diff --git a/browsers/edge/docfx.json b/browsers/edge/docfx.json index b6f6ce3ed2..d77b68f7fb 100644 --- a/browsers/edge/docfx.json +++ b/browsers/edge/docfx.json @@ -53,6 +53,7 @@ "garycentric" ] }, + "fileMetadata": {}, "template": "op.html", "dest": "browsers/edge", "markdownEngineName": "markdig" diff --git a/windows/client-management/join-windows-10-mobile-to-azure-active-directory.md b/windows/client-management/join-windows-10-mobile-to-azure-active-directory.md deleted file mode 100644 index a7d84c9fb8..0000000000 --- a/windows/client-management/join-windows-10-mobile-to-azure-active-directory.md +++ /dev/null 
@@ -1,205 +0,0 @@ ---- -title: Join Windows 10 Mobile to Azure Active Directory (Windows 10) -description: Devices running Windows 10 Mobile can join Azure Active Directory (Azure AD) when the device is configured during the out-of-box experience (OOBE). -ms.assetid: 955DD9EC-3519-4752-827E-79CEB1EC8D6B -ms.reviewer: -manager: dansimp -ms.author: dansimp -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: mobile -author: dansimp -ms.localizationpriority: medium -ms.date: 09/21/2017 -ms.topic: article ---- - -# Join Windows 10 Mobile to Azure Active Directory - - -**Applies to** - -- Windows 10 Mobile - -Devices running Windows 10 Mobile can join Azure Active Directory (Azure AD) when the device is configured during the out-of-box experience (OOBE). This article describes the considerations and options for using Windows 10 Mobile with Azure AD in your organization. - -## Why join Windows 10 Mobile to Azure AD - - -When a device running Windows 10 Mobile is joined to Azure AD, the device can exclusively use a credential owned by your organization, and you can ensure users sign in using the sign-in requirements of your organization. Joining a Windows 10 Mobile device to Azure AD provides many of the same benefits as joining desktop devices, such as: - -- Single sign-on (SSO) in applications like Mail, Word, and OneDrive using resources backed by Azure AD. - -- SSO in Microsoft Edge browser to Azure AD-connected web applications like Microsoft 365 admin center, Visual Studio, and more than [2500 non-Microsoft apps](https://go.microsoft.com/fwlink/p/?LinkID=746211). - -- SSO to resources on-premises. - -- Automatically enroll in your mobile device management (MDM) service. - -- Enable enterprise roaming of settings. (Not currently supported but on roadmap) - -- Use Microsoft Store for Business to target applications to users. - -## Are you upgrading current devices to Windows 10 Mobile? 
- - -Windows Phone 8.1 only supported the ability to connect the device to personal cloud services using a Microsoft account for authentication. This required creating Microsoft accounts to be used for work purposes. In Windows 10 Mobile, you have the ability to join devices directly to Azure AD without requiring a personal Microsoft account. - -If you have existing Windows Phone 8.1 devices, the first thing to understand is whether the devices you have can be upgraded to Windows 10 Mobile. Microsoft will be releasing more information about upgrade availability soon. As more information becomes available, it will be posted at [How to get Windows 10 Mobile]( https://go.microsoft.com/fwlink/p/?LinkId=746312). Premier Enterprise customers that have a business need to postpone Windows 10 Mobile upgrade should contact their Technical Account Manager to understand what options may be available. - -Before upgrading and joining devices to Azure AD, you will want to consider existing data usage. How users are using the existing devices and what data is stored locally will vary for every customer. Are text messages used for work purposes and need to be backed up and available after the upgrade? Are there photos stored locally or stored associated with an Microsoft account? Are there device and app settings that to be retained? Are there contacts stored in the SIM or associated with an Microsoft account? You will need to explore methods for capturing and storing the data that needs to be retained before you join the devices to Azure AD. Photos, music files, and documents stored locally on the device can be copied from the device using a USB connection to a PC. - -To join upgraded mobile devices to Azure AD, [the devices must be reset](reset-a-windows-10-mobile-device.md) to start the out-of-box experience for device setup. Joining a device to Azure AD is not a change that can be done while maintaining existing user data. 
This is similar to changing a device from personally owned to organizationally owned. When a user joins an organization’s domain, the user is then required to log in as the domain user and start with a fresh user profile. A new user profile means there would not be any persisted settings, apps, or data from the previous personal profile. - -If you want to avoid the device reset process, consider [adding work accounts](#add-work-account) rather than joining the devices to Azure AD. - -## The difference between "Add work account" and "Azure AD Join" - - -Even though Azure AD Join on Windows 10 Mobile provides the best overall experience, there are two ways that you can use an added work account instead of joining the device to Azure AD due to organizational requirements. - -- You can complete OOBE using the **Sign in later** option. This lets you start using Windows 10 Mobile with any connected Azure AD account or Microsoft account. - -- You can add access to Azure AD-backed resources on the device without resetting the device. - -However, neither of these methods provides SSO in the Microsoft Store or SSO to resources on-premises, and does not provide the ability to roam settings based on the Azure AD account using enterprise roaming. [Learn about enterprise state roaming in Azure AD.](/azure/active-directory/devices/enterprise-state-roaming-overview) - -Using **Settings** > **Accounts** > **Your email and accounts** > **Add work or school account**, users can add their Azure AD account to the device. Alternatively, a work account can be added when the user signs in to an application like Mail, Word, etc. If you [enable auto-enrollment in your MDM settings](https://go.microsoft.com/fwlink/p/?LinkID=691615), the device will automatically be enrolled in MDM. 
- -An added work account provides the same SSO experience in browser apps like Office 365 (Office portal, Outlook on the web, Calendar, People, OneDrive), Azure AD profile and change password app, and Visual Studio. You get SSO to built-in applications like Mail, Calendar, People, OneDrive and files hosted on OneDrive without prompts for a password. In Office apps like Microsoft Word, Microsoft Excel, etc., you simply select the Azure AD account and you are able to open files without entering a password. - -## Preparing for Windows 10 Mobile - - -- **Azure AD configuration** - - Currently, Azure AD Join only supports self-provisioning, meaning the credentials of the user of the device must be used during the initial setup of the device. If your mobile operator prepares devices on your behalf, this will impact your ability to join the device to Azure AD. Many IT administrators may start with a desire to set up devices for their employees, but the Azure AD Join experience is optimized for end-users, including the option for automatic MDM enrollment. - - By default, Azure AD is set up to allow devices to join and to allow users to use their corporate credentials on organizational-owned devices or personal devices. The blog post [Azure AD Join on Windows 10 devices](https://go.microsoft.com/fwlink/p/?LinkID=616791) has more information on where you can review your Azure AD settings. You can configure Azure AD to not allow anyone to join, to allow everyone in your organization to join, or you can select specific Azure AD groups which are allowed to join. - -- **Device setup** - - A device running Windows 10 Mobile can only join Azure AD during OOBE. New devices from mobile operators will be in this state when they are received. Windows Phone 8.1 devices that are [upgraded](#bkmk-upgrade) to Windows 10 Mobile will need to be reset to get back to OOBE for device setup. - -- **Mobile device management** - - An MDM service is required for managing Azure AD-joined devices. 
You can use MDM to push settings to devices, as well as application and certificates used by VPN, Wi-Fi, etc. Azure AD Premium or [Enterprise Mobility Suite (EMS)](https://go.microsoft.com/fwlink/p/?LinkID=723984) licenses are required to set up your Azure AD-joined devices to automatically enroll in MDM. [Learn more about setting up your Azure AD tenant for MDM auto-enrollment.](https://go.microsoft.com/fwlink/p/?LinkID=691615) - -- **Windows Hello** - - Creating a Windows Hello (PIN) is required on Windows 10 Mobile by default and cannot be disabled. You can control Windows Hello policies using controls in MDM, such as Intune. Because the device is joined using organizational credentials, the device must have a PIN to unlock the device. Biometrics such as fingerprint or iris can be used for authentication. Creating a Windows Hello requires the user to perform an multi-factor authentication since the PIN is a strong authentication credential. [Learn more about Windows Hello for Azure AD.](/windows/security/identity-protection/hello-for-business/hello-identity-verification) - -- **Conditional access** - - Conditional access policies are also applicable to Windows 10 Mobile. Multifactor authentication and device compliance policies can be applied to users or resources and require that the user or device satisfies these requirements before access to resources is allowed. Policies like **Domain Join** which support traditional domain joining only apply to desktop PC. Policies dependent on IP range will be tough to enforce on a phone as the IP address of the operator is used unless the user has connected to corporate Wi-Fi or a VPN. - -- **Known issues** - - - The apps for **Device backup and restore** and to sync photos to OneDrive only work with the Microsoft account as the primary account—these apps won’t work on devices joined to Azure AD. 
- - - **Find my Phone** will work depending on how you add a Microsoft account to the device—for example, the Cortana application will sign in with your Microsoft account in a way that makes **Find my Phone** work. Cortana and OneNote both work with Azure AD accounts but must be set up with a Microsoft account first. - - - OneNote requires the user to sign in with a Microsoft account but will also provide access to Notebooks using the Azure AD account. - - - If your organization is configured to federate with Azure AD, your federation proxy will need to be Active Directory Federation Services (ADFS) or a 3rd party which supports WS-Trust endpoints just like ADFS does. - -## How to join Windows 10 Mobile to Azure AD - - -1. During OOBE, on the **Keep your life in sync** screen, choose the option **Sign in with a work account**, and then tap **Next**. - - ![choose how to sign in](images/aadj1.jpg) - -2. Enter your Azure AD account. If your Azure AD account is federated, you will be redirected to your organization's sign-in page; if not, you enter your password here. - - ![sign in](images/aadj2.jpg) - - If you are taken to your organization's sign-in page, you may be required to provide a second factor of authentication. - - ![multi-factor authentication](images/aadj3.jpg) - -3. After authentication completes, the device registration is complete. If your MDM service has a terms of use page, it would be seen here as well. Federated users are required to provide a password again to complete the authentication to Windows. Users with passwords managed in the cloud will not see this additional authentication prompt. This federated login requires your federation server to support a WS-Trust active endpoint. - - ![enter password](images/aadj4.jpg) - -4. Next, you set up a PIN. 
- - ![set up a pin](images/aadjpin.jpg) - - **Note**  To learn more about the PIN requirement, see [Why a PIN is better than a password](/windows/access-protection/hello-for-business/hello-why-pin-is-better-than-password). - -   - -**To verify Azure AD join** - -- Go to **Settings** > **Accounts** > **Your email and accounts**. You will see your Azure AD account listed at the top and also listed as an account used by other apps. If auto-enrollment into MDM was configured, you will see in **Settings** > **Accounts** > **Work Access** that the device is correctly enrolled in MDM. If the MDM is pushing a certificate to be used by VPN, then **Settings** > **Network & wireless** > **VPN** will show the ability to connect to your VPN. - - ![verify that device joined azure ad](images/aadjverify.jpg) - -## Set up mail and calendar - - -Setting up email on your Azure AD joined device is simple. Launching the **Mail** app brings you to the **Accounts** page. Most users will have their email accounts hosted in Office 365 and will automatically start syncing. Just tap **Ready to go**. - -![email ready to go](images/aadjmail1.jpg) - -When email is hosted in on-premises Exchange, the user must provide credentials to establish a basic authentication connection to the Exchange server. Tap **Add account** to see the types of mail accounts you can add, including your Azure AD account. - -![email add an account](images/aadjmail2.jpg) - -After you select an account type, you provide credentials to complete setup for that mailbox. - -![set up email account](images/aadjmail3.jpg) - -Setup for the **Calendar** app is similar. Open the app and you'll see your Azure AD account listed -- just tap **Ready to go**. - -![calendar ready to go](images/aadjcal.jpg) - -Return to **Settings** > **Accounts** > **Your email and accounts**, and you will see your Azure AD account listed for **Email, calendar, and contacts**. 
- -![email, calendar, and contacts](images/aadjcalmail.jpg) - -## Use Office and OneDrive apps - - -Office applications like Microsoft Word and Microsoft PowerPoint will automatically sign you in with your Azure AD account. When you open an Office app, you see a screen that allows you to choose between a Microsoft account and Azure AD account. Office shows this screen while it is automatically signing you in, so just be patient for a couple seconds and Office will automatically sign you in using your Azure AD account. - -Microsoft Word automatically shows the documents recently opened on other devices. Opening a document allows you to jump straight to the same section you were last editing on another device. - -![word](images/aadjword.jpg) - -Microsoft PowerPoint shows your recently opened slide decks. - -![powerpoint](images/aadjppt.jpg) - -The OneDrive application also uses SSO, showing you all your documents and enabling you to open them without any authentication experience. - -![onedrive](images/aadjonedrive.jpg) - -In addition to application SSO, Azure AD joined devices also get SSO for browser applications which trust Azure AD, such as web applications, Visual Studio, Microsoft 365 admin center, and OneDrive for Business. - -![browser apps](images/aadjbrowser.jpg) - -OneNote requires a Microsoft account, but you can use it with your Azure AD account as well. - -![sign in to onenote](images/aadjonenote.jpg) - -After you sign in to OneNote, go to Settings > Accounts, and you will see that your Azure AD account is automatically added. - -![onenote settings](images/aadjonenote2.jpg) - -To see the Notebooks that your Azure AD account has access to, tap **More Notebooks** and select the Notebook you want to open. - -![see more notebooks](images/aadjonenote3.jpg) - -## Use Microsoft Store for Business - - -[Microsoft Store for Business](/microsoft-store/index) allows you to specify applications to be available to your users in the Microsoft Store application. 
These applications show up on a tab titled for your company. Applications approved in the Microsoft Store for Business portal can be installed by users. - -![company tab on store](images/aadjwsfb.jpg) - -  - -  \ No newline at end of file diff --git a/windows/client-management/manage-corporate-devices.md b/windows/client-management/manage-corporate-devices.md index f725f87044..4fc41d68c1 100644 --- a/windows/client-management/manage-corporate-devices.md +++ b/windows/client-management/manage-corporate-devices.md @@ -36,7 +36,6 @@ You can use the same management tools to manage all device types running Windows | [New policies for Windows 10](new-policies-for-windows-10.md) | New Group Policy settings added in Windows 10 | | [Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md) | Group Policy settings that apply only to Windows 10 Enterprise and Windows 10 Education | | [Changes to Group Policy settings for Start in Windows 10](/windows/configuration/changes-to-start-policies-in-windows-10) | Changes to the Group Policy settings that you use to manage Start | -| [Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md) | How to plan for and deploy Windows 10 Mobile devices | | [Introduction to configuration service providers (CSPs) for IT pros](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers) | How IT pros and system administrators can take advantage of many settings available through CSPs to configure devices running Windows 10 and Windows 10 Mobile in their organizations | diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md index e84a683f15..68f4b045a0 100644 --- a/windows/client-management/mdm/applocker-csp.md +++ b/windows/client-management/mdm/applocker-csp.md 
@@ -73,9 +73,7 @@ Defines restrictions for applications. > [!NOTE] > When you create a list of allowed apps, all [inbox apps](#inboxappsandcomponents) are also blocked, and you must include them in your list of allowed apps. Don't forget to add the inbox apps for Phone, Messaging, Settings, Start, Email and accounts, Work and school, and other apps that you need. -> -> In Windows 10 Mobile, when you create a list of allowed apps, the [settings app that rely on splash apps](#settingssplashapps) are blocked. To unblock these apps, you must include them in your list of allowed apps. -> + > Delete/unenrollment is not properly supported unless Grouping values are unique across enrollments. If multiple enrollments use the same Grouping value, then unenrollment will not work as expected since there are duplicate URIs that get deleted by the resource manager. To prevent this problem, the Grouping value should include some randomness. The best practice is to use a randomly generated GUID. However, there is no requirement on the exact value of the node. > [!NOTE] @@ -83,8 +81,6 @@ Defines restrictions for applications. Additional information: -- [Find publisher and product name of apps](#productname) - step-by-step guide for getting the publisher and product names for various Windows apps. - **AppLocker/ApplicationLaunchRestrictions/_Grouping_** Grouping nodes are dynamic nodes, and there may be any number of them for a given enrollment (or a given context). The actual identifiers are selected by the management endpoint, whose job it is to determine what their purpose is, and to not conflict with other identifiers that they define. Different enrollments and contexts may use the same Authority identifier, even if many such identifiers are active at the same time. 
@@ -262,25 +258,6 @@ Data type is string. Supported operations are Get, Add, Delete, and Replace. -## Find publisher and product name of apps - - -You can pair a Windows Phone (Windows 10 Mobile, version 1511) to your desktop using the Device Portal on the phone to get the various types of information, including publisher name and product name of apps installed on the phone. This procedure describes pairing your phone to your desktop using WiFi. - -If this procedure does not work for you, try the other methods for pairing described in [Device Portal for Mobile](/windows/uwp/debug-test-perf/device-portal-mobile). - -**To find Publisher and PackageFullName for apps installed on Windows 10 Mobile** - -1. On your Windows Phone, go to **Settings**. Choose **Update & security**. Then choose **For developers**. -2. Choose **Developer mode**. -3. Turn on **Device discovery**. -4. Turn on **Device Portal** and keep **AuthenticationOn**. -5. Under the **Device Portal**, under **Connect using: WiFi**, copy the URL to your desktop browser to connect using WiFi. - - If you get a certificate error, continue to the web page. - - If you get an error about not reaching the web page, then you should try the other methods for pairing described in [Device Portal for Mobile](/windows/uwp/debug-test-perf/device-portal-mobile). - 6. On your phone under **Device discovery**, tap **Pair**. You will get a code (case sensitive). 7. On the browser on the **Set up access page**, enter the code (case sensitive) into the text box and click **Submit**. 
@@ -293,11 +270,11 @@ If this procedure does not work for you, try the other methods for pairing descr ![device portal app manager](images/applocker-screenshot3.png) -10. If you do not see the app that you want, look under **Installed apps**. Using the drop down menu, click on the application and you get the Version, Publisher, and PackageFullName displayed. +10. If you do not see the app that you want, look under **Installed apps**. Using the drop- down menu, click on the application and you get the Version, Publisher, and PackageFullName displayed. ![app manager](images/applocker-screenshot2.png) -The following table show the mapping of information to the AppLocker publisher rule field. +The following table shows the mapping of information to the AppLocker publisher rule field. @@ -324,7 +301,7 @@ The following table show the mapping of information to the AppLocker publisher r +

HighSection defines the highest version number and LowSection defines the lowest version number that should be trusted. You can use a wildcard for both versions to make a version- independent rule. Using a wildcard for one of the values will provide higher than or lower than a specific version semantics.

Version

Version

This can be used either in the HighSection or LowSection of the BinaryVersionRange.

-

HighSection defines the highest version number and LowSection defines the lowest version number that should be trusted. You can use a wildcard for both versions to make a version independent rule. Using a wildcard for one of the values will provide higher than or lower than a specific version semantics.

@@ -417,7 +394,7 @@ Result ## Settings apps that rely on splash apps -When you create a list of allowed apps in Windows 10 Mobile, you must also include the subset of Settings apps that rely on splash apps in your list of allowed apps. These apps are blocked unless they are explicitly added to the list of allowed apps. The following table shows the subset of Settings apps that rely on splash apps . +These apps are blocked unless they are explicitly added to the list of allowed apps. The following table shows the subset of Settings apps that rely on splash apps. The product name is first part of the PackageFullName followed by the version number. @@ -566,7 +543,7 @@ The following list shows the apps that may be included in the inbox. Microsoft.AccountsControl -Enterprise install app +Enterprise installs app da52fa01-ac0f-479d-957f-bfe4595941cb @@ -811,7 +788,7 @@ The following list shows the apps that may be included in the inbox. -Sign-in for Windows 10 Holographic +Sign in for Windows 10 Holographic WebAuthBridgeInternetSso, WebAuthBridgeInternet, WebAuthBridgeIntranetSso, WebAuthBrokerInternetSso, WebAuthBrokerInternetSso, WebAuthBrokerInternetSso, WebAuthBrokerInternet, WebAuthBrokerIntranetSso, SignIn @@ -1015,11 +992,6 @@ The following example disables the Mixed Reality Portal. In the example, the **I ``` -The following example for Windows 10 Mobile denies all apps and allows the following apps: - -- [settings app that rely on splash apps](#settingssplashapps) -- most of the [inbox apps](#inboxappsandcomponents), but not all. - In this example, **MobileGroup0** is the node name. We recommend using a GUID for this node. ```xml 
@@ -1476,7 +1448,7 @@ In this example, **MobileGroup0** is the node name. We recommend using a GUID fo ``` ## Example for Windows 10 Holographic for Business -The following example for Windows 10 Holographic for Business denies all apps and allows the minimum set of [inbox apps](#inboxappsandcomponents) to enable to enable a working device, as well as Settings. +The following example for Windows 10 Holographic for Business denies all apps and allows the minimum set of [inbox apps](#inboxappsandcomponents) to enable a working device, as well as Settings. ```xml diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index 2864971440..f19bba4d59 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md 
@@ -23,7 +23,7 @@ The BitLocker configuration service provider (CSP) is used by the enterprise to A Get operation on any of the settings, except for RequireDeviceEncryption and RequireStorageCardEncryption, returns the setting configured by the admin. -For RequireDeviceEncryption and RequireStorageCardEncryption, the Get operation returns the actual status of enforcement to the admin, such as if Trusted Platform Module (TPM) protection is required and if encryption is required. And if the device has BitLocker enabled but with password protector, the status reported is 0. A Get operation on RequireDeviceEncryption does not verify that the a minimum PIN length is enforced (SystemDrivesMinimumPINLength). +For RequireDeviceEncryption and RequireStorageCardEncryption, the Get operation returns the actual status of enforcement to the admin, such as if Trusted Platform Module (TPM) protection is required and if encryption is required. And if the device has BitLocker enabled but with password protector, the status reported is 0. A Get operation on RequireDeviceEncryption does not verify that a minimum PIN length is enforced (SystemDrivesMinimumPINLength). The following shows the BitLocker configuration service provider in tree format. ``` @@ -64,7 +64,6 @@ Allows the administrator to require storage card encryption on the device. This Enterprise Education Mobile - Mobile Enterprise cross mark @@ -122,7 +121,6 @@ Allows the administrator to require encryption to be turned on by using BitLocke Enterprise Education Mobile - Mobile Enterprise cross mark @@ -189,7 +187,6 @@ Allows you to set the default encryption method for each of the different drive Enterprise Education Mobile - Mobile Enterprise cross mark @@ -274,7 +271,7 @@ This setting is a direct mapping to the Bitlocker Group Policy "Require addition Enterprise Education Mobile - Mobile Enterprise + cross mark 
@@ -283,7 +280,7 @@ This setting is a direct mapping to the Bitlocker Group Policy "Require addition check mark check mark cross mark - cross mark + @@ -382,7 +379,7 @@ This setting is a direct mapping to the Bitlocker Group Policy "Configure minimu Enterprise Education Mobile - Mobile Enterprise + cross mark @@ -391,7 +388,7 @@ This setting is a direct mapping to the Bitlocker Group Policy "Configure minimu check mark check mark cross mark - cross mark + @@ -459,7 +456,7 @@ This setting is a direct mapping to the Bitlocker Group Policy "Configure pre-bo Enterprise Education Mobile - Mobile Enterprise + cross mark @@ -468,7 +465,7 @@ This setting is a direct mapping to the Bitlocker Group Policy "Configure pre-bo check mark check mark cross mark - cross mark + @@ -485,7 +482,7 @@ ADMX Info: > [!TIP] > For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md). -This setting lets you configure the entire recovery message or replace the existing URL that are displayed on the pre-boot key recovery screen when the OS drive is locked. +This setting lets you configure the entire recovery message or replace the existing URL that is displayed on the pre-boot key recovery screen when the OS drive is locked. If you set the value to "1" (Use default recovery message and URL), the default BitLocker recovery message and URL will be displayed in the pre-boot key recovery screen. If you have previously configured a custom recovery message or URL and want to revert to the default message, you must keep the policy enabled and set the value "1" (Use default recovery message and URL). @@ -548,7 +545,7 @@ This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLo Enterprise Education Mobile - Mobile Enterprise + cross mark 
@@ -557,7 +554,7 @@ This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLo check mark check mark cross mark - cross mark + @@ -645,7 +642,7 @@ This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLo Enterprise Education Mobile - Mobile Enterprise + cross mark @@ -654,7 +651,7 @@ This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLo check mark check mark cross mark - cross mark + @@ -751,7 +748,7 @@ This setting is a direct mapping to the Bitlocker Group Policy "Deny write acces Enterprise Education Mobile - Mobile Enterprise + cross mark @@ -760,7 +757,7 @@ This setting is a direct mapping to the Bitlocker Group Policy "Deny write acces check mark check mark cross mark - cross mark + @@ -820,7 +817,7 @@ This setting is a direct mapping to the Bitlocker Group Policy "Deny write acces Enterprise Education Mobile - Mobile Enterprise + cross mark @@ -829,7 +826,7 @@ This setting is a direct mapping to the Bitlocker Group Policy "Deny write acces check mark check mark cross mark - cross mark + @@ -905,7 +902,7 @@ Allows the admin to disable the warning prompt for other disk encryption on the Enterprise Education Mobile - Mobile Enterprise + cross mark @@ -914,7 +911,7 @@ Allows the admin to disable the warning prompt for other disk encryption on the check mark check mark cross mark - cross mark + @@ -969,7 +966,7 @@ If "AllowWarningForOtherDiskEncryption" is not set, or is set to "1", "RequireDe Enterprise Education Mobile - Mobile Enterprise + cross mark @@ -978,7 +975,7 @@ If "AllowWarningForOtherDiskEncryption" is not set, or is set to "1", "RequireDe check mark check mark cross mark - cross mark + @@ -1024,7 +1021,7 @@ This setting initiates a client-driven recovery password refresh after an OS dri Enterprise Education Mobile - Mobile Enterprise + cross mark 
@@ -1033,7 +1030,7 @@ This setting initiates a client-driven recovery password refresh after an OS dri check mark check mark cross mark - cross mark + @@ -1079,7 +1076,7 @@ Each server-side recovery key rotation is represented by a request ID. The serve Enterprise Education Mobile - Mobile Enterprise + cross mark @@ -1088,7 +1085,7 @@ Each server-side recovery key rotation is represented by a request ID. The serve check mark check mark cross mark - cross mark + @@ -1124,7 +1121,7 @@ This node reports compliance state of device encryption on the system. Enterprise Education Mobile - Mobile Enterprise + cross mark @@ -1133,7 +1130,7 @@ This node reports compliance state of device encryption on the system. check mark check mark cross mark - cross mark + @@ -1192,7 +1189,7 @@ Status code can be one of the following: Enterprise Education Mobile - Mobile Enterprise + cross mark @@ -1201,7 +1198,7 @@ Status code can be one of the following: check mark check mark cross mark - cross mark + @@ -1227,7 +1224,7 @@ This node needs to be queried in synchronization with RotateRecoveryPasswordsSta Enterprise Education Mobile - Mobile Enterprise + cross mark @@ -1236,7 +1233,7 @@ This node needs to be queried in synchronization with RotateRecoveryPasswordsSta check mark check mark cross mark - cross mark + diff --git a/windows/client-management/mdm/certificate-authentication-device-enrollment.md b/windows/client-management/mdm/certificate-authentication-device-enrollment.md index 028007ccce..f01490c427 100644 --- a/windows/client-management/mdm/certificate-authentication-device-enrollment.md +++ b/windows/client-management/mdm/certificate-authentication-device-enrollment.md @@ -61,7 +61,6 @@ Cache-Control: no-cache 101 10.0.0.0 3.0 - WindowsPhone 10.0.0.0 Certificate @@ -353,12 +352,8 @@ http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrol 49015420323756 Full - - WindowsPhone - - - 10.0.0.0 - + + 7BA748C8-703E-4DF2-A74A-92984117346A 
diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index 3227294e86..90f132759c 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -41,7 +41,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark @@ -50,7 +49,6 @@ Additional lists: cross mark cross mark cross mark - cross mark @@ -69,7 +67,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark @@ -78,7 +75,6 @@ Additional lists: check mark4 check mark4 cross mark - cross mark @@ -97,7 +93,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise check mark @@ -106,7 +101,6 @@ Additional lists: check mark check mark check mark - check mark @@ -125,7 +119,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark @@ -134,7 +127,6 @@ Additional lists: cross mark cross mark cross mark - cross mark @@ -153,7 +145,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise check mark @@ -162,7 +153,6 @@ Additional lists: check mark check mark check mark - check mark @@ -181,7 +171,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise check mark6 @@ -190,7 +179,6 @@ Additional lists: check mark6 check mark6 check mark6 - check mark6 @@ -209,7 +197,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise check mark @@ -218,7 +205,6 @@ Additional lists: check mark check mark check mark - check mark @@ -237,7 +223,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark @@ -246,7 +231,6 @@ Additional lists: check mark check mark cross mark - cross mark @@ -265,7 +249,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise check mark @@ -274,7 +257,6 @@ Additional lists: check mark check mark check mark - check mark 
@@ -293,7 +275,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark @@ -302,7 +283,6 @@ Additional lists: check mark2 check mark2 check mark2 - check mark2 @@ -321,7 +301,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark @@ -330,7 +309,6 @@ Additional lists: cross mark cross mark cross mark - cross mark @@ -349,7 +327,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise check mark3 @@ -358,7 +335,6 @@ Additional lists: check mark3 check mark3 check mark - check mark @@ -377,7 +353,7 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise + cross mark @@ -386,7 +362,6 @@ Additional lists: cross mark cross mark check mark1 - check mark1 @@ -405,7 +380,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise check mark2 @@ -414,7 +388,6 @@ Additional lists: check mark2 check mark2 check mark - check mark @@ -433,7 +406,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise check mark3 @@ -442,7 +414,6 @@ Additional lists: check mark3 check mark3 check mark - check mark @@ -461,7 +432,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise check mark2 @@ -470,7 +440,6 @@ Additional lists: check mark2 check mark2 check mark - check mark @@ -489,7 +458,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise check mark @@ -498,7 +466,6 @@ Additional lists: check mark check mark check mark - check mark @@ -517,7 +484,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark @@ -526,7 +492,6 @@ Additional lists: check mark2 check mark2 cross mark - cross mark @@ -545,7 +510,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise check mark @@ -554,7 +518,6 @@ Additional lists: check mark check mark check mark - check mark @@ -573,7 +536,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark 
@@ -582,7 +544,6 @@ Additional lists: cross mark cross mark cross mark - cross mark @@ -601,7 +562,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise check mark @@ -610,7 +570,6 @@ Additional lists: check mark check mark check mark - check mark @@ -629,7 +588,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise check mark @@ -638,7 +596,6 @@ Additional lists: check mark check mark check mark - check mark @@ -657,7 +614,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise check mark @@ -666,7 +622,6 @@ Additional lists: check mark check mark cross mark - cross mark @@ -685,7 +640,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise check mark @@ -694,7 +648,6 @@ Additional lists: check mark check mark check mark - check mark @@ -713,7 +666,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise check mark @@ -722,7 +674,6 @@ Additional lists: check mark check mark check mark - check mark @@ -741,7 +692,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark @@ -750,7 +700,6 @@ Additional lists: cross mark cross mark cross mark - cross mark @@ -769,7 +718,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark @@ -778,7 +726,6 @@ Additional lists: cross mark cross mark check mark - check mark @@ -797,7 +744,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark @@ -806,7 +752,6 @@ Additional lists: cross mark cross mark check mark - check mark @@ -825,7 +770,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise check mark @@ -853,7 +797,7 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise + check mark @@ -881,8 +825,7 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise - + check mark check mark @@ -890,7 +833,6 @@ Additional lists: check mark check mark check mark - check mark 
@@ -909,7 +851,7 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise + cross mark @@ -918,7 +860,6 @@ Additional lists: check mark2 check mark2 check mark3 - check mark3 @@ -937,7 +878,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise check mark @@ -946,7 +886,6 @@ Additional lists: check mark check mark check mark - check mark @@ -965,7 +904,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise check mark6 @@ -974,7 +912,6 @@ Additional lists: check mark6 check mark6 cross mark - cross mark @@ -993,7 +930,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise check mark2 @@ -1002,7 +938,6 @@ Additional lists: check mark2 check mark2 check mark - check mark @@ -1021,7 +956,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark @@ -1030,7 +964,6 @@ Additional lists: cross mark cross mark check mark - check mark @@ -1049,7 +982,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark @@ -1058,7 +990,6 @@ Additional lists: check mark2 check mark2 cross mark - cross mark @@ -1077,7 +1008,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark @@ -1086,7 +1016,6 @@ Additional lists: cross mark cross mark check mark - check mark @@ -1105,7 +1034,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise check mark @@ -1115,7 +1043,6 @@ Additional lists: check mark check mark check mark - check mark @@ -1134,7 +1061,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark @@ -1162,7 +1088,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark @@ -1171,7 +1096,6 @@ Additional lists: cross mark cross mark check mark - check mark @@ -1190,7 +1114,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark @@ -1199,7 +1122,6 @@ Additional lists: cross mark cross mark check mark - check mark 
@@ -1218,7 +1140,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise check mark @@ -1227,7 +1148,6 @@ Additional lists: check mark check mark check mark - check mark @@ -1246,7 +1166,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise @@ -1255,7 +1174,6 @@ Additional lists: check mark3 check mark3 check mark3 - check mark3 @@ -1274,7 +1192,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark @@ -1283,7 +1200,6 @@ Additional lists: cross mark cross mark check mark (Provisioning only) - check mark (Provisioning only) @@ -1302,7 +1218,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark @@ -1311,7 +1226,6 @@ Additional lists: check mark3 check mark3 cross mark - cross mark @@ -1330,7 +1244,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise check mark @@ -1339,7 +1252,6 @@ Additional lists: check mark check mark check mark - check mark @@ -1358,7 +1270,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark @@ -1367,7 +1278,6 @@ Additional lists: cross mark cross mark check mark - check mark @@ -1386,7 +1296,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark @@ -1395,7 +1304,6 @@ Additional lists: cross mark cross mark check mark - check mark @@ -1414,7 +1322,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark @@ -1423,7 +1330,6 @@ Additional lists: cross mark cross mark check mark2 - check mark2 @@ -1442,7 +1348,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise check mark4 @@ -1451,7 +1356,6 @@ Additional lists: check mark4 check mark4 check mark4 - check mark4 @@ -1470,7 +1374,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark @@ -1479,7 +1382,6 @@ Additional lists: check mark check mark check mark - check mark @@ -1498,7 +1400,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark 
@@ -1507,7 +1408,6 @@ Additional lists: check mark check mark check mark - check mark @@ -1526,7 +1426,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark @@ -1535,7 +1434,6 @@ Additional lists: check mark2 check mark2 check mark2 - check mark2 @@ -1554,7 +1452,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise check mark @@ -1563,7 +1460,6 @@ Additional lists: check mark check mark check mark - check mark @@ -1582,7 +1478,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise check mark @@ -1591,7 +1486,6 @@ Additional lists: check mark check mark check mark - check mark @@ -1610,7 +1504,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark @@ -1619,7 +1512,6 @@ Additional lists: check mark2 check mark2 cross mark - cross mark @@ -1638,7 +1530,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise check mark @@ -1647,7 +1538,6 @@ Additional lists: check mark check mark check mark - check mark @@ -1666,7 +1556,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark @@ -1675,7 +1564,6 @@ Additional lists: check mark check mark check mark - check mark @@ -1694,7 +1582,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise check mark @@ -1703,7 +1590,6 @@ Additional lists: check mark check mark check mark - check mark @@ -1722,7 +1608,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark @@ -1731,7 +1616,6 @@ Additional lists: check mark2 check mark2 cross mark - cross mark @@ -1750,7 +1634,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise check mark @@ -1759,7 +1642,6 @@ Additional lists: check mark check mark check mark - check mark @@ -1778,7 +1660,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark @@ -1787,7 +1668,6 @@ Additional lists: cross mark cross mark check mark - check mark 
@@ -1806,7 +1686,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise check mark (Provisioning only) @@ -1815,7 +1694,6 @@ Additional lists: check mark (Provisioning only) check mark (Provisioning only) check mark (Provisioning only) - check mark (Provisioning only) @@ -1834,7 +1712,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark @@ -1843,7 +1720,6 @@ Additional lists: check mark check mark check mark - check mark @@ -1862,7 +1738,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark @@ -1871,7 +1746,6 @@ Additional lists: cross mark cross mark check mark - check mark @@ -1890,7 +1764,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark @@ -1899,7 +1772,6 @@ Additional lists: check mark check mark check mark - check mark @@ -1918,7 +1790,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark @@ -1927,7 +1798,6 @@ Additional lists: cross mark cross mark check mark - check mark @@ -1946,7 +1816,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark @@ -1955,7 +1824,6 @@ Additional lists: cross mark cross mark check mark - check mark @@ -1974,7 +1842,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise check mark @@ -1983,7 +1850,6 @@ Additional lists: check mark check mark check mark - check mark @@ -2002,7 +1868,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise check mark @@ -2011,7 +1876,6 @@ Additional lists: check mark check mark check mark - check mark @@ -2030,7 +1894,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise check mark @@ -2039,7 +1902,6 @@ Additional lists: check mark check mark check mark - check mark @@ -2058,7 +1920,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark @@ -2067,7 +1928,6 @@ Additional lists: check mark check mark check mark - check mark 
@@ -2086,7 +1946,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark @@ -2095,7 +1954,6 @@ Additional lists: check mark1 check mark1 cross mark - cross mark @@ -2114,7 +1972,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise check mark @@ -2123,7 +1980,6 @@ Additional lists: check mark check mark check mark - check mark @@ -2142,7 +1998,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark @@ -2151,7 +2006,6 @@ Additional lists: check mark1 check mark1 cross mark - cross mark @@ -2170,7 +2024,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark @@ -2179,7 +2032,6 @@ Additional lists: check mark check mark check mark - check mark @@ -2198,7 +2050,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise @@ -2226,7 +2077,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark @@ -2235,7 +2085,6 @@ Additional lists: check mark5 check mark5 cross mark - cross mark @@ -2254,7 +2103,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark @@ -2263,7 +2111,6 @@ Additional lists: check mark check mark check mark - check mark @@ -2282,7 +2129,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark @@ -2291,7 +2137,6 @@ Additional lists: check mark4 check mark4 cross mark - cross mark @@ -2310,7 +2155,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark @@ -2319,7 +2163,6 @@ Additional lists: check mark check mark cross mark - cross mark @@ -2338,7 +2181,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise check mark @@ -2347,7 +2189,6 @@ Additional lists: check mark check mark check mark - check mark @@ -2366,7 +2207,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark @@ -2375,7 +2215,6 @@ Additional lists: cross mark cross mark check mark - check mark 
@@ -2394,7 +2233,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise check mark @@ -2403,7 +2241,6 @@ Additional lists: check mark check mark check mark - check mark @@ -2422,7 +2259,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise @@ -2450,7 +2286,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise check mark @@ -2459,7 +2294,6 @@ Additional lists: check mark check mark check mark - check mark @@ -2478,7 +2312,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark @@ -2487,7 +2320,6 @@ Additional lists: check mark1 check mark1 cross mark - cross mark @@ -2506,7 +2338,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark @@ -2515,7 +2346,6 @@ Additional lists: check mark5 check mark5 cross mark - cross mark @@ -2534,7 +2364,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark @@ -2543,7 +2372,6 @@ Additional lists: check mark1 check mark1 cross mark - cross mark @@ -2562,7 +2390,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark @@ -2570,8 +2397,7 @@ Additional lists: check mark3 check mark3 check mark3 - cross mark - cross mark + cross mark> @@ -2591,7 +2417,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise check mark @@ -2600,7 +2425,6 @@ Additional lists: check mark check mark check mark - check mark @@ -2619,7 +2443,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark @@ -2628,7 +2451,6 @@ Additional lists: cross mark cross mark check mark - check mark @@ -2647,7 +2469,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark @@ -2656,7 +2477,6 @@ Additional lists: check mark5 check mark5 check mark5 - check mark5 @@ -2675,7 +2495,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise 
diff --git a/windows/client-management/mdm/devdetail-ddf-file.md b/windows/client-management/mdm/devdetail-ddf-file.md index 25be11c21b..717e018b44 100644 --- a/windows/client-management/mdm/devdetail-ddf-file.md +++ b/windows/client-management/mdm/devdetail-ddf-file.md @@ -189,28 +189,7 @@ The XML below is the current version for this CSP. text/plain - - - SwV - - - - - Returns the Windows Phone OS software version. - - - - - - - - - - - text/plain - - - + HwV diff --git a/windows/client-management/mdm/device-update-management.md b/windows/client-management/mdm/device-update-management.md index e2a6fc0027..8e886f3661 100644 --- a/windows/client-management/mdm/device-update-management.md +++ b/windows/client-management/mdm/device-update-management.md 
@@ -19,13 +19,13 @@ ms.date: 11/15/2017 >[!TIP] >If you're not a developer or administrator, you'll find more helpful information in the [Windows Update: Frequently Asked Questions](https://support.microsoft.com/help/12373/windows-update-faq). -In the current device landscape of PC, tablets, phones, and IoT devices, Mobile Device Management (MDM) solutions are becoming prevalent as a lightweight device management technology. In Windows 10, we are investing heavily in extending the management capabilities available to MDMs. One key feature we are adding is the ability for MDMs to keep devices up-to-date with the latest Microsoft updates. +In the current device landscape of PC, tablets, phones, and IoT devices, Mobile Device Management (MDM) solutions are becoming prevalent as a lightweight device management technology. In Windows 10, we are investing heavily in extending the management capabilities available to MDMs. One key feature we are adding is the ability for MDMs to keep devices up to date with the latest Microsoft updates. In particular, Windows 10 provides APIs to enable MDMs to: -- Ensure machines stay up-to-date by configuring Automatic Update policies. +- Ensure machines stay up to date by configuring Automatic Update policies. - Test updates on a smaller set of machines before enterprise-wide rollout by configuring which updates are approved for a given device. -- Get compliance status of managed devices so IT can easily understand which machines still need a particular security patch, or how up-to-date is a particular machine. +- Get compliance status of managed devices so IT can easily understand which machines still need a particular security patch, or how up to date is a particular machine. This topic provides MDM independent software vendors (ISV) with the information they need to implement update management in Windows 10. 
@@ -34,7 +34,7 @@ In Windows 10, the MDM protocol has been extended to better enable IT admins to - Configure automatic update policies to ensure devices stay up-to-date. - Get device compliance information (the list of updates that are needed but not yet installed). - Specify a per-device update approval list, to ensure devices don’t install unapproved updates that have not been tested. -- Approve EULAs on behalf of the end-user so update deployment can be automated even for updates with EULAs. +- Approve EULAs on behalf of the end user so update deployment can be automated even for updates with EULAs. The OMA DM APIs for specifying update approvals and getting compliance status refer to updates by using an Update ID, which is a GUID that identifies a particular update. The MDM, of course, will want to expose IT-friendly information about the update (instead of a raw GUID), including the update’s title, description, KB, update type (for example, a security update or service pack). For more information, see [\[MS-WSUSSS\]: Windows Update Services: Server-Server Protocol](/openspecs/windows_protocols/ms-wsusss/f49f0c3e-a426-4b4b-b401-9aeb2892815c). @@ -80,7 +80,7 @@ The response of the GetUpdateData call returns an array of ServerSyncUpdateData - **UpdateID** – The unique identifier for an update - **RevisionNumber** – Revision number for the update in case the update was modified. - **CreationDate** – the date on which this update was created. -- **UpdateType** – The type of update which could include the following: +- **UpdateType** – The type of update, which could include the following: - **Detectoid** – if this update identity represents a compatibility logic - **Category** – This could represent either of the following: - A Product category the update belongs to. For example, Windows, MS office etc. 
@@ -107,7 +107,7 @@ First some background: The following procedure describes a basic algorithm for a metadata sync service: - Initialization, composed of the following: - 1. Create an empty list of “needed update IDs to fault in”. This list will get updated by the MDM service component that uses OMA DM. We recommend not adding definition updates to this list, since those are temporary in nature (for example, Defender releases about 4 new definition updates per day, each of which is cumulative). + 1. Create an empty list of “needed update IDs to fault in”. This list will get updated by the MDM service component that uses OMA DM. We recommend not adding definition updates to this list, since those are temporary in nature (for example, Defender releases about four new definition updates per day, each of which is cumulative). - Sync periodically (we recommend once every 2 hours - no more than once/hour). 1. Implement the authorization phase of the protocol to get a cookie if you don’t already have a non-expired cookie. See **Sample 1: Authorization** in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a). 2. Implement the metadata portion of the protocol (see **Sample 2: Metadata and Deployments Synchronization** in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a)), and: 
@@ -130,7 +130,7 @@ The following list describes a suggested model for applying updates. 1. Have a "Test Group" and an "All Group". 2. In the Test group, just let all updates flow. -3. In the All Group, set up Quality Update deferral for 7 days and then Quality Updates will be auto approved after the 7 days. Note that Definition Updates are excluded from Quality Update deferrals and will be auto approved when they are availible. This can be done by setting Update/DeferQualityUpdatesPeriodInDays to 7 and just letting updates flow after seven days or pushing Pause in case of issues. +3. In the All Group, set up Quality Update deferral for 7 days and then Quality Updates will be auto approved after the 7 days. Note that Definition Updates are excluded from Quality Update deferrals and will be auto approved when they are available. This can be done by setting Update/DeferQualityUpdatesPeriodInDays to 7 and just letting updates flow after seven days or pushing Pause in case of issues. Updates are configured using a combination of the [Update CSP](update-csp.md), and the update portion of the [Policy CSP](policy-configuration-service-provider.md). Please refer to these topics for details on configuring updates. @@ -144,7 +144,7 @@ The following diagram shows the Update policies in a tree format. **Update/ActiveHoursEnd** > [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education

Added in Windows 10, version 1607. Allows the IT admin (when used with Update/ActiveHoursStart) to manage a range of active hours where update reboots are not scheduled. This value sets the end time. There is a 12 hour maximum from start time. @@ -158,8 +158,7 @@ The following diagram shows the Update policies in a tree format. **Update/ActiveHoursMaxRange** > [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.

Added in Windows 10, version 1703. Allows the IT admin to specify the max active hours range. This value sets max number of active hours from start time. @@ -169,7 +168,7 @@ The following diagram shows the Update policies in a tree format. **Update/ActiveHoursStart** > [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.

Added in Windows 10, version 1607. Allows the IT admin (when used with Update/ActiveHoursEnd) to manage a range of hours where update reboots are not scheduled. This value sets the start time. There is a 12 hour maximum from end time. @@ -183,7 +182,7 @@ The following diagram shows the Update policies in a tree format. **Update/AllowAutoUpdate** > [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.

Enables the IT admin to manage automatic update behavior to scan, download, and install updates. @@ -219,10 +218,10 @@ The following diagram shows the Update policies in a tree format. **Update/AllowNonMicrosoftSignedUpdate** > [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise +> This policy is available on Windows 10 Pro, Windows 10 Enterprise and Windows 10 Education. -

Allows the IT admin to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for 3rd party software and patch distribution. +

Allows the IT admin to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for third party software and patch distribution.

Supported operations are Get and Replace. @@ -231,11 +230,11 @@ The following diagram shows the Update policies in a tree format. - 0 – Not allowed or not configured. Updates from an intranet Microsoft update service location must be signed by Microsoft. - 1 – Allowed. Accepts updates received through an intranet Microsoft update service location, if they are signed by a certificate found in the "Trusted Publishers" certificate store of the local computer. -

This policy is specific to desktop and local publishing via WSUS for 3rd party updates (binaries and updates not hosted on Microsoft Update) and allows IT to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location. +

This policy is specific to desktop and local publishing via WSUS for third party updates (binaries and updates not hosted on Microsoft Update) and allows IT to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location. **Update/AllowUpdateService** > [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education

Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft. @@ -255,7 +254,7 @@ The following diagram shows the Update policies in a tree format. **Update/AutoRestartNotificationSchedule** > [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education

Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart reminder notifications. @@ -266,10 +265,10 @@ The following diagram shows the Update policies in a tree format. **Update/AutoRestartRequiredNotificationDismissal** > [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education -

Added in Windows 10, version 1703. Allows the IT Admin to specify the method by which the auto-restart required notification is dismissed. +

Added in Windows 10, version 1703. Allows the IT Admin to specify the method by which the auto restart required notification is dismissed.

The following list shows the supported values: @@ -278,7 +277,7 @@ The following diagram shows the Update policies in a tree format. **Update/BranchReadinessLevel** > [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education

Added in Windows 10, version 1607. Allows the IT admin to set which branch a device receives their updates from. @@ -291,8 +290,6 @@ The following diagram shows the Update policies in a tree format. **Update/DeferFeatureUpdatesPeriodInDays** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education. ->

Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. -

Added in Windows 10, version 1607. Defers Feature Updates for the specified number of days. @@ -300,7 +297,7 @@ The following diagram shows the Update policies in a tree format. **Update/DeferQualityUpdatesPeriodInDays** > [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education

Added in Windows 10, version 1607. Defers Quality Updates for the specified number of days. @@ -309,20 +306,15 @@ The following diagram shows the Update policies in a tree format. **Update/DeferUpdatePeriod** > [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education > > Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices. -

Allows IT Admins to specify update delays for up to 4 weeks. +

Allows IT Admins to specify update delays for up to four weeks.

Supported values are 0-4, which refers to the number of weeks to defer updates. -

In Windows 10 Mobile Enterprise version 1511 devices set to automatic updates, for DeferUpdatePeriod to work, you must set the following: - -- Update/RequireDeferUpgrade must be set to 1 -- System/AllowTelemetry must be set to 1 or higher -

If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.

If the Allow Telemetry policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. @@ -372,7 +364,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego

Other/cannot defer

No deferral

No deferral

-

Any update category not specifically enumerated above falls into this category.

+

Any update category not enumerated above falls into this category.

Definition Update - E0789628-CE08-4437-BE74-2495B842F43B

@@ -388,7 +380,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego > Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices. -

Allows IT Admins to specify additional upgrade delays for up to 8 months. +

Allows IT Admins to specify additional upgrade delays for up to eight months.

Supported values are 0-8, which refers to the number of months to defer upgrades. @@ -398,7 +390,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego **Update/EngagedRestartDeadline** > [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education

Added in Windows 10, version 1703. Allows the IT Admin to specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed within the specified period. If no deadline is specified or deadline is set to 0, the restart will not be automatically executed and will remain Engaged restart (pending user scheduling). @@ -409,25 +401,25 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego **Update/EngagedRestartSnoozeSchedule** > [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education

Added in Windows 10, version 1703. Allows the IT Admin to control the number of days a user can snooze Engaged restart reminder notifications.

Supported values are 1-3 days. -

The default value is 3 days. +

The default value is three days. **Update/EngagedRestartTransitionSchedule** > [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education

Added in Windows 10, version 1703. Allows the IT Admin to control the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending.

Supported values are 2-30 days. -

The default value is 7 days. +

The default value is seven days. **Update/ExcludeWUDriversInQualityUpdate** > [!NOTE] @@ -485,12 +477,12 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego **Update/PauseDeferrals** > [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education > > Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use PauseDeferrals for Windows 10, version 1511 devices. -

Allows IT Admins to pause updates and upgrades for up to 5 weeks. Paused deferrals will be reset after 5 weeks. +

Allows IT Admins to pause updates and upgrades for up to five weeks. Paused deferrals will be reset after five weeks.

The following list shows the supported values: @@ -504,8 +496,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego **Update/PauseFeatureUpdates** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education. ->

Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. -

Added in Windows 10, version 1607. Allows IT Admins to pause Feature Updates for up to 60 days. @@ -516,7 +506,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego **Update/PauseQualityUpdates** > [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education

Added in Windows 10, version 1607. Allows IT Admins to pause Quality Updates. @@ -528,7 +518,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego **Update/RequireDeferUpgrade** > [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education > > Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices. @@ -543,7 +533,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego **Update/RequireUpdateApproval** > [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
@@ -562,7 +552,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego **Update/ScheduleImminentRestartWarning** > [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education

Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart imminent warning notifications. @@ -573,7 +563,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego **Update/ScheduledInstallDay** > [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education

Enables the IT admin to schedule the day of the update installation. @@ -595,7 +585,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego **Update/ScheduledInstallTime** > [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education

Enables the IT admin to schedule the time of the update installation. @@ -610,10 +600,10 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego **Update/ScheduleRestartWarning** > [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education -

Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart warning reminder notifications. +

Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto restart warning reminder notifications.

Supported values are 2, 4, 8, 12, or 24 (hours). @@ -621,10 +611,10 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego **Update/SetAutoRestartNotificationDisable** > [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education -

Added in Windows 10, version 1703. Allows the IT Admin to disable auto-restart notifications for update installations. +

Added in Windows 10, version 1703. Allows the IT Admin to disable auto restart notifications for update installations.

The following list shows the supported values: @@ -633,10 +623,10 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego **Update/UpdateServiceUrl** > [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education > [!Important] -> Starting in Windows 10, version 1703 this policy is not supported in Windows 10 Mobile Enterprise and IoT Enterprise. +> Starting in Windows 10, version 1703 this policy is not supported in IoT Enterprise.

Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premises MDMs that need to update devices that cannot connect to the Internet. 
@@ -700,7 +690,7 @@ Node for update approvals and EULA acceptance on behalf of the end-user. The MDM must first present the EULA to IT and have them accept it before the update is approved. Failure to do this is a breach of legal or contractual obligations. The EULAs can be obtained from the update metadata and have their own EULA ID. It's possible for multiple updates to share the same EULA. It is only necessary to approve the EULA once per EULA ID, not one per update. -The update approval list enables IT to approve individual updates and update classifications. Auto-approval by update classifications allows IT to automatically approve Definition Updates (i.e., updates to the virus and spyware definitions on devices) and Security Updates (i.e., product-specific updates for security-related vulnerability). The update approval list does not support the uninstallation of updates by revoking approval of already installed updates. Updates are approved based on UpdateID, and an UpdateID only needs to be approved once. An update UpdateID and RevisionNumber are part of the UpdateIdentity type. An UpdateID can be associated to several UpdateIdentity GUIDs due to changes to the RevisionNumber setting. MDM services must synchronize the UpdateIdentity of an UpdateID based on the latest RevisionNumber to get the latest metadata for an update. However, update approval is based on UpdateID. +The update approval list enables IT to approve individual updates and update classifications. Auto-approval by update classifications allows IT to automatically approve Definition Updates (that is, updates to the virus and spyware definitions on devices) and Security Updates (that is, product-specific updates for security-related vulnerability). The update approval list does not support the uninstallation of updates by revoking approval of already installed updates. Updates are approved based on UpdateID, and an UpdateID only needs to be approved once. 
An update UpdateID and RevisionNumber are part of the UpdateIdentity type. An UpdateID can be associated to several UpdateIdentity GUIDs due to changes to the RevisionNumber setting. MDM services must synchronize the UpdateIdentity of an UpdateID based on the latest RevisionNumber to get the latest metadata for an update. However, update approval is based on UpdateID. > **Note**  For the Windows 10 build, the client may need to reboot after additional updates are added. 
@@ -895,21 +885,9 @@ Here is the list of older policies that are still supported for backward compati - Update/DeferUpdatePeriod - Update/PauseDeferrals -For Windows Update for Business, here is the list of supported policies on Windows 10 Mobile Enterprise: - -- For Windows 10, version 1511 (Build 10586): Update/RequireDeferUpgrade, Update/DeferUpdatePeriod and Update/PauseDeferrals. To use DeferUpdatePeriod and PauseDeferrals the RequireDeferUpgrade has to be set to 1, which essentially means for a device running 1511, the Windows Update for Business policies can only be set when a device is configured for CBB servicing. -- For Windows 10, version 1607 (Build 14393): Update/BranchReadinessLevel, Update/DeferQualityUpdatesPeriodInDays and Update/PauseQualityUpdates. In 1607 we added support where you can configure Windows Update for Business policies when a device is configured for CB/CBB servicing. - -> **Note**   -For policies supported for Windows Update for Business, when you set policies for both Windows 10, version 1607 and Windows 10, version 1511 running on 1607, then 1607 policies will be configured (1607 trumps 1511). - -For policies supported for Windows Update for Business, when you set 1511 policies on a device running 1607, the you will get the expected behavior for 1511 policies. - - - ## Update management user experience screenshot -The following screenshots of the administrator console shows the list of update titles, approval status, and additional metadata fields. +The following screenshots of the administrator console show the list of update titles, approval status, and additional metadata fields. ![mdm update management screenshot](images/deviceupdatescreenshot1.png) diff --git a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md index eff91fca3c..3bd7186d4f 100644 --- a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md 
+++ b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md @@ -40,12 +40,12 @@ mdmdiagnosticstool.exe -area DeviceEnrollment;DeviceProvisioning;Autopilot -cab - In File Explorer, navigate to c:\Users\Public\Documents\MDMDiagnostics to see the report. ### Understanding cab structure -The cab file will have logs according to the areas that were used in the command. This explanation is based on DeviceEnrollment,DeviceProvisioning and Autopilot areas. It applies to the cab files collected via command line or Feedback Hub +The cab file will have logs according to the areas that were used in the command. This explanation is based on DeviceEnrollment, DeviceProvisioning and Autopilot areas. It applies to the cab files collected via command line or Feedback Hub - DiagnosticLogCSP_Collector_Autopilot_*: Autopilot etls - DiagnosticLogCSP_Collector_DeviceProvisioning_*: Provisioning etls (Microsoft-Windows-Provisioning-Diagnostics-Provider) -- MDMDiagHtmlReport.html: Summary snapshot of MDM space configurations and policies. Includes, management url, MDM server device id, certificates, policies. -- MdmDiagLogMetadata,json: mdmdiagnosticstool metadata file, contains command line arguments used to run the tool +- MDMDiagHtmlReport.html: Summary snapshot of MDM space configurations and policies. Includes, management url, MDM server device ID, certificates, policies. +- MdmDiagLogMetadata, json: mdmdiagnosticstool metadata file, contains command-line arguments used to run the tool - MDMDiagReport.xml: contains a more detail view into the MDM space configurations, e.g enrollment variables - MdmDiagReport_RegistryDump.reg: contains dumps from common MDM registry locations - MdmLogCollectorFootPrint.txt: mdmdiagnosticslog tool logs from running the command @@ -133,10 +133,6 @@ Example: Export the Debug logs ``` - - diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 0c15cbd8fe..3615cb2e3f 100644 
--- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -141,7 +141,7 @@ manager: dansimp > [!NOTE] -> This policy setting applies only to devices running Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, Windows 10 Mobile, and Windows 10 Mobile Enterprise. +> This policy setting applies only to devices running Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. This policy setting determines whether users can access the Insider build controls in the Advanced Options for Windows Update. These controls are located under "Get Insider builds," and enable users to make their devices available for downloading and installing Windows preview software. 
@@ -738,7 +738,7 @@ The following list shows the supported values for Windows 8.1: In Windows 10, you can configure this policy setting to decide what level of diagnostic data to send to Microsoft. The following list shows the supported values for Windows 10: - 0 – (**Security**) Sends information that is required to help keep Windows more secure, including data about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Microsoft Defender. - **Note:** This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), Hololens 2, and Windows Server 2016. Using this setting on other devices is equivalent to setting the value of 1. + **Note:** This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 IoT Core (IoT Core), Hololens 2, and Windows Server 2016. Using this setting on other devices is equivalent to setting the value of 1. - 1 – (**Basic**) Sends the same data as a value of 0, plus additional basic device info, including quality-related data, app compatibility, and app usage data. - 2 – (**Enhanced**) Sends the same data as a value of 1, plus additional insights, including how Windows, Windows Server, System Center, and apps are used, how they perform, and advanced reliability data. - 3 – (**Full**) Sends the same data as a value of 2, plus all data necessary to identify and fix problems with devices. @@ -756,7 +756,7 @@ In Windows 10, you can configure this policy setting to decide what level of dia

0 – Security. Information that is required to help keep Windows more secure, including data about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender.

-Note  This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server 2016. Using this setting on other devices is equivalent to setting the value of 1. +Note  This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 IoT Core (IoT Core), and Windows Server 2016. Using this setting on other devices is equivalent to setting the value of 1.
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index fd7d92d8dd..94f7b317fd 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -1715,11 +1715,6 @@ Allows IT Admins to specify update delays for up to 4 weeks. Supported values are 0-4, which refers to the number of weeks to defer updates. -In Windows 10 Mobile Enterprise version 1511 devices set to automatic updates, for DeferUpdatePeriod to work, you must set the following: - -- Update/RequireDeferUpgrade must be set to 1 -- System/AllowTelemetry must be set to 1 or higher - If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. If the Allow Telemetry policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. @@ -3470,7 +3465,7 @@ Supported values are 15, 30, or 60 (minutes). > [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart warning reminder notifications. @@ -3937,7 +3932,7 @@ ADMX Info: > [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education Enables the IT admin to schedule the time of the update installation. 
@@ -4479,7 +4474,7 @@ ADMX Info: > [!IMPORTANT] -> Starting in Windows 10, version 1703 this policy is not supported in Windows 10 Mobile Enterprise and IoT Mobile. +> Starting in Windows 10, version 1703 this policy is not supported in IoT Mobile. Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premises MDMs that need to update devices that cannot connect to the Internet. diff --git a/windows/client-management/mdm/policy-csp-wirelessdisplay.md b/windows/client-management/mdm/policy-csp-wirelessdisplay.md index 3aff9aac6c..58e9f7e4b9 100644 --- a/windows/client-management/mdm/policy-csp-wirelessdisplay.md +++ b/windows/client-management/mdm/policy-csp-wirelessdisplay.md @@ -14,8 +14,6 @@ manager: dansimp # Policy CSP - WirelessDisplay - -
diff --git a/windows/client-management/mdm/policy-ddf-file.md b/windows/client-management/mdm/policy-ddf-file.md index 0ed48a5776..de9a8618a9 100644 --- a/windows/client-management/mdm/policy-ddf-file.md +++ b/windows/client-management/mdm/policy-ddf-file.md @@ -28611,30 +28611,6 @@ Related policy:
- - AllowScreenTimeoutWhileLockedUserConfig - - - - - - - - Specifies whether to show a user-configurable setting to control the screen timeout while on the lock screen of Windows 10 Mobile devices. - - - - - - - - - - - text/plain - - - AllowSimpleDevicePassword @@ -28999,31 +28975,6 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - - ScreenTimeoutWhileLocked - - - - - - - - Specifies whether to show a user-configurable setting to control the screen timeout while on the lock screen of Windows 10 Mobile devices. - - - - - - - - - - - text/plain - - - - Display @@ -60350,30 +60301,6 @@ Related policy: LowestValueMostSecure - - AllowScreenTimeoutWhileLockedUserConfig - - - - - 0 - Specifies whether to show a user-configurable setting to control the screen timeout while on the lock screen of Windows 10 Mobile devices. - - - - - - - - - - - text/plain - - - LastWrite - - AllowSimpleDevicePassword @@ -60747,31 +60674,6 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor LastWrite - - ScreenTimeoutWhileLocked - - - - - 10 - Specifies whether to show a user-configurable setting to control the screen timeout while on the lock screen of Windows 10 Mobile devices. - - - - - - - - - - - text/plain - - - LastWrite - - - Display diff --git a/windows/client-management/mdm/supl-ddf-file.md b/windows/client-management/mdm/supl-ddf-file.md index 2c1db8dd46..9e7d8d762f 100644 --- a/windows/client-management/mdm/supl-ddf-file.md +++ b/windows/client-management/mdm/supl-ddf-file.md 
@@ -216,29 +216,6 @@ The XML below is the DDF for the current version for this CSP. - - HighAccPositioningMethod - - - - - - 0 - Optional. Specifies the positioning method that the SUPL client will use for mobile originated position requests. The default is 0. The default method in Windows Phones provides high-quality assisted GNSS positioning for mobile originated position requests without loading the mobile operator's network or location services. For OMA DM, if the format for this node is incorrect the entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters. - - - - - - - - - - - text/plain - - - LocMasterSwitchDependencyNII @@ -308,26 +285,6 @@ The XML below is the DDF for the current version for this CSP. - - RootCertificate - - - - - Required. Specifies the root certificate for the H-SLP server. Windows Phone does not support a non-secure mode. If this node is not included, the configuration service provider will fail but may not return a specific error. - - - - - - - - - - - - - Name @@ -765,29 +722,6 @@ The XML below is the DDF for the current version for this CSP. - - PositioningMethod_MR - - - - - - 0 - Optional. Specifies the positioning method that the SUPL client will use for mobile originated position requests. The default is 0. The default method in Windows Phones provides high-quality assisted GNSS positioning for mobile originated position requests without loading the mobile operator's network or location services. The Mobile Station Assisted and AFLT positioning methods must only be configured for test purposes. For OMA DM, if the format for this node is incorrect the entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters. - - - - - - - - - - - text/plain - - - LocMasterSwitchDependencyNII 
diff --git a/windows/client-management/mdm/w4-application-csp.md b/windows/client-management/mdm/w4-application-csp.md index 51a1739756..d6b9110b32 100644 --- a/windows/client-management/mdm/w4-application-csp.md +++ b/windows/client-management/mdm/w4-application-csp.md @@ -67,15 +67,6 @@ Required. Specifies the address of the MMS application server, as a string. The **MS** Optional. The maximum authorized size, in KB, for multimedia content. This parameter takes a numeric value in string format. If the value is not a number, or is less than or equal to 10, it will be ignored and outgoing MMS will not be resized. -## Remarks - - -Windows Phone MMS does not support user–selectable profiles. While multiple MMS profiles can be provisioned and saved simultaneously, only the last received profile is active. - -If provisioning XML is received for a profile with an existing name, the values in that profile will be overwritten with the new values. - -For more information about the parameters used by the w4 APPLICATION configuration service provider and how they are used, see the OMA MMS Conformance Document (OMA-TS-MMS-CONF-V1\_3-20051027-C) available from the [OMA website](https://go.microsoft.com/fwlink/p/?LinkId=526900). - ## Related topics diff --git a/windows/client-management/mdm/windowslicensing-ddf-file.md b/windows/client-management/mdm/windowslicensing-ddf-file.md index 7b8cb3437e..baa67a10f6 100644 --- a/windows/client-management/mdm/windowslicensing-ddf-file.md +++ b/windows/client-management/mdm/windowslicensing-ddf-file.md 
@@ -146,54 +146,6 @@ The XML below is for Windows 10, version 1809. - - UpgradeEditionWithLicense - - - - - Provide a license for an edition upgrade of Windows 10 mobile devices. Does not require reboot. - - - - - - - - - - - - - - text/plain - - - - - LicenseKeyType - - - - - Returns the parameter type used by Windows 10 devices for an edition upgrade. Windows 10 desktop devices require a product key for an edition upgrade. Windows 10 mobile devices require a license for an edition upgrade. - - - - - - - - - - - - - - text/plain - - - CheckApplicability diff --git a/windows/client-management/new-policies-for-windows-10.md b/windows/client-management/new-policies-for-windows-10.md index d13f235344..793835661a 100644 --- a/windows/client-management/new-policies-for-windows-10.md +++ b/windows/client-management/new-policies-for-windows-10.md @@ -519,7 +519,6 @@ No new [Exchange ActiveSync policies](/exchange/mobile-device-mailbox-policies-e [Changes to Group Policy settings for Start in Windows 10](/windows/configuration/changes-to-start-policies-in-windows-10) -[Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md)   \ No newline at end of file diff --git a/windows/client-management/reset-a-windows-10-mobile-device.md b/windows/client-management/reset-a-windows-10-mobile-device.md deleted file mode 100644 index 8a41883885..0000000000 --- a/windows/client-management/reset-a-windows-10-mobile-device.md +++ /dev/null 
@@ -1,94 +0,0 @@ ---- -title: Reset a Windows 10 Mobile device (Windows 10) -description: There are two methods for resetting a Windows 10 Mobile device factory reset and \ 0034;wipe and persist \ 0034; reset. -ms.assetid: B42A71F4-DFEE-4D6E-A904-7942D1AAB73F -ms.reviewer: -manager: dansimp -ms.author: dansimp -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: mobile -author: dansimp -ms.localizationpriority: medium -ms.date: 07/27/2017 -ms.topic: article ---- - -# Reset a Windows 10 Mobile device - - -**Applies to** - -- Windows 10 Mobile - -There are two methods for resetting a Windows 10 Mobile device: factory reset and "wipe and persist" reset. - -- **Factory reset** restores the state of the device back to its first-boot state plus any update packages. The reset will not return device to the original factory state. To return the device to the original factory state, you must flash it with the original factory image by using the [Windows Device Recovery Tool](https://support.microsoft.com/help/12379/windows-10-mobile-device-recovery-tool-faq). All the provisioning applied to the device by the enterprise will be lost and will need to be re-applied if needed. For details on what is removed or persists, see [Resetting a mobile device](https://go.microsoft.com/fwlink/p/?LinkID=703715). -- **"Wipe and persist" reset** preserves all the provisioning applied to the device before the reset. After the "wipe and persist" reset, all the preserved provisioning packages are automatically applied on the device and the data in the enterprise shared storage folder \\Data\\SharedData\\Enterprise\\Persistent is restored in that folder. For more information on the enterprise shared storage folder, see [EnterpriseExtFileSystem CSP](./mdm/enterpriseextfilessystem-csp.md). - -You can trigger a reset using your mobile device management (MDM) service, or a user can trigger a reset in the user interface (UI) or by using hardware buttons. 
- -## Reset using MDM - - -The remote wipe command is sent as an XML provisioning file to the device. Since the [RemoteWipe configuration service provider (CSP)](./mdm/remotewipe-csp.md) uses OMA DM and WAP, authentication between client and server and delivery of the XML provisioning file is handled by provisioning. The remote wipe command is implemented on the device by using the **ResetPhone** function. For more information about the data that is removed as a result of the remote wipe command, see [Resetting a mobile device](https://go.microsoft.com/fwlink/p/?LinkId=703715). - -To perform a factory reset, restoring the device back to its out-of-box state, use the following syncML. - -``` - - - - 3 - - ./Vendor/MSFT/RemoteWipe/DoWipe - - - - - -``` - -To perform a "wipe and persist" reset, preserving the provisioning applied to the device before the reset and persisting data files locally, use the following syncML. - -``` - - - - 3 - - ./Vendor/MSFT/RemoteWipe/DoWipePersistProvisionedData - - - - - -``` - -## Reset using the UI - - -1. On your mobile device, go to **Settings** > **System** > **About** > **Reset your Phone** - -2. When you tap **Reset your phone**, the dialog box will present an option to **Also remove provisioned content** if: - - - At least one provisioning package has been applied, or - - A file is present in the enterprise shared storage folder \\Data\\SharedData\\Enterprise\\Persistent. - - If the option to **Also remove provisioned content** is selected, the reset that ensues is a regular factory reset. If the option is not selected, a "wipe and persist" reset is performed. - -## Reset using hardware buttons - - -If your phone is unresponsive and you can't reach **Settings**, you may be able to reset your phone using the hardware buttons. Reset using hardware buttons does not give you the option to persist provisioned content. On Lumia phones (and some others), do the following to reset your phone: - -1. 
Press and hold the **Volume down** and **Power** buttons at the same time until you feel a vibration (about 10–15 seconds). - -2. When you feel the vibration, release the buttons, and then immediately press and hold the **Volume down** button until you see a large exclamation mark. - -3. When the exclamation mark appears, press the following four buttons in this order: **Volume up**, **Volume down**, **Power**, **Volume down**. Your phone should now reset and restart itself. (It might take a while for the reset to finish.) - -  - -  \ No newline at end of file diff --git a/windows/client-management/toc.yml b/windows/client-management/toc.yml index 4b43db4f1b..4f41f66ba5 100644 --- a/windows/client-management/toc.yml +++ b/windows/client-management/toc.yml @@ -12,8 +12,6 @@ items: href: mandatory-user-profile.md - name: Connect to remote Azure Active Directory-joined PC href: connect-to-remote-aadj-pc.md - - name: Join Windows 10 Mobile to Azure Active Directory - href: join-windows-10-mobile-to-azure-active-directory.md - name: New policies for Windows 10 href: new-policies-for-windows-10.md - name: Windows 10 default media removal policy @@ -24,12 +22,8 @@ items: href: manage-settings-app-with-group-policy.md - name: What version of Windows am I running href: windows-version-search.md - - name: Reset a Windows 10 Mobile device - href: reset-a-windows-10-mobile-device.md - name: Transitioning to modern management href: manage-windows-10-in-your-organization-modern-management.md - - name: Windows 10 Mobile deployment and management guide - href: windows-10-mobile-and-mdm.md - name: Windows libraries href: windows-libraries.md - name: Mobile device management (MDM) diff --git a/windows/deployment/images/configmgr-assets.png b/windows/deployment/images/configmgr-assets.png deleted file mode 100644 index ac315148c5..0000000000 Binary files a/windows/deployment/images/configmgr-assets.png and /dev/null differ 
diff --git a/windows/deployment/windows-10-poc-sc-config-mgr.md b/windows/deployment/windows-10-poc-sc-config-mgr.md index 1faba01072..1179220486 100644 --- a/windows/deployment/windows-10-poc-sc-config-mgr.md +++ b/windows/deployment/windows-10-poc-sc-config-mgr.md @@ -854,11 +854,9 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF 6. When a popup dialog box asks if you want to run full discovery, click **Yes**. 7. In the Assets and Compliance workspace, click **Devices** and verify that the computer account names for SRV1 and PC1 are displayed. See the following example (GREGLIN-PC1 is the computer account name of PC1 in this example): - ![assets](./images/configmgr-assets.png) +>If you do not see the computer account for PC1, try clicking the **Refresh** button in the upper right corner of the console. - >If you do not see the computer account for PC1, try clicking the **Refresh** button in the upper right corner of the console. - - The **Client** column indicates that the Configuration Manager client is not currently installed. This procedure will be carried out next. +The **Client** column indicates that the Configuration Manager client is not currently installed. This procedure will be carried out next. 8. Sign in to PC1 using the contoso\administrator account and type the following at an elevated command prompt to remove any pre-existing client configuration, if it exists. Note: this command requires an elevated command prompt not an elevated Windows PowerShell prompt:
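Review bot: In the windows-10-poc-sc-config-mgr.md hunk (@@ -854,11 +854,9 @@), step 7 still ends with "See the following example (GREGLIN-PC1 is the computer account name of PC1 in this example):", but the image it introduced is removed, so the sentence now points at nothing. Drop that sentence or reword it to say what the reader should look for in the **Devices** list. The two added lines (the ">If you do not see the computer account for PC1..." note and the "The **Client** column..." paragraph) also appear to have lost the leading indentation the removed lines had, which takes them out of list item 7; in Markdown that can end the ordered list and break the numbering of step 8. Keep the original indentation on both lines.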
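Review bot: In the second toc.yml hunk (@@ -24,12 +22,8 @@), the entry for windows-10-mobile-and-mdm.md is removed, but no deletion of that file shows up between the toc.yml diff and the windows/deployment diffs, which is where it would sort. If the file stays in the tree it becomes a published page with no TOC entry. Either delete it in this change together with its entry, or keep the entry until the page is retired.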
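Review bot: In the reset-a-windows-10-mobile-device.md deletion (@@ -1,94 +0,0 @@), the page is removed outright and the visible hunks add no redirect for its URL, so existing links to it will break. The page also carried the distinction between ./Vendor/MSFT/RemoteWipe/DoWipe and ./Vendor/MSFT/RemoteWipe/DoWipePersistProvisionedData, including the point that a hardware-button reset cannot persist provisioned content. Add a redirect, for example to the RemoteWipe CSP page the deleted text links to (./mdm/remotewipe-csp.md), and confirm that page still covers both nodes before this content is dropped.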