deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 05:17:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'master' into repo_sync_working_branch

Browse Source
This commit is contained in:
Gary Moore 2021-03-12 15:11:41 -08:00 committed by GitHub
commit df6e14f561
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
26 changed files with 574 additions and 178 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
.openpublishing.redirection.json
View File

@ -16546,9 +16546,10 @@
"redirect_document_id": true
},
{
"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr",
"source_path": "windows/client-management/mdm/policies-in-policy-csp-supported-by-iot-enterprise.md",
"redirect_url": "https://docs.microsoft.com/windows/client-management/mdm/configuration-service-provider-reference",
"redirect_document_id": false
}
},
]
}

19
windows/client-management/mdm/TOC.md
View File

@ -159,16 +159,15 @@
### [Personalization CSP](personalization-csp.md)
#### [Personalization DDF file](personalization-ddf.md)
### [Policy CSP](policy-configuration-service-provider.md)
#### [Policy CSP DDF file](policy-ddf-file.md)
#### [Policies in Policy CSP supported by Group Policy](policies-in-policy-csp-supported-by-group-policy.md)
#### [ADMX-backed policies in Policy CSP](policies-in-policy-csp-admx-backed.md)
#### [Policies in Policy CSP supported by HoloLens 2](policies-in-policy-csp-supported-by-hololens2.md)
#### [Policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite](policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md)
#### [Policies in Policy CSP supported by HoloLens (1st gen) Development Edition](policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md)
#### [Policies in Policy CSP supported by Windows 10 IoT Enterprise](policies-in-policy-csp-supported-by-iot-enterprise.md)
#### [Policies in Policy CSP supported by Windows 10 IoT Core](policies-in-policy-csp-supported-by-iot-core.md)
#### [Policies in Policy CSP supported by Microsoft Surface Hub](policies-in-policy-csp-supported-by-surface-hub.md)
#### [Policy CSPs that can be set using Exchange Active Sync (EAS)](policies-in-policy-csp-that-can-be-set-using-eas.md)
#### [Policy DDF file](policy-ddf-file.md)
#### [Policies in Policy CSP supported by Group Policy](policy-csps-supported-by-group-policy.md)
#### [ADMX-backed policies in Policy CSP](policy-csps-admx-backed.md)
#### [Policies in Policy CSP supported by HoloLens 2](policy-csps-supported-by-hololens2.md)
#### [Policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite](policy-csps-supported-by-hololens-1st-gen-commercial-suite.md)
#### [Policies in Policy CSP supported by HoloLens (1st gen) Development Edition](policy-csps-supported-by-hololens-1st-gen-development-edition.md)
#### [Policies in Policy CSP supported by Windows 10 IoT Core](policy-csps-supported-by-iot-core.md)
#### [Policies in Policy CSP supported by Microsoft Surface Hub](policy-csps-supported-by-surface-hub.md)
#### [Policy CSPs that can be set using Exchange Active Sync (EAS)](policy-csps-that-can-be-set-using-eas.md)
#### [AboveLock](policy-csp-abovelock.md)
#### [Accounts](policy-csp-accounts.md)
#### [ActiveXControls](policy-csp-activexcontrols.md)

15
windows/client-management/mdm/accounts-csp.md
View File

@ -11,15 +11,24 @@ ms.reviewer:
manager: dansimp
---
# Accounts CSP
# Accounts Configuration Service Provider
The Accounts configuration service provider (CSP) is used by the enterprise (1) to rename a device, (2) to create a new local Windows account and join it to a local user group. This CSP was added in Windows 10, version 1803.
The following diagram shows the Accounts configuration service provider in tree format.
The following shows the Accounts configuration service provider in tree format.
![Accounts CSP diagram](images/provisioning-csp-accounts.png)
```
./Device/Vendor/MSFT
Accounts
----Domain
--------ComputerName
----Users
--------UserName
------------Password
------------LocalUserGroup
```
<a href="" id="accounts"></a>**./Device/Vendor/MSFT/Accounts**
Root node.

34
windows/client-management/mdm/activesync-csp.md
View File

@ -28,9 +28,39 @@ The ./Vendor/MSFT/ActiveSync path is deprecated, but will continue to work in th
The following diagram shows the ActiveSync configuration service provider management objects in tree format as used by Open Mobile Alliance Device Management (OMA DM), OMA Client Provisioning, and Enterprise DM.
The following shows the ActiveSync configuration service provider management objects in tree format as used by Open Mobile Alliance Device Management (OMA DM), OMA Client Provisioning, and Enterprise DM.
![activesync csp (cp)](images/provisioning-csp-activesync-cp.png)
```
./Vendor/MSFT
ActiveSync
----Accounts
--------Account GUID
------------EmailAddress
------------Domain
------------AccountIcon
------------AccountType
------------AccountName
------------Password
------------ServerName
------------UserName
------------Options
----------------CalendarAgeFilter
----------------Logging
----------------MailBodyType
----------------MailHTMLTruncation
----------------MailPlainTextTruncation
----------------Schedule
----------------UseSSL
----------------MailAgeFilter
----------------ContentTypes
--------------------Content Type GUID
------------------------Enabled
------------------------Name
------------Policies
----------------MailBodyType
----------------MaxMailAgeFilter
```
<a href="" id="--user-vendor-msft-activesync"></a>**./User/Vendor/MSFT/ActiveSync**
The root node for the ActiveSync configuration service provider.

32
windows/client-management/mdm/alljoynmanagement-csp.md
View File

@ -26,9 +26,37 @@ This CSP was added in Windows 10, version 1511.
For the firewall settings, note that PublicProfile and PrivateProfile are mutually exclusive. The Private Profile must be set on the directly on the device itself, and the only supported operation is Get. For PublicProfile, both Add and Get are supported. This CSP is intended to be used in conjunction with the AllJoyn Device System Bridge, and an understanding of the bridge will help when determining when and how to use this CSP. For more information, see [Device System Bridge (DSB) Project](https://go.microsoft.com/fwlink/p/?LinkId=615876) and [AllJoyn Device System Bridge](https://go.microsoft.com/fwlink/p/?LinkId=615877).
The following diagram shows the AllJoynManagement configuration service provider in tree format
The following shows the AllJoynManagement configuration service provider in tree format
![alljoynmanagement csp diagram](images/provisioning-csp-alljoynmanagement.png)
```
./Vendor/MSFT
AllJoynManagement
----Configurations
--------ServiceID
------------Port
----------------PortNum
--------------------ConfigurableObjects
------------------------CfgObjectPath
----Credentials
--------ServiceID
------------Key
----Firewall
--------PublicProfile
--------PrivateProfile
----Services
--------ServiceID
------------AppId
------------DeviceId
------------AppName
------------Manufacturer
------------ModelNumber
------------Description
------------SoftwareVersion
------------AJSoftwareVersion
------------HardwareVersion
----Options
--------QueryIdleTime
```
The following list describes the characteristics and parameters.

35
windows/client-management/mdm/applicationcontrol-csp.md
View File

@ -1,6 +1,6 @@
---
title: ApplicationControl CSP
description: The ApplicationControl CSP allows you to manage multiple Windows Defender Application Control (WDAC) policies from a MDM server.
description: The ApplicationControl CSP allows you to manage multiple Windows Defender Application Control (WDAC) policies from an MDM server.
keywords: security, malware
ms.author: dansimp
ms.topic: article
@ -16,10 +16,33 @@ ms.date: 09/10/2020
Windows Defender Application Control (WDAC) policies can be managed from an MDM server or locally using PowerShell via the WMI Bridge through the ApplicationControl configuration service provider (CSP). The ApplicationControl CSP was added in Windows 10, version 1903. This CSP provides expanded diagnostic capabilities and support for [multiple policies](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) (introduced in Windows 10, version 1903). It also provides support for rebootless policy deployment (introduced in Windows 10, version 1709). Unlike the [AppLocker CSP](applocker-csp.md), the ApplicationControl CSP correctly detects the presence of no-reboot option and consequently does not schedule a reboot.
Existing WDAC policies deployed using the AppLocker CSP's CodeIntegrity node can now be deployed using the ApplicationControl CSP URI. Although WDAC policy deployment via the AppLocker CSP will continue to be supported, all new feature work will be done in the ApplicationControl CSP only.
The following diagram shows the ApplicationControl CSP in tree format.
![tree diagram for applicationcontrol csp](images/provisioning-csp-applicationcontrol.png)
The following shows the ApplicationControl CSP in tree format.
```
./Vendor/MSFT
ApplicationControl
----Policies
--------Policy GUID
------------Policy
------------PolicyInfo
----------------Version
----------------IsEffective
----------------IsDeployed
----------------IsAuthorized
----------------Status
----------------FriendlyName
------------Token
----------------TokenID
----Tokens
--------ID
------------Token
------------TokenInfo
----------------Status
------------PolicyIDs
----------------Policy GUID
----TenantID
----DeviceID
```
<a href="" id="vendor-msft-applicationcontrol"></a>**./Vendor/MSFT/ApplicationControl**
Defines the root node for the ApplicationControl CSP.
@ -125,7 +148,7 @@ In order to leverage the ApplicationControl CSP without using Intune, you must:
1. Know a generated policy's GUID, which can be found in the policy xml as `<PolicyID>` or `<PolicyTypeID>` for pre-1903 systems.
2. Convert the policies to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned.
3. Create a policy node (a Base64-encoded blob of the binary policy representation) using the certutil -encode command line tool.
3. Create a policy node (a Base64-encoded blob of the binary policy representation) using the certutil -encode command-line tool.
Below is a sample certutil invocation:
@ -141,7 +164,7 @@ An alternative to using certutil would be to use the following PowerShell invoca
### Deploy Policies
To deploy a new base policy using the CSP, perform an ADD on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy** using the Base64-encoded policy node as {Data}. Refer to the the Format section in the Example 1 below.
To deploy a new base policy using the CSP, perform an ADD on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy** using the Base64-encoded policy node as {Data}. Refer to the Format section in the Example 1 below.
To deploy base policy and supplemental policies:

52
windows/client-management/mdm/applocker-csp.md
View File

@ -17,10 +17,54 @@ ms.date: 11/19/2019
The AppLocker configuration service provider is used to specify which applications are allowed or disallowed. There is no user interface shown for apps that are blocked.
The following diagram shows the AppLocker configuration service provider in tree format.
![applocker csp](images/provisioning-csp-applocker.png)
The following shows the AppLocker configuration service provider in tree format.
```
./Vendor/MSFT
AppLocker
----ApplicationLaunchRestrictions
--------Grouping
------------EXE
----------------Policy
----------------EnforcementMode
----------------NonInteractiveProcessEnforcement
------------MSI
----------------Policy
----------------EnforcementMode
------------Script
----------------Policy
----------------EnforcementMode
------------StoreApps
----------------Policy
----------------EnforcementMode
------------DLL
----------------Policy
----------------EnforcementMode
----------------NonInteractiveProcessEnforcement
------------CodeIntegrity
----------------Policy
----EnterpriseDataProtection
--------Grouping
------------EXE
----------------Policy
------------StoreApps
----------------Policy
----LaunchControl
--------Grouping
------------EXE
----------------Policy
----------------EnforcementMode
------------StoreApps
----------------Policy
----------------EnforcementMode
----FamilySafety
--------Grouping
------------EXE
----------------Policy
----------------EnforcementMode
------------StoreApps
----------------Policy
----------------EnforcementMode
```
<a href="" id="--vendor-msft-applocker"></a>**./Vendor/MSFT/AppLocker**
Defines the root node for the AppLocker configuration service provider.

13
windows/client-management/mdm/assignedaccess-csp.md
View File

@ -29,10 +29,17 @@ For a step-by-step guide for setting up devices to run in kiosk mode, see [Set u
> [!Note]
> The AssignedAccess CSP is supported in Windows 10 Enterprise and Windows 10 Education. Starting from Windows 10, version 1709 it is also supported in Windows 10 Pro and Windows 10 S. Starting in Windows 10, version 1803, it is also supported in Windows Holographic for Business edition.
The following diagram shows the AssignedAccess configuration service provider in tree format
![assignedaccess csp diagram](images/provisioning-csp-assignedaccess.png)
The following shows the AssignedAccess configuration service provider in tree format
```
./Vendor/MSFT
AssignedAccess
----KioskModeApp
----Configuration (Added in Windows 10, version 1709)
----Status (Added in Windows 10, version 1803)
----ShellLauncher (Added in Windows 10, version 1803)
----StatusConfiguration (Added in Windows 10, version 1803)
```
<a href="" id="--vendor-msft-assignedaccess"></a>**./Device/Vendor/MSFT/AssignedAccess**
Root node for the CSP.

28
windows/client-management/mdm/bitlocker-csp.md
View File

@ -24,11 +24,29 @@ the setting configured by the admin.
For RequireDeviceEncryption and RequireStorageCardEncryption, the Get operation returns the actual status of enforcement to the admin, such as if Trusted Platform Module (TPM) protection is required and if encryption is required. And if the device has BitLocker enabled but with password protector, the status reported is 0. A Get operation on RequireDeviceEncryption does not verify that the a minimum PIN length is enforced (SystemDrivesMinimumPINLength).
The following diagram shows the BitLocker configuration service provider in tree format.
![BitLocker csp](images/provisioning-csp-bitlocker.png)
The following shows the BitLocker configuration service provider in tree format.
```
./Device/Vendor/MSFT
BitLocker
----RequireStorageCardEncryption
----RequireDeviceEncryption
----EncryptionMethodByDriveType
----SystemDrivesRequireStartupAuthentication
----SystemDrivesMinimumPINLength
----SystemDrivesRecoveryMessage
----SystemDrivesRecoveryOptions
----FixedDrivesRecoveryOptions
----FixedDrivesRequireEncryption
----RemovableDrivesRequireEncryption
----AllowWarningForOtherDiskEncryption
----AllowStandardUserEncryption
----ConfigureRecoveryPasswordRotation
----RotateRecoveryPasswords
----Status
--------DeviceEncryptionStatus
--------RotateRecoveryPasswordsStatus
--------RotateRecoveryPasswordsRequestID
```
<a href="" id="--device-vendor-msft-bitlocker"></a>**./Device/Vendor/MSFT/BitLocker**
Defines the root node for the BitLocker configuration service provider.
<!--Policy-->

83
windows/client-management/mdm/certificatestore-csp.md
View File

@ -25,10 +25,87 @@ The CertificateStore configuration service provider is used to add secure socket
For the CertificateStore CSP, you cannot use the Replace command unless the node already exists.
The following diagram shows the CertificateStore configuration service provider management object in tree format as used by both Open Mobile Alliance Device Management (OMA DM) and OMA Client Provisioning.
![provisioning\-csp\-certificatestore](images/provisioning-csp-certificatestore.png)
The following shows the CertificateStore configuration service provider management object in tree format as used by both Open Mobile Alliance Device Management (OMA DM) and OMA Client Provisioning.
```
./Vendor/MSFT
CertificateStore
----ROOT
--------*
------------EncodedCertificate
------------IssuedBy
------------IssuedTo
------------ValidFrom
------------ValidTo
------------TemplateName
--------System
------------*
----------------EncodedCertificate
----------------IssuedBy
----------------IssuedTo
----------------ValidFrom
----------------ValidTo
----------------TemplateName
----MY
--------User
------------*
----------------EncodedCertificate
----------------IssuedBy
----------------IssuedTo
----------------ValidFrom
----------------ValidTo
----------------TemplateName
--------SCEP
------------*
----------------Install
--------------------ServerURL
--------------------Challenge
--------------------EKUMapping
--------------------KeyUsage
--------------------SubjectName
--------------------KeyProtection
--------------------RetryDelay
--------------------RetryCount
--------------------TemplateName
--------------------KeyLength
--------------------HashAlgrithm
--------------------CAThumbPrint
--------------------SubjectAlternativeNames
--------------------ValidPeriod
--------------------ValidPeriodUnit
--------------------Enroll
----------------CertThumbPrint
----------------Status
----------------ErrorCode
--------WSTEP
------------CertThumprint
------------Renew
----------------RenewPeriod
----------------ServerURL
----------------RetryInterval
----------------ROBOSupport
----------------Status
----------------ErrorCode
----------------LastRenewalAttemptTime (Added in Windows 10, version 1607)
----------------RenewNow (Added in Windows 10, version 1607)
----------------RetryAfterExpiryInterval (Added in Windows 10, version 1703)
----CA
--------*
------------EncodedCertificate
------------IssuedBy
------------IssuedTo
------------ValidFrom
------------ValidTo
------------TemplateName
--------System
------------*
----------------EncodedCertificate
----------------IssuedBy
----------------IssuedTo
----------------ValidFrom
----------------ValidTo
----------------TemplateName
```
<a href="" id="root-system"></a>**Root/System**
Defines the certificate store that contains root, or self-signed, certificates.

11
windows/client-management/mdm/cleanpc-csp.md
View File

@ -15,10 +15,13 @@ manager: dansimp
The CleanPC configuration service provider (CSP) allows removal of user-installed and pre-installed applications, with the option to persist user data. This CSP was added in Windows 10, version 1703.
The following diagram shows the CleanPC configuration service provider in tree format.
![CleanPC csp diagram](images/provisioning-csp-cleanpc.png)
The following shows the CleanPC configuration service provider in tree format.
```
./Device/Vendor/MSFT
CleanPC
----CleanPCWithoutRetainingUserData
----CleanPCRetainingUserData
```
<a href="" id="--device-vendor-msft-cleanpc"></a>**./Device/Vendor/MSFT/CleanPC**
<p style="margin-left: 20px">The root node for the CleanPC configuration service provider.</p>

46
windows/client-management/mdm/clientcertificateinstall-csp.md
View File

@ -23,10 +23,48 @@ For PFX certificate installation and SCEP installation, the SyncML commands must
You can only set PFXKeyExportable to true if KeyLocation=3. For any other KeyLocation value, the CSP will fail.
The following image shows the ClientCertificateInstall configuration service provider in tree format.
![clientcertificateinstall csp](images/provisioning-csp-clientcertificateinstall.png)
The following shows the ClientCertificateInstall configuration service provider in tree format.
```
./Vendor/MSFT
ClientCertificateInstall
----PFXCertInstall
--------UniqueID
------------KeyLocation
------------ContainerName
------------PFXCertBlob
------------PFXCertPassword
------------PFXCertPasswordEncryptionType
------------PFXKeyExportable
------------Thumbprint
------------Status
------------PFXCertPasswordEncryptionStore (Added in Windows 10, version 1511)
----SCEP
--------UniqueID
------------Install
----------------ServerURL
----------------Challenge
----------------EKUMapping
----------------KeyUsage
----------------SubjectName
----------------KeyProtection
----------------RetryDelay
----------------RetryCount
----------------TemplateName
----------------KeyLength
----------------HashAlgorithm
----------------CAThumbprint
----------------SubjectAlternativeNames
----------------ValidPeriod
----------------ValidPeriodUnits
----------------ContainerName
----------------CustomTextToShowInPrompt
----------------Enroll
----------------AADKeyIdentifierList (Added in Windows 10, version 1703)
------------CertThumbprint
------------Status
------------ErrorCode
------------RespondentServerUrl
```
<a href="" id="device-or-user"></a>**Device or User**
For device certificates, use <strong>./Device/Vendor/MSFT</strong> path and for user certificates use <strong>./User/Vendor/MSFT</strong> path.

35
windows/client-management/mdm/cm-proxyentries-csp.md
View File

@ -25,10 +25,41 @@ The CM\_ProxyEntries configuration service provider is used to configure proxy c
The following diagram shows the CM\_ProxyEntries configuration service provider management object in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP) and OMA Device Management(OMA DM). Support for OMA DM was added in Windows 10, version 1607.
The following shows the CM\_ProxyEntries configuration service provider management object in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP) and OMA Device Management(OMA DM). Support for OMA DM was added in Windows 10, version 1607.
![cm\-proxyentries csp (cp)](images/provisioning-csp-cm-proxyentries-cp.png)
```
./Vendor/MSFT
CM_ProxyEntries
----Entry
--------ConnectionName
--------BypassLocal
--------Enable
--------Exception
--------Password
--------Port
--------Server
--------Type
--------Username
./Device/Vendor/MSFT
Root
./Vendor/MSFT
./Device/Vendor/MSFT
CM_ProxyEntries
----Entry
--------ConnectionName
--------BypassLocal
--------Enable
--------Exception
--------Password
--------Port
--------Server
--------Type
--------Username
```
<a href="" id="entryname"></a>**entryname**
Defines the name of the connection proxy.

27
windows/client-management/mdm/cmpolicy-csp.md
View File

@ -28,10 +28,21 @@ Each policy entry identifies one or more applications in combination with a host
**Default Policies**: Policies are applied in order of their scope with the most specific policies considered before the more general policies. The phones default behavior applies to all applications and all domains and is only used when no other, more specific policy is available. The default policy is to use any available Wi-Fi network first and then any available APN.
The following diagram shows the CMPolicy configuration service provider management object in tree format as used by both Open Mobile Alliance (OMA) Client Provisioning and OMA Device Management.
![cmpolicy csp (dm,cp)](images/provisioning-csp-cmpolicy.png)
The following shows the CMPolicy configuration service provider management object in tree format as used by both Open Mobile Alliance (OMA) Client Provisioning and OMA Device Management.
```
./Vendor/MSFT
CMPolicy
----PolicyName
--------SID
--------ClientType
--------Host
--------OrderedConnections
--------Connections
------------ConnXXX
----------------ConnectionID
----------------Type
```
<a href="" id="policyname"></a>***policyName***
Defines the name of the policy.
@ -64,7 +75,7 @@ Specifies whether the list of connections is in preference order.
A value of "0" specifies that the connections are not listed in order of preference. A value of "1" indicates that the listed connections are in order of preference.
<a href="" id="connxxx"></a>**Conn**<strong>*XXX*</strong>
Enumerates the connections associated with the policy. Element names begin with "Conn" followed by three digits which increment starting from "000". For example, a policy which applied to five connections would have element entries named "Conn000", "Conn001", "Conn002", "Conn003", and "Conn004".
Enumerates the connections associated with the policy. Element names begin with "Conn" followed by three digits, which increment starting from "000". For example, a policy, which applied to five connections would have element entries named "Conn000", "Conn001", "Conn002", "Conn003", and "Conn004".
<a href="" id="connectionid"></a>**ConnectionID**
Specifies a unique identifier for a connection within a group of connections. The exact value is based on the Type parameter.
@ -173,11 +184,11 @@ For `CMST_CONNECTION_NETWORK_TYPE`, specify the GUID for the desired network typ
<td><p>{7CFA04A5-0F3F-445C-88A4-C86ED2AD94EA}</p></td>
</tr>
<tr class="even">
<td><p>Ethernet 10Mbps</p></td>
<td><p>Ethernet 10 Mbps</p></td>
<td><p>{97D3D1B3-854A-4C32-BD1C-C13069078370}</p></td>
</tr>
<tr class="odd">
<td><p>Ethernet 100Mbps</p></td>
<td><p>Ethernet 100 Mbps</p></td>
<td><p>{A8F4FE66-8D04-43F5-9DD2-2A85BD21029B}</p></td>
</tr>
<tr class="even">
@ -486,14 +497,14 @@ Adding a host-based mapping policy:
<td><p>Yes</p></td>
</tr>
<tr class="even">
<td><p>nocharacteristic</p></td>
<td><p>uncharacteristic</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="odd">
<td><p>characteristic-query</p></td>
<td><p>Yes</p>
<p>Recursive query: Yes</p>
<p>Top level query: Yes</p></td>
<p>Top-level query: Yes</p></td>
</tr>
</tbody>
</table>

18
windows/client-management/mdm/cmpolicyenterprise-csp.md
View File

@ -28,10 +28,20 @@ Each policy entry identifies one or more applications in combination with a host
**Default Policies**: Policies are applied in order of their scope with the most specific policies considered before the more general policies. The phones default behavior applies to all applications and all domains and is only used when no other, more specific policy is available. The default policy is to use any available Wi-Fi network first and then any available APN.
The following diagram shows the CMPolicyEnterprise configuration service provider management object in tree format as used by both Open Mobile Alliance (OMA) Client Provisioning and OMA Device Management.
![cmpolicy csp (dm,cp)](images/provisioning-csp-cmpolicyenterprise.png)
The following shows the CMPolicyEnterprise configuration service provider management object in tree format as used by both Open Mobile Alliance (OMA) Client Provisioning and OMA Device Management.
```
./Vendor/MSFT
CMPolicy
----PolicyName
--------SID
--------ClientType
--------Host
--------OrderedConnections
--------Connections
------------ConnXXX
----------------ConnectionID
----------------Type
```
<a href="" id="policyname"></a>***policyName***
Defines the name of the policy.

12
windows/client-management/mdm/customdeviceui-csp.md
View File

@ -15,12 +15,16 @@ ms.date: 06/26/2017
# CustomDeviceUI CSP
The CustomDeviceUI configuration service provider allows OEMs to implement their custom foreground application, as well as the background tasks to run on an IoT device running IoT Core. Only one foreground application is supported per device. Multiple background tasks are supported.
The following diagram shows the CustomDeviceUI configuration service provider in tree format as used by both the Open Mobile Alliance (OMA) Device Management (DM) and OMA Client Provisioning.
The following shows the CustomDeviceUI configuration service provider in tree format as used by both the Open Mobile Alliance (OMA) Device Management (DM) and OMA Client Provisioning.
> **Note**  This configuration service provider only applies to Windows 10 IoT Core (IoT Core).
![customdeviceui csp](images/provisioning-csp-customdeviceui.png)
```
./Vendor/MSFT
CustomDeviceUI
----StartupAppID
----BackgroundTasksToLaunch
--------BackgroundTaskPackageName
```
<a href="" id="./Vendor/MSFT/CustomDeviceUI"></a>**./Vendor/MSFT/CustomDeviceUI**
The root node for the CustomDeviceUI configuration service provider. The supported operation is Get.

47
windows/client-management/mdm/defender-csp.md
View File

@ -20,10 +20,49 @@ ms.date: 08/11/2020
The Windows Defender configuration service provider is used to configure various Windows Defender actions across the enterprise.
The following image shows the Windows Defender configuration service provider in tree format.
![defender csp diagram](images/provisioning-csp-defender.png)
The following shows the Windows Defender configuration service provider in tree format.
```
./Vendor/MSFT
Defender
----Detections
--------ThreatId
------------Name
------------URL
------------Severity
------------Category
------------CurrentStatus
------------ExecutionStatus
------------InitialDetectionTime
------------LastThreatStatusChangeTime
------------NumberOfDetections
----Health
--------ProductStatus (Added in Windows 10 version 1809)
--------ComputerState
--------DefenderEnabled
--------RtpEnabled
--------NisEnabled
--------QuickScanOverdue
--------FullScanOverdue
--------SignatureOutOfDate
--------RebootRequired
--------FullScanRequired
--------EngineVersion
--------SignatureVersion
--------DefenderVersion
--------QuickScanTime
--------FullScanTime
--------QuickScanSigVersion
--------FullScanSigVersion
--------TamperProtectionEnabled (Added in Windows 10, version 1903)
--------IsVirtualMachine (Added in Windows 10, version 1903)
----Configuration (Added in Windows 10, version 1903)
--------TamperProetection (Added in Windows 10, version 1903)
--------EnableFileHashcomputation (Added in Windows 10, version 1903)
--------SupportLogLocation (Added in the next major release of Windows 10)
----Scan
----UpdateSignature
----OfflineScan (Added in Windows 10 version 1803)
```
<a href="" id="detections"></a>**Detections**
An interior node to group all threats detected by Windows Defender.

41
windows/client-management/mdm/devdetail-csp.md
View File

@ -21,10 +21,43 @@ The DevDetail configuration service provider handles the management object which
For the DevDetail CSP, you cannot use the Replace command unless the node already exists.
The following diagram shows the DevDetail configuration service provider management object in tree format as used by OMA Device Management. The OMA Client Provisioning protocol is not supported for this configuration service provider.
![devdetail csp (dm)](images/provisioning-csp-devdetail-dm.png)
The following shows the DevDetail configuration service provider management object in tree format as used by OMA Device Management. The OMA Client Provisioning protocol is not supported for this configuration service provider.
```
.
DevDetail
----URI
--------MaxDepth
--------MaxTotLen
--------MaxSegLen
----DevTyp
----OEM
----FwV
----SwV
----HwV
----LrgObj
----Ext
--------Microsoft
------------MobileID
------------RadioSwV
------------Resolution
------------CommercializationOperator
------------ProcessorArchitecture
------------ProcessorType
------------OSPlatform
------------LocalTime
------------DeviceName
------------DNSComputerName (Added in Windows 10, version 2004)
------------TotalStorage
------------TotalRAM
------------SMBIOSSerialNumber (Added in Windows 10, version 1809)
--------WLANMACAddress
--------VoLTEServiceSetting
--------WlanIPv4Address
--------WlanIPv6Address
--------WlanDnsSuffix
--------WlanSubnetMask
--------DeviceHardwareData (Added in Windows 10, version 1703)
```
<a href="" id="devtyp"></a>**DevTyp**
Required. Returns the device model name /SystemProductName as a string.

19
windows/client-management/mdm/developersetup-csp.md
View File

@ -19,10 +19,21 @@ The DeveloperSetup configuration service provider (CSP) is used to configure Dev
> [!NOTE]
> The DeveloperSetup configuration service provider (CSP) is only supported in Windows 10 Holographic Enterprise edition and with runtime provisioning via provisioning packages. It is not supported in MDM.
The following diagram shows the DeveloperSetup configuration service provider in tree format.
![developersetup csp diagram](images/provisioning-csp-developersetup.png)
The following shows the DeveloperSetup configuration service provider in tree format.
```
./Device/Vendor/MSFT
DeveloperSetup
----EnableDeveloperMode
----DevicePortal
--------Authentication
------------Mode
------------BasicAuth
----------------Username
----------------Password
--------Connection
------------HttpPort
------------HttpsPort
```
<a href="" id="developersetup"></a>**DeveloperSetup**
<p style="margin-left: 20px">The root node for the DeveloperSetup configuration service provider.

21
windows/client-management/mdm/devicemanageability-csp.md
View File

@ -1,6 +1,6 @@
---
title: DeviceManageability CSP
description: The DeviceManageability configuration service provider (CSP) is used retrieve general information about MDM configuration capabilities on the device.
description: The DeviceManageability configuration service provider (CSP) is used to retrieve general information about MDM configuration capabilities on the device.
ms.assetid: FE563221-D5B5-4EFD-9B60-44FE4066B0D2
ms.reviewer:
manager: dansimp
@ -15,14 +15,21 @@ ms.date: 11/01/2017
# DeviceManageability CSP
The DeviceManageability configuration service provider (CSP) is used retrieve the general information about MDM configuration capabilities on the device. This CSP was added in Windows 10, version 1607.
The DeviceManageability configuration service provider (CSP) is used to retrieve the general information about MDM configuration capabilities on the device. This CSP was added in Windows 10, version 1607.
For performance reasons DeviceManageability CSP directly reads the CSP version from the registry. Specifically, the value csp\_version is used to determine each of the CSP versions. The csp\_version is a value under each of the CSP registration keys. To have consistency on the CSP version, the CSP GetProperty implementation for CFGMGR\_PROPERTY\_SEMANTICTYPE has to be updated to read from the registry as well, so that the both paths return the same information.
The following diagram shows the DeviceManageability configuration service provider in a tree format.
![devicemanageability csp diagram](images/provisioning-csp-devicemanageability.png)
For performance reasons, DeviceManageability CSP directly reads the CSP version from the registry. Specifically, the value csp\_version is used to determine each of the CSP versions. The csp\_version is a value under each of the CSP registration keys. To have consistency on the CSP version, the CSP GetProperty implementation for CFGMGR\_PROPERTY\_SEMANTICTYPE has to be updated to read from the registry as well, so that the both paths return the same information.
The following shows the DeviceManageability configuration service provider in a tree format.
```
./Device/Vendor/MSFT
DeviceManageability
----Capabilities
--------CSPVersions
----Provider (Added in Windows 10, version 1709)
--------ProviderID (Added in Windows 10, version 1709)
------------ConfigInfo (Added in Windows 10, version 1709)
------------EnrollmentInfo (Added in Windows 10, version 1709)
```
<a href="" id="--device-vendor-msft-devicemanageability"></a>**./Device/Vendor/MSFT/DeviceManageability**
Root node to group information about runtime MDM configuration capability on the target device.

50
windows/client-management/mdm/devicestatus-csp.md
View File

@ -17,10 +17,52 @@ ms.date: 04/30/2019
The DeviceStatus configuration service provider is used by the enterprise to keep track of device inventory and query the state of compliance of these devices with their enterprise policies.
The following image shows the DeviceStatus configuration service provider in tree format.
![devicestatus csp](images/provisioning-csp-devicestatus.png)
The following shows the DeviceStatus configuration service provider in tree format.
```
./Vendor/MSFT
DeviceStatus
----SecureBootState
----CellularIdentities
--------IMEI
------------IMSI
------------ICCID
------------PhoneNumber
------------CommercializationOperator
------------RoamingStatus
------------RoamingCompliance
----NetworkIdentifiers
--------MacAddress
------------IPAddressV4
------------IPAddressV6
------------IsConnected
------------Type
----Compliance
--------EncryptionCompliance
----TPM
--------SpecificationVersion
----OS
--------Edition
--------Mode
----Antivirus
--------SignatureStatus
--------Status
----Antispyware
--------SignatureStatus
--------Status
----Firewall
--------Status
----UAC
--------Status
----Battery
--------Status
--------EstimatedChargeRemaining
--------EstimatedRuntime
----DomainName
----DeviceGuard
--------VirtualizationBasedSecurityHwReq
--------VirtualizationBasedSecurityStatus
--------LsaCfgCredGuardStatus
```
<a href="" id="devicestatus"></a>**DeviceStatus**
The root node for the DeviceStatus configuration service provider.

14
windows/client-management/mdm/devinfo-csp.md
View File

@ -23,10 +23,16 @@ The DevInfo configuration service provider handles the managed object which prov
For the DevInfo CSP, you cannot use the Replace command unless the node already exists.
The following diagram shows the DevInfo configuration service provider management object in tree format as used by OMA Device Management. The OMA Client provisioning protocol is not supported by this configuration service provider.
![devinfo csp (dm)](images/provisioning-csp-devinfo-dm.png)
The following shows the DevInfo configuration service provider management object in tree format as used by OMA Device Management. The OMA Client provisioning protocol is not supported by this configuration service provider.
```
.
DevInfo
----DevId
----Man
----Mod
----DmV
----Lang
```
<a href="" id="devid"></a>**DevId**
Required. Returns an application-specific global unique device identifier by default.

1
windows/client-management/mdm/policies-in-policy-csp-supported-by-iot-core.md
View File

@ -16,7 +16,6 @@ ms.date: 09/16/2019
> [!div class="op_single_selector"]
>
> - [IoT Enterprise](policy-csps-supported-by-iot-enterprise.md)
> - [IoT Core](policy-csps-supported-by-iot-core.md)
>

73
windows/client-management/mdm/policies-in-policy-csp-supported-by-iot-enterprise.md
View File

@ -1,73 +0,0 @@
---
title: Policies in Policy CSP supported by Windows 10 IoT Enterprise
description: Policies in Policy CSP supported by Windows 10 IoT Enterprise
ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.localizationpriority: medium
ms.date: 07/18/2019
---
# Policies in Policy CSP supported by Windows 10 IoT Enterprise
> [!div class="op_single_selector"]
>
> - [IoT Enterprise](policy-csps-supported-by-iot-enterprise.md)
> - [IoT Core](policy-csps-supported-by-iot-core.md)
>
- [InternetExplorer/AllowEnhancedSuggestionsInAddressBar](policy-csp-internetexplorer.md#internetexplorer-allowenhancedsuggestionsinaddressbar)
- [InternetExplorer/DisableActiveXVersionListAutoDownload](policy-csp-internetexplorer.md#internetexplorer-disableactivexversionlistautodownload)
- [InternetExplorer/DisableCompatView](policy-csp-internetexplorer.md#internetexplorer-disablecompatview)
- [InternetExplorer/DisableFeedsBackgroundSync](policy-csp-internetexplorer.md#internetexplorer-disablefeedsbackgroundsync)
- [InternetExplorer/DisableGeolocation](policy-csp-internetexplorer.md#internetexplorer-disablegeolocation)
- [InternetExplorer/DisableWebAddressAutoComplete](policy-csp-internetexplorer.md#internetexplorer-disablewebaddressautocomplete)
- [InternetExplorer/NewTabDefaultPage](policy-csp-internetexplorer.md#internetexplorer-newtabdefaultpage)
- [DeliveryOptimization/DOAbsoluteMaxCacheSize](policy-csp-deliveryoptimization.md#deliveryoptimization-doabsolutemaxcachesize)
- [DeliveryOptimization/DOAllowVPNPeerCaching](policy-csp-deliveryoptimization.md#deliveryoptimization-doallowvpnpeercaching)
- [DeliveryOptimization/DOCacheHost](policy-csp-deliveryoptimization.md#deliveryoptimization-docachehost)
- [DeliveryOptimization/DOCacheHostSource](policy-csp-deliveryoptimization.md#deliveryoptimization-docachehostsource)
- [DeliveryOptimization/DODelayBackgroundDownloadFromHttp](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaybackgrounddownloadfromhttp)
- [DeliveryOptimization/DODelayForegroundDownloadFromHttp](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelayforegrounddownloadfromhttp)
- [DeliveryOptimization/DODelayCacheServerFallbackBackground](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackbackground)
- [DeliveryOptimization/DODelayCacheServerFallbackForeground](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackforeground)
- [DeliveryOptimization/DODownloadMode](policy-csp-deliveryoptimization.md#deliveryoptimization-dodownloadmode)
- [DeliveryOptimization/DOGroupId](policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupid)
- [DeliveryOptimization/DOGroupIdSource](policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupidsource)
- [DeliveryOptimization/DOMaxBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxbackgrounddownloadbandwidth)
- [DeliveryOptimization/DOMaxCacheAge](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcacheage)
- [DeliveryOptimization/DOMaxCacheSize](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcachesize)
- [DeliveryOptimization/DOMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxdownloadbandwidth) (deprecated)
- [DeliveryOptimization/DOMaxForegroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxforegrounddownloadbandwidth)
- [DeliveryOptimization/DOMaxUploadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxuploadbandwidth) (deprecated)
- [DeliveryOptimization/DOMinBackgroundQos](policy-csp-deliveryoptimization.md#deliveryoptimization-dominbackgroundqos)
- [DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload](policy-csp-deliveryoptimization.md#deliveryoptimization-dominbatterypercentageallowedtoupload)
- [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](policy-csp-deliveryoptimization.md#deliveryoptimization-domindisksizeallowedtopeer)
- [DeliveryOptimization/DOMinFileSizeToCache](policy-csp-deliveryoptimization.md#deliveryoptimization-dominfilesizetocache)
- [DeliveryOptimization/DOMinRAMAllowedToPeer](policy-csp-deliveryoptimization.md#deliveryoptimization-dominramallowedtopeer)
- [DeliveryOptimization/DOModifyCacheDrive](policy-csp-deliveryoptimization.md#deliveryoptimization-domodifycachedrive)
- [DeliveryOptimization/DOMonthlyUploadDataCap](policy-csp-deliveryoptimization.md#deliveryoptimization-domonthlyuploaddatacap)
- [DeliveryOptimization/DOPercentageMaxBackgroundBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxbackgroundbandwidth)
- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxdownloadbandwidth) (deprecated)
- [DeliveryOptimization/DOPercentageMaxForegroundBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxforegroundbandwidth)
- [DeliveryOptimization/DORestrictPeerSelectionBy](policy-csp-deliveryoptimization.md#deliveryoptimization-dorestrictpeerselectionby)
- [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth)
- [DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth)
- [DeviceHealthMonitoring/AllowDeviceHealthMonitoring](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-allowdevicehealthmonitoring)
- [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringScope](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-configdevicehealthmonitoringscope)
- [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringUploadDestination](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-configdevicehealthmonitoringuploaddestination)
- [Privacy/LetAppsActivateWithVoice](policy-csp-privacy.md#privacy-letappsactivatewithvoice)
- [Privacy/LetAppsActivateWithVoiceAboveLock](policy-csp-privacy.md#privacy-letappsactivatewithvoiceabovelock)
- [Update/ConfigureDeadlineForFeatureUpdates](policy-csp-update.md#update-configuredeadlineforfeatureupdates)
- [Update/ConfigureDeadlineForQualityUpdates](policy-csp-update.md#update-configuredeadlineforqualityupdates)
- [Update/ConfigureDeadlineGracePeriod](policy-csp-update.md#update-configuredeadlinegraceperiod)
- [Update/ConfigureDeadlineNoAutoReboot](policy-csp-update.md#update-configuredeadlinenoautoreboot)
- [Update/SetProxyBehaviorForUpdateDetection](policy-csp-update.md#update-setproxybehaviorforupdatedetection)
## Related topics
[Policy CSP](policy-configuration-service-provider.md)

1
windows/client-management/mdm/policy-configuration-service-provider.md
View File

@ -8560,7 +8560,6 @@ The following diagram shows the Policy configuration service provider in tree fo
- [Policies in Policy CSP supported by HoloLens (1st gen) Development Edition](policy-csps-supported-by-hololens-1st-gen-development-edition.md)
## Policies in Policy CSP supported by Windows 10 IoT
- [Policies in Policy CSP supported by Windows 10 IoT Enterprise](policy-csps-supported-by-iot-enterprise.md)
- [Policies in Policy CSP supported by Windows 10 IoT Core](policy-csps-supported-by-iot-core.md)
## Policies in Policy CSP supported by Microsoft Surface Hub

16
windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
View File

@ -240,27 +240,27 @@ For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com
4. On the **Before You Begin** page, click **Next**.
![Create Packaged app Rules wizard, showing the Before You Begin page](images/wip-applocker-secpol-wizard-1.png)
![Screenshot of the Before You Begin tab](images/wip-applocker-secpol-wizard-1.png)
5. On the **Permissions** page, make sure the **Action** is set to **Allow** and the **User or group** is set to **Everyone**, and then click **Next**.
![Create Packaged app Rules wizard, showing the Before You Begin page](images/wip-applocker-secpol-wizard-2.png)
![Screenshot of the Permissions tab with "Allow" and "Everyone" selected](images/wip-applocker-secpol-wizard-2.png)
6. On the **Publisher** page, click **Select** from the **Use an installed packaged app as a reference** area.
![Create Packaged app Rules wizard, showing the Publisher](images/wip-applocker-secpol-wizard-3.png)
![Screenshot of the "Use an installed package app as a reference" radio button selected and the Select button highlighted](images/wip-applocker-secpol-wizard-3.png)
7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, were using Microsoft Dynamics 365.
![Create Packaged app Rules wizard, showing the Select applications page](images/wip-applocker-secpol-wizard-4.png)
![Screenshot of the Select applications list](images/wip-applocker-secpol-wizard-4.png)
8. On the updated **Publisher** page, click **Create**.
![Create Packaged app Rules wizard, showing the Microsoft Dynamics 365 on the Publisher page](images/wip-applocker-secpol-wizard-5.png)
![Screenshot of the Publisher tab](images/wip-applocker-secpol-wizard-5.png)
9. Click **No** in the dialog box that appears, asking if you want to create the default rules. You must not create default rules for your WIP policy.
![Create Packaged app Rules wizard, showing the Microsoft Dynamics 365 on the Publisher page](images/wip-applocker-default-rule-warning.png)
![Screenshot of AppLocker warning](images/wip-applocker-default-rule-warning.png)
9. Review the Local Security Policy snap-in to make sure your rule is correct.
@ -318,11 +318,11 @@ The executable rule helps to create an AppLocker rule to sign any unsigned apps.
6. On the **Conditions** page, click **Path** and then click **Next**.
![Create Packaged app Rules wizard, showing the Publisher](images/path-condition.png)
![Screenshot with Path conditions selected in the Create Executable Rules wizard](images/path-condition.png)
7. Click **Browse Folders...** and select the path for the unsigned apps. For this example, were using "C:\Program Files".
![Create Packaged app Rules wizard, showing the Select applications page](images/select-path.png)
![Screenshot of the Path field of the Create Executable Rules wizard](images/select-path.png)
8. On the **Exceptions** page, add any exceptions and then click **Next**.