From 793d3189658dbc71ef053fefcde7a87e8824ef8d Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi <89069896+alekyaj@users.noreply.github.com> Date: Tue, 22 Mar 2022 16:57:48 +0530 Subject: [PATCH 01/24] CSP - Windows 11 Updates The updates were made as per Task: 5825705. Thanks! --- .../mdm/accountmanagement-csp.md | 21 +++++++---- windows/client-management/mdm/accounts-csp.md | 29 ++++++++++----- .../client-management/mdm/activesync-csp.md | 35 +++++++++++-------- .../mdm/alljoynmanagement-csp.md | 21 ++++++----- .../client-management/mdm/application-csp.md | 29 +++++++-------- 5 files changed, 79 insertions(+), 56 deletions(-) diff --git a/windows/client-management/mdm/accountmanagement-csp.md b/windows/client-management/mdm/accountmanagement-csp.md index 5f2a7ff230..0c0b0e2501 100644 --- a/windows/client-management/mdm/accountmanagement-csp.md +++ b/windows/client-management/mdm/accountmanagement-csp.md @@ -13,8 +13,7 @@ manager: dansimp # AccountManagement CSP - -AccountManagement CSP is used to configure setting in the Account Manager service in Windows Holographic for Business edition. Added in Windows 10, version 1803. +AccountManagement CSP is used to configure setting in the Account Manager service in Windows Holographic for Business edition. Added in Windows 10, version 1803, and later. > [!NOTE] > The AccountManagement CSP is only supported in Windows Holographic for Business edition. @@ -41,7 +40,9 @@ Interior node. **UserProfileManagement/EnableProfileManager** Enable profile lifetime management for shared or communal device scenarios. Default value is false. -Supported operations are Add, Get,Replace, and Delete. Value type is bool. +Supported operations are Add, Get, Replace, and Delete. + +Value type is bool. **UserProfileManagement/DeletionPolicy** Configures when profiles will be deleted. Default value is 1. @@ -52,19 +53,25 @@ Valid values: - 1 - delete at storage capacity threshold - 2 - delete at both storage capacity threshold and profile inactivity threshold -Supported operations are Add, Get,Replace, and Delete. Value type is integer. +Supported operations are Add, Get, Replace, and Delete. + +Value type is integer. **UserProfileManagement/StorageCapacityStartDeletion** Start deleting profiles when available storage capacity falls below this threshold, given as percent of total storage available for profiles. Profiles that have been inactive the longest will be deleted first. Default value is 25. -Supported operations are Add, Get,Replace, and Delete. Value type is integer. +Supported operations are Add, Get, Replace, and Delete. + +Value type is integer. **UserProfileManagement/StorageCapacityStopDeletion** Stop deleting profiles when available storage capacity is brought up to this threshold, given as percent of total storage available for profiles. Default value is 50. -Supported operations are Add, Get,Replace, and Delete. Value type is integer. +Supported operations are Add, Get, Replace, and Delete. + +Value type is integer. **UserProfileManagement/ProfileInactivityThreshold** Start deleting profiles when they have not been logged on during the specified period, given as number of days. Default value is 30. -Supported operations are Add, Get,Replace, and Delete. Value type is integer. +Supported operations are Add, Get, Replace, and Delete. Value type is integer. diff --git a/windows/client-management/mdm/accounts-csp.md b/windows/client-management/mdm/accounts-csp.md index 1269c2797e..708435ef91 100644 --- a/windows/client-management/mdm/accounts-csp.md +++ b/windows/client-management/mdm/accounts-csp.md @@ -1,6 +1,6 @@ --- title: Accounts CSP -description: The Accounts configuration service provider (CSP) is used by the enterprise to rename devices, as well as create local Windows accounts & joint them to a group. +description: The Accounts configuration service provider (CSP) is used by the enterprise to rename devices, as well as create local Windows accounts & join them to a group. ms.author: dansimp ms.topic: article ms.prod: w10 @@ -14,8 +14,7 @@ manager: dansimp # Accounts Configuration Service Provider -The Accounts configuration service provider (CSP) is used by the enterprise (1) to rename a device, (2) to create a new local Windows account and join it to a local user group. This CSP was added in Windows 10, version 1803. - +The Accounts configuration service provider (CSP) is used by the enterprise (1) to rename a device, (2) to create a new local Windows account and join it to a local user group. This CSP was added in Windows 10, version 1803, and later. The following shows the Accounts configuration service provider in tree format. @@ -30,6 +29,16 @@ Accounts ------------LocalUserGroup ``` +The following table shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + **./Device/Vendor/MSFT/Accounts** Root node. @@ -37,7 +46,10 @@ Root node. Interior node for the account domain information. **Domain/ComputerName** -This node specifies the DNS hostname for a device. This setting can be managed remotely, but note that this not supported for devices hybrid joined to Azure Active Directory and an on-premises Active directory. The server must explicitly reboot the device for this value to take effect. A couple of macros can be embedded within the value for dynamic substitution. Using any of these macros will limit the new name to 15 characters. +This node specifies the DNS hostname for a device. This setting can be managed remotely. The server must explicitly reboot the device for this value to take effect. A couple of macros can be embedded within the value for dynamic substitution. Using any of these macros will limit the new name to 15 characters. + +>[!Note] +> The ComputerName node is not supported for devices hybrid joined to Azure Active Directory and an on-premises Active directory. Available naming macros: @@ -55,15 +67,14 @@ Supported operation is Add. Interior node for the user account information. **Users/_UserName_** -This node specifies the username for a new local user account. This setting can be managed remotely. +This node specifies the username for a new local user account. This setting can be managed remotely. **Users/_UserName_/Password** -This node specifies the password for a new local user account. This setting can be managed remotely. +This node specifies the password for a new local user account. This setting can be managed remotely. -Supported operation is Add. -GET operation is not supported. This setting will report as failed when deployed from the Endpoint Manager. +Supported operation is Add. GET operation is not supported. This setting will report as failed when deployed from the Endpoint Manager. **Users/_UserName_/LocalUserGroup** -This optional node specifies the local user group that a local user account should be joined to. If the node is not set, the new local user account is joined just to the Standard Users group. Set the value to 2 for Administrators group. This setting can be managed remotely. +This optional node specifies the local user group that a local user account should be joined to. If the node is not set, the new local user account is joined just to the Standard Users group. Set the value to 2 for Administrators group. This setting can be managed remotely. Supported operation is Add. diff --git a/windows/client-management/mdm/activesync-csp.md b/windows/client-management/mdm/activesync-csp.md index e69eef0c44..352f05b5be 100644 --- a/windows/client-management/mdm/activesync-csp.md +++ b/windows/client-management/mdm/activesync-csp.md @@ -14,19 +14,16 @@ ms.date: 06/26/2017 # ActiveSync CSP - The ActiveSync configuration service provider is used to set up and change settings for Exchange ActiveSync. After an Exchange account has been updated over-the-air by the ActiveSync configuration service provider, the device must be powered off and then powered back on to see sync status. Configuring Windows Live ActiveSync accounts through this configuration service provider is not supported. > [!NOTE] -> The target user must be logged in for the CSP to succeed. The correct way to configure an account is to use the ./User/Vendor/MSFT/ActiveSync path. +> The target user must be logged in for the CSP to succeed. The correct way to configure an account is to use the `./User/Vendor/MSFT/ActiveSync` path. -On the desktop, only per user configuration (./User/Vendor/MSFT/ActiveSync) is supported. However, the ./Vendor/MSFT/ActiveSync path will work if the user is logged in. The CSP fails when no user is logged in. +On the desktop, only per user configuration `./User/Vendor/MSFT/ActiveSync` is supported. However, the `./Vendor/MSFT/ActiveSync` path will work if the user is logged in. The CSP fails when no user is logged in. -The ./Vendor/MSFT/ActiveSync path is deprecated, but will continue to work in the short term. - - +The `./Vendor/MSFT/ActiveSync path` is deprecated, but will continue to work in the short term. The following shows the ActiveSync configuration service provider management objects in tree format as used by Open Mobile Alliance Device Management (OMA DM), OMA Client Provisioning, and Enterprise DM. @@ -62,17 +59,25 @@ ActiveSync ``` +The following table shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + **./User/Vendor/MSFT/ActiveSync** The root node for the ActiveSync configuration service provider. > [!NOTE] -> The target user must be logged in for the CSP to succeed. The correct way to configure an account is to use the ./User/Vendor/MSFT/ActiveSync path. +> The target user must be logged in for the CSP to succeed. The correct way to configure an account is to use the `./User/Vendor/MSFT/ActiveSync` path. -On the desktop, only per user configuration (./User/Vendor/MSFT/ActiveSync) is supported. However, the ./Vendor/MSFT/ActiveSync will work if the user is logged in. The CSP fails when no user is logged in. +On the desktop, only per user configuration `./User/Vendor/MSFT/ActiveSync` is supported. However, the ./Vendor/MSFT/ActiveSync will work if the user is logged in. The CSP fails when no user is logged in. -The ./Vendor/MSFT/ActiveSync path is deprecated, but will continue to work in the short term. - - +The `./Vendor/MSFT/ActiveSync` path is deprecated, but will continue to work in the short term. The supported operation is Get. @@ -86,7 +91,7 @@ Defines a specific ActiveSync account. A globally unique identifier (GUID) must Supported operations are Get, Add, and Delete. -When managing over OMA DM, make sure to always use a unique GUID. Provisioning with an account that has the same GUID as an existing one deletes the existing account and does not create the new account. +When managing over OMA DM, ensure to always use a unique GUID. Provisioning with an account that has the same GUID as an existing one deletes the existing account and does not create the new account. Braces { } are required around the GUID. In OMA Client Provisioning, you can type the braces. For example: @@ -264,7 +269,6 @@ Required. A character string that specifies the name of the content type. > [!NOTE] > In Windows 10, this node is currently not working. - Supported operations are Get, Replace, and Add (cannot Add after the account is created). When you use Add or Replace inside an atomic block in the SyncML, the CSP returns an error and provisioning fails. When you use Add or Replace outside of the atomic block, the error is ignored and the account is provisioned as expected. @@ -275,7 +279,9 @@ Node for mail body type and email age filter. **Policies/MailBodyType** Required. Specifies the email body type: HTML or plain. -Value type is string. Supported operations are Add, Get, Replace, and Delete. +Value type is string. + +Supported operations are Add, Get, Replace, and Delete. **Policies/MaxMailAgeFilter** Required. Specifies the time window used for syncing mail items to the device. @@ -284,7 +290,6 @@ Value type is string. Supported operations are Add, Get, Replace, and Delete. ## Related topics - [Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/alljoynmanagement-csp.md b/windows/client-management/mdm/alljoynmanagement-csp.md index 26bcc2dda6..c9aa7bdcde 100644 --- a/windows/client-management/mdm/alljoynmanagement-csp.md +++ b/windows/client-management/mdm/alljoynmanagement-csp.md @@ -14,17 +14,14 @@ ms.date: 06/26/2017 # AllJoynManagement CSP - -The AllJoynManagement configuration service provider (CSP) allows an IT administrator to enumerate the AllJoyn devices that are connected to the AllJoyn bus. The devices must support the Microsoft AllJoyn configuration interface (com.microsoft.alljoynmanagement.config). You can also push configuration files to the same devices. To populate the various nodes when setting new configuration, we recommend that you do a query first, to get the actual values for all the nodes in all the attached devices. You can then use the information from the query to set the node values when pushing the new configuration. +The AllJoynManagement configuration service provider (CSP) allows an IT administrator to enumerate the AllJoyn devices that are connected to the AllJoyn bus. The devices must support the Microsoft AllJoyn configuration interface (`com.microsoft.alljoynmanagement.config`). You can also push configuration files to the same devices. To populate the various nodes when setting new configuration, we recommend that you do a query first, to get the actual values for all the nodes in all the attached devices. You can then use the information from the query to set the node values when pushing the new configuration. > [!NOTE] > The AllJoynManagement configuration service provider (CSP) is only supported in Windows 10 IoT Core (IoT Core). -This CSP was added in Windows 10, version 1511. +This CSP was added in Windows 10, version 1511, and later. - - -For the firewall settings, note that PublicProfile and PrivateProfile are mutually exclusive. The Private Profile must be set on the directly on the device itself, and the only supported operation is Get. For PublicProfile, both Add and Get are supported. This CSP is intended to be used in conjunction with the AllJoyn Device System Bridge, and an understanding of the bridge will help when determining when and how to use this CSP. For more information, see [Device System Bridge (DSB) Project](https://go.microsoft.com/fwlink/p/?LinkId=615876) and [AllJoyn Device System Bridge](https://go.microsoft.com/fwlink/p/?LinkId=615877). +For the firewall settings, note that PublicProfile and PrivateProfile are mutually exclusive. The Private Profile must be set directly on the device itself, and the only supported operation is Get. For PublicProfile, both Add and Get are supported. This CSP is intended to be used in conjunction with the AllJoyn Device System Bridge, and an understanding of the bridge will help when determining when and how to use this CSP. For more information, see [Device System Bridge (DSB) Project](https://go.microsoft.com/fwlink/p/?LinkId=615876) and [AllJoyn Device System Bridge](https://go.microsoft.com/fwlink/p/?LinkId=615877). The following shows the AllJoynManagement configuration service provider in tree format @@ -64,7 +61,7 @@ The following list describes the characteristics and parameters. The root node for the AllJoynManagement configuration service provider. **Services** -List of all AllJoyn objects that are discovered on the AllJoyn bus. All AllJoyn objects that expose the "com.microsoft.alljoynmanagement.config" are included. +List of all AllJoyn objects that are discovered on the AllJoyn bus. All AllJoyn objects that expose the "`com.microsoft.alljoynmanagement.config`" are included. **Services/***Node name* The unique AllJoyn device ID (a GUID) that hosts one or more configurable objects. @@ -81,7 +78,7 @@ The set of configurable interfaces that are available on the port of the AllJoyn **Services/*Node name*/Port/*Node name*/CfgObject/***Node name* The remainder of this URI is an escaped path to the configurable AllJoyn object hosted by the parent ServiceID and accessible by the parent PortNum. -For example an AllJoyn Bridge with the Microsoft specific AllJoyn configuration interface "\\FabrikamService\\BridgeConfig" would be specified in the URI as: %2FFabrikamService%2FBridgeConfig. +For example an AllJoyn Bridge with the Microsoft specific AllJoyn configuration interface "`\\FabrikamService\\BridgeConfig`" would be specified in the URI as: `%2FFabrikamService%2FBridgeConfig`. **Credentials** This is the credential store. An administrator can set credentials for each AllJoyn device that requires authentication at this node. @@ -89,7 +86,7 @@ This is the credential store. An administrator can set credentials for each AllJ When a SyncML request arrives in the CSP to replace or query a configuration item on an AllJoyn object that requires authentication, then the CSP uses the credentials stored here during the authentication phase. **Credentials/***Node name* -This is the same service ID specified in \\AllJoynManagement\\Services\\ServiceID URI. It is typically implemented as a GUID. +This is the same service ID specified in `\\AllJoynManagement\\Services\\ServiceID` URI. It is typically implemented as a GUID. **Credentials/*Node name*/Key** An alphanumeric key value that conforms to the AllJoyn SRP KEYX authentication standard. @@ -105,7 +102,6 @@ Boolean value indicating whether AllJoyn router service (AJRouter.dll) is enable ## Examples - Set adapter configuration ```xml @@ -128,7 +124,10 @@ SyncML xmlns="SYNCML:SYNCML1.2"> ``` -You should replace \_ALLJOYN\_DEVICE\_ID\_ with an actual device ID. Note that the data is base-64 encoded representation of the configuration file that you are setting. +You should replace \_ALLJOYN\_DEVICE\_ID\_ with an actual device ID. + +>[!Note] +> The data is base-64 encoded representation of the configuration file that you are setting. Get PIN data diff --git a/windows/client-management/mdm/application-csp.md b/windows/client-management/mdm/application-csp.md index 728e4dcda3..798049c967 100644 --- a/windows/client-management/mdm/application-csp.md +++ b/windows/client-management/mdm/application-csp.md @@ -14,14 +14,25 @@ ms.date: 06/26/2017 # APPLICATION configuration service provider - The APPLICATION configuration service provider is used to configure an application transport using Open Mobile Alliance (OMA) Client Provisioning. -OMA considers each transport to be an application and requires a corresponding APPLICATION configuration service provider. The following list shows the supported transports. +OMA considers each transport to be an application and requires a corresponding APPLICATION configuration service provider. -- w7, for bootstrapping a device with an OMA Device Management (OMA DM) account. For more information, see [w7 APPLICATION configuration service provider](w7-application-csp.md) +The following table shows the applicability of Windows: -- w4, for configuring Multimedia Messaging Service (MMS). For more information, see [w4 APPLICATION configuration service provider](w4-application-csp.md) +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + +The following list shows the supported transports: + +- w7, for bootstrapping a device with an OMA Device Management (OMA DM) account. For more information, see [w7 APPLICATION configuration service provider](w7-application-csp.md) + +- w4, for configuring Multimedia Messaging Service (MMS). For more information, see [w4 APPLICATION configuration service provider](w4-application-csp.md) The APPID parameter differentiates these application transports. Each APPID must be registered with OMA, and any APPLICATION configuration service provider must be in the root of the provisioning document. @@ -29,15 +40,5 @@ For the device to decode correctly, provisioning XML that contains the APPLICATI ## Related topics - [Configuration service provider reference](configuration-service-provider-reference.md) -  - -  - - - - - - From 908e4e5408c518ca24b42bd4b34e1bb0c012c22d Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi <89069896+alekyaj@users.noreply.github.com> Date: Tue, 22 Mar 2022 17:00:22 +0530 Subject: [PATCH 02/24] Updated --- windows/client-management/mdm/accountmanagement-csp.md | 2 +- windows/client-management/mdm/alljoynmanagement-csp.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/accountmanagement-csp.md b/windows/client-management/mdm/accountmanagement-csp.md index 0c0b0e2501..e0bd1525e7 100644 --- a/windows/client-management/mdm/accountmanagement-csp.md +++ b/windows/client-management/mdm/accountmanagement-csp.md @@ -13,7 +13,7 @@ manager: dansimp # AccountManagement CSP -AccountManagement CSP is used to configure setting in the Account Manager service in Windows Holographic for Business edition. Added in Windows 10, version 1803, and later. +AccountManagement CSP is used to configure setting in the Account Manager service in Windows Holographic for Business edition. Added in Windows 10, version 1803. > [!NOTE] > The AccountManagement CSP is only supported in Windows Holographic for Business edition. diff --git a/windows/client-management/mdm/alljoynmanagement-csp.md b/windows/client-management/mdm/alljoynmanagement-csp.md index c9aa7bdcde..12181e1cac 100644 --- a/windows/client-management/mdm/alljoynmanagement-csp.md +++ b/windows/client-management/mdm/alljoynmanagement-csp.md @@ -19,7 +19,7 @@ The AllJoynManagement configuration service provider (CSP) allows an IT administ > [!NOTE] > The AllJoynManagement configuration service provider (CSP) is only supported in Windows 10 IoT Core (IoT Core). -This CSP was added in Windows 10, version 1511, and later. +This CSP was added in Windows 10, version 1511. For the firewall settings, note that PublicProfile and PrivateProfile are mutually exclusive. The Private Profile must be set directly on the device itself, and the only supported operation is Get. For PublicProfile, both Add and Get are supported. This CSP is intended to be used in conjunction with the AllJoyn Device System Bridge, and an understanding of the bridge will help when determining when and how to use this CSP. For more information, see [Device System Bridge (DSB) Project](https://go.microsoft.com/fwlink/p/?LinkId=615876) and [AllJoyn Device System Bridge](https://go.microsoft.com/fwlink/p/?LinkId=615877). From ec9254239271252ccdd2d1886c2fb516c16ebeb7 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi <89069896+alekyaj@users.noreply.github.com> Date: Thu, 24 Mar 2022 10:47:11 +0530 Subject: [PATCH 03/24] CSP Improvement & Windows 11 Updates --- .../mdm/accountmanagement-csp.md | 4 ++ windows/client-management/mdm/accounts-csp.md | 29 ++++---- .../client-management/mdm/activesync-csp.md | 20 +++--- .../mdm/alljoynmanagement-csp.md | 10 +-- .../client-management/mdm/application-csp.md | 14 ++-- .../mdm/applicationcontrol-csp.md | 42 ++++++++---- .../client-management/mdm/applocker-csp.md | 67 ++++++++++--------- .../mdm/assignedaccess-csp.md | 25 +++++-- .../mdm/cellularsettings-csp.md | 12 +++- .../mdm/certificatestore-csp.md | 25 ++++--- 10 files changed, 154 insertions(+), 94 deletions(-) diff --git a/windows/client-management/mdm/accountmanagement-csp.md b/windows/client-management/mdm/accountmanagement-csp.md index e0bd1525e7..6fc42bf1c8 100644 --- a/windows/client-management/mdm/accountmanagement-csp.md +++ b/windows/client-management/mdm/accountmanagement-csp.md @@ -75,3 +75,7 @@ Value type is integer. Start deleting profiles when they have not been logged on during the specified period, given as number of days. Default value is 30. Supported operations are Add, Get, Replace, and Delete. Value type is integer. + +## Related topics + +[Configuration service provider reference](configuration-service-provider-reference.md) \ No newline at end of file diff --git a/windows/client-management/mdm/accounts-csp.md b/windows/client-management/mdm/accounts-csp.md index 708435ef91..f1e17f5cd4 100644 --- a/windows/client-management/mdm/accounts-csp.md +++ b/windows/client-management/mdm/accounts-csp.md @@ -11,8 +11,17 @@ ms.reviewer: manager: dansimp --- -# Accounts Configuration Service Provider +# Accounts CSP +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| The Accounts configuration service provider (CSP) is used by the enterprise (1) to rename a device, (2) to create a new local Windows account and join it to a local user group. This CSP was added in Windows 10, version 1803, and later. @@ -29,16 +38,6 @@ Accounts ------------LocalUserGroup ``` -The following table shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - **./Device/Vendor/MSFT/Accounts** Root node. @@ -72,9 +71,13 @@ This node specifies the username for a new local user account. This setting can **Users/_UserName_/Password** This node specifies the password for a new local user account. This setting can be managed remotely. -Supported operation is Add. GET operation is not supported. This setting will report as failed when deployed from the Endpoint Manager. +Supported operation is Add. GET operation isn't supported. This setting will report as failed when deployed from the Endpoint Manager. **Users/_UserName_/LocalUserGroup** -This optional node specifies the local user group that a local user account should be joined to. If the node is not set, the new local user account is joined just to the Standard Users group. Set the value to 2 for Administrators group. This setting can be managed remotely. +This optional node specifies the local user group that a local user account should be joined to. If the node isn't set, the new local user account is joined just to the Standard Users group. Set the value to 2 for Administrators group. This setting can be managed remotely. Supported operation is Add. + +## Related topics + +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/activesync-csp.md b/windows/client-management/mdm/activesync-csp.md index 352f05b5be..bb6bd752f3 100644 --- a/windows/client-management/mdm/activesync-csp.md +++ b/windows/client-management/mdm/activesync-csp.md @@ -14,6 +14,16 @@ ms.date: 06/26/2017 # ActiveSync CSP +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + The ActiveSync configuration service provider is used to set up and change settings for Exchange ActiveSync. After an Exchange account has been updated over-the-air by the ActiveSync configuration service provider, the device must be powered off and then powered back on to see sync status. Configuring Windows Live ActiveSync accounts through this configuration service provider is not supported. @@ -59,16 +69,6 @@ ActiveSync ``` -The following table shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - **./User/Vendor/MSFT/ActiveSync** The root node for the ActiveSync configuration service provider. diff --git a/windows/client-management/mdm/alljoynmanagement-csp.md b/windows/client-management/mdm/alljoynmanagement-csp.md index 12181e1cac..35e89b67a3 100644 --- a/windows/client-management/mdm/alljoynmanagement-csp.md +++ b/windows/client-management/mdm/alljoynmanagement-csp.md @@ -21,7 +21,7 @@ The AllJoynManagement configuration service provider (CSP) allows an IT administ This CSP was added in Windows 10, version 1511. -For the firewall settings, note that PublicProfile and PrivateProfile are mutually exclusive. The Private Profile must be set directly on the device itself, and the only supported operation is Get. For PublicProfile, both Add and Get are supported. This CSP is intended to be used in conjunction with the AllJoyn Device System Bridge, and an understanding of the bridge will help when determining when and how to use this CSP. For more information, see [Device System Bridge (DSB) Project](https://go.microsoft.com/fwlink/p/?LinkId=615876) and [AllJoyn Device System Bridge](https://go.microsoft.com/fwlink/p/?LinkId=615877). +For the firewall settings, note that PublicProfile and PrivateProfile are mutually exclusive. The Private Profile must be set directly on the device itself, and the only supported operation is Get. For PublicProfile, both Add and Get are supported. This CSP is intended to be used with the AllJoyn Device System Bridge, and an understanding of the bridge will help when determining when and how to use this CSP. For more information, see [Device System Bridge (DSB) Project](https://go.microsoft.com/fwlink/p/?LinkId=615876) and [AllJoyn Device System Bridge](https://go.microsoft.com/fwlink/p/?LinkId=615877). The following shows the AllJoynManagement configuration service provider in tree format @@ -67,7 +67,7 @@ List of all AllJoyn objects that are discovered on the AllJoyn bus. All AllJoyn The unique AllJoyn device ID (a GUID) that hosts one or more configurable objects. **Services/*Node name*/Port** -The set of ports that the AllJoyn object uses to communicate configuration settings. Typically only one port is used for communication, but it is possible to specify additional ports. +The set of ports that the AllJoyn object uses to communicate configuration settings. Typically only one port is used for communication, but it's possible to specify additional ports. **Services/*Node name*/Port/***Node name* Port number used for communication. This is specified by the configurable AllJoyn object and reflected here. @@ -86,7 +86,7 @@ This is the credential store. An administrator can set credentials for each AllJ When a SyncML request arrives in the CSP to replace or query a configuration item on an AllJoyn object that requires authentication, then the CSP uses the credentials stored here during the authentication phase. **Credentials/***Node name* -This is the same service ID specified in `\\AllJoynManagement\\Services\\ServiceID` URI. It is typically implemented as a GUID. +This is the same service ID specified in `\\AllJoynManagement\\Services\\ServiceID` URI. It's typically implemented as a GUID. **Credentials/*Node name*/Key** An alphanumeric key value that conforms to the AllJoyn SRP KEYX authentication standard. @@ -166,7 +166,9 @@ Get the firewall PrivateProfile ``` - +## Related topics + +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/application-csp.md b/windows/client-management/mdm/application-csp.md index 798049c967..b935548199 100644 --- a/windows/client-management/mdm/application-csp.md +++ b/windows/client-management/mdm/application-csp.md @@ -1,5 +1,5 @@ --- -title: APPLICATION configuration service provider +title: APPLICATION CSP description: Learn how the APPLICATION configuration service provider is used to configure an application transport using Open Mobile Alliance (OMA) Client Provisioning. ms.assetid: 0705b5e9-a1e7-4d70-a73d-7f758ffd8099 ms.reviewer: @@ -12,13 +12,9 @@ author: dansimp ms.date: 06/26/2017 --- -# APPLICATION configuration service provider +# APPLICATION CSP -The APPLICATION configuration service provider is used to configure an application transport using Open Mobile Alliance (OMA) Client Provisioning. - -OMA considers each transport to be an application and requires a corresponding APPLICATION configuration service provider. - -The following table shows the applicability of Windows: +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | @@ -28,6 +24,10 @@ The following table shows the applicability of Windows: |Enterprise|Yes|Yes| |Education|Yes|Yes| +The APPLICATION configuration service provider is used to configure an application transport using Open Mobile Alliance (OMA) Client Provisioning. + +OMA considers each transport to be an application and requires a corresponding APPLICATION configuration service provider. + The following list shows the supported transports: - w7, for bootstrapping a device with an OMA Device Management (OMA DM) account. For more information, see [w7 APPLICATION configuration service provider](w7-application-csp.md) diff --git a/windows/client-management/mdm/applicationcontrol-csp.md b/windows/client-management/mdm/applicationcontrol-csp.md index 648d9c245f..cabf6a14e7 100644 --- a/windows/client-management/mdm/applicationcontrol-csp.md +++ b/windows/client-management/mdm/applicationcontrol-csp.md @@ -13,7 +13,18 @@ ms.date: 09/10/2020 # ApplicationControl CSP -Windows Defender Application Control (WDAC) policies can be managed from an MDM server or locally using PowerShell via the WMI Bridge through the ApplicationControl configuration service provider (CSP). The ApplicationControl CSP was added in Windows 10, version 1903. This CSP provides expanded diagnostic capabilities and support for [multiple policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) (introduced in Windows 10, version 1903). It also provides support for rebootless policy deployment (introduced in Windows 10, version 1709). Unlike the [AppLocker CSP](applocker-csp.md), the ApplicationControl CSP correctly detects the presence of no-reboot option and consequently does not schedule a reboot. +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + +Windows Defender Application Control (WDAC) policies can be managed from an MDM server, or locally by using PowerShell via the WMI Bridge through the ApplicationControl configuration service provider (CSP). The ApplicationControl CSP was added in Windows 10, version 1903. This CSP provides expanded diagnostic capabilities and support for [multiple policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) (introduced in Windows 10, version 1903). It also provides support for rebootless policy deployment (introduced in Windows 10, version 1709). Unlike the [AppLocker CSP](applocker-csp.md), the ApplicationControl CSP correctly detects the presence of no-reboot option and consequently does not schedule a reboot. + Existing WDAC policies deployed using the AppLocker CSP's CodeIntegrity node can now be deployed using the ApplicationControl CSP URI. Although WDAC policy deployment via the AppLocker CSP will continue to be supported, all new feature work will be done in the ApplicationControl CSP only. The following shows the ApplicationControl CSP in tree format. @@ -43,6 +54,7 @@ ApplicationControl ----TenantID ----DeviceID ``` + **./Vendor/MSFT/ApplicationControl** Defines the root node for the ApplicationControl CSP. @@ -73,7 +85,7 @@ An interior node that contains the nodes that describe the policy indicated by t Scope is dynamic. Supported operation is Get. **ApplicationControl/Policies/_Policy GUID_/PolicyInfo/Version** -This node provides the version of the policy indicated by the GUID. Stored as a string, but when parsing use a uint64 as the containing data type. +This node provides the version of the policy indicated by the GUID. Stored as a string, but when parsing uses a uint64 as the containing data type. Scope is dynamic. Supported operation is Get. @@ -113,7 +125,7 @@ The following table provides the result of this policy based on different values |IsAuthorized | IsDeployed | IsEffective | Resultant | |------------ | ---------- | ----------- | --------- | -|True|True|True|Policy is currently running and in effect.| +|True|True|True|Policy is currently running and is in effect.| |True|True|False|Policy requires a reboot to take effect.| |True|False|True|Policy requires a reboot to unload from CI.| |False|True|True|Not Reachable.| @@ -122,14 +134,14 @@ The following table provides the result of this policy based on different values |False|False|True|Not Reachable.| |False|False|False|*Not Reachable.| -\* denotes a valid intermediary state; however, if an MDM transaction results in this state configuration, the END_COMMAND_PROCESSING will result in a fail. +\* denotes a valid intermediary state; however, if an MDM transaction results in this state configuration, the `END_COMMAND_PROCESSING` will result in a fail. **ApplicationControl/Policies/_Policy GUID_/PolicyInfo/Status** This node specifies whether the deployment of the policy indicated by the GUID was successful. Scope is dynamic. Supported operation is Get. -Value type is integer. Default value is 0 == OK. +Value type is integer. Default value is 0 = OK. **ApplicationControl/Policies/_Policy GUID_/PolicyInfo/FriendlyName** This node provides the friendly name of the policy indicated by the policy GUID. @@ -140,15 +152,15 @@ Value type is char. ## Microsoft Endpoint Manager (MEM) Intune Usage Guidance -For customers using Intune standalone or hybrid management with Configuration Manager (MEMCM) to deploy custom policies via the ApplicationControl CSP, refer to [Deploy Windows Defender Application Control policies by using Microsoft Intune](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune). +For customers using Intune standalone or hybrid management with Microsoft Endpoint Manager Configuration Manager (MEMCM) to deploy custom policies via the ApplicationControl CSP, refer to [Deploy Windows Defender Application Control policies by using Microsoft Intune](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune). ## Generic MDM Server Usage Guidance In order to leverage the ApplicationControl CSP without using Intune, you must: 1. Know a generated policy's GUID, which can be found in the policy xml as `` or `` for pre-1903 systems. -2. Convert the policies to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned. -3. Create a policy node (a Base64-encoded blob of the binary policy representation) using the certutil -encode command-line tool. +2. Convert the policies to binary format using the `ConvertFrom-CIPolicy` cmdlet in order to be deployed. The binary policy may be signed or unsigned. +3. Create a policy node (a Base64-encoded blob of the binary policy representation) using the `certutil -encode` command-line tool. Below is a sample certutil invocation: @@ -171,7 +183,7 @@ To deploy base policy and supplemental policies: 1. Perform an ADD on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy** using the Base64-encoded policy node as {Data} with the GUID and policy data for the base policy. 2. Repeat for each base or supplemental policy (with its own GUID and data). -The following example shows the deployment of two base policies and a supplemental policy (which already specifies the base policy it supplements and does not need that reflected in the ADD). +The following example shows the deployment of two base policies and a supplemental policy (which already specifies the base policy supplements and does'nt need to be reflected in the ADD). #### Example 1: Add first base policy @@ -257,7 +269,7 @@ The following is an example of Get command: #### Rebootless Deletion -Upon deletion, policies deployed via the ApplicationControl CSP are removed from the system but stay in effect until the next reboot. In order to functionally do a rebootless delete, first replace the existing policy with an Allow All policy (found at C:\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml) and then delete the updated policy. This will immediately prevent anything from being blocked and fully deactive the policy on the next reboot. +Upon deletion, policies deployed via the ApplicationControl CSP are removed from the system but stay in effect until the next reboot. In order to functionally do a rebootless delete, first replace the existing policy with an Allow All policy (found at `C:\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml`) and then delete the updated policy. This will immediately prevent anything from being blocked and fully deactivate the policy on the next reboot. #### Unsigned Policies @@ -293,8 +305,8 @@ The ApplicationControl CSP can also be managed locally from PowerShell or via Mi ### Setup for using the WMI Bridge -1. Convert your WDAC policy to Base64 -2. Open PowerShell in Local System context (through PSExec or something similar) +1. Convert your WDAC policy to Base64. +2. Open PowerShell in Local System context (through PSExec or something similar). 3. Use WMI Interface: ```powershell @@ -315,4 +327,8 @@ New-CimInstance -Namespace $namespace -ClassName $policyClassName -Property @{Pa ```powershell Get-CimInstance -Namespace $namespace -ClassName $policyClassName -``` \ No newline at end of file +``` + +## Related topics + +[Configuration service provider reference](configuration-service-provider-reference.md) \ No newline at end of file diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md index 61070859fe..4b2ed6a6c1 100644 --- a/windows/client-management/mdm/applocker-csp.md +++ b/windows/client-management/mdm/applocker-csp.md @@ -14,6 +14,15 @@ ms.date: 11/19/2019 # AppLocker CSP +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| The AppLocker configuration service provider is used to specify which applications are allowed or disallowed. There is no user interface shown for apps that are blocked. @@ -74,16 +83,14 @@ Defines restrictions for applications. > [!NOTE] > When you create a list of allowed apps, all [inbox apps](#inboxappsandcomponents) are also blocked, and you must include them in your list of allowed apps. Don't forget to add the inbox apps for Phone, Messaging, Settings, Start, Email and accounts, Work and school, and other apps that you need. - -> Delete/unenrollment is not properly supported unless Grouping values are unique across enrollments. If multiple enrollments use the same Grouping value, then unenrollment will not work as expected since there are duplicate URIs that get deleted by the resource manager. To prevent this problem, the Grouping value should include some randomness. The best practice is to use a randomly generated GUID. However, there is no requirement on the exact value of the node. +> +> Delete/unenrollment is not properly supported, unless Grouping values are unique across enrollments. If multiple enrollments use the same Grouping value, then unenrollment will not work as expected since there are duplicate URIs that get deleted by the resource manager. To prevent this problem, the Grouping value should include some randomness. The best practice is to use a randomly generated GUID. However, there is no requirement on the exact value of the node. > [!NOTE] -> The AppLocker CSP will schedule a reboot when a policy is applied or a deletion occurs using the AppLocker/ApplicationLaunchRestrictions/Grouping/CodeIntegrity/Policy URI. - -Additional information: +> The AppLocker CSP will schedule a reboot when a policy is applied or when a deletion occurs using the AppLocker/ApplicationLaunchRestrictions/Grouping/CodeIntegrity/Policy URI. **AppLocker/ApplicationLaunchRestrictions/_Grouping_** -Grouping nodes are dynamic nodes, and there may be any number of them for a given enrollment (or a given context). The actual identifiers are selected by the management endpoint, whose job it is to determine what their purpose is, and to not conflict with other identifiers that they define. +Grouping nodes are dynamic nodes, and there may be any number of them for a given enrollment (or a given context). The actual identifiers are selected by the management endpoint, whose job is to determine what their purpose is, and to not conflict with other identifiers that they define. Different enrollments and contexts may use the same Authority identifier, even if many such identifiers are active at the same time. Supported operations are Get, Add, Delete, and Replace. @@ -96,14 +103,14 @@ Supported operations are Get, Add, Delete, and Replace. **AppLocker/ApplicationLaunchRestrictions/_Grouping_/EXE/Policy** Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. -Data type is string. +Data type is string. Supported operations are Get, Add, Delete, and Replace. **AppLocker/ApplicationLaunchRestrictions/_Grouping_/EXE/EnforcementMode** The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). -The data type is a string. +The data type is a string. Supported operations are Get, Add, Delete, and Replace. @@ -206,31 +213,34 @@ Data type is Base64. Supported operations are Get, Add, Delete, and Replace. > [!NOTE] -> To use Code Integrity Policy, you first need to convert the policies to binary format using the ConvertFrom-CIPolicy cmdlet. Then a Base64-encoded blob of the binary policy representation should be created (for example, using the [certutil -encode](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732443(v=ws.11)) command line tool) and added to the Applocker-CSP. +> To use Code Integrity Policy, you first need to convert the policies to binary format using the `ConvertFrom-CIPolicy` cmdlet. Then a Base64-encoded blob of the binary policy representation should be created (for example, using the [certutil -encode](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732443(v=ws.11)) command line tool) and added to the Applocker-CSP. **AppLocker/EnterpriseDataProtection** Captures the list of apps that are allowed to handle enterprise data. Should be used in conjunction with the settings in **./Device/Vendor/MSFT/EnterpriseDataProtection** in [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md). -In Windows 10, version 1607 the Windows Information Protection has a concept for allowed and exempt applications. Allowed applications can access enterprise data and the data handled by those applications are protected with encryption. Exempt applications can also access enterprise data, but the data handled by those applications are not protected. This is because some critical enterprise applications may have compatibility problems with encrypted data. +In Windows 10, version 1607, the Windows Information Protection has a concept for allowed and exempt applications. Allowed applications can access enterprise data and the data handled by those applications are protected with encryption. Exempt applications can also access enterprise data, but the data handled by those applications are not protected. This is because some critical enterprise applications may have compatibility problems with encrypted data. You can set the allowed list using the following URI: + - ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/_Grouping_/EXE/Policy - ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/_Grouping_/StoreApps/Policy You can set the exempt list using the following URI. The _Grouping_ string must contain the keyword "EdpExempt" anywhere to help distinguish the exempt list from the allowed list. The "EdpExempt" keyword is also evaluated in a case-insensitive manner: + - ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/_Grouping includes "EdpExempt"_/EXE/Policy - ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/_Grouping includes "EdpExempt"_/StoreApps/Policy Exempt examples: + - ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/ContosoEdpExempt/EXE/Policy - ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/xxxxxEdpExemptxxxxx/EXE/Policy Additional information: -- [Recommended deny list for Windows Information Protection](#recommended-deny-list-for-windows-information-protection) - example for Windows 10, version 1607 that denies known unenlightened Microsoft apps from accessing enterprise data as an allowed app. This ensures an administrator does not accidentally make these apps Windows Information Protection allowed, and avoid known compatibility issues related to automatic file encryption with these applications. +- [Recommended deny list for Windows Information Protection](#recommended-deny-list-for-windows-information-protection) - example for Windows 10, version 1607, denies known unenlightened Microsoft apps from accessing enterprise data as an allowed app. This ensures an administrator does not accidentally make these apps that are Windows Information Protection allowed, and will avoid known compatibility issues related to automatic file encryption with these applications. **AppLocker/EnterpriseDataProtection/_Grouping_** -Grouping nodes are dynamic nodes, and there may be any number of them for a given enrollment (or a given context). The actual identifiers are selected by the management endpoint, whose job it is to determine what their purpose is, and to not conflict with other identifiers that they define. +Grouping nodes are dynamic nodes, and there may be any number of them for a given enrollment (or a given context). The actual identifiers are selected by the management endpoint, whose job is to determine what their purpose is, and to not conflict with other identifiers that they define. Different enrollments and contexts may use the same Authority identifier, even if many such identifiers are active at the same time. Supported operations are Get, Add, Delete, and Replace. @@ -259,15 +269,17 @@ Data type is string. Supported operations are Get, Add, Delete, and Replace. -1. On your phone under **Device discovery**, tap **Pair**. You will get a code (case sensitive). -2. On the browser on the **Set up access page**, enter the code (case sensitive) into the text box and click **Submit**. +**To find Publisher and PackageFullName of apps:** + +1. On your phone under **Device discovery**, tap **Pair**. You will get a code (case sensitive). +2. On the browser on the **Set up access page**, enter the code (case sensitive) into the text box and click **Submit**. The **Device Portal** page opens on your browser. ![device portal screenshot.](images/applocker-screenshot1.png) -3. On the desktop **Device Portal** page, click **Apps** to open the **App Manager**. -4. On the **App Manager** page under **Running apps**, you will see the **Publisher** and **PackageFullName** of apps. +3. On the desktop **Device Portal** page, click **Apps** to open the **App Manager**. +4. On the **App Manager** page under **Running apps**, you will see the **Publisher** and **PackageFullName** of apps. ![device portal app manager.](images/applocker-screenshot3.png) @@ -279,9 +291,9 @@ The following table shows the mapping of information to the AppLocker publisher |Device portal data|AppLocker publisher rule field| |--- |--- | -|PackageFullName|ProductName

The product name is first part of the PackageFullName followed by the version number. In the Windows Camera example, the ProductName is Microsoft.WindowsCamera.| +|PackageFullName|ProductName: The product name is first part of the PackageFullName followed by the version number. In the Windows Camera example, the ProductName is Microsoft.WindowsCamera.| |Publisher|Publisher| -|Version|Version

This can be used either in the HighSection or LowSection of the BinaryVersionRange.

HighSection defines the highest version number and LowSection defines the lowest version number that should be trusted. You can use a wildcard for both versions to make a version- independent rule. Using a wildcard for one of the values will provide higher than or lower than a specific version semantics.| +|Version|Version: This can be used either in the HighSection or LowSection of the BinaryVersionRange.

HighSection defines the highest version number and LowSection defines the lowest version number that should be trusted. You can use a wildcard for both versions to make a version- independent rule. Using a wildcard for one of the values will provide higher than or lower than a specific version semantics.| Here is an example AppLocker publisher rule: @@ -293,13 +305,13 @@ Here is an example AppLocker publisher rule: You can get the publisher name and product name of apps using a web API. -**To find publisher and product name for Microsoft apps in Microsoft Store for Business** +**To find publisher and product name for Microsoft apps in Microsoft Store for Business:** -1. Go to the Microsoft Store for Business website, and find your app. For example, Microsoft OneNote. +1. Go to the Microsoft Store for Business website, and find your app. For example, Microsoft OneNote. -2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, **9wzdncrfhvjl**. +2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is [https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl](https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl), and you'd copy the ID value: **9wzdncrfhvjl**. -3. In your browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. +3. In your browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. Request URI: @@ -332,10 +344,8 @@ Result |publisherCertificateName|Publisher| |windowsPhoneLegacyId|Same value maps to the ProductName and Publisher name.

This value will only be present if there is a XAP package associated with the app in the Store.

If this value is populated then the simple thing to do to cover both the AppX and XAP package would be to create two rules for the app. One rule for AppX using the packageIdentityName and publisherCertificateName value and another one using the windowsPhoneLegacyId value.| - ## Settings apps that rely on splash apps - These apps are blocked unless they are explicitly added to the list of allowed apps. The following table shows the subset of Settings apps that rely on splash apps. The product name is first part of the PackageFullName followed by the version number. @@ -359,17 +369,13 @@ The product name is first part of the PackageFullName followed by the version nu | SettingsPagePhoneNfc | b0894dfd-4671-4bb9-bc17-a8b39947ffb6\_1.0.0.0\_neutral\_\_1prqnbg33c1tj | b0894dfd-4671-4bb9-bc17-a8b39947ffb6 | - ## Inbox apps and components - The following list shows the apps that may be included in the inbox. > [!NOTE] > This list identifies system apps that ship as part of Windows that you can add to your AppLocker policy to ensure proper functioning of the operating system. If you decide to block some of these apps, we recommend a thorough testing before deploying to your production environment. Failure to do so may result in unexpected failures and can significantly degrade the user experience. - - |App|Product ID|Product name| |--- |--- |--- | |3D Viewer|f41647c9-d567-4378-b2ab-7924e5a152f3|Microsoft.Microsoft3DViewer (Added in Windows 10, version 1703)| @@ -1022,6 +1028,7 @@ In this example, **MobileGroup0** is the node name. We recommend using a GUID fo ``` ## Example for Windows 10 Holographic for Business + The following example for Windows 10 Holographic for Business denies all apps and allows the minimum set of [inbox apps](#inboxappsandcomponents) to enable a working device, as well as Settings. ```xml @@ -1277,7 +1284,8 @@ The following example for Windows 10 Holographic for Business denies all apps an ``` ## Recommended deny list for Windows Information Protection -The following example for Windows 10, version 1607 denies known unenlightened Microsoft apps from accessing enterprise data as an allowed app. (An administrator might still use an exempt rule, instead.) This ensures an administrator does not accidentally make these apps Windows Information Protection allowed, and avoid known compatibility issues related to automatic file encryption with these applications. + +The following example for Windows 10, version 1607, denies known unenlightened Microsoft apps from accessing enterprise data as an allowed app. (An administrator might still use an exempt rule, instead.) This ensures an administrator does not accidentally make these apps that are Windows Information Protection allowed, and will avoid known compatibility issues related to automatic file encryption with these applications. In this example, Contoso is the node name. We recommend using a GUID for this node. @@ -1460,5 +1468,4 @@ In this example, Contoso is the node name. We recommend using a GUID for this no ## Related topics - [Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md index fd89c3803d..7a204f04d3 100644 --- a/windows/client-management/mdm/assignedaccess-csp.md +++ b/windows/client-management/mdm/assignedaccess-csp.md @@ -14,6 +14,16 @@ ms.date: 09/18/2018 # AssignedAccess CSP +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + The AssignedAccess configuration service provider (CSP) is used to set the device to run in kiosk mode. Once the CSP has been executed, the next user login that is associated with the kiosk mode puts the device into the kiosk mode running the application specified in the CSP configuration. For a step-by-step guide for setting up devices to run in kiosk mode, see [Set up a kiosk on Windows 10 Pro, Enterprise, or Education.](/windows/configuration/kiosk-single-app) @@ -24,7 +34,7 @@ In Windows 10, version 1709, the AssignedAccess configuration service provider ( > You can only assign one single app kiosk profile to an individual user account on a device. The single app profile does not support domain groups. > [!Note] -> If the application calls KeyCredentialManager.IsSupportedAsync when it is running in assigned access mode and it returns false on the first run, invoke the settings screen and select a appropriate PIN to use with Windows Hello. This is the settings screen that is hidden by the application running in assigned access mode. You can only use Windows Hello if you first leave assigned access mode, select your convenience pin, and then go back into assigned access mode again. +> If the application calls `KeyCredentialManager.IsSupportedAsync` when it is running in assigned access mode and it returns false on the first run, invoke the settings screen and select an appropriate PIN to use with Windows Hello. This is the settings screen that is hidden by the application running in assigned access mode. You can only use Windows Hello if you first leave assigned access mode, select your convenience pin, and then go back into assigned access mode again. > [!Note] > The AssignedAccess CSP is supported in Windows 10 Enterprise and Windows 10 Education. Starting from Windows 10, version 1709, it is supported in Windows 10 Pro and Windows 10 S. Starting from Windows 10, version 1803, it is also supported in Windows Holographic for Business edition. @@ -45,14 +55,14 @@ AssignedAccess Root node for the CSP. **./Device/Vendor/MSFT/AssignedAccess/KioskModeApp** -A JSON string that contains the user account name and Application User Model ID (AUMID) of the Kiosk mode app. For more information about how to get the AUMID, see [Find the Application User Model ID of an installed app](/windows-hardware/customize/enterprise/find-the-application-user-model-id-of-an-installed-app). +A JSON string that contains the user account name and Application User Model ID (AUMID) of the Kiosk mode app. For more information about how to get the AUMID, see [Find the Application User Model ID of an installed app](/windows/configuration/find-the-application-user-model-id-of-an-installed-app). For more information, see [Set up a kiosk on Windows 10 Pro, Enterprise, or Education.](/windows/configuration/kiosk-single-app) > [!Note] -> In Windows 10, version 1803 the Configuration node introduces single app kiosk profile to replace KioskModeApp CSP node. KioskModeApp node will be deprecated soon, so you should use the single app kiosk profile in config xml for Configuration node to configure public-facing single app Kiosk. +> In Windows 10, version 1803, the Configuration node introduces single app kiosk profile to replace KioskModeApp CSP node. KioskModeApp node will be deprecated soon, so you should use the single app kiosk profile in config xml for Configuration node to configure public-facing single app Kiosk. > -> Starting in Windows 10, version 1803 the KioskModeApp node becomes No-Op if Configuration node is configured on the device. That Add/Replace/Delete command on KioskModeApp node always returns SUCCESS to the MDM server if Configuration node is set, but the data of KioskModeApp will not take any effect on the device. Get command on KioskModeApp will return the configured JSON string even it’s not effective. +> Starting in Windows 10, version 1803, the KioskModeApp node becomes No-Op if Configuration node is configured on the device. That Add/Replace/Delete command on KioskModeApp node always returns SUCCESS to the MDM server if Configuration node is set, but the data of KioskModeApp will not take any effect on the device. Get command on KioskModeApp will return the configured JSON string even it’s not effective. > [!Note] > You cannot set both KioskModeApp and ShellLauncher at the same time on the device. @@ -80,7 +90,7 @@ For a local account, the domain name should be the device name. When Get is exec The supported operations are Add, Delete, Get and Replace. When there's no configuration, the Get and Delete methods fail. When there's already a configuration for kiosk mode app, the Add method fails. The data pattern for Add and Replace is the same. **./Device/Vendor/MSFT/AssignedAccess/Configuration** -Added in Windows 10, version 1709. Specifies the settings that you can configure in the kiosk or device. This node accepts an AssignedAccessConfiguration xml as input to configure the device experience. For details about the configuration settings in the XML, see [Create a Windows 10 kiosk that runs multiple apps](/windows/configuration/lock-down-windows-10-to-specific-apps). Here is the schema for the [AssignedAccessConfiguration](#assignedaccessconfiguration-xsd). +Added in Windows 10, version 1709. Specifies the settings that you can configure in the kiosk or device. This node accepts an AssignedAccessConfiguration xml as input to configure the device experience. For details about the configuration settings in the XML, see [Create a Windows 10 kiosk that runs multiple apps](/windows/configuration/lock-down-windows-10-to-specific-apps). Here's the schema for the [AssignedAccessConfiguration](#assignedaccessconfiguration-xsd). Enterprises can use this to easily configure and manage the curated lockdown experience. @@ -426,7 +436,7 @@ Below schema is for AssignedAccess Configuration up to Windows 10 1803 release. ``` -Here's the schema for new features introduced in Windows 10 1809 release +Here's the schema for new features introduced in Windows 10 1809 release: ```xml @@ -473,6 +483,7 @@ Here's the schema for new features introduced in Windows 10 1809 release ``` Schema for Windows 10 prerelease + ```xml [!Note] -> Starting in Windows 10, version 1703 the CellularSettings CSP is supported in Windows 10 Home, Pro, Enterprise, and Education editions. +> Starting in Windows 10, version 1703, the CellularSettings CSP is supported in Windows 10 and Windows 11 Home, Pro, Enterprise, and Education editions. The following shows the CellularSettings CSP in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP). The OMA DM protocol isn't supported with this configuration service provider. diff --git a/windows/client-management/mdm/certificatestore-csp.md b/windows/client-management/mdm/certificatestore-csp.md index 11079b3ac6..253d908516 100644 --- a/windows/client-management/mdm/certificatestore-csp.md +++ b/windows/client-management/mdm/certificatestore-csp.md @@ -14,13 +14,23 @@ ms.date: 02/28/2020 # CertificateStore CSP +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + The CertificateStore configuration service provider is used to add secure socket layers (SSL), intermediate, and self-signed certificates. > [!Note] > The CertificateStore configuration service provider does not support installing client certificates. > The Microsoft protocol version of Open Mobile Alliance (OMA) is case insensitive. -For the CertificateStore CSP, you cannot use the Replace command unless the node already exists. +For the CertificateStore CSP, you cannot use the Replace command, unless the node already exists. The following shows the CertificateStore configuration service provider management object in tree format as used by both Open Mobile Alliance Device Management (OMA DM) and OMA Client Provisioning. @@ -259,7 +269,7 @@ Optional. OID of certificate template name. Supported operations are Get, Add, and Delete. **My/SCEP/*UniqueID*/Install/KeyLength** -Required for enrollment. Specify private key length (RSA). Value type is an integer. Valid values are 1024, 2048, 4096. NGC key lengths supported should be specified. +Required for enrollment. Specifies private key length (RSA). Value type is an integer. Valid values are 1024, 2048, 4096. NGC key lengths supported should be specified. Supported operations are Get, Add, Delete, and Replace. @@ -343,7 +353,7 @@ Required. Returns the URL of the SCEP server that responded to the enrollment re Supported operation is Get. **My/WSTEP** -Required for MDM enrolled device. The parent node that hosts the MDM enrollment client certificate related settings that are enrolled via WSTEP. The nodes under WSTEP are mostly for MDM client certificate renew requests. Value type is node. +Required for MDM enrolled device. Specifies the parent node that hosts the MDM enrollment client certificate related settings that are enrolled via WSTEP. The nodes under WSTEP are mostly for MDM client certificate renew requests. Value type is node. Supported operation is Get. @@ -358,12 +368,10 @@ Optional. Specifies the URL of certificate renewal server. If this node doesn't > [!NOTE] > The renewal process follows the same steps as device enrollment, which means that it starts with Discovery service, followed by Enrollment policy service, and then Enrollment web service. - - Supported operations are Add, Get, Delete, and Replace. **My/WSTEP/Renew/RenewalPeriod** -Optional. The time (in days) to trigger the client to initiate the MDM client certificate renew process before the MDM certificate expires. The MDM server cannot set and update the renewal period. This parameter applies to both manual certificate renewal and request on behalf of (ROBO) certificate renewal. It's recommended that the renew period is set a couple of months before the certificate expires to ensure that the certificate gets renewed successfully with data connectivity. +Optional. specifies the time (in days) to trigger the client to initiate the MDM client certificate renew process before the MDM certificate expires. The MDM server cannot set and update the renewal period. This parameter applies to both manual certificate renewal and request on behalf of (ROBO) certificate renewal. It's recommended that the renew period is set a couple of months before the certificate expires to ensure that the certificate gets renewed successfully with data connectivity. The default value is 42 and the valid values are 1 – 1000. Value type is an integer. @@ -414,7 +422,7 @@ Optional. If certificate renewal fails, this integer value indicates the HRESULT Supported operation is Get. **My/WSTEP/Renew/LastRenewalAttemptTime** -Added in Windows 10, version 1607. Time of the last attempted renewal. +Added in Windows 10, version 1607. Specifies the time of the last attempted renewal. Supported operation is Get. @@ -424,7 +432,7 @@ Added in Windows 10, version 1607. Initiates a renewal now. Supported operation is Execute. **My/WSTEP/Renew/RetryAfterExpiryInterval** -Added in Windows 10, version 1703. How long after the enrollment certificate has expired before trying to renew. +Added in Windows 10, version 1703. Specifies how long after the enrollment certificate has expired before trying to renew. Supported operations are Add, Get, and Replace. @@ -698,7 +706,6 @@ Configure the device to automatically renew an MDM client certificate with the s ## Related topics - [Configuration service provider reference](configuration-service-provider-reference.md) From da5393064979391ff945a627e006df658db69789 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi <89069896+alekyaj@users.noreply.github.com> Date: Thu, 24 Mar 2022 10:50:43 +0530 Subject: [PATCH 04/24] Update accounts-ddf-file.md --- windows/client-management/mdm/accounts-ddf-file.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/client-management/mdm/accounts-ddf-file.md b/windows/client-management/mdm/accounts-ddf-file.md index 9d91061818..224b4c6594 100644 --- a/windows/client-management/mdm/accounts-ddf-file.md +++ b/windows/client-management/mdm/accounts-ddf-file.md @@ -11,8 +11,7 @@ ms.reviewer: manager: dansimp --- -# Accounts CSP - +# Accounts DDF file This topic shows the OMA DM device description framework (DDF) for the **Accounts** configuration service provider. From 89d4342e9b6ffbc498d345dd6d0f407d11d90419 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi <89069896+alekyaj@users.noreply.github.com> Date: Fri, 25 Mar 2022 09:12:59 +0530 Subject: [PATCH 05/24] CSP: Windows 11 Updates-part3 --- windows/client-management/mdm/cleanpc-csp.md | 10 + .../mdm/cm-cellularentries-csp.md | 34 ++-- windows/client-management/mdm/cmpolicy-csp.md | 17 +- windows/client-management/mdm/wifi-csp.md | 35 ++-- .../mdm/win32appinventory-csp.md | 11 +- .../mdm/win32compatibilityappraiser-csp.md | 154 +++++++++------ .../windowsadvancedthreatprotection-csp.md | 97 +++++---- .../mdm/windowsautopilot-csp.md | 17 +- .../windowsdefenderapplicationguard-csp.md | 187 ++++++++++++------ .../mdm/windowslicensing-csp.md | 86 ++++---- 10 files changed, 402 insertions(+), 246 deletions(-) diff --git a/windows/client-management/mdm/cleanpc-csp.md b/windows/client-management/mdm/cleanpc-csp.md index 57298ac676..c6c0b2d293 100644 --- a/windows/client-management/mdm/cleanpc-csp.md +++ b/windows/client-management/mdm/cleanpc-csp.md @@ -13,6 +13,16 @@ manager: dansimp # CleanPC CSP +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + The CleanPC configuration service provider (CSP) allows removal of user-installed and pre-installed applications, with the option to persist user data. This CSP was added in Windows 10, version 1703. The following shows the CleanPC configuration service provider in tree format. diff --git a/windows/client-management/mdm/cm-cellularentries-csp.md b/windows/client-management/mdm/cm-cellularentries-csp.md index c333660f0f..7a057f91e2 100644 --- a/windows/client-management/mdm/cm-cellularentries-csp.md +++ b/windows/client-management/mdm/cm-cellularentries-csp.md @@ -14,6 +14,16 @@ ms.date: 08/02/2017 # CM\_CellularEntries CSP +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + The CM\_CellularEntries configuration service provider is used to configure the General Packet Radio Service (GPRS) entries on the device. It defines each GSM data access point. This configuration service provider requires the ID\_CAP\_NETWORKING\_ADMIN capability to be accessed from a network configuration application. @@ -76,13 +86,13 @@ Optional. Type: String. Specifies the type of connection used for the APN. The f |Cdma|Used for CDMA type connections (1XRTT + EVDO).| |Lte|Used for LTE type connections (eHRPD + LTE) when the device is registered HOME.| |Legacy|Used for GPRS + GSM + EDGE + UMTS connections.| -|Lte_iwlan|Used for GPRS type connections that may be offloaded over WiFi| -|Iwlan|Used for connections that are implemented over WiFi offload only| +|Lte_iwlan|Used for GPRS type connections that may be offloaded over WiFi.| +|Iwlan|Used for connections that are implemented over WiFi offload only.| **Desc.langid** Optional. Specifies the UI display string used by the defined language ID. -A parameter name in the format of Desc.langid will be used as the language-specific identifier for the specified entry. For example, a parameter defined as Desc.0409 with a value of "GPRS Connection" will force "GPRS Connection" to be displayed in the UI to represent this connection when the device is set to English language (language ID 0409). Descriptions for multiple languages may be provisioned using this mechanism, and the system will automatically switch among them if the user changes language preferences on the device. If no Desc parameter is provisioned for a given language, the system will default to the name used to create the entry. +A parameter name in the format of Desc.langid will be used as the language-specific identifier for the specified entry. For example, a parameter defined as `Desc.0409` with a value of `"GPRS Connection"` will force "GPRS Connection" to be displayed in the UI to represent this connection when the device is set to English language (language ID 0409). Descriptions for multiple languages may be provisioned using this mechanism, and the system will automatically switch among them if the user changes language preferences on the device. If no **Desc** parameter is provisioned for a given language, the system will default to the name used to create the entry. **Enabled** Specifies if the connection is enabled. @@ -110,7 +120,7 @@ Optional. Specifies if the connection requires a corresponding mappings policy. A value of "0" specifies that the connection can be used for any general Internet communications. A value of "1" specifies that the connection is only used if a mapping policy is present. -For example, if the multimedia messaging service (MMS) APN should not have any other traffic except MMS, you can configure a mapping policy that sends MMS traffic to this connection. Then, you set the value of UseRequiresMappingsPolicy to be equal to "1" and Connection Manager will only use the connection for MMS traffic. Without this, Connection Manager will try to use the connection for any general purpose Internet traffic. +For example, if the multimedia messaging service (MMS) APN does not have any other traffic except MMS, you can configure a mapping policy that sends MMS traffic to this connection. Then, you set the value of UseRequiresMappingsPolicy to be equal to "1" and Connection Manager will only use the connection for MMS traffic. Without this, Connection Manager will try to use the connection for any general purpose Internet traffic. **Version** Type: Int. Specifies the XML version number and is used to verify that the XML is supported by Connection Manager's configuration service provider. @@ -131,7 +141,7 @@ Optional. Type: Int. This parameter specifies the roaming conditions under which - 5 - Roaming only. **OEMConnectionID** -Optional. Type: GUID. Specifies a GUID to use to identify a specific connection in the modem. If a value isn't specified, the default value is 00000000-0000-0000-0000-000000000000. This parameter is only used on LTE devices. +Optional. Type: GUID. Specifies a GUID that is used to identify a specific connection in the modem. If a value isn't specified, the default value is 00000000-0000-0000-0000-000000000000. This parameter is only used on LTE devices. **ApnId** Optional. Type: Int. Specifies the purpose of the APN. If a value isn't specified, the default value is "0" (none). This parameter is only used on LTE devices. @@ -145,7 +155,7 @@ Optional. Type: String. Specifies the network protocol of the connection. Availa **ExemptFromDisablePolicy** Added back in Windows 10, version 1511.Optional. Type: Int. This should only be specified for special purpose connections whose applications directly manage their disable state (such as MMS). A value of "0" specifies that the connection is subject to the disable policy used by general purpose connections (not exempt). A value of "1" specifies that the connection is exempt. If a value isn't specified, the default value is "0" (not exempt). -To allow MMS when data is set to OFF, set both ExemptFromDisablePolicy and UseRequiresMappingsPolicy to "1". This indicates that the connection is a dedicated MMS connection and that it shouldn't be disabled when all other connections are disabled. As a result, MMS can be sent and received when data is set to OFF. +To allow MMS when data is set to OFF, set both ExemptFromDisablePolicy and UseRequiresMappingsPolicy to "1". This indicates that the connection is a dedicated MMS connection, and that it shouldn't be disabled when all other connections are disabled. As a result, MMS can be sent and received when data is set to OFF. >[!Note] > Sending MMS while roaming is still not allowed. @@ -174,7 +184,7 @@ Optional. Type: Int. Specifies how long an on-demand connection can be unused be > If tear-down/activation requests occur too frequently, this value should be set to greater than 5 seconds. **SimIccId** -For single SIM phones, this parm isOptional. However, it is highly recommended to include this value when creating future updates. For dual SIM phones, this parm is required. Type: String. Specifies the SIM ICCID that services the connection. +For single SIM phones, this parm is Optional. However, it is highly recommended to include this value when creating future updates. For dual SIM phones, this parm is required. Type: String. Specifies the SIM ICCID that services the connection. **PurposeGroups** Required. Type: String. Specifies the purposes of the connection by a comma-separated list of GUIDs representing purpose values. The following purpose values are available: @@ -271,17 +281,7 @@ The following table shows the Microsoft custom elements that this configuration |Characteristic-query|Yes| |Parm-query|Yes| - ## Related topics - [Configuration service provider reference](configuration-service-provider-reference.md) - - - - - - - - diff --git a/windows/client-management/mdm/cmpolicy-csp.md b/windows/client-management/mdm/cmpolicy-csp.md index d37ac364ec..3cf035b06c 100644 --- a/windows/client-management/mdm/cmpolicy-csp.md +++ b/windows/client-management/mdm/cmpolicy-csp.md @@ -14,13 +14,21 @@ ms.date: 06/26/2017 # CMPolicy CSP +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| The CMPolicy configuration service provider defines rules that the Connection Manager uses to identify the correct connection for a connection request. > [!NOTE] > This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_NETWORKING\_ADMIN capabilities to be accessed from a network configuration application. - Each policy entry identifies one or more applications in combination with a host pattern. The policy entry is assigned a list of connection details that Connection Manager uses to satisfy connection requests matching the application and host patterns. CMPolicy configuration service provider can have multiple policies **Policy Ordering**: There's no explicit ordering of policies. The general rule is that the most concrete or specific policy mappings take a higher precedence. @@ -134,7 +142,6 @@ Specifies the type of connection being referenced. The following list describes ## OMA client provisioning examples - Adding an application-based mapping policy. In this example, the ConnectionId for type CMST\_CONNECTION\_NAME is set to the name of the connection (“GPRSConn1”) that is configured with the CM\_CellularEntries configuration service provider. ```xml @@ -180,7 +187,9 @@ Adding an application-based mapping policy. In this example, the ConnectionId fo ``` -Adding a host-based mapping policy. In this example, the ConnectionId for type CMST\_CONNECTION\_NAME is set to the name of the connection (“GPRSConn1”) that is configured with the CM\_CellularEntries configuration service provider. +Adding a host-based mapping policy: + +In this example, the ConnectionId for type CMST\_CONNECTION\_NAME is set to the name of the connection (“GPRSConn1”) that is configured with the CM\_CellularEntries configuration service provider. ```xml @@ -364,7 +373,6 @@ Adding a host-based mapping policy: ## Microsoft Custom Elements - |Element|Available| |--- |--- | |parm-query|Yes| @@ -373,7 +381,6 @@ Adding a host-based mapping policy: ## Related topics - [Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/wifi-csp.md b/windows/client-management/mdm/wifi-csp.md index fecd686326..9e1e9d883b 100644 --- a/windows/client-management/mdm/wifi-csp.md +++ b/windows/client-management/mdm/wifi-csp.md @@ -14,6 +14,16 @@ ms.date: 06/18/2019 # WiFi CSP +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + > [!WARNING] > Some information relates to pre-released products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. @@ -21,12 +31,12 @@ The WiFi configuration service provider provides the functionality to add or del Programming considerations: -- If the authentication method needs a certificate, for example, EAP-TLS requires client certificates, you must configure it through the CertificateStore configuration service provider. The WiFi configuration service provider does not provide that functionality; instead, the Wi-Fi profile can specify characteristics of the certificate to be used for choosing the right certificate for that network. The server must successfully enroll the certificate first before deploying the Wi-Fi network configuration. For example, for an EAP-TLS profile, the server must successfully configure and enroll the required client certificate before deploying the Wi-Fi profile. Self-signed certificate works for EAP-TLS/PEAP-MSCHAPv2, but it is not supported in EAP-TLS. -- For WEP, WPA, and WPA2-based networks, include the passkey in the network configuration in plaintext. The passkey is encrypted automatically when it is stored on the device. -- The SSID of the Wi-Fi network part of the LocURI node must be a valid URI based on RFC 2396. This requires that all non-ASCII characters must be escaped using a %-character. Unicode characters without the necessary escaping are not supported. -- The \*name\_goes\_here*\\ must match \\ *name\_goes\_here*\\. -- For the WiFi CSP, you cannot use the Replace command unless the node already exists. -- Using Proxyis in Windows 10 client editions (Home, Pro, Enterprise, and Education) will result in failure. +- If the authentication method needs a certificate, for example, EAP-TLS requires client certificates, you must configure it through the CertificateStore configuration service provider. The WiFi configuration service provider does not provide that functionality; instead, the Wi-Fi profile can specify characteristics of the certificate to be used for choosing the right certificate for that network. The server must successfully enroll the certificate first before deploying the Wi-Fi network configuration. For example, for an EAP-TLS profile, the server must successfully configure and enroll the required client certificate before deploying the Wi-Fi profile. Self-signed certificate works for EAP-TLS/PEAP-MSCHAPv2, but it is not supported in EAP-TLS. +- For WEP, WPA, and WPA2-based networks, include the passkey in the network configuration in plaintext. The passkey is encrypted automatically when it is stored on the device. +- The SSID of the Wi-Fi network part of the LocURI node must be a valid URI based on RFC 2396. This requires that all non-ASCII characters must be escaped using a %-character. Unicode characters without the necessary escaping are not supported. +- The \*name\_goes\_here*\\ must match \\ *name\_goes\_here*\\. +- For the WiFi CSP, you cannot use the Replace command unless the node already exists. +- Using Proxyis in Windows 10 or Windows 11 client editions (Home, Pro, Enterprise, and Education) will result in failure. The following shows the WiFi configuration service provider in tree format. @@ -41,11 +51,10 @@ WiFi ---------WiFiCost ``` - The following list shows the characteristics and parameters. **Device or User profile** -For user profile, use ./User/Vendor/MSFT/Wifi path and for device profile, use ./Device/Vendor/MSFT/Wifi path. +For user profile, use .`/User/Vendor/MSFT/Wifi` path and for device profile, use `./Device/Vendor/MSFT/Wifi` path. **Profile** Identifies the Wi-Fi network configuration. Each Wi-Fi network configuration is represented by a profile object. This network profile includes all the information required for the device to connect to that network – for example, the SSID, authentication and encryption methods and passphrase in case of WEP or WPA2 networks. @@ -94,6 +103,7 @@ Supported operations are Get, Add, Delete, and Replace. --> **DisableInternetConnectivityChecks** + > [!Note] > This node has been deprecated since Windows 10, version 1607. @@ -101,8 +111,8 @@ Added in Windows 10, version 1511. Optional. Disable the internet connectivity c Value type is chr. -- True - internet connectivity check is disabled. -- False - internet connectivity check is enabled. +- True - internet connectivity check is disabled. +- False - internet connectivity check is enabled. Supported operations are Get, Add, Delete, and Replace. @@ -139,7 +149,6 @@ Supported operations are Add, Get, Replace and Delete. Value type is integer. ## Examples - These XML examples show how to perform various tasks using OMA DM. ### Add a network @@ -241,8 +250,4 @@ The following example shows how to add PEAP-MSCHAPv2 network with SSID ‘MyNetw ## Related topics - [Configuration service provider reference](configuration-service-provider-reference.md) - - - diff --git a/windows/client-management/mdm/win32appinventory-csp.md b/windows/client-management/mdm/win32appinventory-csp.md index 428ed3f3cf..ec27ad59c7 100644 --- a/windows/client-management/mdm/win32appinventory-csp.md +++ b/windows/client-management/mdm/win32appinventory-csp.md @@ -14,6 +14,15 @@ ms.date: 06/26/2017 # Win32AppInventory CSP +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| The Win32AppInventory configuration service provider is used to provide an inventory of installed applications on a device. @@ -69,7 +78,7 @@ The supported operation is Get. **Win32InstalledProgram/_InstalledProgram_/RegKey** A string that specifies product code or registry subkey. -For MSI-based applications this is the product code. +For MSI-based applications, this is the product code. For applications found in Add/Remove Programs, this is the registry subkey. diff --git a/windows/client-management/mdm/win32compatibilityappraiser-csp.md b/windows/client-management/mdm/win32compatibilityappraiser-csp.md index 015e95075d..f2a5fc1a7b 100644 --- a/windows/client-management/mdm/win32compatibilityappraiser-csp.md +++ b/windows/client-management/mdm/win32compatibilityappraiser-csp.md @@ -11,7 +11,17 @@ ms.reviewer: manager: dansimp --- -# Win32CompatibilityAppraiser CSP +# Win32CompatibilityAppraiser CSP + +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. @@ -45,52 +55,64 @@ Win32CompatibilityAppraiser ------------MostRestrictiveSetting --------WerConnectionReport ``` + **./Vendor/MSFT/Win32CompatibilityAppraiser** The root node for the Win32CompatibilityAppraiser configuration service provider. **CompatibilityAppraiser** This represents the state of the Compatibility Appraiser. - **CompatibilityAppraiser/AppraiserConfigurationDiagnosis** This represents various settings that affect whether the Compatibility Appraiser can collect and upload compatibility data. - **CompatibilityAppraiser/AppraiserConfigurationDiagnosis/CommercialId** The unique identifier specifying what organization owns this device. This helps correlate telemetry after it has been uploaded. -Value type is string. Supported operation is Get. +Value type is string. + +Supported operation is Get. **CompatibilityAppraiser/AppraiserConfigurationDiagnosis/CommercialIdSetAndValid** A boolean value representing whether the CommercialId is set to a valid value. Valid values are strings in the form of GUIDs, with no surrounding braces. -Value type is bool. Supported operation is Get. +Value type is bool. + +Supported operation is Get. **CompatibilityAppraiser/AppraiserConfigurationDiagnosis/AllTargetOsVersionsRequested** -A boolean value representing whether the flag to request that the Compatibility Appraiser check compatibility with all possible Windows 10 versions has been set. By default, versions 1507 and 1511, and any version equal to or less than the current version, are not checked. +A boolean value representing whether the flag to request that the Compatibility Appraiser check compatibility with all possible Windows 10 versions has been set. By default, versions 1507 and 1511, and any version equal to or less than the current version, are not checked. -Value type is bool. Supported operation is Get. +Value type is bool. + +Supported operation is Get. **CompatibilityAppraiser/AppraiserConfigurationDiagnosis/OsSkuIsValidForAppraiser** A boolean value indicating whether the current Windows SKU is able to run the Compatibility Appraiser. -Value type is bool. Supported operation is Get. +Value type is bool. + +Supported operation is Get. **CompatibilityAppraiser/AppraiserConfigurationDiagnosis/AppraiserCodeAndDataVersionsAboveMinimum** An integer value representing whether the installed versions of the Compatibility Appraiser code and data meet the minimum requirement to provide useful data. -The values are: -- 0 == Neither the code nor data is of a sufficient version -- 1 == The code version is insufficient but the data version is sufficient -- 2 == The code version is sufficient but the data version is insufficient -- 3 == Both the code and data are of a sufficient version +The values are: + +- 0 == Neither the code nor data is of a sufficient version +- 1 == The code version is insufficient but the data version is sufficient +- 2 == The code version is sufficient but the data version is insufficient +- 3 == Both the code and data are of a sufficient version -Value type is integer. Supported operation is Get. +Value type is integer. + +Supported operation is Get. **CompatibilityAppraiser/AppraiserConfigurationDiagnosis/RebootPending** -A boolean value representing whether a reboot is pending on this computer. A newly-installed version of the Compatibility Appraiser may require a reboot before useful data is able to be sent. +A boolean value representing whether a reboot is pending on this computer. A newly-installed version of the Compatibility Appraiser may require a reboot before useful data is able to be sent. -Value type is bool. Supported operation is Get. +Value type is bool. + +Supported operation is Get. **CompatibilityAppraiser/AppraiserRunResultReport** This provides an XML representation of the last run of Appraiser and the last runs of Appraiser of certain types or configurations. @@ -106,45 +128,58 @@ This represents various settings that affect whether the Universal Telemetry Cli **UniversalTelemetryClient/UtcConfigurationDiagnosis/TelemetryOptIn** An integer value representing what level of telemetry will be uploaded. -Value type is integer. Supported operation is Get. +Value type is integer. -The values are: -- 0 == Security data will be sent -- 1 == Basic telemetry will be sent -- 2 == Enhanced telemetry will be sent -- 3 == Full telemetry will be sent +Supported operation is Get. + +The values are: + +- 0 == Security data will be sent. +- 1 == Basic telemetry will be sent. +- 2 == Enhanced telemetry will be sent. +- 3 == Full telemetry will be sent. **UniversalTelemetryClient/UtcConfigurationDiagnosis/CommercialDataOptIn** An integer value representing whether the CommercialDataOptIn setting is allowing any data to upload. -Value type is integer. Supported operation is Get. +Value type is integer. -The values are: -- 0 == Setting is disabled -- 1 == Setting is enabled -- 2 == Setting is not applicable to this version of Windows +Supported operation is Get. + +The values are: + +- 0 == Setting is disabled. +- 1 == Setting is enabled. +- 2 == Setting is not applicable to this version of Windows. **UniversalTelemetryClient/UtcConfigurationDiagnosis/DiagTrackServiceRunning** -A boolean value representing whether the DiagTrack service is running. This service must be running in order to upload UTC data. +A boolean value representing whether the DiagTrack service is running. This service must be running in order to upload UTC data. -Value type is bool. Supported operation is Get. +Value type is bool. + +Supported operation is Get. **UniversalTelemetryClient/UtcConfigurationDiagnosis/MsaServiceEnabled** -A boolean value representing whether the MSA service is enabled. This service must be enabled for UTC data to be indexed with Global Device IDs. +A boolean value representing whether the MSA service is enabled. This service must be enabled for UTC data to be indexed with Global Device IDs. -Value type is bool. Supported operation is Get. +Value type is bool. + +Supported operation is Get. **UniversalTelemetryClient/UtcConfigurationDiagnosis/InternetExplorerTelemetryOptIn** -An integer value representing what websites Internet Explorer will collect telemetry data for. +An integer value representing what websites Internet Explorer will collect telemetry data for. -Value type is integer. Supported operation is Get. +Value type is integer. -The values are: -- 0 == Telemetry collection is disabled -- 1 == Telemetry collection is enabled for websites in the local intranet, trusted websites, and machine local zones -- 2 == Telemetry collection is enabled for internet websites and restricted website zones -- 3 == Telemetry collection is enabled for all websites -- 0x7FFFFFFF == Telemetry collection is not configured +Supported operation is Get. + +The values are: + +- 0 == Telemetry collection is disabled. +- 1 == Telemetry collection is enabled for websites in the local intranet, trusted websites, and machine local zones. +- 2 == Telemetry collection is enabled for internet websites and restricted website zones. +- 3 == Telemetry collection is enabled for all websites. +- 0x7FFFFFFF == Telemetry collection is not configured. **UniversalTelemetryClient/UtcConnectionReport** This provides an XML representation of the UTC connections during the most recent summary period. @@ -160,26 +195,31 @@ This represents various settings that affect whether the Windows Error Reporting **WindowsErrorReporting/WerConfigurationDiagnosis/WerTelemetryOptIn** An integer value indicating the amount of WER data that will be uploaded. -Value type integer. Supported operation is Get. +Value type is integer. -The values are: -- 0 == Data will not send due to UTC opt-in -- 1 == Data will not send due to WER opt-in -- 2 == Basic WER data will send but not the complete set of data -- 3 == The complete set of WER data will send +Supported operation is Get. +The values are: + +- 0 == Data will not send due to UTC opt-in. +- 1 == Data will not send due to WER opt-in. +- 2 == Basic WER data will send but not the complete set of data. +- 3 == The complete set of WER data will send. **WindowsErrorReporting/WerConfigurationDiagnosis/MostRestrictiveSetting** An integer value representing which setting category (system telemetry, WER basic policies, WER advanced policies, and WER consent policies) is causing the overall WerTelemetryOptIn value to be restricted. -Value type integer. Supported operation is Get. +Value type is integer. -The values are: -- 0 == System telemetry settings are restricting uploads -- 1 == WER basic policies are restricting uploads -- 2 == WER advanced policies are restricting uploads -- 3 == WER consent policies are restricting uploads -- 4 == There are no restrictive settings +Supported operation is Get. + +The values are: + +- 0 == System telemetry settings are restricting upload. +- 1 == WER basic policies are restricting uploads. +- 2 == WER advanced policies are restricting uploads. +- 3 == WER consent policies are restricting uploads. +- 4 == There are no restrictive settings. **WindowsErrorReporting/WerConnectionReport** This provides an XML representation of the most recent WER connections of various types. @@ -190,7 +230,7 @@ For the report XML schema, see [Windows Error Reporting connection report](#wind ### Appraiser run result report -``` +```xml @@ -362,7 +402,7 @@ For the report XML schema, see [Windows Error Reporting connection report](#wind ### UTC connection report -``` +```xml @@ -440,7 +480,7 @@ For the report XML schema, see [Windows Error Reporting connection report](#wind ### Windows Error Reporting connection report -``` +```xml @@ -638,3 +678,7 @@ For the report XML schema, see [Windows Error Reporting connection report](#wind ``` + +## Related topics + +[Configuration service provider reference](configuration-service-provider-reference.md) \ No newline at end of file diff --git a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md index c8bd5266d0..6e8395ab55 100644 --- a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md +++ b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md @@ -14,6 +14,15 @@ ms.date: 11/01/2017 # WindowsAdvancedThreatProtection CSP +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| The Windows Defender Advanced Threat Protection (WDATP) configuration service provider (CSP) allows IT Admins to onboard, determine configuration and health status, and offboard endpoints for WDATP. @@ -40,102 +49,101 @@ WindowsAdvancedThreatProtection The following list describes the characteristics and parameters. **./Device/Vendor/MSFT/WindowsAdvancedThreatProtection** -

The root node for the Windows Defender Advanced Threat Protection configuration service provider. +The root node for the Windows Defender Advanced Threat Protection configuration service provider. -

Supported operation is Get. +Supported operation is Get. **Onboarding** -

Sets Windows Defender Advanced Threat Protection Onboarding blob and initiates onboarding to Windows Defender Advanced Threat Protection. +Sets Windows Defender Advanced Threat Protection Onboarding blob and initiates onboarding to Windows Defender Advanced Threat Protection. -

The data type is a string. +The data type is a string. -

Supported operations are Get and Replace. +Supported operations are Get and Replace. **HealthState** -

Node that represents the Windows Defender Advanced Threat Protection health state. +Node that represents the Windows Defender Advanced Threat Protection health state. **HealthState/LastConnected** -

Contains the timestamp of the last successful connection. +Contains the timestamp of the last successful connection. -

Supported operation is Get. +Supported operation is Get. **HealthState/SenseIsRunning** -

Boolean value that identifies the Windows Defender Advanced Threat Protection Sense running state. +Boolean value that identifies the Windows Defender Advanced Threat Protection Sense running state. -

The default value is false. +The default value is false. -

Supported operation is Get. +Supported operation is Get. **HealthState/OnboardingState** -

Represents the onboarding state. +Represents the onboarding state. -

Supported operation is Get. +Supported operation is Get. -

The following list shows the supported values: +The following list shows the supported values: -- 0 (default) – Not onboarded. -- 1 – Onboarded +- 0 (default) – Not onboarded. +- 1 – Onboarded **HealthState/OrgId** -

String that represents the OrgID. +String that represents the OrgID. -

Supported operation is Get. +Supported operation is Get. **Configuration** -

Represents Windows Defender Advanced Threat Protection configuration. +Represents Windows Defender Advanced Threat Protection configuration. **Configuration/SampleSharing** -

Returns or sets the Windows Defender Advanced Threat Protection Sample Sharing configuration parameter. +Returns or sets the Windows Defender Advanced Threat Protection Sample Sharing configuration parameter. -

The following list shows the supported values: +The following list shows the supported values: - 0 – None - 1 (default)– All -

Supported operations are Get and Replace. +Supported operations are Get and Replace. **Configuration/TelemetryReportingFrequency** -

Added in Windows 10, version 1703. Returns or sets the Windows Defender Advanced Threat Protection diagnostic data reporting frequency. +Added in Windows 10, version 1703. Returns or sets the Windows Defender Advanced Threat Protection diagnostic data reporting frequency. -

The following list shows the supported values: +The following list shows the supported values: -- 1 (default) – Normal -- 2 - Expedite +- 1 (default) – Normal +- 2 - Expedite -

Supported operations are Get and Replace. +Supported operations are Get and Replace. **Offboarding** -

Sets the Windows Defender Advanced Threat Protection Offboarding blob and initiates offboarding to Windows Defender Advanced Threat Protection. +Sets the Windows Defender Advanced Threat Protection Offboarding blob and initiates offboarding to Windows Defender Advanced Threat Protection. -

The data type is a string. +The data type is a string. -

Supported operations are Get and Replace. +Supported operations are Get and Replace. **DeviceTagging** -

Added in Windows 10, version 1709. Represents Windows Defender Advanced Threat Protection configuration for managing role based access and device tagging. +Added in Windows 10, version 1709. Represents Windows Defender Advanced Threat Protection configuration for managing role based access and device tagging. -

Supported operations is Get. +Supported operations is Get. **DeviceTagging/Group** -

Added in Windows 10, version 1709. Device group identifiers. +Added in Windows 10, version 1709. Device group identifiers. -

The data type is a string. +The data type is a string. -

Supported operations are Get and Replace. +Supported operations are Get and Replace. **DeviceTagging/Criticality** -

Added in Windows 10, version 1709. Asset criticality value. Supported values: +Added in Windows 10, version 1709. Asset criticality value. Supported values: - 0 - Normal - 1 - Critical -

The data type is an integer. +The data type is an integer. -

Supported operations are Get and Replace. +Supported operations are Get and Replace. ## Examples - ```xml @@ -246,15 +254,4 @@ The following list describes the characteristics and parameters. ## Related topics - [Configuration service provider reference](configuration-service-provider-reference.md) - - - - - - - - - - diff --git a/windows/client-management/mdm/windowsautopilot-csp.md b/windows/client-management/mdm/windowsautopilot-csp.md index b50c42c129..2bcfeacc12 100644 --- a/windows/client-management/mdm/windowsautopilot-csp.md +++ b/windows/client-management/mdm/windowsautopilot-csp.md @@ -14,11 +14,20 @@ ms.date: 02/07/2022 # WindowsAutoPilot CSP +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - -The WindowsAutopilot CSP collects hardware information about a device and formats it into a BLOB. This BLOB is used as input for calling Windows Autopilot Service to mark a device as remediation required if the device underwent a hardware change that affects its ability to use Windows Autopilot.” with “The WindowsAutopilot CSP exposes Windows Autopilot related device information.” Because the CSP description should be more general/high level. +The WindowsAutopilot CSP exposes Windows Autopilot related device information. The WindowsAutopilot CSP collects hardware information about a device and formats it into a BLOB. This BLOB is used as input for calling Windows Autopilot Service to mark a device as remediation required if the device underwent a hardware change that affects its ability to use Windows Autopilot. **./Vendor/MSFT/WindowsAutopilot** @@ -27,3 +36,7 @@ Root node. Supported operation is Get. **HardwareMismatchRemediationData** Interior node. Supported operation is Get. Collects hardware information about a device and returns it as an encoded string. This string is used as input for calling Windows Autopilot Service to remediate a device if the device underwent a hardware change that affects its ability to use Windows Autopilot. + +## Related topics + +[Configuration service provider reference](configuration-service-provider-reference.md) \ No newline at end of file diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md index e489b9b6cd..2c369a5a20 100644 --- a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md +++ b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md @@ -13,9 +13,20 @@ manager: dansimp # WindowsDefenderApplicationGuard CSP +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + The WindowsDefenderApplicationGuard configuration service provider (CSP) is used by the enterprise to configure the settings in Microsoft Defender Application Guard. This CSP was added in Windows 10, version 1709. The following shows the WindowsDefenderApplicationGuard configuration service provider in tree format. + ``` ./Device/Vendor/MSFT WindowsDefenderApplicationGuard @@ -36,6 +47,7 @@ WindowsDefenderApplicationGuard ----Audit --------AuditApplicationGuard ``` + **./Device/Vendor/MSFT/WindowsDefenderApplicationGuard** Root node. Supported operation is Get. @@ -43,30 +55,37 @@ Root node. Supported operation is Get. Interior node. Supported operation is Get. **Settings/AllowWindowsDefenderApplicationGuard** -Turn on Microsoft Defender Application Guard in Enterprise Mode. +Turn on Microsoft Defender Application Guard in Enterprise Mode. -Value type is integer. Supported operations are Add, Get, Replace, and Delete. +Value type is integer. + +Supported operations are Add, Get, Replace, and Delete. The following list shows the supported values: -- 0 - Disable Microsoft Defender Application Guard -- 1 - Enable Microsoft Defender Application Guard for Microsoft Edge ONLY -- 2 - Enable Microsoft Defender Application Guard for isolated Windows environments ONLY (added in Windows 10, version 2004) -- 3 - Enable Microsoft Defender Application Guard for Microsoft Edge AND isolated Windows environments (added in Windows 10, version 2004) + +- 0 - Disable Microsoft Defender Application Guard. +- 1 - Enable Microsoft Defender Application Guard for Microsoft Edge ONLY. +- 2 - Enable Microsoft Defender Application Guard for isolated Windows environments ONLY (added in Windows 10, version 2004). +- 3 - Enable Microsoft Defender Application Guard for Microsoft Edge AND isolated Windows environments (added in Windows 10, version 2004). **Settings/ClipboardFileType** -Determines the type of content that can be copied from the host to Application Guard environment and vice versa. +Determines the type of content that can be copied from the host to Application Guard environment and vice versa. -Value type is integer. Supported operations are Add, Get, Replace, and Delete. +Value type is integer. -This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode. +Supported operations are Add, Get, Replace, and Delete. + +This policy setting is supported on Microsoft Edge on Windows 10/Windows 11 Enterprise or Windows 10/Windows 11 Education with Microsoft Defender Application Guard in Enterprise mode. The following list shows the supported values: + - 1 - Allow text copying. - 2 - Allow image copying. - 3 - Allow text and image copying. -ADMX Info: +ADMX Info: + - GP Friendly name: *Configure Microsoft Defender Application Guard clipboard settings* - GP name: *AppHVSIClipboardFileType* - GP path: *Windows Components/Microsoft Defender Application Guard* @@ -76,21 +95,25 @@ ADMX Info: **Settings/ClipboardSettings** This policy setting allows you to decide how the clipboard behaves while in Application Guard. -Value type is integer. Supported operations are Add, Get, Replace, and Delete. +Value type is integer. -This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode. +Supported operations are Add, Get, Replace, and Delete. + +This policy setting is supported on Microsoft Edge on Windows 10/Windows 11 Enterprise or Windows 10/Windows 11 Education with Microsoft Defender Application Guard in Enterprise mode. + +The following list shows the supported values: -The following list shows the supported values: - 0 (default) - Completely turns Off the clipboard functionality for the Application Guard. - 1 - Turns On clipboard operation from an isolated session to the host. - 2 - Turns On clipboard operation from the host to an isolated session. - 3 - Turns On clipboard operation in both the directions. > [!IMPORTANT] -> Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended. +> Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended. -ADMX Info: +ADMX Info: + - GP Friendly name: *Configure Microsoft Defender Application Guard clipboard settings* - GP name: *AppHVSIClipboardSettings* - GP path: *Windows Components/Microsoft Defender Application Guard* @@ -98,13 +121,16 @@ ADMX Info: **Settings/PrintingSettings** -This policy setting allows you to decide how the print functionality behaves while in Application Guard. +This policy setting allows you to decide how the print functionality behaves while in Application Guard. -Value type is integer. Supported operations are Add, Get, Replace, and Delete. +Value type is integer. -This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode. +Supported operations are Add, Get, Replace, and Delete. -The following list shows the supported values: +This policy setting is supported on Microsoft Edge on Windows 10/Windows 11 Enterprise or Windows 10/Windows 11 Education with Microsoft Defender Application Guard in Enterprise mode. + +The following list shows the supported values: + - 0 (default) - Disables all print functionality. - 1 - Enables only XPS printing. - 2 - Enables only PDF printing. @@ -123,7 +149,8 @@ The following list shows the supported values: - 15 - Enables all printing. -ADMX Info: +ADMX Info: + - GP Friendly name: *Configure Microsoft Defender Application Guard print settings* - GP name: *AppHVSIPrintingSettings* - GP path: *Windows Components/Microsoft Defender Application Guard* @@ -133,11 +160,14 @@ ADMX Info: **Settings/BlockNonEnterpriseContent** This policy setting allows you to decide whether websites can load non-enterprise content in Microsoft Edge and Internet Explorer. -Value type is integer. Supported operations are Add, Get, Replace, and Delete. +Value type is integer. -This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode. +Supported operations are Add, Get, Replace, and Delete. -The following list shows the supported values: +This policy setting is supported on Microsoft Edge on Windows 10/Windows 11 Enterprise or Windows 10/Windows 11 Education with Microsoft Defender Application Guard in Enterprise mode. + +The following list shows the supported values: + - 0 (default) - Non-enterprise content embedded in enterprise sites is allowed to open outside of the Microsoft Defender Application Guard container, directly in Internet Explorer and Microsoft Edge. - 1 - Non-enterprise content embedded on enterprise sites are stopped from opening in Internet Explorer or Microsoft Edge outside of Microsoft Defender Application Guard. @@ -145,7 +175,8 @@ The following list shows the supported values: > This policy setting is no longer supported in the new Microsoft Edge browser. The policy will be deprecated and removed in a future release. Webpages that contain mixed content, both enterprise and non-enterprise, may load incorrectly or fail completely if this feature is enabled. -ADMX Info: +ADMX Info: + - GP Friendly name: *Prevent enterprise websites from loading non-enterprise content in Microsoft Edge and Internet Explorer* - GP name: *BlockNonEnterpriseContent* - GP path: *Windows Components/Microsoft Defender Application Guard* @@ -155,16 +186,20 @@ ADMX Info: **Settings/AllowPersistence** This policy setting allows you to decide whether data should persist across different sessions in Application Guard. -Value type is integer. Supported operations are Add, Get, Replace, and Delete. +Value type is integer. -This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode. +Supported operations are Add, Get, Replace, and Delete. -The following list shows the supported values: +This policy setting is supported on Microsoft Edge on Windows 10/Windows 11 Enterprise or Windows 10/Windows 11 Education with Microsoft Defender Application Guard in Enterprise mode. + +The following list shows the supported values: + - 0 - Application Guard discards user-downloaded files and other items (such as, cookies, Favorites, and so on) during machine restart or user log-off. - 1 - Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions. -ADMX Info: +ADMX Info: + - GP Friendly name: *Allow data persistence for Microsoft Defender Application Guard* - GP name: *AllowPersistence* - GP path: *Windows Components/Microsoft Defender Application Guard* @@ -172,15 +207,18 @@ ADMX Info: **Settings/AllowVirtualGPU** -Added in Windows 10, version 1803. This policy setting allows you to determine whether Application Guard can use the virtual Graphics Processing Unit (GPU) to process graphics. +Added in Windows 10, version 1803. This policy setting allows you to determine whether Application Guard can use the virtual Graphics Processing Unit (GPU) to process graphics. -Value type is integer. Supported operations are Add, Get, Replace, and Delete. +Value type is integer. -This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode. +Supported operations are Add, Get, Replace, and Delete. + +This policy setting is supported on Microsoft Edge on Windows 10/Windows 11 Enterprise or Windows 10/Windows 11 Education with Microsoft Defender Application Guard in Enterprise mode. If you enable this setting, Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If you enable this setting without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. -The following list shows the supported values: +The following list shows the supported values: + - 0 (default) - Cannot access the vGPU and uses the CPU to support rendering graphics. When the policy is not configured, it is the same as disabled (0). - 1 - Turns on the functionality to access the vGPU offloading graphics rendering from the CPU. This can create a faster experience when working with graphics intense websites or watching video within the container. @@ -188,7 +226,8 @@ The following list shows the supported values: > Enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device. -ADMX Info: +ADMX Info: + - GP Friendly name: *Allow hardware-accelerated rendering for Microsoft Defender Application Guard* - GP name: *AllowVirtualGPU* - GP path: *Windows Components/Microsoft Defender Application Guard* @@ -196,18 +235,22 @@ ADMX Info: **Settings/SaveFilesToHost** -Added in Windows 10, version 1803. This policy setting allows you to determine whether users can elect to download files from Edge in the container and persist files them from container to the host operating system. This also enables users to elect files on the host operating system and upload it through Edge in the container. +Added in Windows 10, version 1803. This policy setting allows you to determine whether users can elect to download files from Edge in the container and persist files from container to the host operating system. This also enables users to elect files on the host operating system and upload it through Edge in the container. -Value type is integer. Supported operations are Add, Get, Replace, and Delete. +Value type is integer. -This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode. +Supported operations are Add, Get, Replace, and Delete. -The following list shows the supported values: +This policy setting is supported on Microsoft Edge on Windows 10/Windows 11 Enterprise or Windows 10/Windows 11 Education with Microsoft Defender Application Guard in Enterprise mode. + +The following list shows the supported values: + - 0 (default) - The user cannot download files from Edge in the container to the host file system, or upload files from host file system to Edge in the container. When the policy is not configured, it is the same as disabled (0). - 1 - Turns on the functionality to allow users to download files from Edge in the container to the host file system. -ADMX Info: +ADMX Info: + - GP Friendly name: *Allow files to download and save to the host operating system from Microsoft Defender Application Guard* - GP name: *SaveFilesToHost* - GP path: *Windows Components/Microsoft Defender Application Guard* @@ -217,9 +260,11 @@ ADMX Info: **Settings/CertificateThumbprints** Added in Windows 10, version 1809. This policy setting allows certain device level Root Certificates to be shared with the Microsoft Defender Application Guard container. -Value type is string. Supported operations are Add, Get, Replace, and Delete. +Value type is string. -This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode. +Supported operations are Add, Get, Replace, and Delete. + +This policy setting is supported on Microsoft Edge on Windows 10/Windows 11 Enterprise or Windows 10/Windows 11 Education with Microsoft Defender Application Guard in Enterprise mode. If you enable this setting, certificates with a thumbprint matching the ones specified will be transferred into the container. Multiple certificates can be specified by using a comma to separate the thumbprints for each certificate you want to transfer. @@ -229,7 +274,8 @@ b4e72779a8a362c860c36a6461f31e3aa7e58c14,1b1d49f06d2a697a544a1059bd59a7b058cda92 If you disable or don’t configure this setting, certificates are not shared with the Microsoft Defender Application Guard container. -ADMX Info: +ADMX Info: + - GP Friendly name: *Allow Microsoft Defender Application Guard to use Root Certificate Authorities from the user's device* - GP name: *CertificateThumbprints* - GP path: *Windows Components/Microsoft Defender Application Guard* @@ -242,15 +288,18 @@ ADMX Info: **Settings/AllowCameraMicrophoneRedirection** Added in Windows 10, version 1809. This policy setting allows you to determine whether applications inside Microsoft Defender Application Guard can access the device’s camera and microphone when these settings are enabled on the user’s device. -Value type is integer. Supported operations are Add, Get, Replace, and Delete. +Value type is integer. -This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode. +Supported operations are Add, Get, Replace, and Delete. + +This policy setting is supported on Microsoft Edge on Windows 10/Windows 11 Enterprise or Windows 10/Windows 11 Education with Microsoft Defender Application Guard in Enterprise mode. If you enable this policy setting, applications inside Microsoft Defender Application Guard will be able to access the camera and microphone on the user’s device. If you disable or don't configure this policy setting, applications inside Microsoft Defender Application Guard will be unable to access the camera and microphone on the user’s device. -The following list shows the supported values: +The following list shows the supported values: + - 0 (default) - Microsoft Defender Application Guard cannot access the device’s camera and microphone. When the policy is not configured, it is the same as disabled (0). - 1 - Turns on the functionality to allow Microsoft Defender Application Guard to access the device’s camera and microphone. @@ -258,7 +307,8 @@ The following list shows the supported values: > If you turn on this policy setting, a compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge. To prevent unauthorized access, we recommend that camera and microphone privacy settings be turned off on the user's device when they are not needed. -ADMX Info: +ADMX Info: + - GP Friendly name: *Allow camera and microphone access in Microsoft Defender Application Guard* - GP name: *AllowCameraMicrophoneRedirection* - GP path: *Windows Components/Microsoft Defender Application Guard* @@ -268,22 +318,26 @@ ADMX Info: **Status** Returns bitmask that indicates status of Application Guard installation for Microsoft Edge and prerequisites on the device. -Value type is integer. Supported operation is Get. +Value type is integer. -- Bit 0 - Set to 1 when Application Guard is enabled into enterprise manage mode. -- Bit 1 - Set to 1 when the client machine is Hyper-V capable. -- Bit 2 - Set to 1 when the client machine has a valid OS license and SKU. -- Bit 3 - Set to 1 when Application Guard installed on the client machine. -- Bit 4 - Set to 1 when required Network Isolation Policies are configured. - > [!IMPORTANT] - > If you are deploying Application Guard via Intune, Network Isolation Policy must be configured to enable Application Guard for Microsoft Edge. -- Bit 5 - Set to 1 when the client machine meets minimum hardware requirements. -- Bit 6 - Set to 1 when system reboot is required. +Supported operation is Get. + +- Bit 0 - Set to 1 when Application Guard is enabled into enterprise manage mode. +- Bit 1 - Set to 1 when the client machine is Hyper-V capable. +- Bit 2 - Set to 1 when the client machine has a valid OS license and SKU. +- Bit 3 - Set to 1 when Application Guard installed on the client machine. +- Bit 4 - Set to 1 when required Network Isolation Policies are configured. + > [!IMPORTANT] + > If you are deploying Application Guard via Intune, Network Isolation Policy must be configured to enable Application Guard for Microsoft Edge. +- Bit 5 - Set to 1 when the client machine meets minimum hardware requirements. +- Bit 6 - Set to 1 when system reboot is required. **PlatformStatus** Added in Windows 10, version 2004. Applies to Microsoft Office/Generic platform. Returns bitmask that indicates status of Application Guard platform installation and prerequisites on the device. -Value type is integer. Supported operation is Get. +Value type is integer. + +Supported operation is Get. - Bit 0 - Set to 1 when Application Guard is enabled into enterprise manage mode. - Bit 1 - Set to 1 when the client machine is Hyper-V capable. @@ -297,7 +351,8 @@ Initiates remote installation of Application Guard feature. Supported operations are Get and Execute. -The following list shows the supported values: +The following list shows the supported values: + - Install - Will initiate feature install. - Uninstall - Will initiate feature uninstall. @@ -305,20 +360,28 @@ The following list shows the supported values: Interior node. Supported operation is Get. **Audit/AuditApplicationGuard** -This policy setting allows you to decide whether auditing events can be collected from Application Guard. +This policy setting allows you to decide whether auditing events can be collected from Application Guard. -Value type in integer. Supported operations are Add, Get, Replace, and Delete. +Value type in integer. -This policy setting is supported on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode. +Supported operations are Add, Get, Replace, and Delete. -The following list shows the supported values: +This policy setting is supported on Windows 10/Windows 11 Enterprise or Windows 10/Windows 11 Education with Microsoft Defender Application Guard in Enterprise mode. + +The following list shows the supported values: + - 0 (default) - Audit event logs aren't collected for Application Guard. - 1 - Application Guard inherits its auditing policies from system and starts to audit security events for Application Guard container. -ADMX Info: +ADMX Info: + - GP Friendly name: *Allow auditing events in Microsoft Defender Application Guard* - GP name: *AuditApplicationGuard* - GP path: *Windows Components/Microsoft Defender Application Guard* - GP ADMX file name: *AppHVSI.admx* + +## Related topics + +[Configuration service provider reference](configuration-service-provider-reference.md) \ No newline at end of file diff --git a/windows/client-management/mdm/windowslicensing-csp.md b/windows/client-management/mdm/windowslicensing-csp.md index 20530b3267..056fae1e4e 100644 --- a/windows/client-management/mdm/windowslicensing-csp.md +++ b/windows/client-management/mdm/windowslicensing-csp.md @@ -14,6 +14,16 @@ ms.date: 08/15/2018 # WindowsLicensing CSP +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. @@ -40,6 +50,7 @@ WindowsLicensing --------SwitchFromSMode (Added in Windows 10, version 1809) --------Status (Added in Windows 10, version 1809) ``` + **./Device/Vendor/MSFT/WindowsLicensing** This is the root node for the WindowsLicensing configuration service provider. @@ -51,21 +62,17 @@ Enters a product key for an edition upgrade of Windows 10 desktop devices. > [!NOTE] > This upgrade process requires a system restart. - - The date type is a chr. The supported operation is Exec. -When a product key is pushed from an MDM server to a user's device, **changepk.exe** runs using the product key. After it completes, a notification is shown to the user that a new edition of Windows 10 is available. The user can then restart their system manually or, after two hours, the device will restart automatically to complete the upgrade. The user will receive a reminder notification 10 minutes before the automatic restart. +When a product key is pushed from an MDM server to a user's device, **changepk.exe** runs using the product key. After it completes, a notification is shown to the user that a new edition of Windows 10 is available. The user can then restart their system manually or after two hours, the device will restart automatically to complete the upgrade. The user will receive a reminder notification 10 minutes before the automatic restart. After the device restarts, the edition upgrade process completes. The user will receive a notification of the successful upgrade. > [!IMPORTANT] > If another policy requires a system reboot that occurs when **changepk.exe** is running, the edition upgrade will fail. - - If a product key is entered in a provisioning package and the user begins installation of the package, a notification is shown to the user that their system will restart to complete the package installation. Upon explicit consent from the user to proceed, the package continues installation and **changepk.exe** runs using the product key. The user will receive a reminder notification 30 seconds before the automatic restart. After the device restarts, the edition upgrade process completes. The user will receive a notification of the successful upgrade. @@ -75,24 +82,22 @@ This node can also be used to activate or change a product key on a particular e > [!IMPORTANT] > The product key entered must be 29 characters (that is, it should include dashes), otherwise the activation, edition upgrade, or product key change on Windows 10 desktop devices will fail. The product key is acquired from Microsoft Volume Licensing Service Center. Your organization must have a Volume Licensing contract with Microsoft to access the portal. - - The following are valid edition upgrade paths when using this node through an MDM: -- Windows 10 Enterprise to Windows 10 Education -- Windows 10 Home to Windows 10 Education -- Windows 10 Pro to Windows 10 Education -- Windows 10 Pro to Windows 10 Enterprise +- Windows 10/Windows 11 Enterprise to Windows 10/ Windows 11 Education +- Windows 10/Windows 11 Home to Windows 10/Windows 11 Education +- Windows 10/Windows 11 Pro to Windows 10/Windows 11 Education +- Windows 10/Windows 11 Pro to Windows 10/Windows 11 Enterprise Activation or changing a product key can be carried out on the following editions: -- Windows 10 Education -- Windows 10 Enterprise -- Windows 10 Home -- Windows 10 Pro +- Windows 10/Windows 11 Education +- Windows 10/Windows 11 Enterprise +- Windows 10/Windows 11 Home +- Windows 10/Windows 11 Pro **Edition** -Returns a value that maps to the Windows 10 edition. Take the value, convert it into its hexadecimal equivalent and search the GetProductInfo function page on MSDN for edition information. +Returns a value that maps to the Windows 10 or Windows 11 edition. Take the value, convert it into its hexadecimal equivalent and search the GetProductInfo function page on MSDN for edition information. The data type is an Int. @@ -101,11 +106,11 @@ The supported operation is Get. **Status** Returns the status of an edition upgrade on Windows devices. The status corresponds to one of the following values: -- 0 = Failed -- 1 = Pending -- 2 = In progress -- 3 = Completed -- 4 = Unknown +- 0 = Failed +- 1 = Pending +- 2 = In progress +- 3 = Completed +- 4 = Unknown The data type is an Int. @@ -136,23 +141,23 @@ The following are valid edition upgrade paths when using this node through an MD --> **LicenseKeyType** -Returns the parameter type used by Windows 10 devices for an edition upgrade, activation, or product key change. +Returns the parameter type used by Windows 10 or Windows 11 devices for an edition upgrade, activation, or product key change. -- Windows 10 client devices require a product key. +- Windows 10 or Windows 11 client devices require a product key. The data type is a chr. The supported operation is Get. **CheckApplicability** -Returns TRUE if the entered product key can be used for an edition upgrade, activation or changing a product key of Windows 10 for desktop devices. +Returns TRUE if the entered product key can be used for an edition upgrade, activation or changing a product key of Windows 10 or Windows 11 for desktop devices. The data type is a chr. The supported operation is Exec. **ChangeProductKey** -Added in Windows 10, version 1703. Installs a product key for Windows 10 desktop devices. Does not reboot. +Added in Windows 10, version 1703. Installs a product key for Windows 10 or Windows 11 desktop devices. Does not reboot. The data type is a chr. @@ -184,32 +189,37 @@ Interior node for managing S mode. **SMode/SwitchingPolicy** Added in Windows 10, version 1809. Determines whether a consumer can switch the device out of S mode. This setting is only applicable to devices available in S mode. For examples, see [Add S mode SwitchingPolicy](#smode-switchingpolicy-add), [Get S mode SwitchingPolicy](#smode-switchingpolicy-get), [Replace S mode SwitchingPolicy](#smode-switchingpolicy-replace) and [Delete S mode SwitchingPolicy](#smode-switchingpolicy-delete) -Value type is integer. Supported operations are Add, Get, Replace, and Delete. +Value type is integer. -Supported values: -- 0 - No Restriction: The user is allowed to switch the device out of S mode. -- 1 - User Blocked: The admin has blocked the user from switching their device out of S mode. Only the admin can switch the device out of S mode through the SMode/SwitchFromSMode node. +Supported operations are Add, Get, Replace, and Delete. + +Supported values: + +- 0 - No Restriction: The user is allowed to switch the device out of S mode. +- 1 - User Blocked: The admin has blocked the user from switching their device out of S mode. Only the admin can switch the device out of S mode through the SMode/SwitchFromSMode node. **SMode/SwitchFromSMode** Added in Windows 10, version 1809. Switches a device out of S mode if possible. Does not reboot. For an example, see [Execute SwitchFromSMode](#smode-switchfromsmode-execute) Supported operation is Execute. -**SMode/Status** +**SMode/Status** Added in Windows 10, version 1809. Returns the status of the latest SwitchFromSMode set request. For an example, see [Get S mode status](#smode-status-example) -Value type is integer. Supported operation is Get. +Value type is integer. + +Supported operation is Get. Values: -- Request fails with error code 404 - no SwitchFromSMode request has been made. -- 0 - The device successfully switched out of S mode -- 1 - The device is processing the request to switch out of S mode -- 3 - The device was already switched out of S mode -- 4 - The device failed to switch out of S mode + +- Request fails with error code 404 - no SwitchFromSMode request has been made. +- 0 - The device successfully switched out of S mode. +- 1 - The device is processing the request to switch out of S mode. +- 3 - The device was already switched out of S mode. +- 4 - The device failed to switch out of S mode. ## SyncML examples - **CheckApplicability** ```xml @@ -235,8 +245,6 @@ Values: > [!NOTE] > `XXXXX-XXXXX-XXXXX-XXXXX-XXXXX` in the **Data** tag should be replaced with your product key. - - **Edition** ```xml From 41adbd658676b789ebb12db0d54094fe92c84e9c Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi <89069896+alekyaj@users.noreply.github.com> Date: Fri, 25 Mar 2022 09:18:53 +0530 Subject: [PATCH 06/24] Resolved comments --- windows/client-management/mdm/applicationcontrol-csp.md | 2 +- windows/client-management/mdm/applocker-csp.md | 2 +- windows/client-management/mdm/cellularsettings-csp.md | 2 +- windows/client-management/mdm/certificatestore-csp.md | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/client-management/mdm/applicationcontrol-csp.md b/windows/client-management/mdm/applicationcontrol-csp.md index cabf6a14e7..daf90cbbe7 100644 --- a/windows/client-management/mdm/applicationcontrol-csp.md +++ b/windows/client-management/mdm/applicationcontrol-csp.md @@ -17,7 +17,7 @@ The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | -|Home|No|No| +|Home|Yes|Yes| |Pro|Yes|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md index 4b2ed6a6c1..62a83e99c6 100644 --- a/windows/client-management/mdm/applocker-csp.md +++ b/windows/client-management/mdm/applocker-csp.md @@ -18,7 +18,7 @@ The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | -|Home|No|No| +|Home|Yes|Yes| |Pro|Yes|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| diff --git a/windows/client-management/mdm/cellularsettings-csp.md b/windows/client-management/mdm/cellularsettings-csp.md index a58bfbc722..ec815ec6d0 100644 --- a/windows/client-management/mdm/cellularsettings-csp.md +++ b/windows/client-management/mdm/cellularsettings-csp.md @@ -18,7 +18,7 @@ The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | -|Home|No|No| +|Home|Yes|Yes| |Pro|Yes|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| diff --git a/windows/client-management/mdm/certificatestore-csp.md b/windows/client-management/mdm/certificatestore-csp.md index 253d908516..ba6c37f41f 100644 --- a/windows/client-management/mdm/certificatestore-csp.md +++ b/windows/client-management/mdm/certificatestore-csp.md @@ -18,7 +18,7 @@ The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | -|Home|No|No| +|Home|Yes|Yes| |Pro|Yes|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| From 29efe5f7958b6f634b7432f2fcc4553dd7a01b08 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi <89069896+alekyaj@users.noreply.github.com> Date: Fri, 25 Mar 2022 09:44:13 +0530 Subject: [PATCH 07/24] Acrolinx fixes --- .../mdm/applicationcontrol-csp.md | 26 +++++++------- .../client-management/mdm/applocker-csp.md | 34 +++++++++---------- .../mdm/certificatestore-csp.md | 8 ++--- 3 files changed, 34 insertions(+), 34 deletions(-) diff --git a/windows/client-management/mdm/applicationcontrol-csp.md b/windows/client-management/mdm/applicationcontrol-csp.md index daf90cbbe7..69126b6352 100644 --- a/windows/client-management/mdm/applicationcontrol-csp.md +++ b/windows/client-management/mdm/applicationcontrol-csp.md @@ -23,7 +23,7 @@ The table below shows the applicability of Windows: |Enterprise|Yes|Yes| |Education|Yes|Yes| -Windows Defender Application Control (WDAC) policies can be managed from an MDM server, or locally by using PowerShell via the WMI Bridge through the ApplicationControl configuration service provider (CSP). The ApplicationControl CSP was added in Windows 10, version 1903. This CSP provides expanded diagnostic capabilities and support for [multiple policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) (introduced in Windows 10, version 1903). It also provides support for rebootless policy deployment (introduced in Windows 10, version 1709). Unlike the [AppLocker CSP](applocker-csp.md), the ApplicationControl CSP correctly detects the presence of no-reboot option and consequently does not schedule a reboot. +Windows Defender Application Control (WDAC) policies can be managed from an MDM server, or locally by using PowerShell via the WMI Bridge through the ApplicationControl configuration service provider (CSP). The ApplicationControl CSP was added in Windows 10, version 1903. This CSP provides expanded diagnostic capabilities and support for [multiple policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) (introduced in Windows 10, version 1903). It also provides support for rebootless policy deployment (introduced in Windows 10, version 1709). Unlike the [AppLocker CSP](applocker-csp.md), the ApplicationControl CSP correctly detects the presence of no-reboot option and consequently doesn't schedule a reboot. Existing WDAC policies deployed using the AppLocker CSP's CodeIntegrity node can now be deployed using the ApplicationControl CSP URI. Although WDAC policy deployment via the AppLocker CSP will continue to be supported, all new feature work will be done in the ApplicationControl CSP only. @@ -92,14 +92,14 @@ Scope is dynamic. Supported operation is Get. Value type is char. **ApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsEffective** -This node specifies whether a policy is actually loaded by the enforcement engine and is in effect on a system. +This node specifies whether a policy is loaded by the enforcement engine and is in effect on a system. Scope is dynamic. Supported operation is Get. Value type is bool. Supported values are as follows: -- True — Indicates that the policy is actually loaded by the enforcement engine and is in effect on a system. -- False — Indicates that the policy is not loaded by the enforcement engine and is not in effect on a system. This is the default. +- True—Indicates that the policy is loaded by the enforcement engine and is in effect on a system. +- False—Indicates that the policy isn't loaded by the enforcement engine and isn't in effect on a system. This is the default. **ApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsDeployed** This node specifies whether a policy is deployed on the system and is present on the physical machine. @@ -108,18 +108,18 @@ Scope is dynamic. Supported operation is Get. Value type is bool. Supported values are as follows: -- True — Indicates that the policy is deployed on the system and is present on the physical machine. -- False — Indicates that the policy is not deployed on the system and is not present on the physical machine. This is the default. +- True—Indicates that the policy is deployed on the system and is present on the physical machine. +- False—Indicates that the policy isn't deployed on the system and isn't present on the physical machine. This is the default. **ApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsAuthorized** -This node specifies whether the policy is authorized to be loaded by the enforcement engine on the system. If not authorized, a policy cannot take effect on the system. +This node specifies whether the policy is authorized to be loaded by the enforcement engine on the system. If not authorized, a policy can't take effect on the system. Scope is dynamic. Supported operation is Get. Value type is bool. Supported values are as follows: -- True — Indicates that the policy is authorized to be loaded by the enforcement engine on the system. -- False — Indicates that the policy is not authorized to be loaded by the enforcement engine on the system. This is the default. +- True—Indicates that the policy is authorized to be loaded by the enforcement engine on the system. +- False—Indicates that the policy is not authorized to be loaded by the enforcement engine on the system. This is the default. The following table provides the result of this policy based on different values of IsAuthorized, IsDeployed, and IsEffective nodes: @@ -156,7 +156,7 @@ For customers using Intune standalone or hybrid management with Microsoft Endpoi ## Generic MDM Server Usage Guidance -In order to leverage the ApplicationControl CSP without using Intune, you must: +In order to use the ApplicationControl CSP without using Intune, you must: 1. Know a generated policy's GUID, which can be found in the policy xml as `` or `` for pre-1903 systems. 2. Convert the policies to binary format using the `ConvertFrom-CIPolicy` cmdlet in order to be deployed. The binary policy may be signed or unsigned. @@ -183,7 +183,7 @@ To deploy base policy and supplemental policies: 1. Perform an ADD on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy** using the Base64-encoded policy node as {Data} with the GUID and policy data for the base policy. 2. Repeat for each base or supplemental policy (with its own GUID and data). -The following example shows the deployment of two base policies and a supplemental policy (which already specifies the base policy supplements and does'nt need to be reflected in the ADD). +The following example shows the deployment of two base policies and a supplemental policy (which already specifies the base policy supplements and doesn't need to be reflected in the ADD). #### Example 1: Add first base policy @@ -301,7 +301,7 @@ The following is an example of Delete command: ## PowerShell and WMI Bridge Usage Guidance -The ApplicationControl CSP can also be managed locally from PowerShell or via Microsoft Endpoint Manager Configuration Manager's (MEMCM, formerly known as SCCM) task sequence scripting by leveraging the [WMI Bridge Provider](./using-powershell-scripting-with-the-wmi-bridge-provider.md). +The ApplicationControl CSP can also be managed locally from PowerShell or via Microsoft Endpoint Manager Configuration Manager's (MEMCM, formerly known as SCCM) task sequence scripting by using the [WMI Bridge Provider](./using-powershell-scripting-with-the-wmi-bridge-provider.md). ### Setup for using the WMI Bridge @@ -317,7 +317,7 @@ The ApplicationControl CSP can also be managed locally from PowerShell or via Mi ### Deploying a policy via WMI Bridge -Run the following command. PolicyID is a GUID which can be found in the policy xml, and should be used here without braces. +Run the following command. PolicyID is a GUID, which can be found in the policy xml, and should be used here without braces. ```powershell New-CimInstance -Namespace $namespace -ClassName $policyClassName -Property @{ParentID="./Vendor/MSFT/ApplicationControl/Policies";InstanceID="";Policy=$policyBase64} diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md index 62a83e99c6..a368b2d0ec 100644 --- a/windows/client-management/mdm/applocker-csp.md +++ b/windows/client-management/mdm/applocker-csp.md @@ -24,7 +24,7 @@ The table below shows the applicability of Windows: |Enterprise|Yes|Yes| |Education|Yes|Yes| -The AppLocker configuration service provider is used to specify which applications are allowed or disallowed. There is no user interface shown for apps that are blocked. +The AppLocker configuration service provider is used to specify which applications are allowed or disallowed. There's no user interface shown for apps that are blocked. The following shows the AppLocker configuration service provider in tree format. @@ -108,7 +108,7 @@ Data type is string. Supported operations are Get, Add, Delete, and Replace. **AppLocker/ApplicationLaunchRestrictions/_Grouping_/EXE/EnforcementMode** -The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). +The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). The data type is a string. @@ -132,7 +132,7 @@ Data type is string. Supported operations are Get, Add, Delete, and Replace. **AppLocker/ApplicationLaunchRestrictions/_Grouping_/MSI/EnforcementMode** -The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). +The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). The data type is a string. @@ -151,7 +151,7 @@ Data type is string. Supported operations are Get, Add, Delete, and Replace. **AppLocker/ApplicationLaunchRestrictions/_Grouping_/Script/EnforcementMode** -The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). +The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). The data type is a string. @@ -170,7 +170,7 @@ Data type is string. Supported operations are Get, Add, Delete, and Replace. **AppLocker/ApplicationLaunchRestrictions/_Grouping_/StoreApps/EnforcementMode** -The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). +The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). The data type is a string. @@ -189,7 +189,7 @@ Data type is string. Supported operations are Get, Add, Delete, and Replace. **AppLocker/ApplicationLaunchRestrictions/_Grouping_/DLL/EnforcementMode** -The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). +The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). The data type is a string. @@ -216,9 +216,9 @@ Supported operations are Get, Add, Delete, and Replace. > To use Code Integrity Policy, you first need to convert the policies to binary format using the `ConvertFrom-CIPolicy` cmdlet. Then a Base64-encoded blob of the binary policy representation should be created (for example, using the [certutil -encode](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732443(v=ws.11)) command line tool) and added to the Applocker-CSP. **AppLocker/EnterpriseDataProtection** -Captures the list of apps that are allowed to handle enterprise data. Should be used in conjunction with the settings in **./Device/Vendor/MSFT/EnterpriseDataProtection** in [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md). +Captures the list of apps that are allowed to handle enterprise data. Should be used with the settings in **./Device/Vendor/MSFT/EnterpriseDataProtection** in [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md). -In Windows 10, version 1607, the Windows Information Protection has a concept for allowed and exempt applications. Allowed applications can access enterprise data and the data handled by those applications are protected with encryption. Exempt applications can also access enterprise data, but the data handled by those applications are not protected. This is because some critical enterprise applications may have compatibility problems with encrypted data. +In Windows 10, version 1607, the Windows Information Protection has a concept for allowed and exempt applications. Allowed applications can access enterprise data and the data handled by those applications are protected with encryption. Exempt applications can also access enterprise data, but the data handled by those applications aren't protected. This is because some critical enterprise applications may have compatibility problems with encrypted data. You can set the allowed list using the following URI: @@ -237,7 +237,7 @@ Exempt examples: Additional information: -- [Recommended deny list for Windows Information Protection](#recommended-deny-list-for-windows-information-protection) - example for Windows 10, version 1607, denies known unenlightened Microsoft apps from accessing enterprise data as an allowed app. This ensures an administrator does not accidentally make these apps that are Windows Information Protection allowed, and will avoid known compatibility issues related to automatic file encryption with these applications. +- [Recommended deny list for Windows Information Protection](#recommended-deny-list-for-windows-information-protection) - example for Windows 10, version 1607, denies known unenlightened Microsoft apps from accessing enterprise data as an allowed app. This ensures an administrator doesn't accidentally make these apps that are Windows Information Protection allowed, and will avoid known compatibility issues related to automatic file encryption with these applications. **AppLocker/EnterpriseDataProtection/_Grouping_** Grouping nodes are dynamic nodes, and there may be any number of them for a given enrollment (or a given context). The actual identifiers are selected by the management endpoint, whose job is to determine what their purpose is, and to not conflict with other identifiers that they define. @@ -271,7 +271,7 @@ Supported operations are Get, Add, Delete, and Replace. **To find Publisher and PackageFullName of apps:** -1. On your phone under **Device discovery**, tap **Pair**. You will get a code (case sensitive). +1. On your phone under **Device discovery**, tap **Pair**. You'll get a code (case sensitive). 2. On the browser on the **Set up access page**, enter the code (case sensitive) into the text box and click **Submit**. The **Device Portal** page opens on your browser. @@ -279,11 +279,11 @@ Supported operations are Get, Add, Delete, and Replace. ![device portal screenshot.](images/applocker-screenshot1.png) 3. On the desktop **Device Portal** page, click **Apps** to open the **App Manager**. -4. On the **App Manager** page under **Running apps**, you will see the **Publisher** and **PackageFullName** of apps. +4. On the **App Manager** page under **Running apps**, you'll see the **Publisher** and **PackageFullName** of apps. ![device portal app manager.](images/applocker-screenshot3.png) -5. If you do not see the app that you want, look under **Installed apps**. Using the drop- down menu, click on the application and you get the Version, Publisher, and PackageFullName displayed. +5. If you don't see the app that you want, look under **Installed apps**. Using the drop- down menu, click on the application and you get the Version, Publisher, and PackageFullName displayed. ![app manager.](images/applocker-screenshot2.png) @@ -295,7 +295,7 @@ The following table shows the mapping of information to the AppLocker publisher |Publisher|Publisher| |Version|Version: This can be used either in the HighSection or LowSection of the BinaryVersionRange.

HighSection defines the highest version number and LowSection defines the lowest version number that should be trusted. You can use a wildcard for both versions to make a version- independent rule. Using a wildcard for one of the values will provide higher than or lower than a specific version semantics.| -Here is an example AppLocker publisher rule: +Here's an example AppLocker publisher rule: ```xml @@ -319,7 +319,7 @@ Request URI: https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/{app ID}/applockerdata ``` -Here is the example for Microsoft OneNote: +Here's the example for Microsoft OneNote: Request @@ -342,11 +342,11 @@ Result |--- |--- | |packageIdentityName|ProductName| |publisherCertificateName|Publisher| -|windowsPhoneLegacyId|Same value maps to the ProductName and Publisher name.

This value will only be present if there is a XAP package associated with the app in the Store.

If this value is populated then the simple thing to do to cover both the AppX and XAP package would be to create two rules for the app. One rule for AppX using the packageIdentityName and publisherCertificateName value and another one using the windowsPhoneLegacyId value.| +|windowsPhoneLegacyId|Same value maps to the ProductName and Publisher name.

This value will only be present if there's a XAP package associated with the app in the Store.

If this value is populated, then the simple thing to do to cover both the AppX and XAP package would be to create two rules for the app. One rule for AppX using the packageIdentityName and publisherCertificateName value and another one using the windowsPhoneLegacyId value.| ## Settings apps that rely on splash apps -These apps are blocked unless they are explicitly added to the list of allowed apps. The following table shows the subset of Settings apps that rely on splash apps. +These apps are blocked unless they're explicitly added to the list of allowed apps. The following table shows the subset of Settings apps that rely on splash apps. The product name is first part of the PackageFullName followed by the version number. @@ -1285,7 +1285,7 @@ The following example for Windows 10 Holographic for Business denies all apps an ## Recommended deny list for Windows Information Protection -The following example for Windows 10, version 1607, denies known unenlightened Microsoft apps from accessing enterprise data as an allowed app. (An administrator might still use an exempt rule, instead.) This ensures an administrator does not accidentally make these apps that are Windows Information Protection allowed, and will avoid known compatibility issues related to automatic file encryption with these applications. +The following example for Windows 10, version 1607, denies known unenlightened Microsoft apps from accessing enterprise data as an allowed app. (An administrator might still use an exempt rule, instead.) This ensures an administrator doesn't accidentally make these apps that are Windows Information Protection allowed, and will avoid known compatibility issues related to automatic file encryption with these applications. In this example, Contoso is the node name. We recommend using a GUID for this node. diff --git a/windows/client-management/mdm/certificatestore-csp.md b/windows/client-management/mdm/certificatestore-csp.md index ba6c37f41f..4870706fd5 100644 --- a/windows/client-management/mdm/certificatestore-csp.md +++ b/windows/client-management/mdm/certificatestore-csp.md @@ -30,7 +30,7 @@ The CertificateStore configuration service provider is used to add secure socket > The CertificateStore configuration service provider does not support installing client certificates. > The Microsoft protocol version of Open Mobile Alliance (OMA) is case insensitive. -For the CertificateStore CSP, you cannot use the Replace command, unless the node already exists. +For the CertificateStore CSP, you can't use the Replace command, unless the node already exists. The following shows the CertificateStore configuration service provider management object in tree format as used by both Open Mobile Alliance Device Management (OMA DM) and OMA Client Provisioning. @@ -131,7 +131,7 @@ Supported operation is Get. > CA/System is case sensitive. Please use the RootCATrustedCertificates CSP moving forward for installing CA certificates. **My/User** -Defines the certificate store that contains public keys for client certificates. This is only used by enterprise servers to push down the public key of a client certificate. The client certificate is used by the device client to authenticate itself to the enterprise server for device management and downloading enterprise applications. +Defines the certificate store that contains public keys for client certificates. It is only used by enterprise servers to push down the public key of a client certificate. The client certificate is used by the device client to authenticate itself to the enterprise server for device management and downloading enterprise applications. Supported operation is Get. @@ -139,7 +139,7 @@ Supported operation is Get. > My/User is case sensitive. **My/System** -Defines the certificate store that contains public key for client certificate. This is only used by enterprise server to push down the public key of the client cert. The client cert is used by the device to authenticate itself to the enterprise server for device management and enterprise app downloading. +Defines the certificate store that contains public key for client certificate. It is only used by enterprise server to push down the public key of the client cert. The client cert is used by the device to authenticate itself to the enterprise server for device management and enterprise app downloading. Supported operation is Get. @@ -371,7 +371,7 @@ Optional. Specifies the URL of certificate renewal server. If this node doesn't Supported operations are Add, Get, Delete, and Replace. **My/WSTEP/Renew/RenewalPeriod** -Optional. specifies the time (in days) to trigger the client to initiate the MDM client certificate renew process before the MDM certificate expires. The MDM server cannot set and update the renewal period. This parameter applies to both manual certificate renewal and request on behalf of (ROBO) certificate renewal. It's recommended that the renew period is set a couple of months before the certificate expires to ensure that the certificate gets renewed successfully with data connectivity. +Optional. specifies the time (in days) to trigger the client to initiate the MDM client certificate renew process before the MDM certificate expires. The MDM server can't set and update the renewal period. This parameter applies to both manual certificate renewal and request on behalf of (ROBO) certificate renewal. It's recommended that the renew period is set a couple of months before the certificate expires to ensure that the certificate gets renewed successfully with data connectivity. The default value is 42 and the valid values are 1 – 1000. Value type is an integer. From 9ad5a17efaa9e7940e4e65a5877e7ba35ec97b01 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi <89069896+alekyaj@users.noreply.github.com> Date: Thu, 31 Mar 2022 10:03:35 +0530 Subject: [PATCH 08/24] CSP impovement : part 2 The updates were made as per Task: 5864419. Thanks! --- .../mdm/accountmanagement-ddf.md | 7 ++- .../mdm/accounts-ddf-file.md | 11 ++-- .../mdm/activesync-ddf-file.md | 14 +---- .../mdm/alljoynmanagement-ddf.md | 14 +---- .../mdm/applicationcontrol-csp-ddf.md | 29 +++++----- .../mdm/applocker-ddf-file.md | 14 +---- .../mdm/assignedaccess-ddf.md | 18 ++----- .../mdm/bitlocker-ddf-file.md | 4 ++ .../mdm/certificatestore-ddf-file.md | 26 ++++----- windows/client-management/mdm/cleanpc-ddf.md | 16 ++---- .../mdm/clientcertificateinstall-csp.md | 24 ++++----- .../mdm/clientcertificateinstall-ddf-file.md | 53 ++++++++----------- .../client-management/mdm/wifi-ddf-file.md | 4 +- .../mdm/win32appinventory-ddf-file.md | 14 +---- .../mdm/win32compatibilityappraiser-ddf.md | 34 ++++++------ .../windowsadvancedthreatprotection-ddf.md | 34 ++++-------- .../mdm/windowsautopilot-ddf-file.md | 8 ++- ...indowsdefenderapplicationguard-ddf-file.md | 10 ++-- .../mdm/windowslicensing-ddf-file.md | 12 +++-- 19 files changed, 139 insertions(+), 207 deletions(-) diff --git a/windows/client-management/mdm/accountmanagement-ddf.md b/windows/client-management/mdm/accountmanagement-ddf.md index c4c26237bc..51380b7ed8 100644 --- a/windows/client-management/mdm/accountmanagement-ddf.md +++ b/windows/client-management/mdm/accountmanagement-ddf.md @@ -13,7 +13,6 @@ manager: dansimp # AccountManagement DDF file - This topic shows the OMA DM device description framework (DDF) for the **AccountManagement** configuration service provider. The XML below is for Windows 10, version 1803. @@ -74,7 +73,7 @@ The XML below is for Windows 10, version 1803. false - Enable profile lifetime mangement for shared or communal device scenarios. + Enable profile lifetime management for shared or communal device scenarios. @@ -198,3 +197,7 @@ The XML below is for Windows 10, version 1803. ``` + +## Related topics + +[AccountManagement configuration service provider](accountmanagement-csp.md) \ No newline at end of file diff --git a/windows/client-management/mdm/accounts-ddf-file.md b/windows/client-management/mdm/accounts-ddf-file.md index 9d91061818..5b7cd47d49 100644 --- a/windows/client-management/mdm/accounts-ddf-file.md +++ b/windows/client-management/mdm/accounts-ddf-file.md @@ -1,6 +1,6 @@ --- title: Accounts DDF file -description: XML file containing the device description framework (DDF) for the Accounts configuration service provider. +description: View the XML file containing the device description framework (DDF) for the Accounts configuration service provider. ms.author: dansimp ms.topic: article ms.prod: w10 @@ -13,10 +13,9 @@ manager: dansimp # Accounts CSP - This topic shows the OMA DM device description framework (DDF) for the **Accounts** configuration service provider. -The XML below is for Windows 10, version 1803. +The XML below is for Windows 10, version 1803 and later. ```xml @@ -157,7 +156,7 @@ The XML below is for Windows 10, version 1803. 1 - This optional node specifies the local user group that a local user account should be joined to. If the node is not set, the new local user account is joined just to the Standard Users group. Set the value to 2 for Administrators group. This setting can be managed remotely. + This optional node specifies the local user group that a local user account should be joined. If the node is not set, the new local user account is joined just to the Standard Users group. Set the value to 2 for Administrators group. This setting can be managed remotely. @@ -177,3 +176,7 @@ The XML below is for Windows 10, version 1803. ``` + +## Related topics + +[Accounts configuration service provider](accounts-csp.md) \ No newline at end of file diff --git a/windows/client-management/mdm/activesync-ddf-file.md b/windows/client-management/mdm/activesync-ddf-file.md index dae70c2133..1b592ff96e 100644 --- a/windows/client-management/mdm/activesync-ddf-file.md +++ b/windows/client-management/mdm/activesync-ddf-file.md @@ -14,7 +14,6 @@ ms.date: 12/05/2017 # ActiveSync DDF file - This topic shows the OMA DM device description framework (DDF) for the **ActiveSync** configuration service provider. DDF files are used only with OMA DM provisioning XML. Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). @@ -533,7 +532,7 @@ The XML below is the current version for this CSP. - Enables or disables syncing email, contacts, task, and calendar.Each is represented by a GUID.Email: {c6d47067-6e92-480e-b0fc-4ba82182fac7}. Contacts: {0dd8685c-e272-4fcb-9ecf-2ead7ea2497b}.Calendar: {4a5d9fe0-f139-4a63-a5a4-4f31ceea02ad}. Tasks:{783ae4f6-4c12-4423-8270-66361260d4f1} + Enables or disables syncing email, contacts, task, and calendar. Each is represented by a GUID.Email: {c6d47067-6e92-480e-b0fc-4ba82182fac7}. Contacts: {0dd8685c-e272-4fcb-9ecf-2ead7ea2497b}.Calendar: {4a5d9fe0-f139-4a63-a5a4-4f31ceea02ad}. Tasks:{783ae4f6-4c12-4423-8270-66361260d4f1} @@ -679,15 +678,4 @@ The XML below is the current version for this CSP. ## Related topics - [ActiveSync configuration service provider](activesync-csp.md) - -  - -  - - - - - - diff --git a/windows/client-management/mdm/alljoynmanagement-ddf.md b/windows/client-management/mdm/alljoynmanagement-ddf.md index 77494eaf9f..961f8f1183 100644 --- a/windows/client-management/mdm/alljoynmanagement-ddf.md +++ b/windows/client-management/mdm/alljoynmanagement-ddf.md @@ -14,7 +14,6 @@ ms.date: 12/05/2017 # AllJoynManagement DDF - This topic shows the OMA DM device description framework (DDF) for the **AllJoynManagement** configuration service provider. This CSP was added in Windows 10, version 1511. Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). @@ -238,7 +237,7 @@ It is typically implemented as a GUID. - An Alphanumeric KEY value that conforms to the AllJoyn SRP KEYX Authentication Standard + An Alphanumeric KEY value that conforms to the AllJoyn SRP KEYX Authentication Standard. @@ -328,15 +327,4 @@ It is typically implemented as a GUID. ## Related topics - [AllJoynManagement configuration service provider](alljoynmanagement-csp.md) - -  - -  - - - - - - diff --git a/windows/client-management/mdm/applicationcontrol-csp-ddf.md b/windows/client-management/mdm/applicationcontrol-csp-ddf.md index 5c44ba2dc1..2c91bf430b 100644 --- a/windows/client-management/mdm/applicationcontrol-csp-ddf.md +++ b/windows/client-management/mdm/applicationcontrol-csp-ddf.md @@ -11,13 +11,10 @@ ms.date: 07/10/2019 # ApplicationControl CSP DDF - This topic shows the OMA DM device description framework (DDF) for the **ApplicationControl** configuration service provider. DDF files are used only with OMA DM provisioning XML. Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). -### ApplicationControl CSP - ```xml - Root Node of the ApplicationControl CSP + Root Node of the ApplicationControl CSP. @@ -73,7 +70,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic - The GUID of the Policy + The GUID of the Policy. @@ -97,7 +94,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic - The policy binary encoded as base64 + The policy binary encoded as base64. @@ -119,7 +116,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic - Information Describing the Policy indicated by the GUID + Information Describing the Policy indicated by the GUID. @@ -140,7 +137,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic - Version of the Policy indicated by the GUID, as a string. When parsing use a uint64 as the containing data type + Version of the Policy indicated by the GUID, as a string. When parsing, use a uint64 as the containing data type. @@ -162,7 +159,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic - Whether the Policy indicated by the GUID is Effective on the system (loaded by the enforcement engine and in effect) + Whether the Policy indicated by the GUID is effective on the system (loaded by the enforcement engine and in effect). @@ -184,7 +181,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic - Whether the Policy indicated by the GUID is deployed on the system (on the physical machine) + Whether the Policy indicated by the GUID is deployed on the system (on the physical machine). @@ -206,7 +203,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic - Whether the Policy indicated by the GUID is authorized to be loaded by the enforcement engine on the system + Whether the Policy indicated by the GUID is authorized to be loaded by the enforcement engine on the system. @@ -228,7 +225,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic - The Current Status of the Policy Indicated by the Policy GUID + The Current Status of the Policy Indicated by the Policy GUID. @@ -250,7 +247,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic - The FriendlyName of the Policy Indicated by the Policy GUID + The FriendlyName of the Policy Indicated by the Policy GUID. @@ -271,4 +268,8 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic -``` \ No newline at end of file +``` + +## Related topics + +[ApplicationControl configuration service provider](applicationcontrol-csp.md) \ No newline at end of file diff --git a/windows/client-management/mdm/applocker-ddf-file.md b/windows/client-management/mdm/applocker-ddf-file.md index 7bde68650f..2f322128e5 100644 --- a/windows/client-management/mdm/applocker-ddf-file.md +++ b/windows/client-management/mdm/applocker-ddf-file.md @@ -14,7 +14,6 @@ ms.date: 12/05/2017 # AppLocker DDF file - This topic shows the OMA DM device description framework (DDF) for the **AppLocker** configuration service provider. DDF files are used only with OMA DM provisioning XML. Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). @@ -672,15 +671,4 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic ## Related topics - -[AppLocker configuration service provider](applocker-csp.md) - -  - -  - - - - - - +[AppLocker configuration service provider](applocker-csp.md) \ No newline at end of file diff --git a/windows/client-management/mdm/assignedaccess-ddf.md b/windows/client-management/mdm/assignedaccess-ddf.md index c6d84bf203..cfd6b5f4bd 100644 --- a/windows/client-management/mdm/assignedaccess-ddf.md +++ b/windows/client-management/mdm/assignedaccess-ddf.md @@ -1,6 +1,6 @@ --- title: AssignedAccess DDF -description: Learn how the OMA DM device description framework (DDF) for the AssignedAccess configuration service provider. +description: Learn about the OMA DM device description framework (DDF) for the AssignedAccess configuration service provider. ms.assetid: 224FADDB-0EFD-4E5A-AE20-1BD4ABE24306 ms.reviewer: manager: dansimp @@ -14,7 +14,6 @@ ms.date: 02/22/2018 # AssignedAccess DDF - This topic shows the OMA DM device description framework (DDF) for the **AssignedAccess** configuration service provider. DDF files are used only with OMA DM provisioning XML. You can download the DDF files from the links below: @@ -22,7 +21,7 @@ You can download the DDF files from the links below: - [Download all the DDF files for Windows 10, version 1703](https://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) - [Download all the DDF files for Windows 10, version 1607](https://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip) -The XML below is for Windows 10, version 1803. +The XML below is for Windows 10, version 1803 and later. ```xml @@ -119,7 +118,7 @@ This node supports Add, Delete, Replace and Get methods. When there's no configu - This read only node contains kiosk health event in xml + This read only node contains kiosk health event in xml. @@ -197,15 +196,4 @@ This node supports Add, Delete, Replace and Get methods. When there's no configu ## Related topics - [AssignedAccess configuration service provider](assignedaccess-csp.md) - -  - -  - - - - - - diff --git a/windows/client-management/mdm/bitlocker-ddf-file.md b/windows/client-management/mdm/bitlocker-ddf-file.md index 06e6fdd613..db4049e60e 100644 --- a/windows/client-management/mdm/bitlocker-ddf-file.md +++ b/windows/client-management/mdm/bitlocker-ddf-file.md @@ -937,3 +937,7 @@ Supported Values: String form of request ID. Example format of request ID is GUI ``` + +## Related topics + +[BitLocker configuration service provider](bitlocker-csp.md) diff --git a/windows/client-management/mdm/certificatestore-ddf-file.md b/windows/client-management/mdm/certificatestore-ddf-file.md index da503f9902..e7ebbe235d 100644 --- a/windows/client-management/mdm/certificatestore-ddf-file.md +++ b/windows/client-management/mdm/certificatestore-ddf-file.md @@ -14,7 +14,6 @@ ms.date: 12/05/2017 # CertificateStore DDF file - This topic shows the OMA DM device description framework (DDF) for the **CertificateStore** configuration service provider. DDF files are used only with OMA DM provisioning XML. Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). @@ -458,7 +457,7 @@ The XML below is the current version for this CSP. - The base64 Encoded X.509 certificate. Note that though during MDM enrollment, enrollment server could use WAP XML format to add public part of MDM client cert via EncodedCertificate node, properly enroll a client certificate including private needs a cert enroll protocol handle it or user installs it manually. In WP, the server cannot purely rely on CertificateStore CSP to install a client certificate including private key. + The base64 Encoded X.509 certificate. Note that during MDM enrollment, enrollment server could use WAP XML format to add public part of MDM client cert via EncodedCertificate node and properly enroll a client certificate including private needs a cert enroll protocol to handle it or user installs it manually. In WP, the server cannot purely rely on CertificateStore CSP to install a client certificate including private key. @@ -585,7 +584,7 @@ The XML below is the current version for this CSP. - This store holds the SCEP portion of the MY store and handle operations related to SCEP certificate enrollment. + This store holds the SCEP portion of the MY store and handles operations related to SCEP certificate enrollment. @@ -627,7 +626,7 @@ The XML below is the current version for this CSP. - The group to represent the install request + The group to represent the install request. @@ -1241,7 +1240,7 @@ The XML below is the current version for this CSP. - If certificate renew fails, this node provide the last hresult code during renew process. + If certificate renew fails, this node provides the last hresult code during renew process. @@ -1262,7 +1261,7 @@ The XML below is the current version for this CSP. - Time of last attempted renew + Time of last attempted renew. @@ -1283,7 +1282,7 @@ The XML below is the current version for this CSP. - Initiate a renew now + Initiate a renew now. @@ -1305,7 +1304,7 @@ The XML below is the current version for this CSP. - How long after the enrollment cert has expiried to keep trying to renew + How long after the enrollment cert has expired to keep trying to renew. @@ -1372,7 +1371,7 @@ The XML below is the current version for this CSP. - The base64 Encoded X.509 certificate + The base64 Encoded X.509 certificate. @@ -1667,11 +1666,6 @@ The XML below is the current version for this CSP. ``` -  - -  - - - - +## Related topics +[CertificateStore configuration service provider](certificatestore-csp.md) \ No newline at end of file diff --git a/windows/client-management/mdm/cleanpc-ddf.md b/windows/client-management/mdm/cleanpc-ddf.md index 1f2c1fa3f7..9e4fbdbf1b 100644 --- a/windows/client-management/mdm/cleanpc-ddf.md +++ b/windows/client-management/mdm/cleanpc-ddf.md @@ -34,7 +34,7 @@ The XML below is the current version for this CSP. - Allow removal of user installed and pre-installed applications, with option to persist user data + Allow removal of user installed and pre-installed applications, with option to persist user data. @@ -54,7 +54,7 @@ The XML below is the current version for this CSP. - CleanPC operation without any retention of User data + CleanPC operation without any retention of User data. @@ -75,7 +75,7 @@ The XML below is the current version for this CSP. - CleanPC operation with retention of User data + CleanPC operation with retention of User data. @@ -94,12 +94,6 @@ The XML below is the current version for this CSP. ``` -  - -  - - - - - +## Related topics +[CleanPC configuration service provider](cleanpc-csp.md) diff --git a/windows/client-management/mdm/clientcertificateinstall-csp.md b/windows/client-management/mdm/clientcertificateinstall-csp.md index 2eb4d0d758..a28a841d41 100644 --- a/windows/client-management/mdm/clientcertificateinstall-csp.md +++ b/windows/client-management/mdm/clientcertificateinstall-csp.md @@ -1,6 +1,6 @@ --- title: ClientCertificateInstall CSP -description: The ClientCertificateInstall configuration service provider (CSP) enables the enterprise to install client certificates. +description: Learn how the ClientCertificateInstall configuration service provider (CSP) enables the enterprise to install client certificates. ms.assetid: B624EB73-2972-47F2-9D7E-826D641BF8A7 ms.reviewer: manager: dansimp @@ -19,7 +19,7 @@ The ClientCertificateInstall configuration service provider enables the enterpri For PFX certificate installation and SCEP installation, the SyncML commands must be wrapped in atomic commands to ensure that enrollment execution isn't triggered until all settings are configured. The Enroll command must be the last item in the atomic block. > [!Note] -> Currently in Windows 10, version 1511, when using the ClientCertificateInstall to install certificates to the device store and the user store and both certificates are sent to the device in the same MDM payload, the certificate intended for the device store will also get installed in the user store. This may cause issues with Wi-Fi or VPN when choosing the correct certificate to establish a connection. We are working to fix this issue. +> Currently in Windows 10, version 1511, when using the ClientCertificateInstall to install certificates to the device store and the user store, both certificates are sent to the device in the same MDM payload and the certificate intended for the device store will also get installed in the user store. This may cause issues with Wi-Fi or VPN when choosing the correct certificate to establish a connection. We are working to fix this issue. You can only set PFXKeyExportable to true if KeyLocation=3. For any other KeyLocation value, the CSP will fail. @@ -99,7 +99,7 @@ The data type is an integer corresponding to one of the following values: | 1 | Install to TPM if present, fail if not present. | | 2 | Install to TPM if present. If not present, fall back to software. | | 3 | Install to software. | -| 4 | Install to Windows Hello for Business (formerly known as Microsoft Passport for Work) whose name is specified | +| 4 | Install to Windows Hello for Business (formerly known as Microsoft Passport for Work) whose name is specified. | **ClientCertificateInstall/PFXCertInstall/*UniqueID*/ContainerName** Optional. Specifies the Windows Hello for Business (formerly known as Microsoft Passport for Work) container name (if Windows Hello for Business storage provider (KSP) is chosen for the KeyLocation). If this node isn't specified when Windows Hello for Business KSP is chosen, enrollment will fail. @@ -119,7 +119,7 @@ If a blob already exists, the Add operation will fail. If Replace is called on t If Add is called on this node for a new PFX, the certificate will be added. When a certificate doesn't exist, Replace operation on this node will fail. -In other words, using Replace or Add will result in the effect of either overwriting the old certificate or adding a new certificate CRYPT_DATA_BLOB, which can be found in CRYPT_INTEGER_BLOB. +In other words, using Replace or Add will result in the effect of either overwriting the old certificate or adding a new certificate CRYPT_DATA_BLOB, which can be found in [CRYPT\_INTEGER\_BLOB](/previous-versions/windows/desktop/legacy/aa381414(v=vs.85)). **ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertPassword** Password that protects the PFX blob. This is required if the PFX is password protected. @@ -133,9 +133,9 @@ Optional. Used to specify whether the PFX certificate password is encrypted with The data type is int. Valid values: -- 0 - Password isn't encrypted. -- 1 - Password is encrypted with the MDM certificate. -- 2 - Password is encrypted with custom certificate. +- 0 - Password isn't encrypted. +- 1 - Password is encrypted with the MDM certificate. +- 2 - Password is encrypted with custom certificate. When PFXCertPasswordEncryptionType =2, you must specify the store name in PFXCertPasswordEncryptionStore setting. @@ -187,7 +187,7 @@ A node required for SCEP certificate enrollment. Parent node to group SCEP cert Supported operations are Get, Add, Replace, and Delete. > [!Note] -> Although the child nodes under Install support Replace commands, once the Exec command is sent to the device, the device will take the values that are set when the Exec command is accepted. The server should not expect the node value change after Exec command is accepted, as it will impact the current enrollment underway. The server should check the Status node value and make sure the device is not at an unknown state before changing child node values. +> Although the child nodes under Install supports Replace commands, once the Exec command is sent to the device, the device will take the values that are set when the Exec command is accepted. The server should not expect the node value change after Exec command is accepted, as it will impact the current enrollment underway. The server should check the Status node value and make sure the device is not at an unknown state before changing child node values. **ClientCertificateInstall/SCEP/*UniqueID*/Install/ServerURL** Required for SCEP certificate enrollment. Specifies the certificate enrollment server. Multiple server URLs can be listed, separated by semicolons. @@ -322,9 +322,9 @@ Data type is string. Valid values are: -- Days (Default) -- Months -- Years +- Days (Default) +- Months +- Years > [!NOTE] > The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) to the SCEP server as part of certificate enrollment request. Depending on the server configuration, the server defines how to use this valid period to create the certificate. @@ -608,7 +608,7 @@ Enroll a client certificate through SCEP. ``` -Add a PFX certificate. The PFX certificate password is encrypted with a custom certificate fro "My" store. +Add a PFX certificate. The PFX certificate password is encrypted with a custom certificate from "My" store. ```xml diff --git a/windows/client-management/mdm/clientcertificateinstall-ddf-file.md b/windows/client-management/mdm/clientcertificateinstall-ddf-file.md index 46bb00affa..492a95c621 100644 --- a/windows/client-management/mdm/clientcertificateinstall-ddf-file.md +++ b/windows/client-management/mdm/clientcertificateinstall-ddf-file.md @@ -107,7 +107,7 @@ Calling Delete on the this node, should delete the certificates and the keys tha - Required for PFX certificate installation. Indicates the KeyStorage provider to target the private key installation to. Supported operations are Get, Add + Required for PFX certificate installation. Indicates the KeyStorage provider to target the private key installation. Supported operations are Get, Add. Datatype will be int 1- Install to TPM, fail if not present 2 – Install to TPM if present, if not present fallback to Software @@ -138,8 +138,8 @@ Calling Delete on the this node, should delete the certificates and the keys tha Optional. Specifies the NGC container name (if NGC KSP is chosen for above node). If this node is not specified when NGC KSP is chosen, enrollment will fail. -Format is chr -Supported operations are Get, Add, Delete and Replace +Format is chr. +Supported operations are Get, Add, Delete and Replace. @@ -165,8 +165,8 @@ Supported operations are Get, Add, Delete and Replace Required. CRYPT_DATA_BLOB structure that contains a PFX packet with the exported and encrypted certificates and keys. Add on this node will trigger the addition to the PFX certificate. This requires that all the other nodes under UniqueID that are parameters for PFX installation (Container Name, KeyLocation, CertPassword, fKeyExportable) are present before this is called. This will also set the Status node to the current Status of the operation. -Format is Binary64 -Supported operations are Get, Add, Replace +Format is Binary64. +Supported operations are Get, Add, Replace. If Add is called on this node and a blob already exists, it will fail. If Replace is called on this node, the certificates will be overwritten. If Add is called on this node for a new PFX, the certificate will be added. If Replace is called on this node when it does not exist, this will fail. In other words, using Replace or Add will result in the effect of either overwriting the old certificate or adding a new certificate @@ -197,7 +197,7 @@ CRYPT_DATA_BLOB on MSDN can be found at https://msdn.microsoft.com/library/windo Required if PFX is password protected. Password that protects the PFX blob. -Format is chr. Supported operations are Add, Get +Format is chr. Supported operations are Add, Get. @@ -228,7 +228,7 @@ If the value is 1- Password is encrypted using the MDM certificate by the MDM server 2 - Password is encrypted by a Custom Certificate by the MDM server. When this value is used here, also specify the custom store name in the PFXCertPasswordEncryptionStore node. The datatype for this node is int. -Supported operations are Add, Replace +Supported operations are Add, Replace. @@ -254,7 +254,7 @@ Supported operations are Add, Replace true Optional. Used to specify if the private key installed is exportable (can be exported later). The datatype for this node is bool. -Supported operations are Add, Get +Supported operations are Add, Get. @@ -299,7 +299,7 @@ Supported operations are Add, Get Returns the error code of the PFX installation from the GetLastError command called after the PfxImportCertStore. Datatype is int. -Support operations are Get +Support operations are Get. @@ -374,7 +374,7 @@ Support operation are Add, Get and Replace. Required for SCEP certificate installation. A unique ID to differentiate different certificate install requests. Format is node. -Supported operations are Get, Add, Delete +Supported operations are Get, Add, Delete. Calling Delete on the this node, should delete the corresponding SCEP certificate @@ -401,7 +401,7 @@ Calling Delete on the this node, should delete the corresponding SCEP certificat Required for SCEP certificate enrollment. Parent node to group SCEP cert install related request. Format is node. Supported operation is Add, Delete. -NOTE: though the children nodes under Install support Replace commands, once the Exec command is sent to the device, the device will take the values which are set when the Exec command is accepted. The server should not expect the node value change after Exec command is accepted will impact the current undergoing enrollment. The server should check the Status node value and make sure the device is not at unknown stage before changing children node values. +NOTE: Though the children nodes under Install support Replace commands, once the Exec command is sent to the device, the device will take the values which are set when the Exec command is accepted. The server should not expect the node value change after Exec command is accepted will impact the current undergoing enrollment. The server should check the Status node value and make sure the device is not at unknown stage before changing children node values. @@ -570,7 +570,7 @@ SCEP enrolled cert doesn’t support TPM PIN protection. Supported values: Format is int. -Supported operations are Get, Add, Delete, Replace +Supported operations are Get, Add, Delete, Replace. @@ -604,7 +604,7 @@ The min value is 1. Format is int. -Supported operations are Get, Add, Delete noreplace +Supported operations are Get, Add, Delete noreplace. @@ -654,7 +654,7 @@ The min value is 0 which means no retry. Supported operations are Get, Add, Dele - Optional. OID of certificate template name. Note that this name is typically ignored by the SCEP server, therefore the MDM server typically doesn’t need to provide it. Format is chr. Supported operations are Get, Add, Delete.noreplace + Optional. OID of certificate template name. Note that this name is typically ignored by the SCEP server, therefore the MDM server typically doesn’t need to provide it. Format is chr. Supported operations are Get, Add, Delete.noreplace. @@ -819,7 +819,7 @@ NOTE: The device only sends the MDM server expected certificate validation perio 0 - Optional. Specify desired number of units used in validity period. Subjected to SCEP server configuration. Default is 0. The units are defined in ValidPeriod node. Note the valid period specified by MDM will overwrite the valid period specified in cert template. For example, if ValidPeriod is days and ValidPeriodUnits is 30, it means the total valid duration is 30 days. + Optional. Specify desired number of units used in validity period. Subjected to SCEP server configuration. Default is 0. The units are defined in ValidPeriod node. Note that the valid period specified by MDM will overwrite the valid period specified in cert template. For example, if ValidPeriod is days and ValidPeriodUnits is 30, it means the total valid duration is 30 days. Format is int. @@ -852,9 +852,9 @@ NOTE: The device only sends the MDM server expected certificate validation perio Optional. Specifies the NGC container name (if NGC KSP is chosen for above node). If this node is not specified when NGC KSP is chosen, enrollment will fail. -Format is chr +Format is chr. -Supported operations are Get, Add, Delete and Replace +Supported operations are Get, Add, Delete and Replace. @@ -880,9 +880,9 @@ Supported operations are Get, Add, Delete and Replace Optional. Specifies the custom text to show on the NGC PIN prompt during certificate enrollment. The admin can choose to provide more contextual information for why the user needs to enter the PIN and what the certificate will be used for through this. -Format is chr +Format is chr. -Supported operations are Get, Add, Delete and Replace +Supported operations are Get, Add, Delete and Replace. @@ -1029,9 +1029,9 @@ Supported operation is Get. Required. Returns the URL of the SCEP server that responded to the enrollment request. -Format is String +Format is String. -Supported operation is Get +Supported operation is Get. @@ -1054,15 +1054,4 @@ Supported operation is Get ## Related topics - [ClientCertificateInstall configuration service provider](clientcertificateinstall-csp.md) - -  - -  - - - - - - diff --git a/windows/client-management/mdm/wifi-ddf-file.md b/windows/client-management/mdm/wifi-ddf-file.md index c64fc0e3c2..cb88b8e71a 100644 --- a/windows/client-management/mdm/wifi-ddf-file.md +++ b/windows/client-management/mdm/wifi-ddf-file.md @@ -15,11 +15,11 @@ ms.date: 06/28/2018 # WiFi DDF file > [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. +> Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. This topic shows the OMA DM device description framework (DDF) for the **WiFi** configuration service provider. DDF files are used only with OMA DM provisioning XML. -The XML below is for Windows 10, version 1809. +The XML below is for Windows 10, version 1809 and later. ```xml diff --git a/windows/client-management/mdm/win32appinventory-ddf-file.md b/windows/client-management/mdm/win32appinventory-ddf-file.md index a70763abb9..0f56a61d98 100644 --- a/windows/client-management/mdm/win32appinventory-ddf-file.md +++ b/windows/client-management/mdm/win32appinventory-ddf-file.md @@ -14,7 +14,6 @@ ms.date: 12/05/2017 # Win32AppInventory DDF file - This topic shows the OMA DM device description framework (DDF) for the **Win32AppInventory** configuration service provider. DDF files are used only with OMA DM provisioning XML. Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). @@ -274,15 +273,4 @@ The XML below is the current version for this CSP. ## Related topics - -[Win32AppInventory configuration service provider](win32appinventory-csp.md) - -  - -  - - - - - - +[Win32AppInventory configuration service provider](win32appinventory-csp.md) \ No newline at end of file diff --git a/windows/client-management/mdm/win32compatibilityappraiser-ddf.md b/windows/client-management/mdm/win32compatibilityappraiser-ddf.md index 05237311f1..057c668a74 100644 --- a/windows/client-management/mdm/win32compatibilityappraiser-ddf.md +++ b/windows/client-management/mdm/win32compatibilityappraiser-ddf.md @@ -1,6 +1,6 @@ --- title: Win32CompatibilityAppraiser DDF file -description: XML file containing the device description framework for the Win32CompatibilityAppraiser configuration service provider. +description: Learn about the XML file containing the device description framework for the Win32CompatibilityAppraiser configuration service provider. ms.author: dansimp ms.topic: article ms.prod: w10 @@ -14,13 +14,13 @@ manager: dansimp # Win32CompatibilityAppraiser DDF file > [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. +> Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. This topic shows the OMA DM device description framework (DDF) for the **Win32CompatibilityAppraiser** configuration service provider. Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). -The XML below is for Windows 10, version 1809. +The XML below is for Windows 10, version 1809 and later. ```xml @@ -98,7 +98,7 @@ The XML below is for Windows 10, version 1809. - The unique identifier specifying what organization owns this device. This helps correlate telemetry after it has been uploaded. + The unique identifier specifying what organization owns this device. This helps correlate telemetry after it has been uploaded. @@ -120,7 +120,7 @@ The XML below is for Windows 10, version 1809. - A boolean value representing whether the CommercialId is set to a valid value. Valid values are strings in the form of GUIDs, with no surrounding braces. + A boolean value representing whether the CommercialId is set to a valid value. Valid values are strings in the form of GUIDs, with no surrounding braces. @@ -142,7 +142,7 @@ The XML below is for Windows 10, version 1809. - A boolean value representing whether the flag to request that the Compatibility Appraiser check compatibility with all possible Windows 10 versions has been set. By default, versions 1507 and 1511, and any version equal to or less than the current version, are not checked. + A boolean value representing whether the flag to request that the Compatibility Appraiser check compatibility with all possible Windows 10 versions has been set. By default, versions 1507 and 1511, and any version equal to or less than the current version, are not checked. @@ -186,7 +186,7 @@ The XML below is for Windows 10, version 1809. - An integer value representing whether the installed versions of the Compatibility Appraiser code and data meet the minimum requirement to provide useful data. The values are: 0 == "Neither the code nor data is of a sufficient version", 1 == "The code version is insufficient but the data version is sufficient", 2 == "The code version is sufficient but the data version is insufficient", and 3 == "Both the code and data are of a sufficient version". + An integer value representing whether the installed versions of the Compatibility Appraiser code and data meet the minimum requirement to provide useful data. The values are: 0 == "Neither the code nor data is of a sufficient version", 1 == "The code version is insufficient but the data version is sufficient", 2 == "The code version is sufficient but the data version is insufficient", and 3 == "Both the code and data are of a sufficient version". @@ -208,7 +208,7 @@ The XML below is for Windows 10, version 1809. - A boolean value representing whether a reboot is pending on this computer. A newly-installed version of the Compatibility Appraiser may require a reboot before useful data is able to be sent. + A boolean value representing whether a reboot is pending on this computer. A newly-installed version of the Compatibility Appraiser may require a reboot before useful data is able to be sent. @@ -296,7 +296,7 @@ The XML below is for Windows 10, version 1809. - An integer value representing what level of telemetry will be uploaded. The values are: 0 == "Security data will be sent", 1 == "Basic telemetry will be sent", 2 == "Enhanced telemetry will be sent", and 3 == "Full telemetry will be sent". + An integer value representing what level of telemetry will be uploaded. The values are: 0 == "Security data will be sent", 1 == "Basic telemetry will be sent", 2 == "Enhanced telemetry will be sent", and 3 == "Full telemetry will be sent". @@ -318,7 +318,7 @@ The XML below is for Windows 10, version 1809. - An integer value representing whether the CommercialDataOptIn setting is allowing any data to upload. The values are: 0 == "Setting is disabled", 1 == "Setting is enabled", and 2 == "Setting is not applicable to this version of Windows". + An integer value representing whether the CommercialDataOptIn setting is allowing any data to upload. The values are: 0 == "Setting is disabled", 1 == "Setting is enabled", and 2 == "Setting is not applicable to this version of Windows". @@ -340,7 +340,7 @@ The XML below is for Windows 10, version 1809. - A boolean value representing whether the DiagTrack service is running. This service must be running in order to upload UTC data. + A boolean value representing whether the DiagTrack service is running. This service must be running in order to upload UTC data. @@ -362,7 +362,7 @@ The XML below is for Windows 10, version 1809. - A boolean value representing whether the MSA service is enabled. This service must be enabled for UTC data to be indexed with Global Device IDs. + A boolean value representing whether the MSA service is enabled. This service must be enabled for UTC data to be indexed with Global Device IDs. @@ -384,7 +384,7 @@ The XML below is for Windows 10, version 1809. - An integer value representing what websites Internet Explorer will collect telemetry data for. The values are: 0 == "Telemetry collection is disabled", 1 == "Telemetry collection is enabled for websites in the local intranet, trusted websites, and machine local zones", 2 == "Telemetry collection is enabled for internet websites and restricted website zones", 3 == "Telemetry collection is enabled for all websites", and 0x7FFFFFFF == "Telemetry collection is not configured". + An integer value representing what websites Internet Explorer will collect telemetry data for. The values are: 0 == "Telemetry collection is disabled", 1 == "Telemetry collection is enabled for websites in the local intranet, trusted websites, and machine local zones", 2 == "Telemetry collection is enabled for internet websites and restricted website zones", 3 == "Telemetry collection is enabled for all websites", and 0x7FFFFFFF == "Telemetry collection is not configured". @@ -472,7 +472,7 @@ The XML below is for Windows 10, version 1809. - An integer value indicating the amount of WER data that will be uploaded. The values are: 0 == "Data will not send due to UTC opt-in", 1 == "Data will not send due to WER opt-in", 2 == "Basic WER data will send but not the complete set of data", and 3 == "The complete set of WER data will send". + An integer value indicating the amount of WER data that will be uploaded. The values are: 0 == "Data will not send due to UTC opt-in", 1 == "Data will not send due to WER opt-in", 2 == "Basic WER data will send but not the complete set of data", and 3 == "The complete set of WER data will send". @@ -494,7 +494,7 @@ The XML below is for Windows 10, version 1809. - An integer value representing which setting category (system telemetry, WER basic policies, WER advanced policies, and WER consent policies) is causing the overall WerTelemetryOptIn value to be restricted. The values are: 0 == "System telemetry settings are restricting uploads", 1 == "WER basic policies are restricting uploads", 2 == "WER advanced policies are restricting uploads", 3 == "WER consent policies are restricting uploads", and 4 == "There are no restrictive settings". + An integer value representing which setting category (system telemetry, WER basic policies, WER advanced policies, and WER consent policies) is causing the overall WerTelemetryOptIn value to be restricted. The values are: 0 == "System telemetry settings are restricting uploads", 1 == "WER basic policies are restricting uploads", 2 == "WER advanced policies are restricting uploads", 3 == "WER consent policies are restricting uploads", and 4 == "There are no restrictive settings". @@ -537,3 +537,7 @@ The XML below is for Windows 10, version 1809. ``` + +## Related topics + +[Win32CompatibilityAppraiser configuration service provider](win32compatibilityappraiser-csp.md) \ No newline at end of file diff --git a/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md b/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md index 93b378c6f0..044557e1f2 100644 --- a/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md +++ b/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md @@ -1,6 +1,6 @@ --- title: WindowsAdvancedThreatProtection DDF file -description: Learn how the OMA DM device description framework (DDF) for the WindowsAdvancedThreatProtection configuration service provider (CSP). +description: Learn about the OMA DM device description framework (DDF) for the WindowsAdvancedThreatProtection configuration service provider (CSP). ms.assetid: 0C62A790-4351-48AF-89FD-7D46C42D13E0 ms.reviewer: manager: dansimp @@ -14,7 +14,6 @@ ms.date: 12/05/2017 # WindowsAdvancedThreatProtection DDF file - This topic shows the OMA DM device description framework (DDF) for the **WindowsAdvancedThreatProtection** configuration service provider. DDF files are used only with OMA DM provisioning XML. Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). @@ -56,7 +55,7 @@ The XML below is the current version for this CSP. - Set Windows Defender Advanced Threat Protection Onboarding blob and initiate onboarding to Windows Defender Advanced Threat Protection + Set Windows Defender Advanced Threat Protection Onboarding blob and initiate onboarding to Windows Defender Advanced Threat Protection. @@ -77,7 +76,7 @@ The XML below is the current version for this CSP. - Represents Windows Defender Advanced Threat Protection Health State + Represents Windows Defender Advanced Threat Protection Health State. @@ -119,7 +118,7 @@ The XML below is the current version for this CSP. false - Return Windows Defender Advanced Threat Protection service running state + Return Windows Defender Advanced Threat Protection service running state. @@ -141,7 +140,7 @@ The XML below is the current version for this CSP. 0 - Return Windows Defender Advanced Threat Protection onboarding state: 0 – not onboarded; 1 - onboarded + Return Windows Defender Advanced Threat Protection onboarding state: 0 – not onboarded; 1 - onboarded. @@ -184,7 +183,7 @@ The XML below is the current version for this CSP. - Represents Windows Defender Advanced Threat Protection Configuration + Represents Windows Defender Advanced Threat Protection Configuration. @@ -206,7 +205,7 @@ The XML below is the current version for this CSP. 1 - Return or set Windows Defender Advanced Threat Protection Sample Sharing configuration parameter: 0 - none, 1 - All + Return or set Windows Defender Advanced Threat Protection Sample Sharing configuration parameter: 0 - none, 1 - All. @@ -229,7 +228,7 @@ The XML below is the current version for this CSP. 1 - Return or set Windows Defender Advanced Threat Protection diagnostic data reporting frequency. Allowed values are: 1 - Normal, 2 - Expedite + Return or set Windows Defender Advanced Threat Protection diagnostic data reporting frequency. Allowed values are: 1 - Normal, 2 - Expedite. @@ -253,7 +252,7 @@ The XML below is the current version for this CSP. - Set Windows Defender Advanced Threat Protection Offboarding blob and initiate offboarding + Set Windows Defender Advanced Threat Protection Offboarding blob and initiate offboarding. @@ -274,7 +273,7 @@ The XML below is the current version for this CSP. - Represents Windows Defender Advanced Threat Protection configuration for managing role base access and device tagging + Represents Windows Defender Advanced Threat Protection configuration for managing role base access and device tagging. @@ -343,15 +342,4 @@ The XML below is the current version for this CSP. ## Related topics - -[Configuration service provider reference](configuration-service-provider-reference.md) - -  - -  - - - - - - +[WindowsAdvancedThreatProtection configuration service provider](windowsadvancedthreatprotection-csp.md) diff --git a/windows/client-management/mdm/windowsautopilot-ddf-file.md b/windows/client-management/mdm/windowsautopilot-ddf-file.md index a07f24501d..6f550affd0 100644 --- a/windows/client-management/mdm/windowsautopilot-ddf-file.md +++ b/windows/client-management/mdm/windowsautopilot-ddf-file.md @@ -14,7 +14,7 @@ manager: dansimp # WindowsAutoPilot DDF file > [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. +> Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. This topic shows the device description framework (DDF) for the **WindowsAutoPilot** configuration service provider. @@ -27,7 +27,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic - These settings enable configuration of Windows Autopilot + These settings enable configuration of Windows Autopilot. @@ -74,3 +74,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic ``` + +## Related topics + +[WindowsAutopilot configuration service provider](windowsautopilot-csp.md) \ No newline at end of file diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md b/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md index c4c0409389..d910c1b600 100644 --- a/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md +++ b/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md @@ -1,6 +1,6 @@ --- title: WindowsDefenderApplicationGuard DDF file -description: learn about the OMA DM device description framework (DDF) for the WindowsDefenderApplicationGuard DDF file configuration service provider (CSP). +description: Learn about the OMA DM device description framework (DDF) for the WindowsDefenderApplicationGuard DDF file configuration service provider (CSP). ms.author: dansimp ms.topic: article ms.prod: w10 @@ -14,13 +14,13 @@ manager: dansimp # WindowsDefenderApplicationGuard DDF file > [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. +> Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. This topic shows the OMA DM device description framework (DDF) for the **WindowsDefenderApplicationGuard** configuration service provider. Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). -This XML is for Windows 10, version 1809. +This XML is for Windows 10, version 1809 and later. ```xml @@ -481,3 +481,7 @@ This XML is for Windows 10, version 1809. ``` + +## Related topics + +[WindowsDefenderApplicationGuard configuration service provider](windowsdefenderapplicationguard-csp.md) \ No newline at end of file diff --git a/windows/client-management/mdm/windowslicensing-ddf-file.md b/windows/client-management/mdm/windowslicensing-ddf-file.md index 5286cedaa2..bdce69a6f7 100644 --- a/windows/client-management/mdm/windowslicensing-ddf-file.md +++ b/windows/client-management/mdm/windowslicensing-ddf-file.md @@ -15,13 +15,13 @@ ms.date: 07/16/2017 # WindowsLicensing DDF file > [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. +> Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. This topic shows the OMA DM device description framework (DDF) for the **WindowsLicensing** configuration service provider. DDF files are used only with OMA DM provisioning XML. Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). -The XML below is for Windows 10, version 1809. +The XML below is for Windows 10, version 1809 and later. ```xml @@ -104,7 +104,7 @@ The XML below is for Windows 10, version 1809. - Returns a value that maps to the Windows 10 edition running on devices. Take the value, convert it into its hexadecimal equivalent and search the GetProductInfo function page on MSDN for edition information. + Returns a value that maps to the Windows 10 or Windows 11 edition running on devices. Take the value, convert it into its hexadecimal equivalent and search the GetProductInfo function page on MSDN for edition information. @@ -128,7 +128,7 @@ The XML below is for Windows 10, version 1809. - Returns the status of an edition upgrade on Windows 10 client devices. Status: 0 = Failed, 1 = Pending, 2 = In progress, 3 = Completed, 4 = Unknown + Returns the status of an edition upgrade on Windows 10 or Windows 11 client devices. Status: 0 = Failed, 1 = Pending, 2 = In progress, 3 = Completed, 4 = Unknown @@ -349,3 +349,7 @@ The XML below is for Windows 10, version 1809. ``` + +## Related topics + +[WindowsLicensing configuration service provider](windowslicensing-csp.md) \ No newline at end of file From 7bcdef0327ae2e8d73f0bae15d115539d9b61c06 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi <89069896+alekyaj@users.noreply.github.com> Date: Fri, 1 Apr 2022 09:18:42 +0530 Subject: [PATCH 09/24] Updated ActiveSync as per feedback --- windows/client-management/mdm/activesync-csp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/activesync-csp.md b/windows/client-management/mdm/activesync-csp.md index bb6bd752f3..15b60ded18 100644 --- a/windows/client-management/mdm/activesync-csp.md +++ b/windows/client-management/mdm/activesync-csp.md @@ -18,7 +18,7 @@ The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | -|Home|No|No| +|Home|Yes|Yes| |Pro|Yes|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| From c43af9ad5de1811e1af7a8e6473a2e395940a874 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi <89069896+alekyaj@users.noreply.github.com> Date: Fri, 1 Apr 2022 12:55:27 +0530 Subject: [PATCH 10/24] Updated as per review comments --- .../mdm/cm-cellularentries-csp.md | 2 +- windows/client-management/mdm/cmpolicy-csp.md | 2 +- windows/client-management/mdm/wifi-csp.md | 2 +- .../client-management/mdm/windowsautopilot-csp.md | 14 +++++++------- .../client-management/mdm/windowslicensing-csp.md | 2 +- 5 files changed, 11 insertions(+), 11 deletions(-) diff --git a/windows/client-management/mdm/cm-cellularentries-csp.md b/windows/client-management/mdm/cm-cellularentries-csp.md index 7a057f91e2..da022a5067 100644 --- a/windows/client-management/mdm/cm-cellularentries-csp.md +++ b/windows/client-management/mdm/cm-cellularentries-csp.md @@ -18,7 +18,7 @@ The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | -|Home|No|No| +|Home|Yes|Yes| |Pro|Yes|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| diff --git a/windows/client-management/mdm/cmpolicy-csp.md b/windows/client-management/mdm/cmpolicy-csp.md index 3cf035b06c..d87631e417 100644 --- a/windows/client-management/mdm/cmpolicy-csp.md +++ b/windows/client-management/mdm/cmpolicy-csp.md @@ -18,7 +18,7 @@ The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | -|Home|No|No| +|Home|Yes|Yes| |Pro|Yes|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| diff --git a/windows/client-management/mdm/wifi-csp.md b/windows/client-management/mdm/wifi-csp.md index 9e1e9d883b..76b0d74e1d 100644 --- a/windows/client-management/mdm/wifi-csp.md +++ b/windows/client-management/mdm/wifi-csp.md @@ -18,7 +18,7 @@ The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | -|Home|No|No| +|Home|Yes|Yes| |Pro|Yes|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| diff --git a/windows/client-management/mdm/windowsautopilot-csp.md b/windows/client-management/mdm/windowsautopilot-csp.md index 2bcfeacc12..a0d6174d4c 100644 --- a/windows/client-management/mdm/windowsautopilot-csp.md +++ b/windows/client-management/mdm/windowsautopilot-csp.md @@ -1,5 +1,5 @@ --- -title: WindowsAutoPilot CSP +title: WindowsAutopilot CSP description: Learn how without the ability to mark a device as remediation required, the device will remain in a broken state, which results in security and privacy concerns in Autopilot. ms.assetid: E6BC6B0D-1F16-48A5-9AC4-76D69A7EDDA6 ms.reviewer: @@ -12,17 +12,17 @@ author: dansimp ms.date: 02/07/2022 --- -# WindowsAutoPilot CSP +# WindowsAutopilot CSP The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +|Home|No|Yes| +|Pro|No|Yes| +|Business|No|Yes| +|Enterprise|No|Yes| +|Education|No|Yes| > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. diff --git a/windows/client-management/mdm/windowslicensing-csp.md b/windows/client-management/mdm/windowslicensing-csp.md index 056fae1e4e..42c1d273f6 100644 --- a/windows/client-management/mdm/windowslicensing-csp.md +++ b/windows/client-management/mdm/windowslicensing-csp.md @@ -18,7 +18,7 @@ The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | -|Home|No|No| +|Home|Yes|Yes| |Pro|Yes|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| From 1a9d521eb31462b8abdae7bea45a4f64ad45d474 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi <89069896+alekyaj@users.noreply.github.com> Date: Fri, 1 Apr 2022 13:12:54 +0530 Subject: [PATCH 11/24] Updated --- .../client-management/mdm/windowsautopilot-ddf-file.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/client-management/mdm/windowsautopilot-ddf-file.md b/windows/client-management/mdm/windowsautopilot-ddf-file.md index 6f550affd0..d6f71e89a4 100644 --- a/windows/client-management/mdm/windowsautopilot-ddf-file.md +++ b/windows/client-management/mdm/windowsautopilot-ddf-file.md @@ -1,6 +1,6 @@ --- -title: WindowsAutoPilot DDF file -description: Learn how without the ability to mark a device as remediation required, the device will remain in a broken state, for the WindowsAutoPilot DDF file configuration service provider (CSP) . +title: WindowsAutopilot DDF file +description: Learn how without the ability to mark a device as remediation required, the device will remain in a broken state, for the WindowsAutopilot DDF file configuration service provider (CSP) . ms.author: dansimp ms.topic: article ms.prod: w10 @@ -11,12 +11,12 @@ ms.reviewer: manager: dansimp --- -# WindowsAutoPilot DDF file +# WindowsAutopilot DDF file > [!WARNING] > Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -This topic shows the device description framework (DDF) for the **WindowsAutoPilot** configuration service provider. +This topic shows the device description framework (DDF) for the **WindowsAutopilot** configuration service provider. Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). From a585e6277eded864166ae4d90201ee7a05622af6 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi <89069896+alekyaj@users.noreply.github.com> Date: Tue, 5 Apr 2022 11:02:15 +0530 Subject: [PATCH 12/24] As per feedback added a table --- .../mdm/clientcertificateinstall-csp.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/windows/client-management/mdm/clientcertificateinstall-csp.md b/windows/client-management/mdm/clientcertificateinstall-csp.md index a28a841d41..6803c2f873 100644 --- a/windows/client-management/mdm/clientcertificateinstall-csp.md +++ b/windows/client-management/mdm/clientcertificateinstall-csp.md @@ -14,6 +14,16 @@ ms.date: 07/30/2021 # ClientCertificateInstall CSP +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|---|---|---| +|Home|Yes|Yes| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + The ClientCertificateInstall configuration service provider enables the enterprise to install client certificates. A client certificate has a unique ID, which is the *\[UniqueID\]* for this configuration. Each client certificate must have different UniqueIDs for the SCEP enrollment request. For PFX certificate installation and SCEP installation, the SyncML commands must be wrapped in atomic commands to ensure that enrollment execution isn't triggered until all settings are configured. The Enroll command must be the last item in the atomic block. From a0dd5a10150255386f54bef6426384a5cdbaf700 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi <89069896+alekyaj@users.noreply.github.com> Date: Tue, 5 Apr 2022 11:28:27 +0530 Subject: [PATCH 13/24] Updated --- windows/client-management/mdm/cleanpc-csp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/cleanpc-csp.md b/windows/client-management/mdm/cleanpc-csp.md index c6c0b2d293..da1893f548 100644 --- a/windows/client-management/mdm/cleanpc-csp.md +++ b/windows/client-management/mdm/cleanpc-csp.md @@ -18,7 +18,7 @@ The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|Yes|Yes| +|Pro|No|No| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| From 00e63055e9c2771c383fbd62a1c4df26447a874f Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi <89069896+alekyaj@users.noreply.github.com> Date: Wed, 27 Apr 2022 11:26:16 +0530 Subject: [PATCH 14/24] Updated as per feedback --- windows/client-management/mdm/toc.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml index ee13358bb5..0027a560db 100644 --- a/windows/client-management/mdm/toc.yml +++ b/windows/client-management/mdm/toc.yml @@ -963,10 +963,10 @@ items: items: - name: WindowsAdvancedThreatProtection DDF file href: windowsadvancedthreatprotection-ddf.md - - name: WindowsAutoPilot CSP + - name: WindowsAutopilot CSP href: windowsautopilot-csp.md items: - - name: WindowsAutoPilot DDF file + - name: WindowsAutopilot DDF file href: windowsautopilot-ddf-file.md - name: WindowsDefenderApplicationGuard CSP href: windowsdefenderapplicationguard-csp.md From 4516a5dc251b3282d8aa17d5a17e419b1f5184b7 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi <89069896+alekyaj@users.noreply.github.com> Date: Mon, 2 May 2022 09:51:30 +0530 Subject: [PATCH 15/24] Updated as per review comments --- windows/client-management/mdm/cleanpc-csp.md | 2 +- windows/client-management/mdm/windowsautopilot-csp.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/cleanpc-csp.md b/windows/client-management/mdm/cleanpc-csp.md index da1893f548..454f964acd 100644 --- a/windows/client-management/mdm/cleanpc-csp.md +++ b/windows/client-management/mdm/cleanpc-csp.md @@ -19,7 +19,7 @@ The table below shows the applicability of Windows: |--- |--- |--- | |Home|No|No| |Pro|No|No| -|Business|Yes|Yes| +|Business|No|No| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/windowsautopilot-csp.md b/windows/client-management/mdm/windowsautopilot-csp.md index a0d6174d4c..1f1f11f0bd 100644 --- a/windows/client-management/mdm/windowsautopilot-csp.md +++ b/windows/client-management/mdm/windowsautopilot-csp.md @@ -18,7 +18,7 @@ The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | -|Home|No|Yes| +|Home|No|No| |Pro|No|Yes| |Business|No|Yes| |Enterprise|No|Yes| From 3506c7eb64f0a5e9718edfb5eefc771deaf3f8b1 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi <89069896+alekyaj@users.noreply.github.com> Date: Tue, 10 May 2022 08:53:39 +0530 Subject: [PATCH 16/24] Updated as per feedback --- .../mdm/configuration-service-provider-reference.md | 2 +- .../mdm/windowsdefenderapplicationguard-csp.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index 56bcf98029..366de01a73 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -1019,7 +1019,7 @@ Additional lists: |Home|Pro|Business|Enterprise|Education| |--- |--- |--- |--- |--- | -|No|Yes|Yes|Yes|Yes| +|No|No|Yes|Yes|Yes| diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md index b816d0954d..da2a13cfa9 100644 --- a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md +++ b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md @@ -18,7 +18,7 @@ The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|Yes|Yes| +|Pro|No|No| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| From 93894f62f5db737eafaed87c3bda492e319474a3 Mon Sep 17 00:00:00 2001 From: Priya Rakshith <96460485+PriyaRakshith@users.noreply.github.com> Date: Tue, 10 May 2022 11:33:56 +0530 Subject: [PATCH 17/24] Updated-B10 --- windows/security/information-protection/index.md | 4 ---- .../kernel-dma-protection-for-thunderbolt.md | 4 ---- .../secure-the-windows-10-boot-process.md | 5 ----- .../windows-information-protection/wip-learning.md | 6 ------ 4 files changed, 19 deletions(-) diff --git a/windows/security/information-protection/index.md b/windows/security/information-protection/index.md index 22875d7dbf..cc9a1ce337 100644 --- a/windows/security/information-protection/index.md +++ b/windows/security/information-protection/index.md @@ -2,13 +2,9 @@ title: Information protection (Windows 10) description: Learn more about how to protect sensitive data across your organization. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security author: dansimp ms.author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 10/10/2018 diff --git a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md index 5e605bd865..1d0b0ea803 100644 --- a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md +++ b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md @@ -2,13 +2,9 @@ title: Kernel DMA Protection (Windows) description: Kernel DMA Protection protects PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to Thunderbolt™ 3 ports. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security author: dansimp ms.author: dansimp manager: dansimp -audience: ITPro ms.collection: - M365-security-compliance - highpri diff --git a/windows/security/information-protection/secure-the-windows-10-boot-process.md b/windows/security/information-protection/secure-the-windows-10-boot-process.md index c1316fbac4..cdf5cc4a19 100644 --- a/windows/security/information-protection/secure-the-windows-10-boot-process.md +++ b/windows/security/information-protection/secure-the-windows-10-boot-process.md @@ -1,15 +1,10 @@ --- title: Secure the Windows boot process description: This article describes how Windows security features helps protect your PC from malware, including rootkits and other applications -keywords: trusted boot, windows boot process ms.prod: m365-security -ms.mktglfcycl: Explore -ms.pagetype: security -ms.sitesec: library ms.localizationpriority: medium author: dansimp manager: dansimp -audience: ITPro ms.collection: - M365-security-compliance - highpri diff --git a/windows/security/information-protection/windows-information-protection/wip-learning.md b/windows/security/information-protection/windows-information-protection/wip-learning.md index 0cf382492f..f243b85b06 100644 --- a/windows/security/information-protection/windows-information-protection/wip-learning.md +++ b/windows/security/information-protection/windows-information-protection/wip-learning.md @@ -1,18 +1,12 @@ --- title: Fine-tune Windows Information Policy (WIP) with WIP Learning description: How to access the WIP Learning report to monitor and apply Windows Information Protection in your company. -ms.assetid: 53db29d2-d99d-4db6-b494-90e2b4872ca2 ms.reviewer: -keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, WIP Learning ms.prod: m365-security -ms.mktglfcycl: -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: aczechowski ms.author: aaroncz manager: dougeby -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 02/26/2019 From 65878e3b25961ba6af856317a223926c778dc5fc Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi <89069896+alekyaj@users.noreply.github.com> Date: Tue, 10 May 2022 14:38:46 +0530 Subject: [PATCH 18/24] updated --- .../mdm/configuration-service-provider-reference.md | 2 +- .../mdm/windowsdefenderapplicationguard-csp.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index 366de01a73..e87f25aa49 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -1019,7 +1019,7 @@ Additional lists: |Home|Pro|Business|Enterprise|Education| |--- |--- |--- |--- |--- | -|No|No|Yes|Yes|Yes| +|No|No|No|Yes|Yes| diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md index da2a13cfa9..0ec8ff5709 100644 --- a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md +++ b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md @@ -19,7 +19,7 @@ The table below shows the applicability of Windows: |--- |--- |--- | |Home|No|No| |Pro|No|No| -|Business|Yes|Yes| +|Business|No|No| |Enterprise|Yes|Yes| |Education|Yes|Yes| From 854fe4e04817e3ef2b8f95ab2b57c700e01e7d97 Mon Sep 17 00:00:00 2001 From: "JerryAbo [MSFT]" <94194023+jerryabo@users.noreply.github.com> Date: Thu, 12 May 2022 16:31:56 -0500 Subject: [PATCH 19/24] Update policy-csp-devicelock.md removed unnecessary character --- windows/client-management/mdm/policy-csp-devicelock.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md index 17f1c7e4b9..44f87d8987 100644 --- a/windows/client-management/mdm/policy-csp-devicelock.md +++ b/windows/client-management/mdm/policy-csp-devicelock.md @@ -73,7 +73,7 @@ manager: dansimp

> [!Important] -> The DeviceLock CSP utilizes the [Exchange ActiveSync Policy Engine](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). When password length and complexity rules are applied, all the local user and administrator accounts are marked to change their password at the next sign in to ensure complexity requirements are met. For additional information, see [Password length and complexity supported by account types](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)#password-length-and-complexity-supported-by-account-types)). +> The DeviceLock CSP utilizes the [Exchange ActiveSync Policy Engine](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). When password length and complexity rules are applied, all the local user and administrator accounts are marked to change their password at the next sign in to ensure complexity requirements are met. For additional information, see [Password length and complexity supported by account types](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)#password-length-and-complexity-supported-by-account-types). **DeviceLock/AllowIdleReturnWithoutPassword** From 91b24d3873a2a334a9382fde44d2677f1f314f63 Mon Sep 17 00:00:00 2001 From: lizgt2000 <104389055+lizgt2000@users.noreply.github.com> Date: Fri, 13 May 2022 13:35:07 -0400 Subject: [PATCH 20/24] fix broken links --- windows/client-management/mdm/policy-csp-audit.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-audit.md b/windows/client-management/mdm/policy-csp-audit.md index 6960e68f36..1ac68b444f 100644 --- a/windows/client-management/mdm/policy-csp-audit.md +++ b/windows/client-management/mdm/policy-csp-audit.md @@ -1714,7 +1714,7 @@ The following are the supported values: -This policy setting allows you to audit events generated when encryption or decryption requests are made to the Data Protection application interface (DPAPI). DPAPI is used to protect secret information such as stored password and key information. For more information about DPAPI, see https://go.microsoft.com/fwlink/?LinkId=121720. +This policy setting allows you to audit events generated when encryption or decryption requests are made to the Data Protection application interface (DPAPI). DPAPI is used to protect secret information such as stored password and key information. For more information about DPAPI, see [How to use Data Protection](/dotnet/standard/security/how-to-use-data-protection). If you configure this policy setting, an audit event is generated when an encryption or decryption request is made to DPAPI. Success audits record successful requests and Failure audits record unsuccessful requests. If you don't configure this policy setting, no audit event is generated when an encryption or decryption request is made to DPAPI. @@ -2862,7 +2862,7 @@ If you don't configure this policy setting, no audit event is generated when an > [!Note] > Only the System Access Control List (SACL) for SAM_SERVER can be modified. -Volume: High on domain controllers. For information about reducing the number of events generated in this subcategory, see [article 841001 in the Microsoft Knowledge Base](https://go.microsoft.com/fwlink/?LinkId=121698). +Volume: High on domain controllers. For more information about reducing the number of events generated by auditing the access of global system objects, see [Audit the access of global system objects](/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects). From ca352e2527575bb4a72a839b1569b31fa91dcf77 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi <89069896+alekyaj@users.noreply.github.com> Date: Mon, 16 May 2022 08:31:54 +0530 Subject: [PATCH 21/24] PubOps comment fixes --- windows/client-management/mdm/accounts-csp.md | 2 +- windows/client-management/mdm/activesync-csp.md | 2 +- windows/client-management/mdm/alljoynmanagement-csp.md | 2 +- windows/client-management/mdm/application-csp.md | 4 ++-- windows/client-management/mdm/applicationcontrol-csp.md | 2 +- windows/client-management/mdm/applocker-csp.md | 2 +- windows/client-management/mdm/assignedaccess-csp.md | 2 +- windows/client-management/mdm/certificatestore-csp.md | 2 +- 8 files changed, 9 insertions(+), 9 deletions(-) diff --git a/windows/client-management/mdm/accounts-csp.md b/windows/client-management/mdm/accounts-csp.md index e1714be3c1..94eba45c92 100644 --- a/windows/client-management/mdm/accounts-csp.md +++ b/windows/client-management/mdm/accounts-csp.md @@ -27,7 +27,7 @@ The Accounts configuration service provider (CSP) is used by the enterprise (1) The following syntax shows the Accounts configuration service provider in tree format. -``` +```console ./Device/Vendor/MSFT Accounts ----Domain diff --git a/windows/client-management/mdm/activesync-csp.md b/windows/client-management/mdm/activesync-csp.md index b65de09282..3cc8bc3399 100644 --- a/windows/client-management/mdm/activesync-csp.md +++ b/windows/client-management/mdm/activesync-csp.md @@ -37,7 +37,7 @@ The `./Vendor/MSFT/ActiveSync path` is deprecated, but will continue to work in The following example shows the ActiveSync configuration service provider management objects in tree format as used by Open Mobile Alliance Device Management (OMA DM), OMA Client Provisioning, and Enterprise DM. -``` +```console ./Vendor/MSFT ActiveSync ----Accounts diff --git a/windows/client-management/mdm/alljoynmanagement-csp.md b/windows/client-management/mdm/alljoynmanagement-csp.md index e4676371cb..589580af1a 100644 --- a/windows/client-management/mdm/alljoynmanagement-csp.md +++ b/windows/client-management/mdm/alljoynmanagement-csp.md @@ -25,7 +25,7 @@ For the firewall settings, note that PublicProfile and PrivateProfile are mutual The following example shows the AllJoynManagement configuration service provider in tree format -``` +```console ./Vendor/MSFT AllJoynManagement ----Configurations diff --git a/windows/client-management/mdm/application-csp.md b/windows/client-management/mdm/application-csp.md index b935548199..f09f6f0d3d 100644 --- a/windows/client-management/mdm/application-csp.md +++ b/windows/client-management/mdm/application-csp.md @@ -30,9 +30,9 @@ OMA considers each transport to be an application and requires a corresponding A The following list shows the supported transports: -- w7, for bootstrapping a device with an OMA Device Management (OMA DM) account. For more information, see [w7 APPLICATION configuration service provider](w7-application-csp.md) +- w7, for bootstrapping a device with an OMA Device Management (OMA DM) account. For more information, see [w7 APPLICATION configuration service provider](w7-application-csp.md). -- w4, for configuring Multimedia Messaging Service (MMS). For more information, see [w4 APPLICATION configuration service provider](w4-application-csp.md) +- w4, for configuring Multimedia Messaging Service (MMS). For more information, see [w4 APPLICATION configuration service provider](w4-application-csp.md). The APPID parameter differentiates these application transports. Each APPID must be registered with OMA, and any APPLICATION configuration service provider must be in the root of the provisioning document. diff --git a/windows/client-management/mdm/applicationcontrol-csp.md b/windows/client-management/mdm/applicationcontrol-csp.md index cc06d82b40..3beb09b98d 100644 --- a/windows/client-management/mdm/applicationcontrol-csp.md +++ b/windows/client-management/mdm/applicationcontrol-csp.md @@ -29,7 +29,7 @@ Existing WDAC policies deployed using the AppLocker CSP's CodeIntegrity node can The following example shows the ApplicationControl CSP in tree format. -``` +```console ./Vendor/MSFT ApplicationControl ----Policies diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md index 05f97fc04b..c70d901cd1 100644 --- a/windows/client-management/mdm/applocker-csp.md +++ b/windows/client-management/mdm/applocker-csp.md @@ -83,7 +83,7 @@ Defines restrictions for applications. > [!NOTE] > When you create a list of allowed apps, all [inbox apps](#inboxappsandcomponents) are also blocked, and you must include them in your list of allowed apps. Don't forget to add the inbox apps for Phone, Messaging, Settings, Start, Email and accounts, Work and school, and other apps that you need. - +> > Delete/unenrollment is not properly supported unless Grouping values are unique across enrollments. If multiple enrollments use the same Grouping value, then unenrollment will not work as expected since there are duplicate URIs that get deleted by the resource manager. To prevent this problem, the Grouping value should include some randomness. The best practice is to use a randomly generated GUID. However, there's no requirement on the exact value of the node. > [!NOTE] diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md index 2300fbd281..5f61ca771d 100644 --- a/windows/client-management/mdm/assignedaccess-csp.md +++ b/windows/client-management/mdm/assignedaccess-csp.md @@ -40,7 +40,7 @@ In Windows 10, version 1709, the AssignedAccess configuration service provider ( The following example shows the AssignedAccess configuration service provider in tree format -``` +```console ./Vendor/MSFT AssignedAccess ----KioskModeApp diff --git a/windows/client-management/mdm/certificatestore-csp.md b/windows/client-management/mdm/certificatestore-csp.md index 8afad07519..010ec8b52d 100644 --- a/windows/client-management/mdm/certificatestore-csp.md +++ b/windows/client-management/mdm/certificatestore-csp.md @@ -34,7 +34,7 @@ For the CertificateStore CSP, you can't use the Replace command unless the node The following example shows the CertificateStore configuration service provider management object in tree format as used by both Open Mobile Alliance Device Management (OMA DM) and OMA Client Provisioning. -``` +```console ./Vendor/MSFT CertificateStore ----ROOT From 597c3bdb70bc7e77aebdb93d13d6b96c1c3b2b05 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi <89069896+alekyaj@users.noreply.github.com> Date: Mon, 16 May 2022 08:39:47 +0530 Subject: [PATCH 22/24] PubOps comment fixes --- .../mdm/win32compatibilityappraiser-csp.md | 8 ++++---- .../mdm/windowsadvancedthreatprotection-csp.md | 2 +- .../mdm/windowsdefenderapplicationguard-csp.md | 3 ++- 3 files changed, 7 insertions(+), 6 deletions(-) diff --git a/windows/client-management/mdm/win32compatibilityappraiser-csp.md b/windows/client-management/mdm/win32compatibilityappraiser-csp.md index f2a5fc1a7b..b3a8915e7f 100644 --- a/windows/client-management/mdm/win32compatibilityappraiser-csp.md +++ b/windows/client-management/mdm/win32compatibilityappraiser-csp.md @@ -98,10 +98,10 @@ An integer value representing whether the installed versions of the Compatibilit The values are: -- 0 == Neither the code nor data is of a sufficient version -- 1 == The code version is insufficient but the data version is sufficient -- 2 == The code version is sufficient but the data version is insufficient -- 3 == Both the code and data are of a sufficient version +- 0 == Neither the code nor data is of a sufficient version. +- 1 == The code version is insufficient but the data version is sufficient. +- 2 == The code version is sufficient but the data version is insufficient. +- 3 == Both the code and data are of a sufficient version. Value type is integer. diff --git a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md index e72179a48c..c9940fce4d 100644 --- a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md +++ b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md @@ -82,7 +82,7 @@ Supported operation is Get. The following list shows the supported values: -- 0 (default) – Not onboarded. +- 0 (default) – Not onboarded - 1 – Onboarded **HealthState/OrgId** diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md index 0ec8ff5709..10551772c3 100644 --- a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md +++ b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md @@ -26,7 +26,8 @@ The table below shows the applicability of Windows: The WindowsDefenderApplicationGuard configuration service provider (CSP) is used by the enterprise to configure the settings in Microsoft Defender Application Guard. This CSP was added in Windows 10, version 1709. The following example shows the WindowsDefenderApplicationGuard configuration service provider in tree format. -``` + +```console ./Device/Vendor/MSFT WindowsDefenderApplicationGuard ----Settings From 3c242c305d419458f6f3b1eb755b09429fbf772a Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi <89069896+alekyaj@users.noreply.github.com> Date: Mon, 16 May 2022 08:42:40 +0530 Subject: [PATCH 23/24] PubOps fixes --- windows/client-management/mdm/clientcertificateinstall-csp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/clientcertificateinstall-csp.md b/windows/client-management/mdm/clientcertificateinstall-csp.md index b6b1353815..028cae12a8 100644 --- a/windows/client-management/mdm/clientcertificateinstall-csp.md +++ b/windows/client-management/mdm/clientcertificateinstall-csp.md @@ -35,7 +35,7 @@ You can only set PFXKeyExportable to true if KeyLocation=3. For any other KeyLoc The following example shows the ClientCertificateInstall configuration service provider in tree format. -``` +```console ./Vendor/MSFT ClientCertificateInstall ----PFXCertInstall From fd2626397c1ed0daba73c8ca7cd61aa34d7e7225 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 16 May 2022 09:46:03 -0700 Subject: [PATCH 24/24] Update policy-csp-devicelock.md --- windows/client-management/mdm/policy-csp-devicelock.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md index 44f87d8987..398e28de31 100644 --- a/windows/client-management/mdm/policy-csp-devicelock.md +++ b/windows/client-management/mdm/policy-csp-devicelock.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.technology: windows author: dansimp ms.localizationpriority: medium -ms.date: 05/09/2022 +ms.date: 05/16/2022 ms.reviewer: manager: dansimp ---