diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 920d7a356c..d9d9223bc1 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -16546,9 +16546,10 @@ "redirect_document_id": true }, { - "source_path": "windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md", - "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr", + "source_path": "windows/client-management/mdm/policies-in-policy-csp-supported-by-iot-enterprise.md", + "redirect_url": "https://docs.microsoft.com/windows/client-management/mdm/configuration-service-provider-reference", "redirect_document_id": false - } - ] + }, + + ] } diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md index b0304c8c7e..47233d4219 100644 --- a/windows/client-management/mdm/TOC.md +++ b/windows/client-management/mdm/TOC.md @@ -159,16 +159,15 @@ ### [Personalization CSP](personalization-csp.md) #### [Personalization DDF file](personalization-ddf.md) ### [Policy CSP](policy-configuration-service-provider.md) -#### [Policy CSP DDF file](policy-ddf-file.md) -#### [Policies in Policy CSP supported by Group Policy](policies-in-policy-csp-supported-by-group-policy.md) -#### [ADMX-backed policies in Policy CSP](policies-in-policy-csp-admx-backed.md) -#### [Policies in Policy CSP supported by HoloLens 2](policies-in-policy-csp-supported-by-hololens2.md) -#### [Policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite](policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md) -#### [Policies in Policy CSP supported by HoloLens (1st gen) Development Edition](policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md) -#### [Policies in Policy CSP supported by Windows 10 IoT Enterprise](policies-in-policy-csp-supported-by-iot-enterprise.md) -#### [Policies in Policy CSP supported by Windows 10 IoT Core](policies-in-policy-csp-supported-by-iot-core.md) -#### [Policies in Policy CSP supported by Microsoft Surface Hub](policies-in-policy-csp-supported-by-surface-hub.md) -#### [Policy CSPs that can be set using Exchange Active Sync (EAS)](policies-in-policy-csp-that-can-be-set-using-eas.md) +#### [Policy DDF file](policy-ddf-file.md) +#### [Policies in Policy CSP supported by Group Policy](policy-csps-supported-by-group-policy.md) +#### [ADMX-backed policies in Policy CSP](policy-csps-admx-backed.md) +#### [Policies in Policy CSP supported by HoloLens 2](policy-csps-supported-by-hololens2.md) +#### [Policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite](policy-csps-supported-by-hololens-1st-gen-commercial-suite.md) +#### [Policies in Policy CSP supported by HoloLens (1st gen) Development Edition](policy-csps-supported-by-hololens-1st-gen-development-edition.md) +#### [Policies in Policy CSP supported by Windows 10 IoT Core](policy-csps-supported-by-iot-core.md) +#### [Policies in Policy CSP supported by Microsoft Surface Hub](policy-csps-supported-by-surface-hub.md) +#### [Policy CSPs that can be set using Exchange Active Sync (EAS)](policy-csps-that-can-be-set-using-eas.md) #### [AboveLock](policy-csp-abovelock.md) #### [Accounts](policy-csp-accounts.md) #### [ActiveXControls](policy-csp-activexcontrols.md) diff --git a/windows/client-management/mdm/accounts-csp.md b/windows/client-management/mdm/accounts-csp.md index 455f749b5b..498abd7018 100644 --- a/windows/client-management/mdm/accounts-csp.md +++ b/windows/client-management/mdm/accounts-csp.md @@ -11,15 +11,24 @@ ms.reviewer: manager: dansimp --- -# Accounts CSP +# Accounts Configuration Service Provider The Accounts configuration service provider (CSP) is used by the enterprise (1) to rename a device, (2) to create a new local Windows account and join it to a local user group. This CSP was added in Windows 10, version 1803. -The following diagram shows the Accounts configuration service provider in tree format. +The following shows the Accounts configuration service provider in tree format. -![Accounts CSP diagram](images/provisioning-csp-accounts.png) +``` +./Device/Vendor/MSFT +Accounts +----Domain +--------ComputerName +----Users +--------UserName +------------Password +------------LocalUserGroup +``` **./Device/Vendor/MSFT/Accounts** Root node. diff --git a/windows/client-management/mdm/activesync-csp.md b/windows/client-management/mdm/activesync-csp.md index 37f6157570..2021cdcfce 100644 --- a/windows/client-management/mdm/activesync-csp.md +++ b/windows/client-management/mdm/activesync-csp.md @@ -28,9 +28,39 @@ The ./Vendor/MSFT/ActiveSync path is deprecated, but will continue to work in th -The following diagram shows the ActiveSync configuration service provider management objects in tree format as used by Open Mobile Alliance Device Management (OMA DM), OMA Client Provisioning, and Enterprise DM. +The following shows the ActiveSync configuration service provider management objects in tree format as used by Open Mobile Alliance Device Management (OMA DM), OMA Client Provisioning, and Enterprise DM. -![activesync csp (cp)](images/provisioning-csp-activesync-cp.png) +``` +./Vendor/MSFT +ActiveSync +----Accounts +--------Account GUID +------------EmailAddress +------------Domain +------------AccountIcon +------------AccountType +------------AccountName +------------Password +------------ServerName +------------UserName +------------Options +----------------CalendarAgeFilter +----------------Logging +----------------MailBodyType +----------------MailHTMLTruncation +----------------MailPlainTextTruncation +----------------Schedule +----------------UseSSL +----------------MailAgeFilter +----------------ContentTypes +--------------------Content Type GUID +------------------------Enabled +------------------------Name +------------Policies +----------------MailBodyType +----------------MaxMailAgeFilter + +``` **./User/Vendor/MSFT/ActiveSync** The root node for the ActiveSync configuration service provider. diff --git a/windows/client-management/mdm/alljoynmanagement-csp.md b/windows/client-management/mdm/alljoynmanagement-csp.md index e4d45bd4fd..0ecc06657f 100644 --- a/windows/client-management/mdm/alljoynmanagement-csp.md +++ b/windows/client-management/mdm/alljoynmanagement-csp.md @@ -26,9 +26,37 @@ This CSP was added in Windows 10, version 1511. For the firewall settings, note that PublicProfile and PrivateProfile are mutually exclusive. The Private Profile must be set on the directly on the device itself, and the only supported operation is Get. For PublicProfile, both Add and Get are supported. This CSP is intended to be used in conjunction with the AllJoyn Device System Bridge, and an understanding of the bridge will help when determining when and how to use this CSP. For more information, see [Device System Bridge (DSB) Project](https://go.microsoft.com/fwlink/p/?LinkId=615876) and [AllJoyn Device System Bridge](https://go.microsoft.com/fwlink/p/?LinkId=615877). -The following diagram shows the AllJoynManagement configuration service provider in tree format +The following shows the AllJoynManagement configuration service provider in tree format -![alljoynmanagement csp diagram](images/provisioning-csp-alljoynmanagement.png) +``` +./Vendor/MSFT +AllJoynManagement +----Configurations +--------ServiceID +------------Port +----------------PortNum +--------------------ConfigurableObjects +------------------------CfgObjectPath +----Credentials +--------ServiceID +------------Key +----Firewall +--------PublicProfile +--------PrivateProfile +----Services +--------ServiceID +------------AppId +------------DeviceId +------------AppName +------------Manufacturer +------------ModelNumber +------------Description +------------SoftwareVersion +------------AJSoftwareVersion +------------HardwareVersion +----Options +--------QueryIdleTime +``` The following list describes the characteristics and parameters. diff --git a/windows/client-management/mdm/applicationcontrol-csp.md b/windows/client-management/mdm/applicationcontrol-csp.md index 2c64c89cd9..5e15f4ebcb 100644 --- a/windows/client-management/mdm/applicationcontrol-csp.md +++ b/windows/client-management/mdm/applicationcontrol-csp.md @@ -1,6 +1,6 @@ --- title: ApplicationControl CSP -description: The ApplicationControl CSP allows you to manage multiple Windows Defender Application Control (WDAC) policies from a MDM server. +description: The ApplicationControl CSP allows you to manage multiple Windows Defender Application Control (WDAC) policies from an MDM server. keywords: security, malware ms.author: dansimp ms.topic: article @@ -16,10 +16,33 @@ ms.date: 09/10/2020 Windows Defender Application Control (WDAC) policies can be managed from an MDM server or locally using PowerShell via the WMI Bridge through the ApplicationControl configuration service provider (CSP). The ApplicationControl CSP was added in Windows 10, version 1903. This CSP provides expanded diagnostic capabilities and support for [multiple policies](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) (introduced in Windows 10, version 1903). It also provides support for rebootless policy deployment (introduced in Windows 10, version 1709). Unlike the [AppLocker CSP](applocker-csp.md), the ApplicationControl CSP correctly detects the presence of no-reboot option and consequently does not schedule a reboot. Existing WDAC policies deployed using the AppLocker CSP's CodeIntegrity node can now be deployed using the ApplicationControl CSP URI. Although WDAC policy deployment via the AppLocker CSP will continue to be supported, all new feature work will be done in the ApplicationControl CSP only. -The following diagram shows the ApplicationControl CSP in tree format. - -![tree diagram for applicationcontrol csp](images/provisioning-csp-applicationcontrol.png) +The following shows the ApplicationControl CSP in tree format. +``` +./Vendor/MSFT +ApplicationControl +----Policies +--------Policy GUID +------------Policy +------------PolicyInfo +----------------Version +----------------IsEffective +----------------IsDeployed +----------------IsAuthorized +----------------Status +----------------FriendlyName +------------Token +----------------TokenID +----Tokens +--------ID +------------Token +------------TokenInfo +----------------Status +------------PolicyIDs +----------------Policy GUID +----TenantID +----DeviceID +``` **./Vendor/MSFT/ApplicationControl** Defines the root node for the ApplicationControl CSP. @@ -125,7 +148,7 @@ In order to leverage the ApplicationControl CSP without using Intune, you must: 1. Know a generated policy's GUID, which can be found in the policy xml as `` or `` for pre-1903 systems. 2. Convert the policies to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned. -3. Create a policy node (a Base64-encoded blob of the binary policy representation) using the certutil -encode command line tool. +3. Create a policy node (a Base64-encoded blob of the binary policy representation) using the certutil -encode command-line tool. Below is a sample certutil invocation: @@ -141,7 +164,7 @@ An alternative to using certutil would be to use the following PowerShell invoca ### Deploy Policies -To deploy a new base policy using the CSP, perform an ADD on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy** using the Base64-encoded policy node as {Data}. Refer to the the Format section in the Example 1 below. +To deploy a new base policy using the CSP, perform an ADD on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy** using the Base64-encoded policy node as {Data}. Refer to the Format section in the Example 1 below. To deploy base policy and supplemental policies: diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md index 362aae37c3..b1dafaaabd 100644 --- a/windows/client-management/mdm/applocker-csp.md +++ b/windows/client-management/mdm/applocker-csp.md @@ -17,10 +17,54 @@ ms.date: 11/19/2019 The AppLocker configuration service provider is used to specify which applications are allowed or disallowed. There is no user interface shown for apps that are blocked. -The following diagram shows the AppLocker configuration service provider in tree format. - -![applocker csp](images/provisioning-csp-applocker.png) - +The following shows the AppLocker configuration service provider in tree format. +``` +./Vendor/MSFT +AppLocker +----ApplicationLaunchRestrictions +--------Grouping +------------EXE +----------------Policy +----------------EnforcementMode +----------------NonInteractiveProcessEnforcement +------------MSI +----------------Policy +----------------EnforcementMode +------------Script +----------------Policy +----------------EnforcementMode +------------StoreApps +----------------Policy +----------------EnforcementMode +------------DLL +----------------Policy +----------------EnforcementMode +----------------NonInteractiveProcessEnforcement +------------CodeIntegrity +----------------Policy +----EnterpriseDataProtection +--------Grouping +------------EXE +----------------Policy +------------StoreApps +----------------Policy +----LaunchControl +--------Grouping +------------EXE +----------------Policy +----------------EnforcementMode +------------StoreApps +----------------Policy +----------------EnforcementMode +----FamilySafety +--------Grouping +------------EXE +----------------Policy +----------------EnforcementMode +------------StoreApps +----------------Policy +----------------EnforcementMode +``` **./Vendor/MSFT/AppLocker** Defines the root node for the AppLocker configuration service provider. diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md index 3a48ac399e..d668351c0c 100644 --- a/windows/client-management/mdm/assignedaccess-csp.md +++ b/windows/client-management/mdm/assignedaccess-csp.md @@ -29,10 +29,17 @@ For a step-by-step guide for setting up devices to run in kiosk mode, see [Set u > [!Note] > The AssignedAccess CSP is supported in Windows 10 Enterprise and Windows 10 Education. Starting from Windows 10, version 1709 it is also supported in Windows 10 Pro and Windows 10 S. Starting in Windows 10, version 1803, it is also supported in Windows Holographic for Business edition. -The following diagram shows the AssignedAccess configuration service provider in tree format - -![assignedaccess csp diagram](images/provisioning-csp-assignedaccess.png) +The following shows the AssignedAccess configuration service provider in tree format +``` +./Vendor/MSFT +AssignedAccess +----KioskModeApp +----Configuration (Added in Windows 10, version 1709) +----Status (Added in Windows 10, version 1803) +----ShellLauncher (Added in Windows 10, version 1803) +----StatusConfiguration (Added in Windows 10, version 1803) +``` **./Device/Vendor/MSFT/AssignedAccess** Root node for the CSP. diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index 03a48da95f..3dc150f3d9 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -24,11 +24,29 @@ the setting configured by the admin. For RequireDeviceEncryption and RequireStorageCardEncryption, the Get operation returns the actual status of enforcement to the admin, such as if Trusted Platform Module (TPM) protection is required and if encryption is required. And if the device has BitLocker enabled but with password protector, the status reported is 0. A Get operation on RequireDeviceEncryption does not verify that the a minimum PIN length is enforced (SystemDrivesMinimumPINLength). -The following diagram shows the BitLocker configuration service provider in tree format. - -![BitLocker csp](images/provisioning-csp-bitlocker.png) - - +The following shows the BitLocker configuration service provider in tree format. +``` +./Device/Vendor/MSFT +BitLocker +----RequireStorageCardEncryption +----RequireDeviceEncryption +----EncryptionMethodByDriveType +----SystemDrivesRequireStartupAuthentication +----SystemDrivesMinimumPINLength +----SystemDrivesRecoveryMessage +----SystemDrivesRecoveryOptions +----FixedDrivesRecoveryOptions +----FixedDrivesRequireEncryption +----RemovableDrivesRequireEncryption +----AllowWarningForOtherDiskEncryption +----AllowStandardUserEncryption +----ConfigureRecoveryPasswordRotation +----RotateRecoveryPasswords +----Status +--------DeviceEncryptionStatus +--------RotateRecoveryPasswordsStatus +--------RotateRecoveryPasswordsRequestID +``` **./Device/Vendor/MSFT/BitLocker** Defines the root node for the BitLocker configuration service provider. diff --git a/windows/client-management/mdm/certificatestore-csp.md b/windows/client-management/mdm/certificatestore-csp.md index f709de39d0..35dea13837 100644 --- a/windows/client-management/mdm/certificatestore-csp.md +++ b/windows/client-management/mdm/certificatestore-csp.md @@ -25,10 +25,87 @@ The CertificateStore configuration service provider is used to add secure socket For the CertificateStore CSP, you cannot use the Replace command unless the node already exists. -The following diagram shows the CertificateStore configuration service provider management object in tree format as used by both Open Mobile Alliance Device Management (OMA DM) and OMA Client Provisioning. - -![provisioning\-csp\-certificatestore](images/provisioning-csp-certificatestore.png) +The following shows the CertificateStore configuration service provider management object in tree format as used by both Open Mobile Alliance Device Management (OMA DM) and OMA Client Provisioning. +``` +./Vendor/MSFT +CertificateStore +----ROOT +--------* +------------EncodedCertificate +------------IssuedBy +------------IssuedTo +------------ValidFrom +------------ValidTo +------------TemplateName +--------System +------------* +----------------EncodedCertificate +----------------IssuedBy +----------------IssuedTo +----------------ValidFrom +----------------ValidTo +----------------TemplateName +----MY +--------User +------------* +----------------EncodedCertificate +----------------IssuedBy +----------------IssuedTo +----------------ValidFrom +----------------ValidTo +----------------TemplateName +--------SCEP +------------* +----------------Install +--------------------ServerURL +--------------------Challenge +--------------------EKUMapping +--------------------KeyUsage +--------------------SubjectName +--------------------KeyProtection +--------------------RetryDelay +--------------------RetryCount +--------------------TemplateName +--------------------KeyLength +--------------------HashAlgrithm +--------------------CAThumbPrint +--------------------SubjectAlternativeNames +--------------------ValidPeriod +--------------------ValidPeriodUnit +--------------------Enroll +----------------CertThumbPrint +----------------Status +----------------ErrorCode +--------WSTEP +------------CertThumprint +------------Renew +----------------RenewPeriod +----------------ServerURL +----------------RetryInterval +----------------ROBOSupport +----------------Status +----------------ErrorCode +----------------LastRenewalAttemptTime (Added in Windows 10, version 1607) +----------------RenewNow (Added in Windows 10, version 1607) +----------------RetryAfterExpiryInterval (Added in Windows 10, version 1703) +----CA +--------* +------------EncodedCertificate +------------IssuedBy +------------IssuedTo +------------ValidFrom +------------ValidTo +------------TemplateName +--------System +------------* +----------------EncodedCertificate +----------------IssuedBy +----------------IssuedTo +----------------ValidFrom +----------------ValidTo +----------------TemplateName +``` **Root/System** Defines the certificate store that contains root, or self-signed, certificates. diff --git a/windows/client-management/mdm/cleanpc-csp.md b/windows/client-management/mdm/cleanpc-csp.md index c70da05dae..a4433c6dcf 100644 --- a/windows/client-management/mdm/cleanpc-csp.md +++ b/windows/client-management/mdm/cleanpc-csp.md @@ -15,10 +15,13 @@ manager: dansimp The CleanPC configuration service provider (CSP) allows removal of user-installed and pre-installed applications, with the option to persist user data. This CSP was added in Windows 10, version 1703. -The following diagram shows the CleanPC configuration service provider in tree format. - -![CleanPC csp diagram](images/provisioning-csp-cleanpc.png) - +The following shows the CleanPC configuration service provider in tree format. +``` +./Device/Vendor/MSFT +CleanPC +----CleanPCWithoutRetainingUserData +----CleanPCRetainingUserData +``` **./Device/Vendor/MSFT/CleanPC**

The root node for the CleanPC configuration service provider.

diff --git a/windows/client-management/mdm/clientcertificateinstall-csp.md b/windows/client-management/mdm/clientcertificateinstall-csp.md index 0337dad577..577ec89810 100644 --- a/windows/client-management/mdm/clientcertificateinstall-csp.md +++ b/windows/client-management/mdm/clientcertificateinstall-csp.md @@ -23,10 +23,48 @@ For PFX certificate installation and SCEP installation, the SyncML commands must You can only set PFXKeyExportable to true if KeyLocation=3. For any other KeyLocation value, the CSP will fail. -The following image shows the ClientCertificateInstall configuration service provider in tree format. - -![clientcertificateinstall csp](images/provisioning-csp-clientcertificateinstall.png) - +The following shows the ClientCertificateInstall configuration service provider in tree format. +``` +./Vendor/MSFT +ClientCertificateInstall +----PFXCertInstall +--------UniqueID +------------KeyLocation +------------ContainerName +------------PFXCertBlob +------------PFXCertPassword +------------PFXCertPasswordEncryptionType +------------PFXKeyExportable +------------Thumbprint +------------Status +------------PFXCertPasswordEncryptionStore (Added in Windows 10, version 1511) +----SCEP +--------UniqueID +------------Install +----------------ServerURL +----------------Challenge +----------------EKUMapping +----------------KeyUsage +----------------SubjectName +----------------KeyProtection +----------------RetryDelay +----------------RetryCount +----------------TemplateName +----------------KeyLength +----------------HashAlgorithm +----------------CAThumbprint +----------------SubjectAlternativeNames +----------------ValidPeriod +----------------ValidPeriodUnits +----------------ContainerName +----------------CustomTextToShowInPrompt +----------------Enroll +----------------AADKeyIdentifierList (Added in Windows 10, version 1703) +------------CertThumbprint +------------Status +------------ErrorCode +------------RespondentServerUrl +``` **Device or User** For device certificates, use ./Device/Vendor/MSFT path and for user certificates use ./User/Vendor/MSFT path. diff --git a/windows/client-management/mdm/cm-proxyentries-csp.md b/windows/client-management/mdm/cm-proxyentries-csp.md index 816b5c188b..0ebc77be54 100644 --- a/windows/client-management/mdm/cm-proxyentries-csp.md +++ b/windows/client-management/mdm/cm-proxyentries-csp.md @@ -25,10 +25,41 @@ The CM\_ProxyEntries configuration service provider is used to configure proxy c -The following diagram shows the CM\_ProxyEntries configuration service provider management object in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP) and OMA Device Management(OMA DM). Support for OMA DM was added in Windows 10, version 1607. +The following shows the CM\_ProxyEntries configuration service provider management object in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP) and OMA Device Management(OMA DM). Support for OMA DM was added in Windows 10, version 1607. -![cm\-proxyentries csp (cp)](images/provisioning-csp-cm-proxyentries-cp.png) +``` +./Vendor/MSFT +CM_ProxyEntries +----Entry +--------ConnectionName +--------BypassLocal +--------Enable +--------Exception +--------Password +--------Port +--------Server +--------Type +--------Username + +./Device/Vendor/MSFT +Root + + +./Vendor/MSFT +./Device/Vendor/MSFT +CM_ProxyEntries +----Entry +--------ConnectionName +--------BypassLocal +--------Enable +--------Exception +--------Password +--------Port +--------Server +--------Type +--------Username +``` **entryname** Defines the name of the connection proxy. diff --git a/windows/client-management/mdm/cmpolicy-csp.md b/windows/client-management/mdm/cmpolicy-csp.md index 67872d03da..d1ffec49d7 100644 --- a/windows/client-management/mdm/cmpolicy-csp.md +++ b/windows/client-management/mdm/cmpolicy-csp.md @@ -28,10 +28,21 @@ Each policy entry identifies one or more applications in combination with a host **Default Policies**: Policies are applied in order of their scope with the most specific policies considered before the more general policies. The phone’s default behavior applies to all applications and all domains and is only used when no other, more specific policy is available. The default policy is to use any available Wi-Fi network first and then any available APN. -The following diagram shows the CMPolicy configuration service provider management object in tree format as used by both Open Mobile Alliance (OMA) Client Provisioning and OMA Device Management. - -![cmpolicy csp (dm,cp)](images/provisioning-csp-cmpolicy.png) +The following shows the CMPolicy configuration service provider management object in tree format as used by both Open Mobile Alliance (OMA) Client Provisioning and OMA Device Management. +``` +./Vendor/MSFT +CMPolicy +----PolicyName +--------SID +--------ClientType +--------Host +--------OrderedConnections +--------Connections +------------ConnXXX +----------------ConnectionID +----------------Type +``` ***policyName*** Defines the name of the policy. @@ -64,7 +75,7 @@ Specifies whether the list of connections is in preference order. A value of "0" specifies that the connections are not listed in order of preference. A value of "1" indicates that the listed connections are in order of preference. **Conn***XXX* -Enumerates the connections associated with the policy. Element names begin with "Conn" followed by three digits which increment starting from "000". For example, a policy which applied to five connections would have element entries named "Conn000", "Conn001", "Conn002", "Conn003", and "Conn004". +Enumerates the connections associated with the policy. Element names begin with "Conn" followed by three digits, which increment starting from "000". For example, a policy, which applied to five connections would have element entries named "Conn000", "Conn001", "Conn002", "Conn003", and "Conn004". **ConnectionID** Specifies a unique identifier for a connection within a group of connections. The exact value is based on the Type parameter. @@ -173,11 +184,11 @@ For `CMST_CONNECTION_NETWORK_TYPE`, specify the GUID for the desired network typ

{7CFA04A5-0F3F-445C-88A4-C86ED2AD94EA}

-

Ethernet 10Mbps

+

Ethernet 10 Mbps

{97D3D1B3-854A-4C32-BD1C-C13069078370}

-

Ethernet 100Mbps

+

Ethernet 100 Mbps

{A8F4FE66-8D04-43F5-9DD2-2A85BD21029B}

@@ -486,14 +497,14 @@ Adding a host-based mapping policy:

Yes

-

nocharacteristic

+

uncharacteristic

Yes

characteristic-query

Yes

Recursive query: Yes

-

Top level query: Yes

+

Top-level query: Yes

diff --git a/windows/client-management/mdm/cmpolicyenterprise-csp.md b/windows/client-management/mdm/cmpolicyenterprise-csp.md index df773dcb43..ebf14d1e7f 100644 --- a/windows/client-management/mdm/cmpolicyenterprise-csp.md +++ b/windows/client-management/mdm/cmpolicyenterprise-csp.md @@ -28,10 +28,20 @@ Each policy entry identifies one or more applications in combination with a host **Default Policies**: Policies are applied in order of their scope with the most specific policies considered before the more general policies. The phone’s default behavior applies to all applications and all domains and is only used when no other, more specific policy is available. The default policy is to use any available Wi-Fi network first and then any available APN. -The following diagram shows the CMPolicyEnterprise configuration service provider management object in tree format as used by both Open Mobile Alliance (OMA) Client Provisioning and OMA Device Management. - -![cmpolicy csp (dm,cp)](images/provisioning-csp-cmpolicyenterprise.png) - +The following shows the CMPolicyEnterprise configuration service provider management object in tree format as used by both Open Mobile Alliance (OMA) Client Provisioning and OMA Device Management. +``` +./Vendor/MSFT +CMPolicy +----PolicyName +--------SID +--------ClientType +--------Host +--------OrderedConnections +--------Connections +------------ConnXXX +----------------ConnectionID +----------------Type +``` ***policyName*** Defines the name of the policy. diff --git a/windows/client-management/mdm/customdeviceui-csp.md b/windows/client-management/mdm/customdeviceui-csp.md index 17b165ed51..c108d8f343 100644 --- a/windows/client-management/mdm/customdeviceui-csp.md +++ b/windows/client-management/mdm/customdeviceui-csp.md @@ -15,12 +15,16 @@ ms.date: 06/26/2017 # CustomDeviceUI CSP The CustomDeviceUI configuration service provider allows OEMs to implement their custom foreground application, as well as the background tasks to run on an IoT device running IoT Core. Only one foreground application is supported per device. Multiple background tasks are supported. -The following diagram shows the CustomDeviceUI configuration service provider in tree format as used by both the Open Mobile Alliance (OMA) Device Management (DM) and OMA Client Provisioning. +The following shows the CustomDeviceUI configuration service provider in tree format as used by both the Open Mobile Alliance (OMA) Device Management (DM) and OMA Client Provisioning. > **Note**  This configuration service provider only applies to Windows 10 IoT Core (IoT Core). - -![customdeviceui csp](images/provisioning-csp-customdeviceui.png) - +``` +./Vendor/MSFT +CustomDeviceUI +----StartupAppID +----BackgroundTasksToLaunch +--------BackgroundTaskPackageName +``` **./Vendor/MSFT/CustomDeviceUI** The root node for the CustomDeviceUI configuration service provider. The supported operation is Get. diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index 040bf33710..8a3242f3d3 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -20,10 +20,49 @@ ms.date: 08/11/2020 The Windows Defender configuration service provider is used to configure various Windows Defender actions across the enterprise. -The following image shows the Windows Defender configuration service provider in tree format. - -![defender csp diagram](images/provisioning-csp-defender.png) - +The following shows the Windows Defender configuration service provider in tree format. +``` +./Vendor/MSFT +Defender +----Detections +--------ThreatId +------------Name +------------URL +------------Severity +------------Category +------------CurrentStatus +------------ExecutionStatus +------------InitialDetectionTime +------------LastThreatStatusChangeTime +------------NumberOfDetections +----Health +--------ProductStatus (Added in Windows 10 version 1809) +--------ComputerState +--------DefenderEnabled +--------RtpEnabled +--------NisEnabled +--------QuickScanOverdue +--------FullScanOverdue +--------SignatureOutOfDate +--------RebootRequired +--------FullScanRequired +--------EngineVersion +--------SignatureVersion +--------DefenderVersion +--------QuickScanTime +--------FullScanTime +--------QuickScanSigVersion +--------FullScanSigVersion +--------TamperProtectionEnabled (Added in Windows 10, version 1903) +--------IsVirtualMachine (Added in Windows 10, version 1903) +----Configuration (Added in Windows 10, version 1903) +--------TamperProetection (Added in Windows 10, version 1903) +--------EnableFileHashcomputation (Added in Windows 10, version 1903) +--------SupportLogLocation (Added in the next major release of Windows 10) +----Scan +----UpdateSignature +----OfflineScan (Added in Windows 10 version 1803) +``` **Detections** An interior node to group all threats detected by Windows Defender. diff --git a/windows/client-management/mdm/devdetail-csp.md b/windows/client-management/mdm/devdetail-csp.md index bd3238fb32..5337bb0cfd 100644 --- a/windows/client-management/mdm/devdetail-csp.md +++ b/windows/client-management/mdm/devdetail-csp.md @@ -21,10 +21,43 @@ The DevDetail configuration service provider handles the management object which For the DevDetail CSP, you cannot use the Replace command unless the node already exists. -The following diagram shows the DevDetail configuration service provider management object in tree format as used by OMA Device Management. The OMA Client Provisioning protocol is not supported for this configuration service provider. - -![devdetail csp (dm)](images/provisioning-csp-devdetail-dm.png) - +The following shows the DevDetail configuration service provider management object in tree format as used by OMA Device Management. The OMA Client Provisioning protocol is not supported for this configuration service provider. +``` +. +DevDetail +----URI +--------MaxDepth +--------MaxTotLen +--------MaxSegLen +----DevTyp +----OEM +----FwV +----SwV +----HwV +----LrgObj +----Ext +--------Microsoft +------------MobileID +------------RadioSwV +------------Resolution +------------CommercializationOperator +------------ProcessorArchitecture +------------ProcessorType +------------OSPlatform +------------LocalTime +------------DeviceName +------------DNSComputerName (Added in Windows 10, version 2004) +------------TotalStorage +------------TotalRAM +------------SMBIOSSerialNumber (Added in Windows 10, version 1809) +--------WLANMACAddress +--------VoLTEServiceSetting +--------WlanIPv4Address +--------WlanIPv6Address +--------WlanDnsSuffix +--------WlanSubnetMask +--------DeviceHardwareData (Added in Windows 10, version 1703) +``` **DevTyp** Required. Returns the device model name /SystemProductName as a string. diff --git a/windows/client-management/mdm/developersetup-csp.md b/windows/client-management/mdm/developersetup-csp.md index 40e1d4d82e..382d2d379a 100644 --- a/windows/client-management/mdm/developersetup-csp.md +++ b/windows/client-management/mdm/developersetup-csp.md @@ -19,10 +19,21 @@ The DeveloperSetup configuration service provider (CSP) is used to configure Dev > [!NOTE] > The DeveloperSetup configuration service provider (CSP) is only supported in Windows 10 Holographic Enterprise edition and with runtime provisioning via provisioning packages. It is not supported in MDM. -The following diagram shows the DeveloperSetup configuration service provider in tree format. - -![developersetup csp diagram](images/provisioning-csp-developersetup.png) - +The following shows the DeveloperSetup configuration service provider in tree format. +``` +./Device/Vendor/MSFT +DeveloperSetup +----EnableDeveloperMode +----DevicePortal +--------Authentication +------------Mode +------------BasicAuth +----------------Username +----------------Password +--------Connection +------------HttpPort +------------HttpsPort +``` **DeveloperSetup**

The root node for the DeveloperSetup configuration service provider. diff --git a/windows/client-management/mdm/devicemanageability-csp.md b/windows/client-management/mdm/devicemanageability-csp.md index 3bf0368ffd..99d2930eff 100644 --- a/windows/client-management/mdm/devicemanageability-csp.md +++ b/windows/client-management/mdm/devicemanageability-csp.md @@ -1,6 +1,6 @@ --- title: DeviceManageability CSP -description: The DeviceManageability configuration service provider (CSP) is used retrieve general information about MDM configuration capabilities on the device. +description: The DeviceManageability configuration service provider (CSP) is used to retrieve general information about MDM configuration capabilities on the device. ms.assetid: FE563221-D5B5-4EFD-9B60-44FE4066B0D2 ms.reviewer: manager: dansimp @@ -15,14 +15,21 @@ ms.date: 11/01/2017 # DeviceManageability CSP -The DeviceManageability configuration service provider (CSP) is used retrieve the general information about MDM configuration capabilities on the device. This CSP was added in Windows 10, version 1607. +The DeviceManageability configuration service provider (CSP) is used to retrieve the general information about MDM configuration capabilities on the device. This CSP was added in Windows 10, version 1607. -For performance reasons DeviceManageability CSP directly reads the CSP version from the registry. Specifically, the value csp\_version is used to determine each of the CSP versions. The csp\_version is a value under each of the CSP registration keys. To have consistency on the CSP version, the CSP GetProperty implementation for CFGMGR\_PROPERTY\_SEMANTICTYPE has to be updated to read from the registry as well, so that the both paths return the same information. - -The following diagram shows the DeviceManageability configuration service provider in a tree format. - -![devicemanageability csp diagram](images/provisioning-csp-devicemanageability.png) +For performance reasons, DeviceManageability CSP directly reads the CSP version from the registry. Specifically, the value csp\_version is used to determine each of the CSP versions. The csp\_version is a value under each of the CSP registration keys. To have consistency on the CSP version, the CSP GetProperty implementation for CFGMGR\_PROPERTY\_SEMANTICTYPE has to be updated to read from the registry as well, so that the both paths return the same information. +The following shows the DeviceManageability configuration service provider in a tree format. +``` +./Device/Vendor/MSFT +DeviceManageability +----Capabilities +--------CSPVersions +----Provider (Added in Windows 10, version 1709) +--------ProviderID (Added in Windows 10, version 1709) +------------ConfigInfo (Added in Windows 10, version 1709) +------------EnrollmentInfo (Added in Windows 10, version 1709) +``` **./Device/Vendor/MSFT/DeviceManageability** Root node to group information about runtime MDM configuration capability on the target device. diff --git a/windows/client-management/mdm/devicestatus-csp.md b/windows/client-management/mdm/devicestatus-csp.md index 6ab35ba018..826af867cb 100644 --- a/windows/client-management/mdm/devicestatus-csp.md +++ b/windows/client-management/mdm/devicestatus-csp.md @@ -17,10 +17,52 @@ ms.date: 04/30/2019 The DeviceStatus configuration service provider is used by the enterprise to keep track of device inventory and query the state of compliance of these devices with their enterprise policies. -The following image shows the DeviceStatus configuration service provider in tree format. - -![devicestatus csp](images/provisioning-csp-devicestatus.png) - +The following shows the DeviceStatus configuration service provider in tree format. +``` +./Vendor/MSFT +DeviceStatus +----SecureBootState +----CellularIdentities +--------IMEI +------------IMSI +------------ICCID +------------PhoneNumber +------------CommercializationOperator +------------RoamingStatus +------------RoamingCompliance +----NetworkIdentifiers +--------MacAddress +------------IPAddressV4 +------------IPAddressV6 +------------IsConnected +------------Type +----Compliance +--------EncryptionCompliance +----TPM +--------SpecificationVersion +----OS +--------Edition +--------Mode +----Antivirus +--------SignatureStatus +--------Status +----Antispyware +--------SignatureStatus +--------Status +----Firewall +--------Status +----UAC +--------Status +----Battery +--------Status +--------EstimatedChargeRemaining +--------EstimatedRuntime +----DomainName +----DeviceGuard +--------VirtualizationBasedSecurityHwReq +--------VirtualizationBasedSecurityStatus +--------LsaCfgCredGuardStatus +``` **DeviceStatus** The root node for the DeviceStatus configuration service provider. diff --git a/windows/client-management/mdm/devinfo-csp.md b/windows/client-management/mdm/devinfo-csp.md index ba02947ada..9bdd49666d 100644 --- a/windows/client-management/mdm/devinfo-csp.md +++ b/windows/client-management/mdm/devinfo-csp.md @@ -23,10 +23,16 @@ The DevInfo configuration service provider handles the managed object which prov For the DevInfo CSP, you cannot use the Replace command unless the node already exists. -The following diagram shows the DevInfo configuration service provider management object in tree format as used by OMA Device Management. The OMA Client provisioning protocol is not supported by this configuration service provider. - -![devinfo csp (dm)](images/provisioning-csp-devinfo-dm.png) - +The following shows the DevInfo configuration service provider management object in tree format as used by OMA Device Management. The OMA Client provisioning protocol is not supported by this configuration service provider. +``` +. +DevInfo +----DevId +----Man +----Mod +----DmV +----Lang +``` **DevId** Required. Returns an application-specific global unique device identifier by default. diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-iot-core.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-iot-core.md index f3143ed222..e19d3350a5 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-iot-core.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-iot-core.md @@ -16,7 +16,6 @@ ms.date: 09/16/2019 > [!div class="op_single_selector"] > -> - [IoT Enterprise](policy-csps-supported-by-iot-enterprise.md) > - [IoT Core](policy-csps-supported-by-iot-core.md) > diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-iot-enterprise.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-iot-enterprise.md deleted file mode 100644 index afb79c5bfe..0000000000 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-iot-enterprise.md +++ /dev/null @@ -1,73 +0,0 @@ ---- -title: Policies in Policy CSP supported by Windows 10 IoT Enterprise -description: Policies in Policy CSP supported by Windows 10 IoT Enterprise -ms.reviewer: -manager: dansimp -ms.author: dansimp -ms.topic: article -ms.prod: w10 -ms.technology: windows -author: manikadhiman -ms.localizationpriority: medium -ms.date: 07/18/2019 ---- - -# Policies in Policy CSP supported by Windows 10 IoT Enterprise - -> [!div class="op_single_selector"] -> -> - [IoT Enterprise](policy-csps-supported-by-iot-enterprise.md) -> - [IoT Core](policy-csps-supported-by-iot-core.md) -> - -- [InternetExplorer/AllowEnhancedSuggestionsInAddressBar](policy-csp-internetexplorer.md#internetexplorer-allowenhancedsuggestionsinaddressbar) -- [InternetExplorer/DisableActiveXVersionListAutoDownload](policy-csp-internetexplorer.md#internetexplorer-disableactivexversionlistautodownload) -- [InternetExplorer/DisableCompatView](policy-csp-internetexplorer.md#internetexplorer-disablecompatview) -- [InternetExplorer/DisableFeedsBackgroundSync](policy-csp-internetexplorer.md#internetexplorer-disablefeedsbackgroundsync) -- [InternetExplorer/DisableGeolocation](policy-csp-internetexplorer.md#internetexplorer-disablegeolocation) -- [InternetExplorer/DisableWebAddressAutoComplete](policy-csp-internetexplorer.md#internetexplorer-disablewebaddressautocomplete) -- [InternetExplorer/NewTabDefaultPage](policy-csp-internetexplorer.md#internetexplorer-newtabdefaultpage) -- [DeliveryOptimization/DOAbsoluteMaxCacheSize](policy-csp-deliveryoptimization.md#deliveryoptimization-doabsolutemaxcachesize) -- [DeliveryOptimization/DOAllowVPNPeerCaching](policy-csp-deliveryoptimization.md#deliveryoptimization-doallowvpnpeercaching) -- [DeliveryOptimization/DOCacheHost](policy-csp-deliveryoptimization.md#deliveryoptimization-docachehost) -- [DeliveryOptimization/DOCacheHostSource](policy-csp-deliveryoptimization.md#deliveryoptimization-docachehostsource) -- [DeliveryOptimization/DODelayBackgroundDownloadFromHttp](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaybackgrounddownloadfromhttp) -- [DeliveryOptimization/DODelayForegroundDownloadFromHttp](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelayforegrounddownloadfromhttp) -- [DeliveryOptimization/DODelayCacheServerFallbackBackground](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackbackground) -- [DeliveryOptimization/DODelayCacheServerFallbackForeground](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackforeground) -- [DeliveryOptimization/DODownloadMode](policy-csp-deliveryoptimization.md#deliveryoptimization-dodownloadmode) -- [DeliveryOptimization/DOGroupId](policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupid) -- [DeliveryOptimization/DOGroupIdSource](policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupidsource) -- [DeliveryOptimization/DOMaxBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxbackgrounddownloadbandwidth) -- [DeliveryOptimization/DOMaxCacheAge](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcacheage) -- [DeliveryOptimization/DOMaxCacheSize](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcachesize) -- [DeliveryOptimization/DOMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxdownloadbandwidth) (deprecated) -- [DeliveryOptimization/DOMaxForegroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxforegrounddownloadbandwidth) -- [DeliveryOptimization/DOMaxUploadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxuploadbandwidth) (deprecated) -- [DeliveryOptimization/DOMinBackgroundQos](policy-csp-deliveryoptimization.md#deliveryoptimization-dominbackgroundqos) -- [DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload](policy-csp-deliveryoptimization.md#deliveryoptimization-dominbatterypercentageallowedtoupload) -- [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](policy-csp-deliveryoptimization.md#deliveryoptimization-domindisksizeallowedtopeer) -- [DeliveryOptimization/DOMinFileSizeToCache](policy-csp-deliveryoptimization.md#deliveryoptimization-dominfilesizetocache) -- [DeliveryOptimization/DOMinRAMAllowedToPeer](policy-csp-deliveryoptimization.md#deliveryoptimization-dominramallowedtopeer) -- [DeliveryOptimization/DOModifyCacheDrive](policy-csp-deliveryoptimization.md#deliveryoptimization-domodifycachedrive) -- [DeliveryOptimization/DOMonthlyUploadDataCap](policy-csp-deliveryoptimization.md#deliveryoptimization-domonthlyuploaddatacap) -- [DeliveryOptimization/DOPercentageMaxBackgroundBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxbackgroundbandwidth) -- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxdownloadbandwidth) (deprecated) -- [DeliveryOptimization/DOPercentageMaxForegroundBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxforegroundbandwidth) -- [DeliveryOptimization/DORestrictPeerSelectionBy](policy-csp-deliveryoptimization.md#deliveryoptimization-dorestrictpeerselectionby) -- [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth) -- [DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth) -- [DeviceHealthMonitoring/AllowDeviceHealthMonitoring](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-allowdevicehealthmonitoring) -- [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringScope](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-configdevicehealthmonitoringscope) -- [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringUploadDestination](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-configdevicehealthmonitoringuploaddestination) -- [Privacy/LetAppsActivateWithVoice](policy-csp-privacy.md#privacy-letappsactivatewithvoice) -- [Privacy/LetAppsActivateWithVoiceAboveLock](policy-csp-privacy.md#privacy-letappsactivatewithvoiceabovelock) -- [Update/ConfigureDeadlineForFeatureUpdates](policy-csp-update.md#update-configuredeadlineforfeatureupdates) -- [Update/ConfigureDeadlineForQualityUpdates](policy-csp-update.md#update-configuredeadlineforqualityupdates) -- [Update/ConfigureDeadlineGracePeriod](policy-csp-update.md#update-configuredeadlinegraceperiod) -- [Update/ConfigureDeadlineNoAutoReboot](policy-csp-update.md#update-configuredeadlinenoautoreboot) -- [Update/SetProxyBehaviorForUpdateDetection](policy-csp-update.md#update-setproxybehaviorforupdatedetection) - -## Related topics - -[Policy CSP](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index cdce904177..400db33800 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -8560,7 +8560,6 @@ The following diagram shows the Policy configuration service provider in tree fo - [Policies in Policy CSP supported by HoloLens (1st gen) Development Edition](policy-csps-supported-by-hololens-1st-gen-development-edition.md) ## Policies in Policy CSP supported by Windows 10 IoT -- [Policies in Policy CSP supported by Windows 10 IoT Enterprise](policy-csps-supported-by-iot-enterprise.md) - [Policies in Policy CSP supported by Windows 10 IoT Core](policy-csps-supported-by-iot-core.md) ## Policies in Policy CSP supported by Microsoft Surface Hub diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index f450ccfd61..9cd06e39f6 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -240,27 +240,27 @@ For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com 4. On the **Before You Begin** page, click **Next**. - ![Create Packaged app Rules wizard, showing the Before You Begin page](images/wip-applocker-secpol-wizard-1.png) + ![Screenshot of the Before You Begin tab](images/wip-applocker-secpol-wizard-1.png) 5. On the **Permissions** page, make sure the **Action** is set to **Allow** and the **User or group** is set to **Everyone**, and then click **Next**. - ![Create Packaged app Rules wizard, showing the Before You Begin page](images/wip-applocker-secpol-wizard-2.png) + ![Screenshot of the Permissions tab with "Allow" and "Everyone" selected](images/wip-applocker-secpol-wizard-2.png) 6. On the **Publisher** page, click **Select** from the **Use an installed packaged app as a reference** area. - ![Create Packaged app Rules wizard, showing the Publisher](images/wip-applocker-secpol-wizard-3.png) + ![Screenshot of the "Use an installed package app as a reference" radio button selected and the Select button highlighted](images/wip-applocker-secpol-wizard-3.png) 7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, we’re using Microsoft Dynamics 365. - ![Create Packaged app Rules wizard, showing the Select applications page](images/wip-applocker-secpol-wizard-4.png) + ![Screenshot of the Select applications list](images/wip-applocker-secpol-wizard-4.png) 8. On the updated **Publisher** page, click **Create**. - ![Create Packaged app Rules wizard, showing the Microsoft Dynamics 365 on the Publisher page](images/wip-applocker-secpol-wizard-5.png) + ![Screenshot of the Publisher tab](images/wip-applocker-secpol-wizard-5.png) 9. Click **No** in the dialog box that appears, asking if you want to create the default rules. You must not create default rules for your WIP policy. - ![Create Packaged app Rules wizard, showing the Microsoft Dynamics 365 on the Publisher page](images/wip-applocker-default-rule-warning.png) + ![Screenshot of AppLocker warning](images/wip-applocker-default-rule-warning.png) 9. Review the Local Security Policy snap-in to make sure your rule is correct. @@ -318,11 +318,11 @@ The executable rule helps to create an AppLocker rule to sign any unsigned apps. 6. On the **Conditions** page, click **Path** and then click **Next**. - ![Create Packaged app Rules wizard, showing the Publisher](images/path-condition.png) + ![Screenshot with Path conditions selected in the Create Executable Rules wizard](images/path-condition.png) 7. Click **Browse Folders...** and select the path for the unsigned apps. For this example, we’re using "C:\Program Files". - ![Create Packaged app Rules wizard, showing the Select applications page](images/select-path.png) + ![Screenshot of the Path field of the Create Executable Rules wizard](images/select-path.png) 8. On the **Exceptions** page, add any exceptions and then click **Next**.