher to launch the shell application.

2
windows/configuration/wcd/wcd-startupapp.md
View File

@ -21,6 +21,6 @@ Use StartupApp settings to configure the default app that will run on start for
| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
| --- | :---: | :---: | :---: | :---: | :---: |
| Default | | | | | X |
| Default | | | | | ✔️ |
Enter the [Application User Model ID (AUMID)](/windows-hardware/customize/enterprise/find-the-application-user-model-id-of-an-installed-app) for the default app.

2
windows/configuration/wcd/wcd-startupbackgroundtasks.md
View File

@ -21,5 +21,5 @@ Documentation not available at this time.
| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
| --- | :---: | :---: | :---: | :---: | :---: |
| All settings | | | | | X |
| All settings | | | | | ✔️ |

7
windows/configuration/wcd/wcd-storaged3inmodernstandby.md
View File

@ -13,7 +13,10 @@ manager: dansimp
# StorageD3InModernStandby (Windows Configuration Designer reference)
Use **StorageD3InModernStandby** to enable or disable low power state (D3) during standby. When this setting is configured to **Enable Storage Device D3**, SATA and NVMe devices will be able to enter the D3 state when the system transits to modern standby state, if they are using a Microsoft inbox driver such as StorAHCI, StorNVMe.
Use **StorageD3InModernStandby** to enable or disable low-power state (D3) during standby. When set to **Enable Storage Device D3**, SATA and NVMe devices can enter the D3 state when:
- The system transits to modern standby state.
- If they're using a Microsoft inbox driver such as StorAHCI, StorNVMe
[Learn more about device power states.](/windows-hardware/drivers/kernel/device-power-states)
@ -21,4 +24,4 @@ Use **StorageD3InModernStandby** to enable or disable low power state (D3) durin
| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
| --- | :---: | :---: | :---: | :---: | :---: |
| All settings | X | X | X | | X |
| All settings | ✔️ | ✔️ | ✔️ | | ✔️ |

2
windows/configuration/wcd/wcd-surfacehubmanagement.md
View File

@ -26,7 +26,7 @@ Use SurfaceHubManagement settings to set the administrator group that will manag
| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
| --- | :---: | :---: | :---: | :---: | :---: |
| All settings | | | X | | |
| All settings | | | ✔️ | | |
## GroupName

2
windows/configuration/wcd/wcd-tabletmode.md
View File

@ -21,7 +21,7 @@ Use TabletMode to configure settings related to tablet mode.
| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
| --- | :---: | :---: | :---: | :---: | :---: |
| All settings | X | X | X | | |
| All settings | ✔️ | ✔️ | ✔️ | | |
## ConvertibleSlateModePromptPreference

9
windows/configuration/wcd/wcd-takeatest.md
View File

@ -21,11 +21,11 @@ Use TakeATest to configure the Take A Test app, a secure browser for test-taking
| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
| --- | :---: | :---: | :---: | :---: | :---: |
| All settings | X | | | | |
| All settings | ✔️ | | | | |
## AllowScreenMonitoring
When set to True, students are able to record and take screen captures in the Take A Test app.
When set to True, students can record and take screen captures in the Take A Test app.
## AllowTextSuggestions
@ -43,9 +43,8 @@ When set to True, students can print in the Take A Test app.
Enter the account to use when taking a test.
To specify a domain account, enter **domain\user**. To specify an AAD account, enter <strong>username@tenant.com</strong>. To specify a local account, enter the username.
To specify a domain account, enter **domain\user**. To specify an Azure AD account, enter `username@tenant.com`. To specify a local account, enter the username.
## Related topics
## Related articles
- [SecureAssessment configuration service provider (CSP)](/windows/client-management/mdm/secureassessment-csp)

209
windows/configuration/wcd/wcd-textinput.md
View File

@ -1,209 +0,0 @@
---
title: TextInput (Windows 10)
description: This section describes the TextInput settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: greg-lindsay
ms.localizationpriority: medium
ms.author: greglin
ms.topic: article
ms.date: 09/15/2017
ms.reviewer:
manager: dansimp
---
# TextInput (Windows Configuration Designer reference)
Use TextInput settings to configure text intelligence and keyboard for mobile devices.
## Applies to
| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
| --- | :---: | :---: | :---: | :---: | :---: |
| Intelligence > DisablePredictions | | X | | | |
| PreEnabledKeyboard | | X | | | |
## Intelligence
Set **DisablePredictions** to the locale or alternative input language that must have the text intelligence features disabled. For example, to disable text correction and suggestions for English (UK), set the value of **DisablePredictions** to `en-gb`.
## PreEnabledKeyboard
In addition to the automatically-enabled default keyboard, OEMs may choose to pre-enable more keyboards for a particular market.
During phone bring-up, OEMs must set the boot locale, or default locale, for the phone. During first boot, Windows Phone reads the locale setting and automatically enables a default keyboard based on the locale to keyboard mapping table in Set languages and locales.
The mapping works for almost all regions and additional customizations are not needed unless specified in the pre-enabled keyboard column in Set languages and locales. If an OEM chooses to pre-enable more keyboards for a particular market, they can do so by specifying the setting. Pre-enabled keyboards will automatically be enabled during boot. Microsoft recommends that partners limit the number of pre-enabled keyboards to those languages that correspond to the languages spoken within the market.
PreEnabledKeyboard must be entered once for each keyboard you want to pre-enable. As shown below, the format to specify a particular keyboard must be: Locale code.Locale value. See the following table for more information on the locale codes and values that you can use. The setting Value must be set to 1 to enable the keyboard.
The following table shows the values that you can use for the Locale code.Locale value part of the setting name.
>[!NOTE]
>The keyboards for some locales require additional language model files: am-ET, bn-IN, gu-IN, hi-IN, ja-JP, kn-IN, ko-KR, ml-IN, mr-IN, my-MM, or-IN, pa-IN, si-LK, ta-IN, te-IN, zh-TW, zh-CN, and zh-HK.
Name | Locale code | Keyboard layout value
--- | --- | ---
Afrikaans (South Africa) | af-ZA | 1
Albanian | sq-AL | 1
Amharic | am-ET | 1
Arabic | ar-SA | 1
Armenian | hy-AM | 1
Assamese - INSCRIPT | as-IN | 1
Azerbaijani (Cyrillic) | az-Cyrl-AZ | 1
Azerbaijani (Latin) | az-Latn-AZ | 1
Bangla (Bangladesh) - 49 key | bn-BD | 1
Bangla (India) - INSCRIPT |bn-IN|1
Bangla (India) - Phonetic|bn-IN|2
Bashkir|ba-RU|1
Basque|eu-ES|1
Belarusian|be-BY|1
Bosnian (Cyrillic)|bs-Cyrl-BA|1
Bosnian (Latin)|bs-Latn-BA|1
Bulgarian|bg-BG|1
Catalan|ca-ES|1
Central Kurdish|ku-Arab-IQ|1
Cherokee|chr-Cher-US|1
Chinese Simplified QWERTY|zh-CN|1
Chinese Simplified - 12-key|zh-CN|2
Chinese Simplified - Handwriting|zh-CN|3
Chinese Simplified - Stroke|zh-CN|4
Chinese Traditional (Hong Kong SAR) - Cangjie|zh-HK|1
Chinese Traditional (Hong Kong SAR) - Quick|zh-HK|2
Chinese Traditional (Hong Kong SAR) - Stroke|zh-HK|3
Chinese Traditional (Taiwan) - BoPoMoFo|zh-TW|1
Chinese Traditional (Taiwan) - Handwriting|zh-TW|2
Croatian|hr-HR|1
Czech|cs-CZ|1
Danish|da-DK|1
Divehi|dv-MV|1
Dutch (Belgium)|nl-BE|1
Dutch (Netherlands)|nl-NL|1
Dzongkha|dz-BT|1
English (Australia)|en-AU|1
English (Canada)|en-CA|1
English (India)|en-IN|1
English (Ireland)|en-IE|1
English (United Kingdom)|en-GB|1
English (United States)|en-US|1
Estonian|et-EE|1
Faroese|fo-FO|1
Filipino|fil-PH|1
Finnish|fi-FI|1
French (Belgium)|fr-BE|1
French (Canada)|fr-CA|1
French (France)|fr-FR|1
French (Switzerland)|fr-CH|1
Galician|gl-ES|1
Georgian|ka-GE|1
German (Germany)|de-DE|1
German (Switzerland)|de-CH|1
Greek|el-GR|1
Greenlandic|kl-GL|1
Guarani|gn-PY|1
Gujarati - INSCRIPT|gu-IN|1
Gujarati - Phonetic|gu-IN|2
Hausa|ha-Latn-NG|1
Hebrew|he-IL|1
Hindi - 37-key|hi-IN|1
Hindi - INSCRIPT|hi-IN|3
Hindi - Phonetic|hi-IN|2
Hinglish|hi-Latn|1
Hungarian|hu-HU|1
Icelandic|is-IS|1
Igbo|ig-NG|1
Indonesian|id-ID|1
Inuktitut - Latin|iu-Latn-CA|1
Irish|ga-IE|1
Italian|it-IT|1
Japanese - 12-key|ja-JP|1
Japanese - QWERTY|ja-JP|2
Kannada - INSCRIPT|kn-IN|1
Kannada - Phonetic|kn-IN|2
Kazakh|kk-KZ|1
Khmer|km-KH|1
Kinyarwanda|rw-RW|1
Kiswahili|sw-KE|1
Konkani|kok-IN|1
Korean - 12-key Chunjiin|ko-KR|2
Korean - 12-key Naratgeul|ko-KR|3
Korean - 12-key Sky|ko-KR|4
Korean - QWERTY|ko-KR|1
Kyrgyz|ky-KG|1
Lao|lo-LA|1
Latvian|lv-LV|1
Lithuanian|lt-LT|1
Luxembourgish|lb-LU|1
Macedonian|mk-MK|1
Malay (Brunei Darussalam)|ms-BN|1
Malay (Malaysia)|ms-MY|1
Malayalam - INSCRIPT|ml-IN|1
Malayalam - Phonetic|ml-IN|2
Maltese|mt-MT|1
Maori|mi-NZ|1
Marathi - INSCRIPT|mr-IN|1
Marathi - Phonetic|mr-IN|2
Mongolian - Cyrillic|mn-MN|1
Mongolian - Traditional Mongolian|mn-Mong-CN|1
Myanmar|my-MM|1
Nepali|ne-NP|1
Norwegian - Bokmal|nb-NO|1
Norwegian - Nynorsk|ny-NO|1
Odia - INSCRIPT|or-IN|1
Odia - Phonetic|or-IN|2
Pashto|ps-AF|1
Persian|fa-IR|1
Polish|pl-PL|1
Portuguese (Brazil)|pt-BR|1
Portuguese (Portugal)|pt-PT|1
Punjabi - INSCRIPT|pa-IN|1
Punjabi - Phonetic|pa-IN|2
Romanian|ro-RO|1
Romansh|rm-CH|1
Russian|ru-RU|1
Sakha|sah-RU|1
Sami, Northern (Norway)|se-NO|1
Sami, Northern (Sweden)|se-NO|1
Scottish Gaelic|gd-GB|1
Serbian - Cyrillic|sr-Cyrl-RS|1
Serbian - Latin|sr-Latn-RS|1
Sesotho sa Leboa|nso-ZA|1
Setswana|tn-ZA|1
Sinhala|si-LK|1
Slovak|sk-SK|1
Slovenian|sl-SI|1
Sorbian, Upper|hsb-DE|1
Spanish (Mexico)|es-MX|1
Spanish (Spain)|es-ES|1
Swedish|sv-SE|1
Syriac|syr-SY|1
Tajik|tg-Cyrl-TJ|1
Tamazight (Central Atlas) - Tifinagh|tzm-Tfng-MA|1
Tamazight (Central Atlas) - Latin|tzm-Latn-DZ|1
Tamil - INSCRIPT|ta-IN|1
Tamil - Phonetic|ta-IN|2
Tatar|tt-RU|1
Telugu - INSCRIPT|te-IN|1
Telugu - Phonetic|te-IN|2
Thai|th-TH|1
Tibetan|bo-CN|1
Turkish|tr-TR|1
Turkmen|tk-TM|1
Ukrainian|uk-UA|1
Urdu|ur-PK|1
Uyghur|ug-CN|1
Uzbek - Cyrillic|uz-Cyrl-UZ|1
Uzbek - Latin|uz-Latn-UZ|1
Valencian|ca-ES-valencia|1
Vietnamese - QWERTY|vi-VN|1
Vietnamese - TELEX|vi-VN|2
Vietnamese - VNI|vi-VN|3
Welsh|cy-GB|1
Wolof|N/A|1
Xhosa|xh-ZA|1
Yoruba|yo-NG|1
Zulu|zu-ZA|1

2
windows/configuration/wcd/wcd-time.md
View File

@ -19,7 +19,7 @@ Use **Time** to configure settings for time zone setup for Windows 10, version (
| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
| --- | :---: | :---: | :---: | :---: | :---: |
| [ProvisionSetTimeZone](#provisionsettimezone) | X | | | | |
| [ProvisionSetTimeZone](#provisionsettimezone) | ✔️ | | | | |
## ProvisionSetTimeZone

24
windows/configuration/wcd/wcd-unifiedwritefilter.md
View File

@ -15,14 +15,22 @@ manager: dansimp
# UnifiedWriteFilter (reference)
Use UnifiedWriteFilter to configure settings for the Unified Write Filter (UWF) in your device to help protect your physical storage media, including most standard writable storage types that are supported by the OS, such as physical hard disks, solidate-state drives, internal USB devices, external SATA devices, and so on. You can also use UWF to make read-only media appear to the OS as a writeable volume.
Use UnifiedWriteFilter to configure settings for the Unified Write Filter (UWF). It helps protect your physical storage media, including most standard writable storage types that are supported by the OS, such as:
- Physical hard disks
- Solidate-state drives
- Internal USB devices
- External SATA devices
- And so on
You can also use UWF to make read-only media appear to the OS as a writeable volume.
>[!IMPORTANT]
>You cannot use UWF to protect external USB devices or flash drives.
>You can't use UWF to protect external USB devices or flash drives.
UWF intercepts all write attempts to a protected volume and redirects those write attempts to a virtual overlay. This improves the reliability and stability of your device and reduces the wear on write-sensitive media, such as flash memory media like solid-state drives.
UWF intercepts all write attempts to a protected volume and redirects these write attempts to a virtual overlay. This feature improves the reliability and stability of your device. It also reduces the wear on write-sensitive media, such as flash memory media like solid-state drives.
The overlay does not mirror the entire volume, but dynamically grows to keep track of redirected writes. Generally the overlay is stored in system memory, although you can cache a portion of the overlay on a physical volume.
The overlay doesn't mirror the entire volume. It dynamically grows to keep track of redirected writes. Generally, the overlay is stored in system memory. You can cache a portion of the overlay on a physical volume.
>[!NOTE]
>UWF fully supports the NTFS system; however, during device startup, NTFS file system journal files can write to a protected volume before UWF has loaded and started protecting the volume.
@ -34,7 +42,7 @@ The overlay does not mirror the entire volume, but dynamically grows to keep tra
| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
| --- | :---: | :---: | :---: | :---: | :---: |
| All settings | X | | | | X |
| All settings | ✔️ | | | | ✔️ |
## FilterEnabled
@ -42,9 +50,9 @@ Set to **True** to enable UWF.
## OverlayFlags
OverlayFlags specifies whether to allow writes to unused space on the volume to pass through, and not be redirected to the overlay file. Enabling this setting helps conserve space on the overlay file.
OverlayFlags specifies whether to allow writes to unused space on the volume to pass through, and not redirect to the overlay file. Enabling this setting helps conserve space on the overlay file.
- Value `0` (default value when [OverlayType](#overlaytype) is not **Disk**): writes are redirected to the overlay file
- Value `0` (default value when [OverlayType](#overlaytype) isn't **Disk**): writes are redirected to the overlay file
- Value `1`(default value when [OverlayType](#overlaytype) is **Disk**): writes to unused space on the volume are allowed to pass through without being redirected to the overlay file.
## OverlaySize
@ -60,7 +68,7 @@ OverlayType specifies where the overlay is stored. Select between **RAM** (defau
## RegistryExclusions
You can add or remove registry entries that will be excluded from UWF filtering. When a registry key is in the exclusion list, all writes to that registry key bypass UWF filtering and are written directly to the registry and persist after the device restarts.
You can add or remove registry entries that will be excluded from UWF filtering. When a registry key is in the exclusion list, all writes to that registry key bypass UWF filtering. They're written directly to the registry and persist after the device restarts.
Use **Add** to add a registry entry to the exclusion list after you restart the device.

36
windows/configuration/wcd/wcd-universalappinstall.md
View File

@ -24,15 +24,15 @@ Use UniversalAppInstall settings to install Windows apps from the Microsoft Stor
| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
| --- | :---: | :---: | :---: | :---: | :---: |
| [DeviceContextApp](#devicecontextapp) | X | | X | | |
| [DeviceContextAppLicense](#devicecontextapplicense) | X | | X | | |
| [StoreInstall](#storeinstall) | X | X | X | | X |
| [UserContextApp](#usercontextapp) | X | X | X | | X |
| [UserContextAppLicense](#usercontextapplicense) | X | X | X | | X |
| [DeviceContextApp](#devicecontextapp) | ✔️ | | ✔️ | | |
| [DeviceContextAppLicense](#devicecontextapplicense) | ✔️ | | ✔️ | | |
| [StoreInstall](#storeinstall) | ✔️ | ✔️ | ✔️ | | ✔️ |
| [UserContextApp](#usercontextapp) | ✔️ | ✔️ | ✔️ | | ✔️ |
| [UserContextAppLicense](#usercontextapplicense) | ✔️ | ✔️ | ✔️ | | ✔️ |
## DeviceContextApp
Enter an app package family name to install an app for all users of the device. You can use the [Get-AppxPackage cmdlet](/powershell/module/appx/get-appxpackage) to get the package family name for an installed app.
Enter an app package family name to install an app for all device users. You can use the [Get-AppxPackage cmdlet](/powershell/module/appx/get-appxpackage) to get the package family name for an installed app.
>[!NOTE]
>For XAP files, enter the product ID.
@ -41,11 +41,11 @@ For each app that you add to the package, configure the settings in the followin
| Setting | Value | Description |
| --- | --- | --- |
| ApplicationFile | .appx or .appxbundle | Set the value to the app file that you want to install on the device. In addition, you must also enable the [AllowAllTrustedApps setting](wcd-policies.md#applicationmanagement) and add a root certificate or license file. |
| DependencyAppxFiles | any required frameworks | In Microsoft Store for Business, any dependencies for the app are listed in the **Required frameworks** section of the download page. |
| DeploymentOptions | - None</br>-Force application shutdown: If this package, or any package that depends on this package, is currently in use, the processes associated with the package are shut down forcibly so that registration can continue</br>- Development mode: do not use</br>- Install all resources: When you set ths option, the app is instructed to skip resource applicability checks.</br>- Force target application shutdown: If this package is currently in use, the processes associated with the package are shut down forcibly so that registration can continue | Select a deployment option. |
| LaunchAppAtLogin | - Do not launch app</br>- Launch app | Set the value for app behavior when a user signs in. |
| OptionalPackageFiles | additional files required by the package | Browse to, select, and add the optional package files. |
| ApplicationFile | `.appx` or `.appxbundle` | Set the value to the app file that you want to install on the device. Also enable the [AllowAllTrustedApps setting](wcd-policies.md#applicationmanagement) and add a root certificate or license file. |
| DependencyAppxFiles | Any required frameworks | In Microsoft Store for Business, any dependencies for the app are listed in the **Required frameworks** section of the download page. |
| DeploymentOptions | - None</br>-Force application shutdown: If this package, or any package that depends on this package is currently in use, then the processes associated with the package are forcibly shut down. The registration can continue. </br>- Development mode: Don't use. </br>- Install all resources: When you set this option, the app is instructed to skip resource applicability checks.</br>- Force target application shutdown: If this package is currently in use, the processes associated with the package are shut down forcibly so that registration can continue | Select a deployment option. |
| LaunchAppAtLogin | - Don't launch app</br>- Launch app | Set the value for app behavior when a user signs in. |
| OptionalPackageFiles | Additional files required by the package | Browse to, select, and add the optional package files. |
For more information on deployment options, see [DeploymentOptions Enum](/uwp/api/windows.management.deployment.deploymentoptions).
@ -53,7 +53,7 @@ For more information on deployment options, see [DeploymentOptions Enum](/uwp/ap
Use to specify the license file for the provisioned app.
1. Specify a **LicenseProductId** for the app. You can find the license ID in the root header of the license file. Here is an example, `LicenseID="aaaaaaaa-dddd-8848-f8d0-7d6a93dfcccc"`. Enter it in the LicenseProductId field, and click **Add**.
1. Specify a **LicenseProductId** for the app. You can find the license ID in the root header of the license file. For example, enter `LicenseID="aaaaaaaa-dddd-8848-f8d0-7d6a93dfcccc"`. Enter it in the LicenseProductId field, and select **Add**.
2. Select the LicenseProductId in the Available Customizations pane, and then browse to and select the app license file.
@ -62,7 +62,7 @@ Use to specify the license file for the provisioned app.
Use to install an app from the Microsoft Store for Business.
1. Enter a package family name, and then click **Add**.
1. Enter a package family name, and then select **Add**.
2. Configure the following required settings for the app package.
Setting | Description
@ -75,21 +75,21 @@ SkuID | Enter the SKU ID. [Learn how to find the SKU ID.](/microsoft-store/micro
Use to add a new user context app.
1. Specify a **PackageFamilyName** for the app, and then click **Add**.
1. Specify a **PackageFamilyName** for the app, and then select **Add**.
2. Select the PackageFamilyName in the Available Customizations pane, and then configure the following settings.
Setting | Value | Description
--- | --- | ---
ApplicationFile | app file | Browse to, select, and add the application file,
DependencyAppxFiles | additional files required by the app | Browse to, select, and add dependency files.
ApplicationFile | App file | Browse to, select, and add the application file,
DependencyAppxFiles | Additional files required by the app | Browse to, select, and add dependency files.
DeploymentOptions | - None</br></br>- Force application shutdown</br></br>- Development mode</br></br>- Install all resources</br></br>- Force target application shutdown | Select a deployment option.
LaunchAppAtLogin | - Do not launch app</br></br>- Launch app | Select whether the app should be started when a user signs in.
LaunchAppAtLogin | - Don't launch app</br></br>- Launch app | Select whether the app should be started when a user signs in.
## UserContextAppLicense
Use to specify the license file for the user context app.
1. Specify a **LicenseProductId** for the app. You can find the license ID in the root header of the license file. Here is an example, `LicenseID="aaaaaaaa-dddd-8848-f8d0-7d6a93dfcccc"`. Enter it in the LicenseProductId field, and click **Add**.
1. Specify a **LicenseProductId** for the app. You can find the license ID in the root header of the license file. For example, enter `LicenseID="aaaaaaaa-dddd-8848-f8d0-7d6a93dfcccc"`. Enter it in the LicenseProductId field, and select **Add**.
2. Select the LicenseProductId in the Available Customizations pane, and then browse to and select the app license file.

12
windows/configuration/wcd/wcd-universalappuninstall.md
View File

@ -22,21 +22,21 @@ Use UniversalAppUninstall settings to uninstall or remove Windows apps.
| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
| --- | :---: | :---: | :---: | :---: | :---: |
| [RemoveProvisionedApp](#removeprovisionedapp) | X | | | | |
| [Uninstall](#uninstall) | X | X | X | | X |
| [RemoveProvisionedApp](#removeprovisionedapp) | ✔️ | | | | |
| [Uninstall](#uninstall) | ✔️ | ✔️ | ✔️ | | ✔️ |
## RemoveProvisionedApp
Universal apps can be *provisioned*, which means that they are available on the device for installation in user context. When a user runs the provisioned app, the app is then installed for that user.
Universal apps can be *provisioned*. Provisioned means that they're available on the device for installation in user context. When a user runs the provisioned app, the app is then installed for that user.
Use **RemoveProvisionedApp** to remove app packages that are available on the device. Any instances of the app that have already been installed by a user are not uninstalled. To uninstall provisioned apps that have been installed by a user, use the [Uninstall](#uninstall) setting.
Use **RemoveProvisionedApp** to remove app packages that are available on the device. Any instances of the app that have already been installed by a user aren't uninstalled. To uninstall provisioned apps that have been installed by a user, use the [Uninstall](#uninstall) setting.
1. Enter the PackageFamilyName for the app package, and then click **Add**.
1. Enter the PackageFamilyName for the app package, and then select **Add**.
2. Select the PackageFamilyName in the Available Customizations pane, and then select **RemoveProvisionedApp**.
## Uninstall
Use **Uninstall** to remove provisioned apps that have been installed by a user.
1. Enter the PackageFamilyName for the app package, and then click **Add**.
1. Enter the PackageFamilyName for the app package, and then select **Add**.
2. Select the PackageFamilyName in the Available Customizations pane, and then select **Uninstall**.

2
windows/configuration/wcd/wcd-usberrorsoemoverride.md
View File

@ -22,7 +22,7 @@ Allows an OEM to hide the USB option UI in Settings and all USB device errors.
| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
| --- | :---: | :---: | :---: | :---: | :---: |
| [HideUsbErrorNotifyOptionUI](#hideusberrornotifyoptionui) | X | X | X | X | |
| [HideUsbErrorNotifyOptionUI](#hideusberrornotifyoptionui) | ✔️ | ✔️ | ✔️ | ✔️ | |
## HideUsbErrorNotifyOptionUI

11
windows/configuration/wcd/wcd-weakcharger.md
View File

@ -22,8 +22,8 @@ Use WeakCharger settings to configure the charger notification UI.
| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
| --- | :---: | :---: | :---: | :---: | :---: |
| [HideWeakChargerNotifyOptionUI](#hideweakchargernotifyoptionui) | X | X | X | | |
| [NotifyOnWeakCharger](#notifyonweakcharger) | X | X | X | | |
| [HideWeakChargerNotifyOptionUI](#hideweakchargernotifyoptionui) | ✔️ | ✔️ | ✔️ | | |
| [NotifyOnWeakCharger](#notifyonweakcharger) | ✔️ | ✔️ | ✔️ | | |
## HideWeakChargerNotifyOptionUI
@ -34,12 +34,15 @@ Select between **Show Weak Charger Notifications UI** and **Hide Weak Charger No
## NotifyOnWeakCharger
This setting displays a warning when the user connects the device to an incompatible charging source. This warning is intended to notify users that their device may take longer to charge or may not charge at all with the current charging source.
This setting shows a warning when the user connects the device to an incompatible charging source. This warning is intended to notify users that their device may take longer to charge. Or, it may not charge at all.
An incompatible charging source is one that doesn't behave like one of the following port types:
An incompatible charging source is one that does not behave like one of the following port types as defined by the USB Battery Charging Specification, Revision 1.2, available on the USB.org website:
- Charging downstream port
- Standard downstream port
- Dedicated charging port
The port types are defined by the USB Battery Charging Specification, Revision 1.2, available at `USB.org`.
Select between **Disable Weak Charger Notifications UI** and **Enable Weak Charger Notifications UI**.

10
windows/configuration/wcd/wcd-windowshelloforbusiness.md
View File

@ -15,17 +15,17 @@ manager: dansimp
# WindowsHelloForBusiness (Windows Configuration Designer reference)
Use WindowsHelloForBusiness settings to specify whether [FIDO2 security keys for Windows Hello](https://blogs.windows.com/business/2018/04/17/windows-hello-fido2-security-keys/) can be used to sign in to Windows on a device configured for [Shared PC mode](wcd-sharedpc.md).
Use WindowsHelloForBusiness settings to specify whether [FIDO2 security keys for Windows Hello](https://blogs.windows.com/business/2018/04/17/windows-hello-fido2-security-keys/) can be used to sign in to a Windows device configured for [Shared PC mode](wcd-sharedpc.md).
## Applies to
| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
| --- | :---: | :---: | :---: | :---: | :---: |
| [SecurityKeys](#securitykeys) | X | | | | |
| [SecurityKeys](#securitykeys) | ✔️ | | | | |
## SecurityKeys
Select the desired value:
Select the value:
- `0`: security keys for Windows Hello are disabled.
- `1`: security keys for Windows Hello are enabled on [Shared PCs](wcd-sharedpc.md).
- `0`: Security keys for Windows Hello are disabled.
- `1`: Security keys for Windows Hello are enabled on [Shared PCs](wcd-sharedpc.md).

22
windows/configuration/wcd/wcd-windowsteamsettings.md
View File

@ -22,31 +22,31 @@ Use WindowsTeamSettings settings to configure Surface Hub.
| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
| --- | :---: | :---: | :---: | :---: | :---: |
| All settings | | | X | | |
| All settings | | | ✔️ | | |
## Connect
| Setting | Value | Description |
| --- | --- | --- |
| AutoLaunch | True or false | Open the Connect app automatically when someone projects. |
| Channel | - 1, 3, 4, 5, 6, 7, 8, 9, 10, 11 (works with all Miracast senders in all regions)</br>- 36, 40, 44, 48 (works with all 5ghz band Miracast senders in all regions)</br>- 149, 153, 157, 161, 165 (works with all 5ghz band Miracast senders in all regions except Japan) | Wireless channel to use for Miracast operation. The supported channels are defined by the Wi-Fi Alliance Wi-Fi Direct specification. Integer specifying the channel. The default value is 255. Outside of regulatory concerns, if the channel is configured incorrectly the driver will either not boot, or will broadcast on the wrong channel (which senders won't be looking for). |
| Channel | - 1, 3, 4, 5, 6, 7, 8, 9, 10, 11 (works with all Miracast senders in all regions)</br>- 36, 40, 44, 48 (works with all 5ghz band Miracast senders in all regions)</br>- 149, 153, 157, 161, 165 (works with all 5ghz band Miracast senders in all regions except Japan) | Wireless channel to use for Miracast operation. The supported channels are defined by the Wi-Fi Alliance Wi-Fi Direct specification. Integer specifying the channel. The default value is 255. Outside of regulatory concerns, if the channel is configured incorrectly, the driver won't boot. Or, it will broadcast on the wrong channel, which senders won't be looking for. |
| Enabled | True or false | Enables wireless projection to the device. |
| PINRequired | True or false | Requires presenters to enter a PIN to connect wirelessly to the device. |
## DeviceAccount
A device account is a Microsoft Exchange account that is connected with Skype for Business, which allows people to join scheduled meetings, make Skype for Business calls, and share content from the device.
A device account is a Microsoft Exchange account that's connected with Skype for Business. It allows people to join scheduled meetings, make Skype for Business calls, and share content from the device.
| Setting | Value | Description |
| --- | --- | --- |
| CalendarSyncEnabled | True or false | Specifies whether calendar sync and other Exchange Server services are enabled. |
| DomainName | Domain of the device account when you are using Active Directory | To use a device account from Active Directory, you should specify both **DomainName** and **UserName** for the device account. |
| DomainName | Domain of the device account when using Active Directory | To use a device account from Active Directory, you should specify both **DomainName** and **UserName** for the device account. |
| Email | Email address | Email address of the device account. |
| ExchangeServer | Exchange Server | Normally, the device will try to automatically discover the Exchange server. This field is only required if automatic discovery fails. |
| Password | Password | Password for the device account. |
| PasswordRotationEnabled | 0 = enabled</br>1 = disabled | Specifies whether automatic password rotation is enabled. If you enforce a password expiration policy on the device account, use this setting to allow the device to manage its own password by changing it frequently, without requiring you to manually update the account information when the password expires. You can reset the password at any time using Active Directory or Azure AD. |
| PasswordRotationEnabled | 0 = enabled</br>1 = disabled | Specifies whether automatic password rotation is enabled. If you enforce a password expiration policy on the device account, then use this setting to allow the device to manage its own password. It can change the password frequently, without requiring you to manually update the account information when the password expires. You can reset the password at any time using Active Directory or Azure AD. |
| SipAddress | Session Initiation Protocol (SIP) address | Normally, the device will try to automatically discover the SIP. This field is only required if automatic discovery fails. |
| UserName | User name | Username of the device account when you are using Active Directory. |
| UserName | User name | Username of the device account when using Active Directory. |
| UserPrincipalName | User principal name (UPN) | To use a device account from Azure Active Directory or a hybrid deployment, you should specify the UPN of the device account. |
| ValidateAndCommit | Any text | Validates the data provided and then commits the changes. This process occurs automatically after the other DeviceAccount settings are applied. The text you enter for the ValidateAndCommit setting doesn't matter. |
@ -62,11 +62,11 @@ Enter the name that users will see when they want to project wirelessly to the d
## MaintenanceHours
Maintenance hours are the period of time during which automatic maintenance tasks are performed.
Maintenance hours are the period of time when automatic maintenance tasks are run.
| Setting | Value | Description |
| --- | --- | --- |
| Duration | Duration in minutes. For example, to set a 3-hour duration, set this value to 180. | The amount of time the device will be in maintenance, when the device will continue to download or install updates. |
| Duration | Duration in minutes. For example, to set a three hour duration, set this value to 180. | The amount of time the device will be in maintenance, when the device will continue to download or install updates. |
| StartTime | Start time in minutes from midnight. For example, to set a 2:00 am start time, set this value to 120 | Start time for when device is allowed to start downloading and installing updates. |
## OMSAgent
@ -75,7 +75,7 @@ Configures the Operations Management Suite workspace.
| Setting | Value | Description |
| --- | --- | --- |
| WorkspaceID | GUID | GUID identifying the Operations Management Suite workspace ID to collect the data. Set this to an empty string to disable the MOM agent. |
| WorkspaceID | GUID | GUID identifying the Operations Management Suite workspace ID to collect the data. Set this value to an empty string to disable the MOM agent. |
| WorkspaceKey | Key | Primary key for authenticating with the workspace. |
## Properties
@ -85,7 +85,7 @@ Configures the Operations Management Suite workspace.
| AllowAutoProxyAuth | True or false | Specifies if the Surface Hub can use the device account to authenticate into proxy servers requiring authentication. |
| AllowSessionResume | True or false | Specifies if users are allowed to resume their session after session timeout. |
| DefaultVolume | Numeric value between 0 and 100 | Default speaker volume. Speaker volume will be set to this value at every session startup. |
| DisableSigninSuggestions | True or false | Specifies if the Surface Hub will not show suggestions when users try to sign in to see their meetings and files. |
| DisableSigninSuggestions | True or false | Specifies if the Surface Hub won't show suggestions when users try to sign in to see their meetings and files. |
| DoNotShowMyMeetingsAndFiles | True or false | Specifies if users can sign in and have full access to personal meetings and most recently used documents. |
| ScreenTimeout | Select minutes from dropdown menu | The time (in minutes) of inactivity after which the Surface Hub will turn off its screen. |
| SessionTimeout | Select minutes from dropdown menu | The time (in minutes) of inactivity after which the Surface Hub will time out the current session and return to the welcome screen. |
@ -105,6 +105,6 @@ Configures the Operations Management Suite workspace.
| CurrentBackgroundPath | Https URL to a PNG file | Background image for the welcome screen. |
| MeetingInfoOption | 0 = organizer and time only</br>1 = organizer, time, and subject (subject is hidden for private meetings) | Specifies whether meeting information is displayed on the welcome screen. |
## Related topics
## Related articles
- [SurfaceHub configuration service provider (CSP)](/windows/client-management/mdm/surfacehub-csp)

8
windows/configuration/wcd/wcd-workplace.md
View File

@ -22,11 +22,11 @@ Use Workplace settings to configure bulk user enrollment to a mobile device mana
| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
| --- | :---: | :---: | :---: | :---: | :---: |
| [Enrollments](#enrollments) | X | X | X | | X |
| [Enrollments](#enrollments) | ✔️ | ✔️ | ✔️ | | ✔️ |
## Enrollments
Select **Enrollments**, enter a UPN, and then click **Add** to configure the settings for the enrollment. The UPN is a unique identifier for enrollment. For bulk enrollment, this must a service account that is allowed to enroll multiple users. Example, "generic-device@contoso.com"
Select **Enrollments**, enter a UPN, and then select **Add** to configure the settings for the enrollment. The UPN is a unique identifier for enrollment. For bulk enrollment, this value must be a service account that's allowed to enroll multiple users. For example, use `generic-device@contoso.com`.
| Settings | Value | Description |
| --- | --- | --- |
@ -34,8 +34,8 @@ Select **Enrollments**, enter a UPN, and then click **Add** to configure the set
| DiscoveryServiceFullUrl | URL | The full URL for the discovery service |
| EnrollmentServiceFullUrl | URL | The full URL for the enrollment service |
| PolicyServiceFullUrl | URL | The full URL for the policy service |
| Secret | - Password string for on-premises authentication enrollment</br>- Federated security token for federated enrollment</br>- Certificate thumb print for certificate-based enrollment | Enter the appropriate value for the selected AuthPolicy |
| Secret | - Password string for on-premises authentication enrollment</br>- Federated security token for federated enrollment</br>- Certificate thumb print for certificate-based enrollment | Enter the appropriate value for the selected AuthPolicy. |
## Related topics
## Related articles
- [Provisioning configuration service provider (CSP)](/windows/client-management/mdm/provisioning-csp)

14
windows/configuration/wcd/wcd.md
View File

@ -24,10 +24,7 @@ This section describes the settings that you can configure in [provisioning pack
| [Accounts](wcd-accounts.md) | ✔️ | ✔️ | ✔️ | ✔️ |
| [ADMXIngestion](wcd-admxingestion.md) | ✔️ | | | |
| [AssignedAccess](wcd-assignedaccess.md) | ✔️ | | ✔️ | |
| [AutomaticTime](wcd-automatictime.md) | | | | |
| [Browser](wcd-browser.md) | ✔️ | ✔️ | | |
| [CallAndMessagingEnhancement](wcd-callandmessagingenhancement.md) | | | | |
| [Calling](wcd-calling.md) | | | | |
| [CellCore](wcd-cellcore.md) | ✔️ | | | |
| [Cellular](wcd-cellular.md) | ✔️ | | | |
| [Certificates](wcd-certificates.md) | ✔️ | ✔️ | ✔️ | ✔️ |
@ -38,7 +35,6 @@ This section describes the settings that you can configure in [provisioning pack
| [DesktopBackgroundAndColors](wcd-desktopbackgroundandcolors.md) | ✔️ | | | |
| [DeveloperSetup](wcd-developersetup.md) | | | ✔️ | |
| [DeviceFormFactor](wcd-deviceformfactor.md) | ✔️ | ✔️ | | |
| [DeviceInfo](wcd-deviceinfo.md) | | | | |
| [DeviceManagement](wcd-devicemanagement.md) | ✔️ | ✔️ | ✔️ | |
| [DeviceUpdateCenter](wcd-deviceupdatecenter.md) | ✔️ | | | |
| [DMClient](wcd-dmclient.md) | ✔️ | ✔️ | | ✔️ |
@ -47,27 +43,18 @@ This section describes the settings that you can configure in [provisioning pack
| [FirewallConfiguration](wcd-firewallconfiguration.md) | | | | ✔️ |
| [FirstExperience](wcd-firstexperience.md) | | | ✔️ | |
| [Folders](wcd-folders.md) |✔️ | ✔️ | | |
| [InitialSetup](wcd-initialsetup.md) | | | | |
| [InternetExplorer](wcd-internetexplorer.md) | | | | |
| [KioskBrowser](wcd-kioskbrowser.md) | | | | ✔️ |
| [Licensing](wcd-licensing.md) | ✔️ | | | |
| [Location](wcd-location.md) | | | | ✔️ |
| [Maps](wcd-maps.md) |✔️ | ✔️ | | |
| [Messaging](wcd-messaging.md) | | | | |
| [ModemConfigurations](wcd-modemconfigurations.md) | | | | |
| [Multivariant](wcd-multivariant.md) | | | | |
| [NetworkProxy](wcd-networkproxy.md) | | ✔️ | | |
| [NetworkQOSPolicy](wcd-networkqospolicy.md) | | ✔️ | | |
| [NFC](wcd-nfc.md) | | | | |
| [OOBE](wcd-oobe.md) | ✔️ | | | |
| [OtherAssets](wcd-otherassets.md) | | | | |
| [Personalization](wcd-personalization.md) | ✔️ | | | |
| [Policies](wcd-policies.md) | ✔️ | ✔️ | ✔️ | ✔️ |
| [Privacy](wcd-folders.md) |✔️ | ✔️ | | ✔️ |
| [ProvisioningCommands](wcd-provisioningcommands.md) | ✔️ | | | |
| [RcsPresence](wcd-rcspresence.md) | | | | |
| [SharedPC](wcd-sharedpc.md) | ✔️ | | | |
| [Shell](wcd-shell.md) | | | | |
| [SMISettings](wcd-smisettings.md) | ✔️ | | | |
| [Start](wcd-start.md) | ✔️ | | | |
| [StartupApp](wcd-startupapp.md) | | | | ✔️ |
@ -76,7 +63,6 @@ This section describes the settings that you can configure in [provisioning pack
| [SurfaceHubManagement](wcd-surfacehubmanagement.md) | | ✔️ | | |
| [TabletMode](wcd-tabletmode.md) |✔️ | ✔️ | | |
| [TakeATest](wcd-takeatest.md) | ✔️ | | | |
| [TextInput](wcd-textinput.md) | | | | |
| [Time](wcd-time.md) | ✔️ | | | |
| [UnifiedWriteFilter](wcd-unifiedwritefilter.md) | ✔️ | | | ✔️ |
| [UniversalAppInstall](wcd-universalappinstall.md) | ✔️ | ✔️ | | ✔️ |

2
windows/deployment/TOC.yml
View File

@ -208,6 +208,8 @@
href: update/update-compliance-security-update-status.md
- name: Feature update status report
href: update/update-compliance-feature-update-status.md
- name: Safeguard holds report
href: update/update-compliance-safeguard-holds.md
- name: Delivery Optimization in Update Compliance
href: update/update-compliance-delivery-optimization.md
- name: Data handling and privacy in Update Compliance

2
windows/deployment/planning/windows-10-deprecated-features.md
View File

@ -28,7 +28,7 @@ The features described below are no longer being actively developed, and might b
|Feature | Details and mitigation | Announced in version |
| ----------- | --------------------- | ---- |
| BitLocker To Go Reader | Reading of BitLocker-protected removable drives ([BitLocker To Go](/windows/security/information-protection/bitlocker/bitlocker-to-go-faq)) from Windows XP or Windows Vista in later operating systems is deprecated and might be removed in a future release of Windows 10/11.<br>The following items might not be available in a future release of Windows client:<br>- ADMX policy: **Allow access to BitLocker-protected removable data drives from earlier versions of Windows**<br>- Command line parameter: [manage-bde -DiscoveryVolumeType](/windows-server/administration/windows-commands/manage-bde-on) (-dv)<br>- Catalog file: **c:\windows\BitLockerDiscoveryVolumeContents**<br>- BitLocker 2 Go Reader app: **bitlockertogo.exe** and associated files | 21H1 |
| BitLocker To Go Reader | **Note: BitLocker to Go as a feature is still supported.**<br>Reading of BitLocker-protected removable drives ([BitLocker To Go](/windows/security/information-protection/bitlocker/bitlocker-to-go-faq)) from Windows XP or Windows Vista in later operating systems is deprecated and might be removed in a future release of Windows 10/11.<br>The following items might not be available in a future release of Windows client:<br>- ADMX policy: **Allow access to BitLocker-protected removable data drives from earlier versions of Windows**<br>- Command line parameter: [manage-bde -DiscoveryVolumeType](/windows-server/administration/windows-commands/manage-bde-on) (-dv)<br>- Catalog file: **c:\windows\BitLockerDiscoveryVolumeContents**<br>- BitLocker 2 Go Reader app: **bitlockertogo.exe** and associated files | 21H1 |
| Internet Explorer (IE) 11 | The IE11 desktop application will end support for certain operating systems starting June 15, 2022. For more information, see [Internet Explorer 11](/lifecycle/products/internet-explorer-11). | 21H1 |
| Personalization roaming | Roaming of Personalization settings (including wallpaper, slideshow, accent colors, and lock screen images) is no longer being developed and might be removed in a future release. | 21H1 |
| Windows Management Instrumentation Command line (WMIC) tool. | The WMIC tool is deprecated in Windows 10, version 21H1 and the 21H1 semi-annual channel release of Windows Server. This tool is superseded by [Windows PowerShell for WMI](/powershell/scripting/learn/ps101/07-working-with-wmi). Note: This deprecation only applies to the [command-line management tool](/windows/win32/wmisdk/wmic). WMI itself is not affected. | 21H1 |

13
windows/deployment/update/deployment-service-overview.md
View File

@ -29,6 +29,7 @@ The deployment service is designed for IT Pros who are looking for more control
- You can stage deployments over a period of days or weeks by using rich expressions (for example, deploy 20H2 to 500 devices per day, beginning on March 14, 2021).
- You can bypass pre-configured Windows Update for Business policies to immediately deploy a security update across your organization when emergencies arise.
- You can benefit from deployments with automatic piloting tailored to your unique device population to ensure coverage of hardware and software in your organization.
- You can use safeguards against likely update issues that have been identified by Microsoft machine-learning algorithms and automatically hold the deployment for any affected devices.
The service is privacy focused and backed by leading industry compliance certifications.
@ -52,7 +53,6 @@ Using the deployment service typically follows a common pattern:
2. The chosen tool conveys your approval, scheduling, and device selection information to the deployment service.
3. The deployment service processes the content approval and compares it with previously approved content. Final update applicability is determined and conveyed to Windows Update, which then offers approved content to devices on their next check for updates.
The deployment service exposes these capabilities through Microsoft [Graph REST APIs](/graph/overview). You can call the APIs directly, through a Graph SDK, or integrate them with a management tool such as Microsoft Endpoint Manager.
## Prerequisites
@ -74,7 +74,6 @@ Additionally, your organization must have one of the following subscriptions:
- Windows Virtual Desktop Access E3 or E5
- Microsoft 365 Business Premium
## Getting started
To use the deployment service, you use a management tool built on the platform, script common actions using PowerShell, or build your own application.
@ -87,7 +86,6 @@ Microsoft Endpoint Manager integrates with the deployment service to provide Win
The Microsoft Graph SDK includes a PowerShell extension that you can use to script and automate common update actions. For more information, see [Get started with the Microsoft Graph PowerShell SDK](/graph/powershell/get-started).
### Building your own application
Microsoft Graph makes deployment service APIs available through. Get started with these learning paths:
@ -113,14 +111,19 @@ This built-in piloting capability complements your existing ring structure and p
You should continue to use deployment rings as part of the servicing strategy for your organization, but use gradual rollouts to add scheduling convenience and additional protections within each ring.
### Safeguard holds against likely and known issues
Microsoft uses [safeguard holds](/windows/deployment/update/safeguard-holds) to protect devices from encountering known quality or compatibility issues by preventing them from installing the update or upgrade. For Windows 11 deployments, the deployment service extends these safeguard holds to also protect devices that Microsoft identifies as being at a higher risk of experiencing problems after an update (such as operating system rollbacks, app crashes, or graphics issues). The service temporarily holds the deployment for these devices while Microsoft investigates the likely issue. Safeguard holds apply to deployments by default, but you can opt out.
To verify whether a device is affected by a safeguard hold, see [Am I affected by a safeguard hold?](/windows/deployment/update/safeguard-holds#am-i-affected-by-a-safeguard-hold)
### Monitoring deployments to detect rollback issues
During deployments of Windows 11 or Windows 10 feature updates, driver combinations can sometimes result in an unexpected update failure that makes the device revert to the previously installed operating system version. The deployment service can monitor devices for such issues and automatically pause deployments when this happens, giving you time to detect and mitigate issues.
### How to enable deployment protections
Deployment scheduling controls are always available, but to take advantage of the unique deployment protections tailored to your organization, devices must share diagnostic data with Microsoft.
Deployment scheduling controls are always available, but to take advantage of the unique deployment protections tailored to your population, devices must share diagnostic data with Microsoft.
#### Device prerequisites

BIN
windows/deployment/update/images/uc-workspace-safeguard-holds-device-view.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 52 KiB

BIN
windows/deployment/update/images/uc-workspace-safeguard-holds-safeguard-hold-view.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 27 KiB

14
windows/deployment/update/safeguard-holds.md
View File

@ -17,27 +17,27 @@ ms.topic: article
- Windows 10
- Windows 11
Microsoft uses quality and compatibility data to identify issues that might cause a Windows client feature update to fail or roll back. When we find such an issue, we might apply holds to the updating service to prevent affected devices from installing the update in order to safeguard them from these experiences. We also use holds when a customer, a partner, or Microsoft internal validation finds an issue that would cause severe impact (for example, rollback of the update, data loss, loss of connectivity, or loss of key functionality) and when a workaround is not immediately available.
Microsoft uses quality and compatibility data to identify issues that might cause a Windows client feature update to fail or roll back. When we find such an issue, we might apply safeguard holds to the updating service to prevent affected devices from installing the update in order to safeguard them from these experiences. We also use safeguard holds when a customer, a partner, or Microsoft internal validation finds an issue that would cause severe impact (for example, rollback of the update, data loss, loss of connectivity, or loss of key functionality) and when a workaround is not immediately available.
Safeguard holds prevent a device with a known issue from being offered a new operating system version. We renew the offering once a fix is found and verified. We use holds to ensure customers have a successful experience as their device moves to a new version of Windows client.
The lifespan of holds varies depending on the time required to investigate and fix an issue. During this time Microsoft works diligently to procure, develop, and validate a fix and then offer it to affected devices. We monitor quality and compatibility data to confirm that a fix is complete before releasing the hold. Once we release the hold, Windows Update will resume offering new operating system versions to devices.
The lifespan of safeguard holds varies depending on the time required to investigate and fix an issue. During this time, Microsoft works diligently to procure, develop, and validate a fix and then offer it to affected devices. We monitor quality and compatibility data to confirm that a fix is complete before releasing the safeguard hold. Once we release the safeguard hold, Windows Update will resume offering new operating system versions to devices.
Safeguard holds only affect devices that use the Window Update service for updates. We encourage IT admins who manage updates to devices through other channels (such as media installations or updates coming from Windows Server Update Services) to remain aware of known issues that might also be present in their environments.
Safeguard holds only affect devices that use the Windows Update service for updates. We encourage IT admins who manage updates to devices through other channels (such as media installations or updates coming from Windows Server Update Services) to remain aware of known issues that might also be present in their environments.
IT admins managing updates using the [Windows Update for Business deployment service](/windows/deployment/update/deployment-service-overview) also benefit from safeguard holds on devices that are likely to be affected by an issue. To learn more, see [Safeguard holds against likely and known issues](/windows/deployment/update/deployment-service-overview#safeguard-holds-against-likely-and-known-issues).
## Am I affected by a safeguard hold?
IT admins can use [Update Compliance](update-compliance-feature-update-status.md#safeguard-holds) to monitor various update health metrics for devices in their organization, including ones affected by a safeguard hold that prevents them from updating to a newer operating system version.
IT admins can use [Update Compliance](update-compliance-monitor.md) to monitor various update health metrics for devices in their organization. Update Compliance provides a [Safeguard Holds report](/windows/deployment/update/update-compliance-safeguard-holds), as well as [queries in the Feature Update Status report](/windows/deployment/update/update-compliance-feature-update-status), to provide you insight into the safeguard holds that are preventing devices from updating or upgrading.
Queries identify Safeguard IDs for each affected device, giving IT admins a detailed view into the various protections extended to devices. Safeguard IDs for publicly discussed known issues are also included in the [Windows release health](/windows/release-health/) dashboard, where you can easily find information related to publicly available safeguards.
The Update Compliance reports identify safeguard holds by their 8-digit identifiers. For safeguard holds associated with publicly discussed known issues, you can find additional details about the issue on the [Windows release health](/windows/release-health/) dashboard by searching for the safeguard hold ID on the **Known issues** page for the relevant release.
On devices that use Windows Update (but not Windows Update for Business), the **Windows Update** page in the Settings app displays a message stating that an update is on its way, but not ready for the device. Instead of the option to download and install the update, users will see this message:
![Feature update message reading "The Windows 10 May 2020 Update is on its way. Once it's ready for your device, you'll see the update available on this page.](images/safeguard-hold-notification.png)
If you see this message, it means one or more holds affect your device. When the issue is fixed and the update is safe to install, well release the hold and the update can resume safely.
This message means that the device is protected by one or more safeguard holds. When the issue is resolved and the update is safe to install, we will release the safeguard hold and the update can resume safely.
## What can I do?

13
windows/deployment/update/update-compliance-feature-update-status.md
View File

@ -43,18 +43,21 @@ Refer to the following list for what each state means:
## Safeguard holds
Microsoft uses diagnostic data to determine whether devices that use Windows Update are ready for a feature update in order to ensure a smooth experience. When Microsoft determines a device is not ready to update due to a known issue, a *safeguard hold* is generated to delay the device's upgrade and protect the end-user experience. Holds are released over time as diagnostic data is analyzed and fixes are addressed. Details are provided on some, but not all safeguard holds on the Windows client release information pages for any given release.
Microsoft uses diagnostic data to determine whether devices that use Windows Update are ready for a feature update in order to ensure a smooth experience. When Microsoft determines a device is not ready to update due to a known issue, a *safeguard hold* is generated to delay the device's upgrade and protect the end-user experience. Safeguard holds are released over time as diagnostic data is analyzed and fixes are addressed. Details are provided on some, but not all safeguard holds on the Windows client release information pages for any given release.
### Queries for safeguard holds
Update Compliance reporting offers two queriesto help you retrieve data related to safeguard holds.These queries show data for devices that are configured to send diagnostic data at the *Optional* level (previously *Full*). For Windows 10 devices, devices configured to send diagnostic data at *Enhanced* level are also included.
> [!TIP]
> For a new Update Compliance report with additional information on safeguard holds, try the [Safeguard Holds report](/windows/deployment/update/update-compliance-safeguard-holds).
The Feature Update Status report offers two queriesto help you retrieve data related to safeguard holds.These queries show data for devices that are configured to send diagnostic data at the *Optional* level (previously *Full*). For Windows 10 devices, devices configured to send diagnostic data at *Enhanced* level are also included.
The first queryshows the device data for alldevices that are affected by safeguard holds. The second queryshows data specific to devices running the target build.
![Left pane showing Need Attention, Security update status, feature update status, and Windows Defender AV status, with Need Attention selected. Right pane shows the list of queries relevant to the Need Attention status, with "Devices with a safeguard hold" and "Target build distribution of devices with a safeguard hold" queries highlighted](images/UC_workspace_safeguard_queries.png)
Update Compliance reporting will display the Safeguard IDs for known issues affecting a device in the **DeploymentErrorCode** column. Safeguard IDs for publicly discussed known issues are also included in the Windows Release Health dashboard, where you can easily find information related to publicly available safeguards.
Update Compliance reporting will display the safeguard hold IDs for known issues affecting a device in the **DeploymentErrorCode** column. Safeguard hold IDs for publicly discussed known issues are also included in the Windows Release Health dashboard, where you can easily find information related to publicly available safeguards.
### Opt out of safeguard hold
### Opt out of safeguard holds
You can [opt out of safeguard protections](safeguard-opt-out.md) by using the **Disable safeguards for Feature Updates** Group Policy. This policy is available to Windows Update for Business devices running Windows 10, version 1809 or later that have installed the October 2020 security update.
You can [opt out of safeguard holds](safeguard-opt-out.md) protecting against known issues by using the **Disable safeguards for Feature Updates** Group Policy. This policy is available to Windows Update for Business devices running Windows 10, version 1809 or later that have installed the October 2020 security update.

61
windows/deployment/update/update-compliance-safeguard-holds.md Normal file
View File

@ -0,0 +1,61 @@
---
title: Update Compliance - Safeguard Holds report
ms.reviewer:
manager: laurawi
description: Learn how the Safeguard Holds report provides information about safeguard holds in your population.
ms.prod: w10
ms.mktglfcycl: deploy
ms.pagetype: deploy
audience: itpro
itproauthor: jaimeo
author: jaimeo
ms.author: jaimeo
ms.collection: M365-analytics
ms.topic: article
ms.custom: seo-marvel-apr2020
---
# Safeguard Holds
**Applies to**
- Windows 10
- Windows 11
The Safeguard Holds report provides information about devices in your population that are affected by a [safeguard hold](/windows/deployment/update/safeguard-holds).
Microsoft uses diagnostic data to determine whether devices that use Windows Update are ready for a feature update in order to ensure a smooth experience. When Microsoft determines a device is not ready to update due to a known issue, a *safeguard hold* is generated to delay the device's upgrade and protect the end-user experience. Safeguard holds are released over time as diagnostic data is analyzed and fixes are addressed. Details are provided on some, but not all safeguard holds on the Windows client release information pages for any given release.
Update Compliance provides two views into the safeguard holds that apply to devices in your population. The report shows data for devices that are configured to send diagnostic data at the *Optional* level (previously *Full*). For Windows 10 devices, devices configured to send diagnostic data at *Enhanced* level are also included.
The safeguard hold report can be found in a different location from the other Update Compliance reports. To access the safeguard hold report, follow the instructions below.
1. Navigate to your Log Analytics workspace to which Update Compliance is deployed.
2. In the left-hand menu, select **Solutions**.
3. Select the solution named **WaaSUpdateInsights(\<your workspace name\>)**. (This summary page is also where the Update Compliance tile is located.)
4. In the left-hand menu, select **Workbooks**.
5. Under the subsection **WaaSUpdateInsights**, select the workbook named **Safeguard Holds**.
## Safeguard hold view
![The safeguard hold view of the Safeguard Hold report.](images/uc-workspace-safeguard-holds-safeguard-hold-view.png)
The safeguard hold view shows which safeguard holds apply to devices in your population, and how many devices are affected by each safeguard hold. You can use the **Safeguard hold ID(s)** dropdown at the top of the report to filter the chart and corresponding table to show only the selected safeguard hold IDs. Note that a device can be affected by more than one safeguard hold.
## Device view
![The device view of the Safeguard Hold report.](images/uc-workspace-safeguard-holds-device-view.png)
The device view shows which devices are affected by safeguard holds. In the **Safeguard Hold IDs** column of the table, you can find a list of the safeguard holds that apply to each device. You can also use the **Safeguard hold ID(s)** dropdown at the top of the report to filter the table to show only devices affected by the selected safeguard hold IDs.
## Getting additional information about a safeguard hold
For safeguard holds protecting devices against publicly discussed known issues, you can find their 8-digit identifier on the [Windows release health](/windows/release-health/) page under **Known issues** corresponding to the relevant release.
Devices managed by the [Windows Update for Business deployment service](/windows/deployment/update/deployment-service-overview) that are affected by a safeguard hold for a likely issue are listed in the report with the safeguard hold ID value **00000001**.
## Opt out of safeguard holds
To opt out of safeguard holds protecting against known issues, see [Opt out of safeguard holds](/windows/deployment/update/safeguard-opt-out).
To opt out of safeguard holds protecting against likely issues (applicable to devices managed by the deployment service), see [Manage safeguards for a feature update deployment using the Windows Update for Business deployment service](/graph/windowsupdates-manage-safeguards).

4
windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
View File

@ -12,7 +12,7 @@ manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
ms.date: 09/23/2021
ms.date: 11/02/2021
ms.reviewer:
---
@ -389,7 +389,7 @@ The registry keys for the smart card KSP are in **HKEY\_LOCAL\_MACHINE\\SYSTEM\\
| **AllowPrivateSignatureKeyImport** | A non-zero value allows RSA signature private keys to be imported for use in key archival scenarios.<br>Default value: 00000000 |
| **DefaultPrivateKeyLenBits** | Defines the default length for private keys, if desired.<br>Default value: 00000400<br>Default key generation parameter: 1024-bit keys |
| **RequireOnCardPrivateKeyGen** | This key sets the flag that requires on-card private key generation (default). If this value is set, a key generated on a host can be imported into the smart card. This is used for smart cards that don't support on-card key generation or where key escrow is required.<br>Default value: 00000000 |
| **TransactionTimeoutMilliseconds** | Default timeout values allow you to specify whether transactions that take an excessive amount of time will fail.<br>Default value: 000005dc1500<br>The default timeout for holding transactions to the smart card is 1.5 seconds. |
| **TransactionTimeoutMilliseconds** | Default timeout values allow you to specify whether transactions that take an excessive amount of time will fail.<br>Default value: 000005dc<br>The default timeout for holding transactions to the smart card is 1.5 seconds. |
**Additional registry keys for the smart card KSP**

6
windows/security/threat-protection/windows-defender-application-control/wdac-wizard-editing-policy.md
View File

@ -32,9 +32,9 @@ ms.technology: windows-sec
The WDAC Wizard makes editing and viewing WDAC policies easier than the PowerShell cmdlets or manually. The Wizard currently supports the following editing capabilities:
<ul>
<li>[Configuring policy rules](#configuring-policy-rules)</li>
<li>[Adding new allow or block file rules to existing policies](#adding-file-rules)</li>
<li>[Removing allow or block file rules on existing policies](#removing-file-rules)</li>
<li><a href="#configuring-policy-rules">Configuring policy rules</a></li>
<li><a href="#adding-file-rules">Adding new allow or block file rules to existing policies</a></li>
<li><a href="#removing-file-rules">Removing allow or block file rules on existing policies</a></li>
</ul>
## Configuring Policy Rules

2
windows/security/threat-protection/windows-sandbox/windows-sandbox-architecture.md
View File

@ -42,7 +42,7 @@ Because Windows Sandbox runs the same operating system image as the host, it has
## Integrated kernel scheduler
With ordinary virtual machines, the Microsoft hypervisor controls the scheduling of the virtual processors running in the VMs. Windows Sandbox uses new technology called "integrated scheduling," which allows the host scheduler to decide when the sandbox gets CPU cycles.
With ordinary virtual machines, the Microsoft hypervisor controls the scheduling of the virtual processors running in the VMs. Windows Sandbox uses a new technology called "integrated scheduling," which allows the host scheduler to decide when the sandbox gets CPU cycles.
![A chart compares the scheduling in Windows Sandbox versus a traditional VM.](images/4-integrated-kernal.png)