diff --git a/store-for-business/roles-and-permissions-microsoft-store-for-business.md b/store-for-business/roles-and-permissions-microsoft-store-for-business.md index 0368064b89..5bab3cb32a 100644 --- a/store-for-business/roles-and-permissions-microsoft-store-for-business.md +++ b/store-for-business/roles-and-permissions-microsoft-store-for-business.md @@ -13,11 +13,16 @@ author: cmcatee-MSFT manager: scotv ms.topic: conceptual ms.localizationpriority: medium -ms.date: 03/10/2021 +ms.date: 03/16/2021 --- # Roles and permissions in Microsoft Store for Business and Education +**Applies to** + +- Windows 10 +- Windows 10 Mobile + > [!IMPORTANT] > Starting on April 14th, 2021, only free apps will be available in Microsoft Store for Business and Education. For more information, see [Microsoft Store for Business and Education](index.md). @@ -31,62 +36,65 @@ This table lists the global user accounts and the permissions they have in Micro | | Global Administrator | Billing Administrator | | ------------------------------ | --------------------- | --------------------- | -| Sign up for Microsoft Store for Business and Education | X | -| Modify company profile settings | X | | -| Purchase apps | X | X | +| Sign up for Microsoft Store for Business and Education | X | X | +| Modify company profile settings | X | X | +| Purchase apps | X | X | | Distribute apps | X | X | | Purchase subscription-based software | X | X | - -**Global Administrator** - IT Pros with this account have full access to Microsoft Store. They can do everything allowed in the Microsoft Store Admin role, plus they can sign up for Microsoft Store. +- **Global Administrator** and **Billing Administrator** - IT Pros with these accounts have full access to Microsoft Store. They can do everything allowed in the Microsoft Store Admin role, plus they can sign up for Microsoft Store. -**Billing Administrator** - IT Pros with this account have the same permissions as Microsoft Store Purchaser role. +## Microsoft Store roles and permissions -## Billing account roles and permissions -There are a set of roles, managed at your billing account level, that help IT admins and employees manage access to and tasks for Microsoft Store. Employees with these roles will need to use their Azure AD account to access Microsoft Store for Business. +Microsoft Store for Business has a set of roles that help IT admins and employees manage access to apps and tasks for Microsoft Store. Employees with these roles will need to use their Azure AD account to access Microsoft Store. This table lists the roles and their permissions. -| Role | Buy from

Microsoft Store | Assign

roles | Edit

account | Sign

agreements | View

account | -| ------------------------| ------ | -------- | ------ | -------| -------- | -| Billing account owner | X | X | X | X | X | -| Billing account contributor | | | X | X | X | -| Billing account reader | | | | | X | -| Signatory | | | | X | X | +| | Admin | Purchaser | Device Guard signer | +| ------------------------------ | ------ | -------- | ------------------- | +| Assign roles | X | | | +| Manage Microsoft Store for Business and Education settings | X | | | +| Acquire apps | X | X | | +| Distribute apps | X | X | | +| Sign policies and catalogs | X | | | +| Sign Device Guard changes | X | | X | - -## Purchasing roles and permissions -There are also a set of roles for purchasing and managing items bought. -This table lists the roles and their permissions. - -| Role | Buy from

Microsoft Store | Manage all items | Manage items

I buy | -| ------------| ------ | -------- | ------ | -| Purchaser | X | X | | -| Basic purchaser | X | | X | - -## Assign roles **To assign roles to people** -1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com). +1. Sign in to Microsoft Store for Business or Microsoft Store for Education. >[!Note] - >You need to be a Global Administrator, or have the Billing account owner role to access **Permissions**.  - -2. Select **Manage**, and then select **Permissions**. -3. On **Roles**, or **Purchasing roles**, select **Assign roles**. -4. Enter a name, choose the role you want to assign, and select **Save**. - If you don't find the name you want, you might need to add people to your Azure AD directory. For more information, see [Manage user accounts](manage-users-and-groups-microsoft-store-for-business.md). + >You need to be a Global Administrator, or have the Microsoft Store Admin role to access the **Permissions** page. + + To assign roles, you need to be a Global Administrator or a Store Administrator. + +2. Click **Settings**, and then choose **Permissions**. + + OR + + Click **Manage**, and then click **Permissions** on the left-hand menu. + + + +3. Click **Add people**, type a name, choose the role you want to assign, and click **Save**. + + + +4. If you don't find the name you want, you might need to add people to your Azure AD directory. For more information, see [Manage user accounts in Microsoft Store for Business and Education](manage-users-and-groups-microsoft-store-for-business.md). \ No newline at end of file diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md index 47233d4219..f8d9e83171 100644 --- a/windows/client-management/mdm/TOC.md +++ b/windows/client-management/mdm/TOC.md @@ -202,6 +202,7 @@ #### [ADMX_EventForwarding](policy-csp-admx-eventforwarding.md) #### [ADMX_EventLog](policy-csp-admx-eventlog.md) #### [ADMX_Explorer](policy-csp-admx-explorer.md) +#### [ADMX_FileRecovery](policy-csp-admx-filerecovery.md) #### [ADMX_FileServerVSSProvider](policy-csp-admx-fileservervssprovider.md) #### [ADMX_FileSys](policy-csp-admx-filesys.md) #### [ADMX_FolderRedirection](policy-csp-admx-folderredirection.md) @@ -265,6 +266,7 @@ #### [ADMX_WindowsAnytimeUpgrade](policy-csp-admx-windowsanytimeupgrade.md) #### [ADMX_WindowsConnectNow](policy-csp-admx-windowsconnectnow.md) #### [ADMX_WindowsExplorer](policy-csp-admx-windowsexplorer.md) +#### [ADMX_WindowsFileProtection](policy-csp-admx-windowsfileprotection.md) #### [ADMX_WindowsMediaDRM](policy-csp-admx-windowsmediadrm.md) #### [ADMX_WindowsMediaPlayer](policy-csp-admx-windowsmediaplayer.md) #### [ADMX_WindowsRemoteManagement](policy-csp-admx-windowsremotemanagement.md) diff --git a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md index b511fd100f..378e0e0f1e 100644 --- a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md +++ b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md @@ -13,7 +13,7 @@ author: lomayor # Azure Active Directory integration with MDM -Azure Active Directory is the world largest enterprise cloud identity management service. It’s used by millions of organizations to access Office 365 and thousands of business applications from Microsoft and third party software as a service (SaaS) vendors. Many of the rich Windows 10 experiences for organizational users (such as store access or OS state roaming) use Azure AD as the underlying identity infrastructure. Windows 10 provides an integrated configuration experience with Azure AD, allowing devices to be registered in Azure AD and enrolled into MDM in a smooth integrated flow. +Azure Active Directory is the world largest enterprise cloud identity management service. It’s used by millions of organizations to access Office 365 and thousands of business applications from Microsoft and third-party software as a service (SaaS) vendors. Many of the rich Windows 10 experiences for organizational users (such as store access or OS state roaming) use Azure AD as the underlying identity infrastructure. Windows 10 provides an integrated configuration experience with Azure AD, allowing devices to be registered in Azure AD and enrolled into MDM in a smooth integrated flow. Once a device is enrolled in MDM, the MDM can enforce compliance with corporate policies, add or remove apps, and more. Additionally, the MDM can report a device’s compliance Azure AD. This enables Azure AD to allow access to corporate resources or applications secured by Azure AD only to devices that comply with policies. To support these rich experiences with their MDM product, MDM vendors can integrate with Azure AD. This topic describes the steps involved. @@ -52,19 +52,19 @@ Two Azure AD MDM enrollment scenarios: In both scenarios, Azure AD is responsible for authenticating the user and the device, which provides a verified unique device identifier that can be used for MDM enrollment. -In both scenarios, the enrollment flow provides an opportunity for the MDM service to render it's own UI, using a web view. MDM vendors should use this to render the Terms of Use (TOU), which can be different for company-owned and BYOD devices. MDM vendors can also use the web view to render additional UI elements, such as asking for a one-time PIN, if this is part of the business process of the organization. +In both scenarios, the enrollment flow provides an opportunity for the MDM service to render its own UI, using a web view. MDM vendors should use this to render the Terms of Use (TOU), which can be different for company-owned and BYOD devices. MDM vendors can also use the web view to render additional UI elements, such as asking for a one-time PIN, if this is part of the business process of the organization. -In the out-of-the-box scenario, the web view is 100% full screen, which gives the MDM vendor the ability to paint an edge-to-edge experience. With great power comes great responsibility! It is important that MDM vendors who chose to integrate with Azure AD to respect the Windows 10 design guidelines to the letter. This includes using a responsive web design and respecting the Windows accessibility guidelines, which includes the forward and back buttons that are properly wired to the navigation logic. Additional details are provided later in this topic. +In the out-of-the-box scenario, the web view is 100% full screen, which gives the MDM vendor the ability to paint an edge-to-edge experience. With great power comes great responsibility! It is important that MDM vendors who chose to integrate with Azure AD respect the Windows 10 design guidelines to the letter. This includes using a responsive web design and respecting the Windows accessibility guidelines, which includes the forward and back buttons that are properly wired to the navigation logic. Additional details are provided later in this topic. -For Azure AD enrollment to work for an Active Directory Federated Services (AD FS) backed Azure AD account, you must enable password authentication for the intranet on the ADFS service as described in solution \#2 in [this article](https://go.microsoft.com/fwlink/?LinkId=690246). +For Azure AD enrollment to work for an Active Directory Federated Services (AD FS) backed Azure AD account, you must enable password authentication for the intranet on the ADFS service as described in solution \#2 in [Configure Azure MFA as authentication provider with AD FS](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-ad-fs-and-azure-mfa). -Once a user has an Azure AD account added to Windows 10 and enrolled in MDM, the enrollment can be manages through **Settings** > **Accounts** > **Work access**. Device management of either Azure AD Join for corporate scenarios or BYOD scenarios are similar. +Once a user has an Azure AD account added to Windows 10 and enrolled in MDM, the enrollment can be managed through **Settings** > **Accounts** > **Work access**. Device management of either Azure AD Join for corporate scenarios or BYOD scenarios is similar. > [!NOTE] > Users cannot remove the device enrollment through the **Work access** user interface because management is tied to the Azure AD or work account. -### MDM endpoints involved in Azure AD integrated enrollment +### MDM endpoints involved in Azure AD–integrated enrollment Azure AD MDM enrollment is a two-step process: @@ -112,27 +112,39 @@ The keys used by the MDM application to request access tokens from Azure AD are Use the following steps to register a cloud-based MDM application with Azure AD. At this time, you need to work with the Azure AD engineering team to expose this application through the Azure AD app gallery. -1. Login to the Azure Management Portal using an admin account in your home tenant. +1. Log in to the Azure Management Portal using an admin account in your home tenant. + 2. In the left navigation, click on the **Active Directory**. + 3. Click the directory tenant where you want to register the application. Ensure that you are logged into your home tenant. + 4. Click the **Applications** tab. + 5. In the drawer, click **Add**. + 6. Click **Add an application my organization is developing**. + 7. Enter a friendly name for the application, such as ContosoMDM, select **Web Application and or Web API**, then click **Next**. + 8. Enter the login URL for your MDM service. + 9. For the App ID, enter **https://<your\_tenant\_name>/ContosoMDM**, then click OK. + 10. While still in the Azure portal, click the **Configure** tab of your application. + 11. Mark your application as **multi-tenant**. + 12. Find the client ID value and copy it. You will need this later when configuring your application. This client ID is used when obtaining access tokens and adding applications to the Azure AD app gallery. + 13. Generate a key for your application and copy it. You will need this to call the Azure AD Graph API to report device compliance. This is covered in the subsequent section. -For more information about how to register a sample application with Azure AD, see the steps to register the **TodoListService Web API** in [NativeClient-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613667) +For more information about how to register a sample application with Azure AD, see the steps to register the **TodoListService Web API** in [NativeClient-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613667). ### Add an on-premises MDM @@ -208,7 +220,7 @@ The following table shows the required information to create an entry in the Azu ### Add on-premises MDM to the app gallery -There are no special requirements for adding on-premises MDM to the app gallery.There is a generic entry for administrator to add an app to their tenant. +There are no special requirements for adding on-premises MDM to the app gallery. There is a generic entry for administrator to add an app to their tenant. However, key management is different for on-premises MDM. You must obtain the client ID (app ID) and key assigned to the MDM app within the customer's tenant. These are used to obtain authorization to access the Azure AD Graph API and for reporting device compliance. @@ -347,7 +359,8 @@ The following claims are expected in the access token passed by Windows to the T - +
+ > [!NOTE] > There is no device ID claim in the access token because the device may not yet be enrolled at this time. @@ -355,7 +368,7 @@ To retrieve the list of group memberships for the user, you can use the [Azure A Here's an example URL. -```console +```http https://fabrikam.contosomdm.com/TermsOfUse?redirect_uri=ms-appx-web://ContosoMdm/ToUResponse&client-request-id=34be581c-6ebd-49d6-a4e1-150eff4b7213&api-version=1.0 Authorization: Bearer eyJ0eXAiOi ``` @@ -647,7 +660,7 @@ Alert sample: ## Determine when a user is logged in through polling -An alert is send to the MDM server in DM package\#1. +An alert is sent to the MDM server in DM package\#1. - Alert type - com.microsoft/MDM/LoginStatus - Alert format - chr @@ -925,5 +938,3 @@ When a user is enrolled into MDM through Azure Active Directory Join and then di - - diff --git a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md index 9732019e98..28c2b08822 100644 --- a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md +++ b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md @@ -112,8 +112,8 @@ Example: Export the Debug logs ``` -## Collect logs from Windows 10 Mobile devices - + + -## Collect logs remotely from Windows 10 Holographic or Windows 10 Mobile devices +## Collect logs remotely from Windows 10 Holographic -For holographic or mobile devices already enrolled in MDM, you can remotely collect MDM logs through the MDM channel using the [DiagnosticLog CSP](diagnosticlog-csp.md). +For holographic already enrolled in MDM, you can remotely collect MDM logs through the MDM channel using the [DiagnosticLog CSP](diagnosticlog-csp.md). You can use the DiagnosticLog CSP to enable the ETW provider. The provider ID is 3DA494E4-0FE2-415C-B895-FB5265C5C83B. The following examples show how to enable the ETW provider: diff --git a/windows/client-management/mdm/diagnosticlog-csp.md b/windows/client-management/mdm/diagnosticlog-csp.md index fb9c1a57d8..99f4ef73c5 100644 --- a/windows/client-management/mdm/diagnosticlog-csp.md +++ b/windows/client-management/mdm/diagnosticlog-csp.md @@ -26,9 +26,39 @@ The following are the links to different versions of the DiagnosticLog CSP DDF f - [DiagnosticLog CSP version 1.2](diagnosticlog-ddf.md#version-1-2) -The following diagram shows the DiagnosticLog CSP in tree format. -![diagnosticlog csp diagram](images/provisioning-csp-diagnosticlog.png) - +The following shows the DiagnosticLog CSP in tree format. +``` +./Vendor/MSFT +DiagnosticLog +----EtwLog +--------Collectors +------------CollectorName +----------------TraceStatus +----------------TraceLogFileMode +----------------TraceControl +----------------LogFileSizeLimitMB +----------------Providers +--------------------ProviderGuid +------------------------Keywords +------------------------TraceLevel +------------------------State +--------Channels +------------ChannelName +----------------Export +----------------State +----------------Filter +----DeviceStateData +--------MdmConfiguration +----FileDownload +--------DMChannel +------------FileContext +----------------BlockSizeKB +----------------BlockCount +----------------BlockIndexToRead +----------------BlockData +----------------DataBlocks +--------------------BlockNumber +``` **./Vendor/MSFT/DiagnosticLog** The root node for the DiagnosticLog CSP. diff --git a/windows/client-management/mdm/dmacc-csp.md b/windows/client-management/mdm/dmacc-csp.md index 4a45bf4eb2..e7e340552c 100644 --- a/windows/client-management/mdm/dmacc-csp.md +++ b/windows/client-management/mdm/dmacc-csp.md @@ -23,10 +23,46 @@ The DMAcc configuration service provider allows an OMA Device Management (DM) ve For the DMAcc CSP, you cannot use the Replace command unless the node already exists. -The following diagram shows the DMAcc configuration service provider management object in tree format as used by OMA Device Management version 1.2. The OMA Client Provisioning protocol is not supported by this configuration service provider. - -![dmacc csp (dm)](images/provisioning-csp-dmacc-dm.png) +The following shows the DMAcc configuration service provider management object in tree format as used by OMA Device Management version 1.2. The OMA Client Provisioning protocol is not supported by this configuration service provider. +``` +./SyncML +DMAcc +----* +--------AppID +--------ServerID +--------Name +--------PrefConRef +--------AppAddr +------------* +----------------Addr +----------------AddrType +----------------Port +--------------------* +------------------------PortNbr +--------AAuthPref +--------AppAuth +------------* +----------------AAuthLevel +----------------AAuthType +----------------AAuthName +----------------AAuthSecret +----------------AAuthData +--------Ext +------------Microsoft +----------------Role +----------------ProtoVer +----------------DefaultEncoding +----------------UseHwDevID +----------------ConnRetryFreq +----------------InitialBackOffTime +----------------MaxBackOffTime +----------------BackCompatRetryDisabled +----------------UseNonceResync +----------------CRLCheck +----------------DisableOnRoaming +----------------SSLCLIENTCERTSEARCHCRITERIA +``` **DMAcc** Required. Defines the root node of all OMA DM server accounts that use the OMA DM version 1.2 protocol. diff --git a/windows/client-management/mdm/dmclient-csp.md b/windows/client-management/mdm/dmclient-csp.md index 6ed30e55f1..1f764db2bb 100644 --- a/windows/client-management/mdm/dmclient-csp.md +++ b/windows/client-management/mdm/dmclient-csp.md @@ -17,11 +17,50 @@ ms.date: 11/01/2017 The DMClient configuration service provider (CSP) is used to specify additional enterprise-specific mobile device management (MDM) configuration settings for identifying the device in the enterprise domain, for security mitigation for certificate renewal, and for server-triggered enterprise unenrollment. -The following diagram shows the DMClient CSP in tree format. - -![dmclient csp](images/provisioning-csp-dmclient-th2.png) - - +The following shows the DMClient CSP in tree format. +``` +./Vendor/MSFT +DMClient +----Provider +-------- +------------EntDeviceName +------------ExchangeID +------------EntDMID +------------SignedEntDMID +------------CertRenewTimeStamp +------------PublisherDeviceID +------------ManagementServiceAddress +------------UPN +------------HelpPhoneNumber +------------HelpWebsite +------------HelpEmailAddress +------------RequireMessageSigning +------------SyncApplicationVersion +------------MaxSyncApplicationVersion +------------Unenroll +------------AADResourceID +------------AADDeviceID +------------EnrollmentType +------------EnableOmaDmKeepAliveMessage +------------HWDevID +------------ManagementServerAddressList +------------CommercialID +------------Push +----------------PFN +----------------ChannelURI +----------------Status +------------Poll +----------------IntervalForFirstSetOfRetries +----------------NumberOfFirstRetries +----------------IntervalForSecondSetOfRetries +----------------NumberOfSecondRetries +----------------IntervalForRemainingScheduledRetries +----------------NumberOfRemainingScheduledRetries +----------------PollOnLogin +----------------AllUsersPollOnFirstLogin +----Unenroll +----UpdateManagementServiceAddress +``` **./Vendor/MSFT** All the nodes in this CSP are supported in the device context, except for the **ExchangeID** node, which is supported in the user context. For the device context, use the **./Device/Vendor/MSFT** path and for the user context, use the **./User/Vendor/MSFT** path. diff --git a/windows/client-management/mdm/dmsessionactions-csp.md b/windows/client-management/mdm/dmsessionactions-csp.md index 65aeb1a961..8c5772b29c 100644 --- a/windows/client-management/mdm/dmsessionactions-csp.md +++ b/windows/client-management/mdm/dmsessionactions-csp.md @@ -1,6 +1,6 @@ --- title: DMSessionActions CSP -description: Learn how the DMSessionActions configuration service provider (CSP) is used to manage the number of sessions the client skips if the device is in a low power state. +description: Learn how the DMSessionActions configuration service provider (CSP) is used to manage the number of sessions the client skips if the device is in a low-power state. ms.author: dansimp ms.topic: article ms.prod: w10 @@ -16,20 +16,57 @@ manager: dansimp The DMSessionActions configuration service provider (CSP) is used to manage: -- the number of sessions the client skips if the device is in a low power state +- the number of sessions the client skips if the device is in a low-power state - which CSP nodes should send an alert back to the server if there were any changes. This CSP was added in Windows 10, version 1703. -The following diagram shows the DMSessionActions configuration service provider in tree format. +The following shows the DMSessionActions configuration service provider in tree format. +``` +./User/Vendor/MSFT +DMSessionActions +----ProviderID +--------CheckinAlertConfiguration +------------Nodes +----------------NodeID +--------------------NodeURI +--------AlertData +--------PowerSettings +------------MaxSkippedSessionsInLowPowerState +------------MaxTimeSessionsSkippedInLowPowerState -![dmsessionactions csp](images/provisioning-csp-dmsessionactions.png) +./Device/Vendor/MSFT +DMSessionActions +----ProviderID +--------CheckinAlertConfiguration +------------Nodes +----------------NodeID +--------------------NodeURI +--------AlertData +--------PowerSettings +------------MaxSkippedSessionsInLowPowerState +------------MaxTimeSessionsSkippedInLowPowerState + + +./User/Vendor/MSFT +./Device/Vendor/MSFT +DMSessionActions +----ProviderID +--------CheckinAlertConfiguration +------------Nodes +----------------NodeID +--------------------NodeURI +--------AlertData +--------PowerSettings +------------MaxSkippedSessionsInLowPowerState +------------MaxTimeSessionsSkippedInLowPowerState +``` **./Device/Vendor/MSFT/DMSessionActions or ./User/Vendor/MSFT/DMSessionActions**

Defines the root node for the DMSessionActions configuration service provider.

***ProviderID*** -

Group settings per device management (DM) server. Each group of settings is distinguished by the Provider ID of the server. It must be the same DM server Provider ID value that was supplied through the w7 APPLICATION configuration service provider XML during the enrollment process. Only one enterprise management server is supported, which means that there should be only one ProviderID node under NodeCache.

+

Group settings per device management (DM) server. Each group of settings is distinguished by the Provider ID of the server. It must be the same DM server Provider ID value that was supplied through the w7 APPLICATION configuration service provider XML during the enrollment process. Only one enterprise management server is supported, which means there should be only one ProviderID node under NodeCache.

Scope is dynamic. Supported operations are Get, Add, and Delete.

@@ -55,12 +92,12 @@ The following diagram shows the DMSessionActions configuration service provider

Value type is string. Supported operation is Get.

**PowerSettings** -

Node for power related configrations

+

Node for power-related configrations

**PowerSettings/MaxSkippedSessionsInLowPowerState** -

Maximum number of continuous skipped sync sessions when the device is in low power state.

+

Maximum number of continuous skipped sync sessions when the device is in low-power state.

Value type is integer. Supported operations are Add, Get, Replace, and Delete.

**PowerSettings/MaxTimeSessionsSkippedInLowPowerState** -

Maximum time in minutes when the device can skip the check-in with the server if the device is in low power state.

+

Maximum time in minutes when the device can skip the check-in with the server if the device is in low-power state.

Value type is integer. Supported operations are Add, Get, Replace, and Delete.

diff --git a/windows/client-management/mdm/dynamicmanagement-csp.md b/windows/client-management/mdm/dynamicmanagement-csp.md index b6fe50d931..3716a1c54a 100644 --- a/windows/client-management/mdm/dynamicmanagement-csp.md +++ b/windows/client-management/mdm/dynamicmanagement-csp.md @@ -17,10 +17,21 @@ Windows 10 allows you to manage devices differently depending on location, netwo This CSP was added in Windows 10, version 1703. -The following diagram shows the DynamicManagement configuration service provider in tree format. - -![dynamicmanagement csp](images/provisioning-csp-dynamicmanagement.png) - +The following shows the DynamicManagement configuration service provider in tree format. +``` +./Device/Vendor/MSFT +DynamicManagement +----NotificationsEnabled +----ActiveList +----Contexts +--------ContextID +------------SignalDefinition +------------SettingsPack +------------SettingsPackResponse +------------ContextStatus +------------Altitude +----AlertsEnabled +``` **DynamicManagement**

The root node for the DynamicManagement configuration service provider.

@@ -53,7 +64,7 @@ The following diagram shows the DynamicManagement configuration service provider

Supported operation is Get.

***ContextID*** -

Node created by the server to define a context. Maximum amount of characters allowed is 38.

+

Node created by the server to define a context. Maximum number of characters allowed is 38.

Supported operations are Add, Get, and Delete.

**SignalDefinition** @@ -65,15 +76,15 @@ The following diagram shows the DynamicManagement configuration service provider

Value type is string. Supported operations are Add, Get, Delete, and Replace.

**SettingsPackResponse** -

Response from applying a Settings Pack that contains information on each individual action..

+

Response from applying a Settings Pack that contains information on each individual action.

Value type is string. Supported operation is Get.

**ContextStatus** -

Reports status of the context. If there was a failure, SettingsPackResponse should be checked for what exactly failed..

+

Reports status of the context. If there was a failure, SettingsPackResponse should be checked for what exactly failed.

Value type is integer. Supported operation is Get.

**Altitude** -

A value that determines how to handle conflict resolution of applying multiple contexts on the device. This is required and must be distinct of other priorities..

+

A value that determines how to handle conflict resolution of applying multiple contexts on the device. This is required and must be distinct of other priorities.

Value type is integer. Supported operations are Add, Get, Delete, and Replace.

**AlertsEnabled** @@ -82,7 +93,7 @@ The following diagram shows the DynamicManagement configuration service provider ## Examples -Disable Cortana based on Geo location and time, From 9am-5pm, when in the 100 meters radius of the specified latitude/longitude +Disable Cortana based on Geo location and time, From 9am-5pm, when in the 100-meters radius of the specified latitude/longitude ```xml diff --git a/windows/client-management/mdm/email2-csp.md b/windows/client-management/mdm/email2-csp.md index 844fc1be39..f3e4080512 100644 --- a/windows/client-management/mdm/email2-csp.md +++ b/windows/client-management/mdm/email2-csp.md @@ -22,10 +22,44 @@ On the desktop, only per user configuration is supported.   -The following diagram shows the EMAIL2 configuration service provider management object in tree format as used by both OMA DM and OMA Client Provisioning. - -![email2 csp (dm,cp)](images/provisioning-csp-email2.png) - +The following shows the EMAIL2 configuration service provider management object in tree format as used by both OMA DM and OMA Client Provisioning. +``` +./Vendor/MSFT +EMAIL2 +----Account GUID +--------ACCOUNTICON +--------ACCOUNTTYPE +--------AUTHNAME +--------AUTHREQUIRED +--------AUTHSECRET +--------DOMAIN +--------DWNDAY +--------INSERVER +--------LINGER +--------KEEPMAX +--------NAME +--------OUTSERVER +--------REPLYADDR +--------SERVICENAME +--------SERVICETYPE +--------RETRIEVE +--------SERVERDELETEACTION +--------CELLULARONLY +--------SYNCINGCONTENTTYPES +--------CONTACTSSERVER +--------CALENDARSERVER +--------CONTACTSSERVERREQUIRESSL +--------CALENDARSERVERREQUIRESSL +--------CONTACTSSYNCSCHEDULE +--------CALENDARSYNCSCHEDULE +--------SMTPALTAUTHNAME +--------SMTPALTDOMAIN +--------SMTPALTENABLED +--------SMTPALTPASSWORD +--------TAGPROPS +------------8128000B +------------812C000B +``` In Windows 10 Mobile, after the user’s out of box experience, an OEM or mobile operator can use the EMAIL2 configuration service provider to provision the device with a mobile operator’s proprietary mail over the air. After provisioning, the **Start** screen has a tile for the proprietary mail provider and there is also a link to it in the applications list under **Settings, email & accounts**. After an account has been updated over-the-air by the EMAIL2 CSP, the device must be powered off and then powered back on to see the sync status. Configuration data is not encrypted when sent over the air (OTA). Be aware that this is a potential security risk when sending sensitive configuration data, such as passwords. diff --git a/windows/client-management/mdm/enrollmentstatustracking-csp.md b/windows/client-management/mdm/enrollmentstatustracking-csp.md index 6faa0a9b38..7bb30dc47f 100644 --- a/windows/client-management/mdm/enrollmentstatustracking-csp.md +++ b/windows/client-management/mdm/enrollmentstatustracking-csp.md @@ -18,10 +18,72 @@ ESP uses the EnrollmentStatusTracking CSP along with the DMClient CSP to track t The EnrollmentStatusTracking CSP was added in Windows 10, version 1903. -The following diagram shows the EnrollmentStatusTracking CSP in tree format. +The following shows the EnrollmentStatusTracking CSP in tree format. +``` +./User/Vendor/MSFT +EnrollmentStatusTracking +----Setup +--------Apps +------------PolicyProviders +----------------ProviderName +--------------------TrackingPoliciesCreated +------------Tracking +----------------ProviderName +--------------------AppName +------------------------TrackingUri +------------------------InstallationState +------------------------RebootRequired +--------HasProvisioningCompleted -![tree diagram for enrollmentstatustracking csp](images/provisioning-csp-enrollmentstatustracking.png) +./Device/Vendor/MSFT +EnrollmentStatusTracking +----DevicePreparation +--------PolicyProviders +------------ProviderName +----------------InstallationState +----------------LastError +----------------Timeout +----------------TrackedResourceTypes +--------------------Apps +----Setup +--------Apps +------------PolicyProviders +----------------ProviderName +--------------------TrackingPoliciesCreated +------------Tracking +----------------ProviderName +--------------------AppName +------------------------TrackingUri +------------------------InstallationState +------------------------RebootRequired +--------HasProvisioningCompleted + + +./User/Vendor/MSFT +./Device/Vendor/MSFT +EnrollmentStatusTracking +----DevicePreparation +--------PolicyProviders +------------ProviderName +----------------InstallationState +----------------LastError +----------------Timeout +----------------TrackedResourceTypes +--------------------Apps +----Setup +--------Apps +------------PolicyProviders +----------------ProviderName +--------------------TrackingPoliciesCreated +------------Tracking +----------------ProviderName +--------------------AppName +------------------------TrackingUri +------------------------InstallationState +------------------------RebootRequired +--------HasProvisioningCompleted +``` **./Vendor/MSFT** For device context, use **./Device/Vendor/MSFT** path and for user context, use **./User/Vendor/MSFT** path. diff --git a/windows/client-management/mdm/enterpriseapn-csp.md b/windows/client-management/mdm/enterpriseapn-csp.md index d2b3bddc1d..c271c1dbe6 100644 --- a/windows/client-management/mdm/enterpriseapn-csp.md +++ b/windows/client-management/mdm/enterpriseapn-csp.md @@ -19,10 +19,25 @@ The EnterpriseAPN configuration service provider (CSP) is used by the enterprise > [!Note] > Starting in Windows 10, version 1703 the EnterpriseAPN CSP is supported in Windows 10 Home, Pro, Enterprise, and Education editions. -The following image shows the EnterpriseAPN configuration service provider in tree format. - -![enterpriseapn csp](images/provisioning-csp-enterpriseapn-rs1.png) - +The following shows the EnterpriseAPN configuration service provider in tree format. +``` +./Vendor/MSFT +EnterpriseAPN +----ConnectionName +--------APNName +--------IPType +--------IsAttachAPN +--------ClassId +--------AuthType +--------UserName +--------Password +--------IccId +--------AlwaysOn +--------Enabled +----Settings +--------AllowUserControl +--------HideView +``` **EnterpriseAPN**

The root node for the EnterpriseAPN configuration service provider.

diff --git a/windows/client-management/mdm/enterpriseappvmanagement-csp.md b/windows/client-management/mdm/enterpriseappvmanagement-csp.md index 272f60f44f..4be89ba1e5 100644 --- a/windows/client-management/mdm/enterpriseappvmanagement-csp.md +++ b/windows/client-management/mdm/enterpriseappvmanagement-csp.md @@ -15,10 +15,35 @@ manager: dansimp The EnterpriseAppVManagement configuration service provider (CSP) is used to manage virtual applications in Windows 10 PCs (Enterprise and Education editions). This CSP was added in Windows 10, version 1703. -The following diagram shows the EnterpriseAppVManagement configuration service provider in tree format. - -![enterpriseappvmanagement csp](images/provisioning-csp-enterpriseappvmanagement.png) - +The following shows the EnterpriseAppVManagement configuration service provider in tree format. +``` +./Vendor/MSFT +EnterpriseAppVManagement +----AppVPackageManagement +--------EnterpriseID +------------PackageFamilyName +----------------PackageFullName +--------------------Name +--------------------Version +--------------------Publisher +--------------------InstallLocation +--------------------InstallDate +--------------------Users +--------------------AppVPackageId +--------------------AppVVersionId +--------------------AppVPackageUri +----AppVPublishing +--------LastSync +------------LastError +------------LastErrorDescription +------------SyncStatusDescription +------------SyncProgress +--------Sync +------------PublishXML +----AppVDynamicPolicy +--------ConfigurationId +------------Policy +``` **./Vendor/MSFT/EnterpriseAppVManagement**

Root node for the EnterpriseAppVManagement configuration service provider.

diff --git a/windows/client-management/mdm/enterpriseassignedaccess-csp.md b/windows/client-management/mdm/enterpriseassignedaccess-csp.md index 45d11904d5..7221f719d1 100644 --- a/windows/client-management/mdm/enterpriseassignedaccess-csp.md +++ b/windows/client-management/mdm/enterpriseassignedaccess-csp.md @@ -22,10 +22,23 @@ The EnterpriseAssignedAccess configuration service provider allows IT administra To use an app to create a lockdown XML see [Use the Lockdown Designer app to create a Lockdown XML file](https://docs.microsoft.com/windows/configuration/mobile-devices/mobile-lockdown-designer). For more information about how to interact with the lockdown XML at runtime, see [**DeviceLockdownProfile class**](https://msdn.microsoft.com/library/windows/hardware/mt186983). -The following diagram shows the EnterpriseAssignedAccess configuration service provider in tree format as used by both the Open Mobile Alliance (OMA) Device Management (DM) and OMA Client Provisioning. - -![enterpriseassignedaccess csp](images/provisioning-csp-enterpriseassignedaccess.png) - +The following shows the EnterpriseAssignedAccess configuration service provider in tree format as used by both the Open Mobile Alliance (OMA) Device Management (DM) and OMA Client Provisioning. +``` +./Vendor/MSFT +EnterpriseAssignedAccess +----AssignedAccess +--------AssignedAccessXml +----LockScreenWallpaper +--------BGFileName +----Theme +--------ThemeBackground +--------ThemeAccentColorID +--------ThemeAccentColorValue +----Clock +--------TimeZone +----Locale +--------Language +``` The following list shows the characteristics and parameters. **./Vendor/MSFT/EnterpriseAssignedAccess/** diff --git a/windows/client-management/mdm/enterprisedataprotection-csp.md b/windows/client-management/mdm/enterprisedataprotection-csp.md index 8cc8149b7f..8e674ed1e6 100644 --- a/windows/client-management/mdm/enterprisedataprotection-csp.md +++ b/windows/client-management/mdm/enterprisedataprotection-csp.md @@ -29,10 +29,22 @@ To learn more about WIP, see the following articles: - [Create a Windows Information Protection (WIP) policy](https://technet.microsoft.com/itpro/windows/keep-secure/overview-create-wip-policy) - [General guidance and best practices for Windows Information Protection (WIP)](https://technet.microsoft.com/itpro/windows/keep-secure/guidance-and-best-practices-wip) -The following diagram shows the EnterpriseDataProtection CSP in tree format. - -![enterprisedataprotection csp diagram](images/provisioning-csp-enterprisedataprotection.png) - +The following shows the EnterpriseDataProtection CSP in tree format. +``` +./Device/Vendor/MSFT +EnterpriseDataProtection +----Settings +--------EDPEnforcementLevel +--------EnterpriseProtectedDomainNames +--------AllowUserDecryption +--------RequireProtectionUnderLockConfig +--------DataRecoveryCertificate +--------RevokeOnUnenroll +--------RMSTemplateIDForEDP +--------AllowAzureRMSForEDP +--------EDPShowIcons +----Status +``` **./Device/Vendor/MSFT/EnterpriseDataProtection** The root node for the CSP. diff --git a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md index f52b397125..6a9673e330 100644 --- a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md +++ b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md @@ -19,10 +19,24 @@ The EnterpriseDesktopAppManagement configuration service provider is used to han Application installations can take some time to complete, hence they are done asynchronously. When the Exec command is completed, the client can send a generic alert to the management server with a status, whether it's a failure or success. For a SyncML example, see [Alert example](#alert-example). -The following diagram shows the EnterpriseDesktopAppManagement CSP in tree format. - -![enterprisedesktopappmanagement csp](images/provisioning-csp-enterprisedesktopappmanagement.png) - +The following shows the EnterpriseDesktopAppManagement CSP in tree format. +``` +./Device/Vendor/MSFT +EnterpriseDesktopAppManagement +----MSI +--------ProductID +------------Version +------------Name +------------Publisher +------------InstallPath +------------InstallDate +------------DownloadInstall +------------Status +------------LastError +------------LastErrorDesc +--------UpgradeCode +------------Guid +``` **./Device/Vendor/MSFT/EnterpriseDesktopAppManagement** The root node for the EnterpriseDesktopAppManagement configuration service provider. diff --git a/windows/client-management/mdm/enterpriseext-csp.md b/windows/client-management/mdm/enterpriseext-csp.md index 24cadf3270..1cf7829f88 100644 --- a/windows/client-management/mdm/enterpriseext-csp.md +++ b/windows/client-management/mdm/enterpriseext-csp.md @@ -21,10 +21,23 @@ The EnterpriseExt configuration service provider allows OEMs to set their own un   -The following diagram shows the EnterpriseExt configuration service provider in tree format as used by both the Open Mobile Alliance (OMA) Device Management (DM) and OMA Client Provisioning. - -![enterpriseext csp](images/provisioning-csp-enterpriseext.png) - +The following shows the EnterpriseExt configuration service provider in tree format as used by both the Open Mobile Alliance (OMA) Device Management (DM) and OMA Client Provisioning. +``` +./Vendor/MSFT +EnterpriseExt +----DeviceCustomData +--------CustomID +--------CustomString +----Brightness +--------Default +--------MaxAuto +----LedAlertNotification +--------State +--------Intensity +--------Period +--------DutyCycle +--------Cyclecount +``` The following list shows the characteristics and parameters. **./Vendor/MSFT/EnterpriseExt** diff --git a/windows/client-management/mdm/enterpriseextfilessystem-csp.md b/windows/client-management/mdm/enterpriseextfilessystem-csp.md index 8f00e3fe0b..12f02b683f 100644 --- a/windows/client-management/mdm/enterpriseextfilessystem-csp.md +++ b/windows/client-management/mdm/enterpriseextfilessystem-csp.md @@ -23,10 +23,20 @@ The EnterpriseExtFileSystem configuration service provider (CSP) allows IT admin File contents are embedded directly into the syncML message, so there is a limit to the size of the file that can be retrieved from the device. The default limit is 0x100000 (1 MB). You can configure this limit by using the following registry key: **Software\\Microsoft\\Provisioning\\CSPs\\.\\Vendor\\MSFT\\EnterpriseExtFileSystem\\MaxFileReadSize**. -The following diagram shows the EnterpriseExtFileSystem configuration service provider in tree format as used by the Open Mobile Alliance (OMA) Device Management (DM). - -![enterpriseextfilesystem csp](images/provisioning-csp-enterpriseextfilesystem.png) - +The following shows the EnterpriseExtFileSystem configuration service provider in tree format as used by the Open Mobile Alliance (OMA) Device Management (DM). +``` +./Vendor/MSFT +EnterpriseExtFileSystem +----Persistent +--------Files_abc1 +--------Directory_abc2 +----NonPersistent +--------Files_abc3 +--------Directory_abc4 +----OemProfile +--------Directory_abc5 +--------Files_abc6 +``` The following list describes the characteristics and parameters. **./Vendor/MSFT/EnterpriseExtFileSystem** diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md index 77b6e72ff9..ee9026f5a7 100644 --- a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md +++ b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md @@ -19,10 +19,51 @@ The EnterpriseModernAppManagement configuration service provider (CSP) is used f > [!Note] > Windows Holographic only supports per-user configuration of the EnterpriseModernAppManagement CSP. -The following image shows the EnterpriseModernAppManagement configuration service provider in tree format. - -![enterprisemodernappmanagement csp diagram](images/provisioning-csp-enterprisemodernappmanagement.png) - +The following shows the EnterpriseModernAppManagement configuration service provider in tree format. +``` +./Vendor/MSFT +EnterpriseModernAppManagement +----AppManagement +--------EnterpriseID +------------PackageFamilyName +----------------PackageFullName +--------------------Name +--------------------Version +--------------------Publisher +--------------------Architecture +--------------------InstallLocation +--------------------IsFramework +--------------------IsBundle +--------------------InstallDate +--------------------ResourceID +--------------------PackageStatus +--------------------RequiresReinstall +--------------------Users +--------------------IsProvisioned +----------------DoNotUpdate +----------------AppSettingPolicy +--------------------SettingValue +--------UpdateScan +--------LastScanError +--------AppInventoryResults +--------AppInventoryQuery +----AppInstallation +--------PackageFamilyName +------------StoreInstall +------------HostedInstall +------------LastError +------------LastErrorDesc +------------Status +------------ProgressStatus +----AppLicenses +--------StoreLicenses +------------LicenseID +----------------LicenseCategory +----------------LicenseUsage +----------------RequesterID +----------------AddLicense +----------------GetLicenseFromStore +``` **Device or User context** For user context, use **./User/Vendor/MSFT** path and for device context, use **./Device/Vendor/MSFT** path. diff --git a/windows/client-management/mdm/euiccs-csp.md b/windows/client-management/mdm/euiccs-csp.md index 1f42e3e43d..9ce12f6be8 100644 --- a/windows/client-management/mdm/euiccs-csp.md +++ b/windows/client-management/mdm/euiccs-csp.md @@ -16,10 +16,30 @@ manager: dansimp The eUICCs configuration service provider is used to support eUICC enterprise use cases and enables the IT admin to manage (assign, re-assign, remove) subscriptions to employees. This CSP was added in windows 10, version 1709. -The following diagram shows the eUICCs configuration service provider in tree format. - -![euiccs csp](images/provisioning-csp-euiccs.png) - +The following shows the eUICCs configuration service provider in tree format. +``` +./Device/Vendor/MSFT +eUICCs +----eUICC +--------Identifier +--------IsActive +--------PPR1Allowed +--------PPR1AlreadySet +--------Profiles +------------ICCID +----------------ServerName +----------------MatchingID +----------------State +----------------IsEnabled +----------------PPR1Set +----------------PPR2Set +----------------ErrorDetail +--------Policies +------------LocalUIEnabled +--------Actions +------------ResetToFactoryState +------------Status +``` **./Vendor/MSFT/eUICCs** Root node. diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md index bf8a5ea5ad..0e039ef35a 100644 --- a/windows/client-management/mdm/firewall-csp.md +++ b/windows/client-management/mdm/firewall-csp.md @@ -20,10 +20,88 @@ Firewall rules in the FirewallRules section must be wrapped in an Atomic block i For detailed information on some of the fields below see [[MS-FASP]: Firewall and Advanced Security Protocol documentation](https://msdn.microsoft.com/library/mt620101.aspx). -The following diagram shows the Firewall configuration service provider in tree format. - -![firewall csp](images/provisioning-csp-firewall.png) - +The following shows the Firewall configuration service provider in tree format. +``` +./Vendor/MSFT +Firewall +---- +--------Global +------------PolicyVersionSupported +------------CurrentProfiles +------------DisableStatefulFtp +------------SaIdleTime +------------PresharedKeyEncoding +------------IPsecExempt +------------CRLcheck +------------PolicyVersion +------------BinaryVersionSupported +------------OpportunisticallyMatchAuthSetPerKM +------------EnablePacketQueue +--------DomainProfile +------------EnableFirewall +------------DisableStealthMode +------------Shielded +------------DisableUnicastResponsesToMulticastBroadcast +------------DisableInboundNotifications +------------AuthAppsAllowUserPrefMerge +------------GlobalPortsAllowUserPrefMerge +------------AllowLocalPolicyMerge +------------AllowLocalIpsecPolicyMerge +------------DefaultOutboundAction +------------DefaultInboundAction +------------DisableStealthModeIpsecSecuredPacketExemption +--------PrivateProfile +------------EnableFirewall +------------DisableStealthMode +------------Shielded +------------DisableUnicastResponsesToMulticastBroadcast +------------DisableInboundNotifications +------------AuthAppsAllowUserPrefMerge +------------GlobalPortsAllowUserPrefMerge +------------AllowLocalPolicyMerge +------------AllowLocalIpsecPolicyMerge +------------DefaultOutboundAction +------------DefaultInboundAction +------------DisableStealthModeIpsecSecuredPacketExemption +--------PublicProfile +------------EnableFirewall +------------DisableStealthMode +------------Shielded +------------DisableUnicastResponsesToMulticastBroadcast +------------DisableInboundNotifications +------------AuthAppsAllowUserPrefMerge +------------GlobalPortsAllowUserPrefMerge +------------AllowLocalPolicyMerge +------------AllowLocalIpsecPolicyMerge +------------DefaultOutboundAction +------------DefaultInboundAction +------------DisableStealthModeIpsecSecuredPacketExemption +--------FirewallRules +------------FirewallRuleName +----------------App +--------------------PackageFamilyName +--------------------FilePath +--------------------Fqbn +--------------------ServiceName +----------------Protocol +----------------LocalPortRanges +----------------RemotePortRanges +----------------LocalAddressRanges +----------------RemoteAddressRanges +----------------Description +----------------Enabled +----------------Profiles +----------------Action +--------------------Type +----------------Direction +----------------InterfaceTypes +----------------EdgeTraversal +----------------LocalUserAuthorizationList +----------------FriendlyName +----------------IcmpTypesAndCodes +----------------Status +----------------Name +``` **./Vendor/MSFT/Firewall**

Root node for the Firewall configuration service provider.

diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md index f128954ea6..3463de078b 100644 --- a/windows/client-management/mdm/healthattestation-csp.md +++ b/windows/client-management/mdm/healthattestation-csp.md @@ -37,7 +37,7 @@ The following is a list of functions performed by the Device HealthAttestation C **DHA-Session (Device HealthAttestation session)**

The Device HealthAttestation session (DHA-Session) describes the end-to-end communication flow that is performed in one device health attestation session.

-

The following list of transactions are performed in one DHA-Session:

+

The following list of transactions is performed in one DHA-Session: