Siddarth Mandalika 2022-02-24 17:42:44 +05:30
parent b43f2b5b90
commit dfd10d661c
17 changed files with 209 additions and 209 deletions


@ -16,14 +16,14 @@ ms.date: 07/30/2021
The ClientCertificateInstall configuration service provider enables the enterprise to install client certificates. A client certificate has a unique ID, which is the *\[UniqueID\]* for this configuration. Each client certificate must have different UniqueIDs for the SCEP enrollment request.
For PFX certificate installation and SCEP installation, the SyncML commands must be wrapped in atomic commands to ensure enrollment execution is not triggered until all settings are configured. The Enroll command must be the last item in the atomic block.
For PFX certificate installation and SCEP installation, the SyncML commands must be wrapped in atomic commands to ensure enrollment execution isn't triggered until all settings are configured. The Enroll command must be the last item in the atomic block.
> [!Note]
> Currently in Windows 10, version 1511, when using the ClientCertificateInstall to install certificates to the device store and the user store and both certificates are sent to the device in the same MDM payload, the certificate intended for the device store will also get installed in the user store. This may cause issues with Wi-Fi or VPN when choosing the correct certificate to establish a connection. We are working to fix this issue.
You can only set PFXKeyExportable to true if KeyLocation=3. For any other KeyLocation value, the CSP will fail.
The following shows the ClientCertificateInstall configuration service provider in tree format.
The following example shows the ClientCertificateInstall configuration service provider in tree format.
```
./Vendor/MSFT
ClientCertificateInstall
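Review bot: "The following example shows the ClientCertificateInstall configuration service provider in tree format" mislabels the node tree that follows as an example; it is the CSP's actual tree, so the original "The following shows" or "The following tree shows" is more accurate. Separately, the unchanged context sentence "You can only set PFXKeyExportable to true if KeyLocation=3. For any other KeyLocation value, the CSP will fail." sits loose in the introduction right after the 1511 note and duplicates the note under PFXKeyExportable further down; it would read better inside a note block or dropped from the intro.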
@ -100,14 +100,14 @@ The data type is an integer corresponding to one of the following values:
| 4 | Install to Windows Hello for Business (formerly known as Microsoft Passport for Work) whose name is specified |
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-containername"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/ContainerName**
Optional. Specifies the Windows Hello for Business (formerly known as Microsoft Passport for Work) container name (if Windows Hello for Business storage provider (KSP) is chosen for the KeyLocation). If this node is not specified when Windows Hello for Business KSP is chosen, enrollment will fail.
Optional. Specifies the Windows Hello for Business (formerly known as Microsoft Passport for Work) container name (if Windows Hello for Business storage provider (KSP) is chosen for the KeyLocation). If this node isn't specified when Windows Hello for Business KSP is chosen, enrollment will fail.
Date type is string.
Supported operations are Get, Add, Delete, and Replace.
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-pfxcertblob"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertBlob**
CRYPT_DATA_BLOB structure that contains a PFX packet with the exported and encrypted certificates and keys. The Add operation triggers the addition to the PFX certificate. This requires that all the other nodes under UniqueID that are parameters for PFX installation (Container Name, KeyLocation, CertPassword, KeyExportable) are present before this is called. This also sets the Status node to the current Status of the operation.
CRYPT_DATA_BLOB structure that contains a PFX packet with the exported and encrypted certificates and keys. The Add operation triggers the addition to the PFX certificate. This Add operation requires that all the other nodes under UniqueID that are parameters for PFX installation (Container Name, KeyLocation, CertPassword, KeyExportable) are present before the Add operation is called. This trigger for addition also sets the Status node to the current Status of the operation.
The data type format is binary.
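Review bot: the rewritten PFXCertBlob paragraph now ends with "This trigger for addition also sets the Status node to the current Status of the operation", which is more awkward than the sentence it replaces; suggest "The Add operation also sets the Status node to the current status of the operation." While this line is being touched, "Container Name" in the parameter list should match the node name ContainerName used in the heading above, and the context line "Date type is string." under ContainerName is a typo for "Data type is string."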
@ -115,7 +115,7 @@ Supported operations are Get, Add, and Replace.
If a blob already exists, the Add operation will fail. If Replace is called on this node, the existing certificates are overwritten.
If Add is called on this node for a new PFX, the certificate will be added. When a certificate does not exist, Replace operation on this node will fail.
If Add is called on this node for a new PFX, the certificate will be added. When a certificate doesn't exist, Replace operation on this node will fail.
In other words, using Replace or Add will result in the effect of either overwriting the old certificate or adding a new certificate CRYPT_DATA_BLOB, which can be found in <a href="/previous-versions/windows/desktop/legacy/aa381414(v=vs.85)" data-raw-source="[CRYPT\_INTEGER\_BLOB](/previous-versions/windows/desktop/legacy/aa381414(v=vs.85))">CRYPT_INTEGER_BLOB</a>.
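Review bot: "When a certificate doesn't exist, Replace operation on this node will fail" is missing an article in the changed line; suggest "the Replace operation on this node will fail."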
@ -131,7 +131,7 @@ Optional. Used to specify whether the PFX certificate password is encrypted with
The data type is int. Valid values:
- 0 - Password is not encrypted.
- 0 - Password isn't encrypted.
- 1 - Password is encrypted with the MDM certificate.
- 2 - Password is encrypted with custom certificate.
@ -140,7 +140,7 @@ When PFXCertPasswordEncryptionType =2, you must specify the store name in PFXCer
Supported operations are Get, Add, and Replace.
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-pfxkeyexportable"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXKeyExportable**
Optional. Used to specify if the private key installed is exportable (and can be exported later). The PFX is not exportable when it is installed to TPM.
Optional. Used to specify if the private key installed is exportable (and can be exported later). The PFX isn't exportable when it's installed to TPM.
> [!Note]
> You can only set PFXKeyExportable to true if KeyLocation=3. For any other KeyLocation value, the CSP will fail.
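Review bot: "The PFX isn't exportable when it's installed to TPM" should read "installed to the TPM". The first sentence of the paragraph is about the private key, not the PFX file, so "The key isn't exportable when it's installed to the TPM" keeps the subject consistent.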
@ -185,7 +185,7 @@ A node required for SCEP certificate enrollment. Parent node to group SCEP cert
Supported operations are Get, Add, Replace, and Delete.
> [!Note]
> Although the child nodes under Install support Replace commands, once the Exec command is sent to the device, the device will take the values that are set when the Exec command is accepted. The server should not expect the node value change after Exec command is accepted, as it will impact the current enrollment underway. The server should check the Status node value and make sure the device is not at an unknown state before changing child node values.
> Although the child nodes under Install support Replace commands, once the Exec command is sent to the device, the device will take the values that are set when the Exec command is accepted. The server should not expect the node value change after Exec command is accepted, as it will impact the current enrollment underway. The server should check the Status node value and ensure the device isn't at an unknown state before changing child node values.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-serverurl"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/ServerURL**
Required for SCEP certificate enrollment. Specifies the certificate enrollment server. Multiple server URLs can be listed, separated by semicolons.
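Review bot: the contraction pass is applied unevenly within this note: "isn't at an unknown state" is changed, but "The server should not expect the node value change" in the same paragraph is left as is; either change both ("shouldn't expect") or neither. That sentence is also missing an article: "after the Exec command is accepted".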
@ -213,7 +213,7 @@ Required. Specifies the subject name.
The SubjectName value is quoted if it contains leading or trailing white space or one of the following characters: (“,” “=” “+” “;”).
For more details, see [CertNameToStrA function](/windows/win32/api/wincrypt/nf-wincrypt-certnametostra#remarks).
For more information, see [CertNameToStrA function](/windows/win32/api/wincrypt/nf-wincrypt-certnametostra#remarks).
Data type is string.
@ -223,7 +223,7 @@ Supported operations are Add, Get, and Replace.
Optional. Specifies where to keep the private key.
> [!Note]
> Even if the private key is protected by TPM, it is not protected with a TPM PIN.
> Even if the private key is protected by TPM, it isn't protected with a TPM PIN.
The data type is an integer corresponding to one of the following values:
@ -298,14 +298,14 @@ Data type is string.
Supported operations are Add, Get, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-cathumbprint"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/CAThumbprint**
Required. Specifies Root CA thumbprint. This is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. When client authenticates the SCEP server, it checks the CA certificate from the SCEP server to verify a match with this certificate. If it is not a match, the authentication will fail.
Required. Specifies Root CA thumbprint. This thumbprint is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. When client authenticates the SCEP server, it checks the CA certificate from the SCEP server to verify a match with this certificate. If it isn't a match, the authentication will fail.
Data type is string.
Supported operations are Add, Get, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-subjectalternativenames"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/SubjectAlternativeNames**
Optional. Specifies subject alternative names (SAN). Multiple alternative names can be specified by this node. Each name is the combination of name format+actual name. Refer to the name type definitions in MSDN for more information.
Optional. Specifies subject alternative names (SAN). Multiple alternative names can be specified by this node. Each name is the combination of name format+actual name. For more information, see the name type definitions in MSDN.
Each pair is separated by semicolon. For example, multiple SANs are presented in the format of <em>[name format1]</em>+<em>[actual name1]</em>;<em>[name format 2]</em>+<em>[actual name2]</em>.
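Review bot: the CAThumbprint rewording leaves two missing articles in the same sentence it touches: "Specifies Root CA thumbprint" should be "Specifies the root CA thumbprint" and "When client authenticates the SCEP server" should be "When the client authenticates". The SubjectAlternativeNames change is fine; the context line below it uses raw <em> tags in markdown where *[name format1]* would render the same without HTML.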
@ -330,7 +330,7 @@ Valid values are:
Supported operations are Add, Get, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-validperiodunits"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/ValidPeriodUnits**
Optional. Specifies the desired number of units used in the validity period. This is subject to SCEP server configuration. Default value is 0. The unit type (days, months, or years) are defined in the ValidPeriod node. Note the valid period specified by MDM will overwrite the valid period specified in the certificate template. For example, if ValidPeriod is Days and ValidPeriodUnits is 30, it means the total valid duration is 30 days.
Optional. Specifies the desired number of units used in the validity period. This number is subject to SCEP server configuration. Default value is 0. The unit type (days, months, or years) is defined in the ValidPeriod node. Note the valid period specified by MDM will overwrite the valid period specified in the certificate template. For example, if ValidPeriod is Days and ValidPeriodUnits is 30, it means the total valid duration is 30 days.
Data type is string.
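Review bot: the subject-verb fix ("is defined in the ValidPeriod node") is correct. In the same paragraph, "Note the valid period specified by MDM will overwrite the valid period specified in the certificate template" reads as an aside; "The valid period specified by MDM overwrites the valid period in the certificate template" is clearer, and this behaviour deserves a plain statement because an MDM value longer than the template's silently extends certificate lifetime.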
@ -340,7 +340,7 @@ Data type is string.
Supported operations are Add, Get, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-containername"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/ContainerName**
Optional. Specifies the Windows Hello for Business container name (if Windows Hello for Business KSP is chosen for the node). If this node is not specified when Windows Hello for Business KSP is chosen, the enrollment will fail.
Optional. Specifies the Windows Hello for Business container name (if Windows Hello for Business KSP is chosen for the node). If this node isn't specified when Windows Hello for Business KSP is chosen, the enrollment will fail.
Data type is string.
@ -354,7 +354,7 @@ Data type is string.
Supported operations are Add, Get, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-enroll"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/Enroll**
Required. Triggers the device to start the certificate enrollment. The device will not notify MDM server after certificate enrollment is done. The MDM server could later query the device to find out whether new certificate is added.
Required. Triggers the device to start the certificate enrollment. The device won't notify MDM server after certificate enrollment is done. The MDM server could later query the device to find out whether new certificate is added.
The date type format is Null, meaning this node doesnt contain a value.
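Review bot: the context line directly under the Enroll change, "The date type format is Null, meaning this node doesnt contain a value.", has two typos a contraction pass should catch: "date type" should be "data type" (as used elsewhere in this file) and "doesnt" needs its apostrophe. In the changed line itself, "The device won't notify MDM server" and "whether new certificate is added" are missing articles ("the MDM server", "a new certificate").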
@ -368,9 +368,9 @@ Data type is string.
Supported operations are Add, Get, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-certthumbprint"></a>**ClientCertificateInstall/SCEP/*UniqueID*/CertThumbprint**
Optional. Specifies the current certificates thumbprint if certificate enrollment succeeds. It is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value.
Optional. Specifies the current certificates thumbprint if certificate enrollment succeeds. It's a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value.
If the certificate on the device becomes invalid (Cert expired, Cert chain is not valid, private key deleted) then it will return an empty string.
If the certificate on the device becomes invalid (Cert expired, Cert chain isn't valid, private key deleted) then it will return an empty string.
Data type is string.
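Review bot: "Specifies the current certificates thumbprint" in the changed line needs a possessive apostrophe ("certificate's thumbprint"). If the parenthetical on the second changed line is touched again, "Cert expired, Cert chain isn't valid" could spell out "certificate" to match the rest of the file.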


@ -18,7 +18,7 @@ The CM\_CellularEntries configuration service provider is used to configure the
This configuration service provider requires the ID\_CAP\_NETWORKING\_ADMIN capability to be accessed from a network configuration application.
The following shows the CM\_CellularEntries configuration service provider management object in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP). The OMA DM protocol is not supported with this configuration service provider.
The following example shows the CM\_CellularEntries configuration service provider management object in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP). The OMA DM protocol isn't supported with this configuration service provider.
```console
CM_CellularEntries
@ -56,9 +56,9 @@ CM_CellularEntries
<a href="" id="alwayson"></a>**AlwaysOn**
<p>Type: Int. Specifies if the Connection Manager will automatically attempt to connect to the APN when a connection is available.
<p>A value of &quot;0&quot; specifies that AlwaysOn is not supported, and the Connection Manager will only attempt to connect to the APN when an application requests the connection. This setting is recommended for applications that use a connection occasionally, for example, an APN that only controls MMS.
<p>A value of &quot;0&quot; specifies that AlwaysOn isn't supported, and the Connection Manager will only attempt to connect to the APN when an application requests the connection. This setting is recommended for applications that use a connection occasionally, for example, an APN that only controls MMS.
<p>A value of &quot;1&quot; specifies that AlwaysOn is supported, and the Connection Manager will automatically attempt to connect to the APN when it is available. This setting is recommended for general purpose Internet APNs.
<p>A value of &quot;1&quot; specifies that AlwaysOn is supported, and the Connection Manager will automatically attempt to connect to the APN when it's available. This setting is recommended for general purpose Internet APNs.
<p>There must be at least one AlwaysOn Internet connection provisioned for the mobile operator.
@ -112,7 +112,7 @@ CM_CellularEntries
<p> A value of &quot;0&quot; specifies that the connection can be used for any general Internet communications. A value of &quot;1&quot; specifies that the connection is only used if a mapping policy is present.
<p> For example, if the multimedia messaging service (MMS) APN should not have any other traffic except MMS, you can configure a mapping policy that sends MMS traffic to this connection. Then, you set the value of UseRequiresMappingsPolicy to be equal to &quot;1&quot; and Connection Manager will only use the connection for MMS traffic. Without this, Connection Manager will try to use the connection for any general purpose Internet traffic.
<p> For example, if the multimedia messaging service (MMS) APN shouldn't have any other traffic except MMS, you can configure a mapping policy that sends MMS traffic to this connection. Then, you set the value of UseRequiresMappingsPolicy to be equal to &quot;1&quot; and Connection Manager will only use the connection for MMS traffic. Without this, Connection Manager will try to use the connection for any general purpose Internet traffic.
<a href="" id="version"></a>**Version**
<p> Type: Int. Specifies the XML version number and is used to verify that the XML is supported by Connection Manager&#39;s configuration service provider.
@ -133,13 +133,13 @@ CM_CellularEntries
- 5 - Roaming only.
<a href="" id="oemconnectionid"></a>**OEMConnectionID**
<p> Optional. Type: GUID. Specifies a GUID to use to identify a specific connection in the modem. If a value is not specified, the default value is 00000000-0000-0000-0000-000000000000. This parameter is only used on LTE devices.
<p> Optional. Type: GUID. Specifies a GUID to use to identify a specific connection in the modem. If a value isn't specified, the default value is 00000000-0000-0000-0000-000000000000. This parameter is only used on LTE devices.
<a href="" id="apnid"></a>**ApnId**
<p> Optional. Type: Int. Specifies the purpose of the APN. If a value is not specified, the default value is &quot;0&quot; (none). This parameter is only used on LTE devices.
<p> Optional. Type: Int. Specifies the purpose of the APN. If a value isn't specified, the default value is &quot;0&quot; (none). This parameter is only used on LTE devices.
<a href="" id="iptype"></a>**IPType**
<p> Optional. Type: String. Specifies the network protocol of the connection. Available values are &quot;IPv4&quot;, &quot;IPv6&quot;, &quot;IPv4v6&quot;, and &quot;IPv4v6xlat&quot;. If a value is not specified, the default value is &quot;IPv4&quot;.
<p> Optional. Type: String. Specifies the network protocol of the connection. Available values are &quot;IPv4&quot;, &quot;IPv6&quot;, &quot;IPv4v6&quot;, and &quot;IPv4v6xlat&quot;. If a value isn't specified, the default value is &quot;IPv4&quot;.
> [!WARNING]
> Do not use IPv6 or IPv4v6xlat on a device or network that does not support IPv6. Data functionality will not work. In addition, the device will not be able to connect to a roaming network that does not support IPv6 unless you configure roaming connections with an IPType of IPv4v6.
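Review bot: the three "isn't specified" changes leave the WARNING block immediately below untouched, and it still reads "does not support IPv6. Data functionality will not work ... will not be able ... does not support IPv6"; if the goal is consistent contractions, this block is the most visible holdout in the file. Keeping "Do not use" as the imperative in a warning is defensible, but the rest of the sentence should then still follow the new convention ("doesn't support", "won't work").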
@ -147,9 +147,9 @@ CM_CellularEntries
<a href="" id="exemptfromdisablepolicy"></a>**ExemptFromDisablePolicy**
<p> Added back in Windows 10, version 1511. Optional. Type: Int. This should only be specified for special purpose connections whose applications directly manage their disable state (such as MMS). A value of &quot;0&quot; specifies that the connection is subject to the disable policy used by general purpose connections (not exempt). A value of &quot;1&quot; specifies that the connection is exempt. If a value is not specified, the default value is &quot;0&quot; (not exempt).
<p> Added back in Windows 10, version 1511. Optional. Type: Int. This value should only be specified for special purpose connections whose applications directly manage their disable state (such as MMS). A value of &quot;0&quot; specifies that the connection is subject to the disable policy used by general purpose connections (not exempt). A value of &quot;1&quot; specifies that the connection is exempt. If a value isn't specified, the default value is &quot;0&quot; (not exempt).
<p> To allow MMS when data is set to OFF, set both ExemptFromDisablePolicy and UseRequiresMappingsPolicy to &quot;1&quot;. This indicates that the connection is a dedicated MMS connection and that it should not be disabled when all other connections are disabled. As a result, MMS can be sent and received when data is set to OFF. Note that sending MMS while roaming is still not allowed.
<p> To allow MMS when data is set to OFF, set both ExemptFromDisablePolicy and UseRequiresMappingsPolicy to &quot;1&quot;. These settings indicates that the connection is a dedicated MMS connection and that it shouldn't be disabled when all other connections are disabled. As a result, MMS can be sent and received when data is set to OFF. Sending MMS while roaming is still not allowed.
> [!IMPORTANT]
> Do not set ExemptFromDisablePolicy to "1", ExemptFromRoaming to "1", or UseRequiresMappingsPolicy to "1" for general purpose connections.
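Review bot: the ExemptFromDisablePolicy rewrite introduces a subject-verb error: "These settings indicates that the connection is a dedicated MMS connection" should be "These settings indicate". The IMPORTANT block under it ("Do not set ExemptFromDisablePolicy to "1" ... for general purpose connections") is unchanged and should stay prominent: it is the guard against a general-purpose APN being marked exempt and staying up when data is set to OFF.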
@ -162,16 +162,16 @@ CM_CellularEntries
<a href="" id="exemptfromroaming"></a>**ExemptFromRoaming**
<p> Added back in Windows 10, version 1511. Optional. Type: Int. This should be specified only for special purpose connections whose applications directly manage their roaming state. It should never be used with general purpose connections. A value of &quot;0&quot; specifies that the connection is subject to the roaming policy (not exempt). A value of &quot;1&quot; specifies that the connection is exempt (unaffected by the roaming policy). If a value is not specified, the default value is &quot;0&quot; (not exempt).
<p> Added back in Windows 10, version 1511. Optional. Type: Int. This value should be specified only for special purpose connections whose applications directly manage their roaming state. It should never be used with general purpose connections. A value of &quot;0&quot; specifies that the connection is subject to the roaming policy (not exempt). A value of &quot;1&quot; specifies that the connection is exempt (unaffected by the roaming policy). If a value isn't specified, the default value is &quot;0&quot; (not exempt).
<a href="" id="tetheringnai"></a>**TetheringNAI**
<p> Optional. Type: Int. CDMA only. Specifies if the connection is a tethering connection. A value of &quot;0&quot; specifies that the connection is not a tethering connection. A value of &quot;1&quot; specifies that the connection is a tethering connection. If a value is not specified, the default value is &quot;0&quot;.
<p> Optional. Type: Int. CDMA only. Specifies if the connection is a tethering connection. A value of &quot;0&quot; specifies that the connection isn't a tethering connection. A value of &quot;1&quot; specifies that the connection is a tethering connection. If a value isn't specified, the default value is &quot;0&quot;.
<a href="" id="idledisconnecttimeout"></a>**IdleDisconnectTimeout**
<p> Optional. Type: Int. Specifies how long an on-demand connection can be unused before Connection Manager tears the connection down. This value is specified in seconds. Valid value range is 5 to 60 seconds. If not specified, the default is 30 seconds.
> [!IMPORTANT]
> <p> You must specify the IdleDisconnectTimeout value when updating an on-demand connection to ensure that the desired value is still configured. If it is not specified, the default value of 30 seconds may be used.
> <p> You must specify the IdleDisconnectTimeout value when updating an on-demand connection to ensure that the desired value is still configured. If it isn't specified, the default value of 30 seconds may be used.
> [!NOTE]
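Review bot: "If not specified, the default is 30 seconds" on the IdleDisconnectTimeout line is left uncontracted while the IMPORTANT block right under it is changed to "If it isn't specified"; pick one form for both. The hunk ends on a bare "> [!NOTE]" line, so the note's body is outside the diff context; worth checking in the full file that it still reads correctly after the IMPORTANT block.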


@ -23,7 +23,7 @@ The CMPolicy configuration service provider defines rules that the Connection Ma
Each policy entry identifies one or more applications in combination with a host pattern. The policy entry is assigned a list of connection details that Connection Manager uses to satisfy connection requests matching the application and host patterns. CMPolicy configuration service provider can have multiple policies
**Policy Ordering**: There is no explicit ordering of policies. The general rule is that the most concrete or specific policy mappings take a higher precedence.
**Policy Ordering**: There's no explicit ordering of policies. The general rule is that the most concrete or specific policy mappings take a higher precedence.
**Default Policies**: Policies are applied in order of their scope with the most specific policies considered before the more general policies. The phones default behavior applies to all applications and all domains and is only used when no other, more specific policy is available. The default policy is to use any available Wi-Fi network first and then any available APN.
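Review bot: two pre-existing issues sit in the context lines of this hunk and should be fixed alongside "There's no explicit ordering": "CMPolicy configuration service provider can have multiple policies" is missing its full stop, and "The phones default behavior" needs an apostrophe ("phone's").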
@ -67,12 +67,12 @@ The following list describes the available mapping policy types:
<a href="" id="host"></a>**Host**
Specifies the name of a host pattern. The host name is matched to the connection request to select the right policy to use.
The host pattern can have two wild cards, "\*" and "+". The host pattern is not a URL pattern and there is no concept of transport or paths on the specific host. For example, the host pattern might be "\*.host\_name.com" to match any prefix to the host\_name.com domains. The host pattern will match "www.host\_name.com" and "mail.host\_name.com", but it will not match "host\_name.com".
The host pattern can have two wild cards, "\*" and "+". The host pattern isn't a URL pattern and there's no concept of transport or paths on the specific host. For example, the host pattern might be "\*.host\_name.com" to match any prefix to the host\_name.com domains. The host pattern will match "www.host\_name.com" and "mail.host\_name.com", but it will not match "host\_name.com".
<a href="" id="orderedconnections"></a>**OrderedConnections**
Specifies whether the list of connections is in preference order.
A value of "0" specifies that the connections are not listed in order of preference. A value of "1" indicates that the listed connections are in order of preference.
A value of "0" specifies that the connections aren't listed in order of preference. A value of "1" indicates that the listed connections are in order of preference.
<a href="" id="connxxx"></a>**Conn**<strong>*XXX*</strong>
Enumerates the connections associated with the policy. Element names begin with "Conn" followed by three digits, which increment starting from "000". For example, a policy, which applied to five connections would have element entries named "Conn000", "Conn001", "Conn002", "Conn003", and "Conn004".
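Review bot: in the Host paragraph, "isn't a URL pattern and there's no concept" is changed but "but it will not match "host_name.com"" at the end of the same sentence is not ("won't match"). The Conn*XXX* paragraph in this file keeps "three digits, which increment ... a policy, which applied to five connections", while the identical paragraph in CMPolicyEnterprise in this same commit is rewritten to "three digits that increment ... a policy applied to five connections"; both files should get the same edit.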


@ -24,7 +24,7 @@ The CMPolicyEnterprise configuration service provider is used by the enterprise
Each policy entry identifies one or more applications in combination with a host pattern. The policy entry is assigned a list of connection details that Connection Manager uses to satisfy connection requests matching the application and host patterns. CMPolicyEnterprise configuration service provider can have multiple policies
**Policy Ordering**: There is no explicit ordering of policies. The general rule is that the most concrete or specific policy mappings take a higher precedence.
**Policy Ordering**: There's no explicit ordering of policies. The general rule is that the most concrete or specific policy mappings take a higher precedence.
**Default Policies**: Policies are applied in order of their scope with the most specific policies considered before the more general policies. The phones default behavior applies to all applications and all domains and is only used when no other, more specific policy is available. The default policy is to use any available Wi-Fi network first and then any available APN.
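Review bot: the same two leftovers appear in these context lines as in the CMPolicy introduction: "can have multiple policies" has no full stop, and "The phones default behavior" should be "The phone's default behavior".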
@ -67,15 +67,15 @@ The following list describes the available mapping policy types:
<a href="" id="host"></a>**Host**
Specifies the name of a host pattern. The host name is matched to the connection request to select the right policy to use.
The host pattern can have two wild cards, "\*" and "+". The host pattern is not a URL pattern and there is no concept of transport or paths on the specific host. For example, the host pattern might be "\*.host\_name.com" to match any prefix to the host\_name.com domains. The host pattern will match "www.host\_name.com" and "mail.host\_name.com", but it will not match "host\_name.com".
The host pattern can have two wild cards, "\*" and "+". The host pattern isn't a URL pattern and there's no concept of transport or paths on the specific host. For example, the host pattern might be "\*.host\_name.com" to match any prefix to the host\_name.com domains. The host pattern will match "www.host\_name.com" and "mail.host\_name.com", but it will not match "host\_name.com".
<a href="" id="orderedconnections"></a>**OrderedConnections**
Specifies whether the list of connections is in preference order.
A value of "0" specifies that the connections are not listed in order of preference. A value of "1" indicates that the listed connections are in order of preference.
A value of "0" specifies that the connections aren't listed in order of preference. A value of "1" indicates that the listed connections are in order of preference.
<a href="" id="connxxx"></a>**Conn**<strong>*XXX*</strong>
Enumerates the connections associated with the policy. Element names begin with "Conn" followed by three digits which increment starting from "000". For example, a policy which applied to five connections would have element entries named "Conn000", "Conn001", "Conn002", "Conn003", and "Conn004".
Enumerates the connections associated with the policy. Element names begin with "Conn" followed by three digits that increment starting from "000". For example, a policy applied to five connections would have element entries named "Conn000", "Conn001", "Conn002", "Conn003", and "Conn004".
<a href="" id="connectionid"></a>**ConnectionID**
Specifies a unique identifier for a connection within a group of connections. The exact value is based on the Type parameter.
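Review bot: the Conn*XXX* rewrite ("three digits that increment starting from "000" ... a policy applied to five connections") is an improvement. The Host line above it still ends with "but it will not match "host_name.com"" in a sentence otherwise converted to contractions; "won't match" for consistency.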


@ -14,8 +14,8 @@ ms.date: 06/26/2017
# CustomDeviceUI CSP
The CustomDeviceUI configuration service provider allows OEMs to implement their custom foreground application, as well as the background tasks to run on an IoT device running IoT Core. Only one foreground application is supported per device. Multiple background tasks are supported.
The following shows the CustomDeviceUI configuration service provider in tree format as used by both the Open Mobile Alliance (OMA) Device Management (DM) and OMA Client Provisioning.
The CustomDeviceUI configuration service provider allows OEMs to implement their custom foreground application, and the background tasks to run on an IoT device running IoT Core. Only one foreground application is supported per device. Multiple background tasks are supported.
The following example shows the CustomDeviceUI configuration service provider in tree format as used by both the Open Mobile Alliance (OMA) Device Management (DM) and OMA Client Provisioning.
> [!NOTE]
> This configuration service provider only applies to Windows 10 IoT Core (IoT Core).
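Review bot: replacing "as well as" with "and" leaves a stray comma: "implement their custom foreground application, and the background tasks to run on an IoT device" should drop the comma before "and". The "The following example shows ... in tree format" change has the same problem as on the other CSP pages in this commit: what follows is the provider's node tree, not an example.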
@ -38,7 +38,7 @@ AppID string value is the default appid/AUMID to launch during startup. The supp
List of package names of background tasks that need to be launched on device startup. The supported operation is Get.
<a href="" id="BackgroundTasksToLaunch/BackgroundTaskPackageName"></a>**BackgroundTasksToLaunch/**<strong>*BackgroundTaskPackageName*</strong>
Package Full Name of the App that needs be launched in the background. This can contain no entry points, a single entry point, or multiple entry points. The supported operations are Add, Delete, Get, and Replace.
Package Full Name of the application that needs to be launched in the background. This application can contain no entry points, a single entry point, or multiple entry points. The supported operations are Add, Delete, Get, and Replace.
## SyncML examples


@ -20,7 +20,7 @@ ms.date: 02/22/2022
The Windows Defender configuration service provider is used to configure various Windows Defender actions across the enterprise.
The following shows the Windows Defender configuration service provider in tree format.
The following example shows the Windows Defender configuration service provider in tree format.
```
./Vendor/MSFT
Defender
@ -97,7 +97,7 @@ The data type is a string.
Supported operation is Get.
<a href="" id="detections-threatid-url"></a>**Detections/*ThreatId*/URL**
URL link for additional threat information.
URL link for more threat information.
The data type is a string.
@ -255,9 +255,9 @@ Supported operation is Get.
The Network Protection Service is a network filter that helps to protect you against web-based malicious threats, including phishing and malware. The Network Protection service contacts the SmartScreen URL reputation service to validate the safety of connections to web resources.
The acceptable values for this parameter are:
- 0: Disabled. The Network Protection service will not block navigation to malicious websites, or contact the SmartScreen URL reputation service. It will still send connection metadata to the antimalware engine if behavior monitoring is enabled, to enhance AV Detections.
- 0: Disabled. The Network Protection service won't block navigation to malicious websites, or contact the SmartScreen URL reputation service. It will still send connection metadata to the antimalware engine if behavior monitoring is enabled, to enhance AV Detections.
- 1: Enabled. The Network Protection service will block connections to malicious websites based on URL Reputation from the SmartScreen URL reputation service.
- 2: AuditMode. As above, but the Network Protection service will not block connections to malicious websites, but will instead log the access to the event log.
- 2: AuditMode. As above, but the Network Protection service won't block connections to malicious websites, but will instead log the access to the event log.
Accepted values: Disabled, Enabled, and AuditMode
Position: Named
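Review bot: the rewritten AuditMode line stacks two "but" clauses ("As above, but ... won't block ..., but will instead log"); suggest "- 2: AuditMode. The Network Protection service won't block connections to malicious websites, but logs the access to the event log instead." Separately, the trailing "Accepted values: Disabled, Enabled, and AuditMode" and "Position: Named" fields are PowerShell cmdlet parameter metadata, not CSP node metadata; the other nodes on this page give a data type and supported operations, so consider documenting these Network Protection nodes in that same style.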
@ -267,7 +267,7 @@ Accept wildcard characters: False
<a href="" id="enablenetworkprotection-allownetworkprotectiondownlevel"></a>**EnableNetworkProtection/AllowNetworkProtectionDownLevel**
By default, network protection is not allowed to be enabled on Windows versions before 1709, regardless of the setting of the EnableNetworkProtection configuration. Set this configuration to "$true" to override that behavior and allow Network Protection to be set to Enabled or Audit Mode.
By default, network protection isn't allowed to be enabled on Windows versions before 1709, regardless of the setting of the EnableNetworkProtection configuration. Set this configuration to "$true" to override that behavior and allow Network Protection to be set to Enabled or Audit Mode.
- Type: Boolean
- Position: Named
- Default value: False
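Review bot: "Set this configuration to "$true"" uses a PowerShell literal, which a CSP reader cannot send; since the node is typed Boolean, suggest "Set this setting to true". The same "$true" wording appears in the following AllowNetworkProtectionOnWinServer, DisableInboundConnectionFiltering, EnableDnsSinkhole, DisableDnsOverTcpParsing and DisableDnsParsing hunks.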
@ -276,7 +276,7 @@ By default, network protection is not allowed to be enabled on Windows versions
<a href="" id="enablenetworkprotection-allownetworkprotectiononwinserver"></a>**EnableNetworkProtection/AllowNetworkProtectionOnWinServer**
By default, network protection is not allowed to be enabled on Windows Server, regardless of the setting of the EnableNetworkProtection configuration. Set this configuration to "$true" to override that behavior and allow Network Protection to be set to Enabled or Audit Mode.
By default, network protection isn't allowed to be enabled on Windows Server, regardless of the setting of the EnableNetworkProtection configuration. Set this configuration to "$true" to override that behavior and allow Network Protection to be set to Enabled or Audit Mode.
- Type: Boolean
- Position: Named
@ -306,7 +306,7 @@ Network Protection inspects UDP connections allowing us to find malicious DNS or
<a href="" id="enablenetworkprotection-disableinboundconnectionfiltering"></a>**EnableNetworkProtection/DisableInboundConnectionFiltering**
Network Protection inspects and can block both connections that originate from the host machine, as well as those that originates from outside the machine. To have network connection to inspect only outbound connections, set this configuration to "$true".
Network Protection inspects and can block both connections that originate from the host machine, and those connections that originate from outside the machine. To have network connection to inspect only outbound connections, set this configuration to "$true".
- Type: Boolean
- Position: Named
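Review bot: the second sentence is still garbled after the edit ("To have network connection to inspect only outbound connections"); suggest "To have Network Protection inspect only outbound connections, set this setting to true."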
@ -316,7 +316,7 @@ Network Protection inspects and can block both connections that originate from t
<a href="" id="enablenetworkprotection-enablednssinkhole"></a>**EnableNetworkProtection/EnableDnsSinkhole**
Network Protection can inspect the DNS traffic of a machine and, in conjunction with behavior monitoring, detect and sink hole DNS exfiltration attempts and other DNS based malicious attacks. Set this configuration to "$true" to enable this feature.
Network Protection can inspect the DNS traffic of a machine and, in conjunction with behavior monitoring, detect and sink hole DNS exfiltration attempts and other DNS-based malicious attacks. Set this configuration to "$true" to enable this feature.
- Type: Boolean
- Position: Named
@ -326,7 +326,7 @@ Network Protection can inspect the DNS traffic of a machine and, in conjunction
<a href="" id="enablenetworkprotection-disablednsovertcpparsing"></a>**EnableNetworkProtection/DisableDnsOverTcpParsing**
Network Protection inspects DNS traffic that occurs over a TCP channel, to provide metadata for Anti-malware Behavior Monitoring or to allow for DNS sink holing if the -EnableDnsSinkhole configuration is set. This can be disabled by setting this value to "$true".
Network Protection inspects DNS traffic that occurs over a TCP channel, to provide metadata for Anti-malware Behavior Monitoring or to allow for DNS sink holing if the -EnableDnsSinkhole configuration is set. This attribute can be disabled by setting this value to "$true".
- Type: Boolean
- Position: Named
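Review bot: "This attribute can be disabled" misnames what is being switched off; the sentence is about DNS-over-TCP inspection, so suggest "This inspection can be disabled by setting this value to true." Also, "-EnableDnsSinkhole" with a leading hyphen is cmdlet parameter syntax; the CSP node is EnableNetworkProtection/EnableDnsSinkhole and should be referenced by that name. Both points apply equally to the DisableDnsParsing hunk that follows.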
@ -336,7 +336,7 @@ Network Protection inspects DNS traffic that occurs over a TCP channel, to provi
<a href="" id="enablenetworkprotection-disablednsparsing"></a>**EnableNetworkProtection/DisableDnsParsing**
Network Protection inspects DNS traffic that occurs over a UDP channel, to provide metadata for Anti-malware Behavior Monitoring or to allow for DNS sink holing if the -EnableDnsSinkhole configuration is set. This can be disabled by setting this value to "$true".
Network Protection inspects DNS traffic that occurs over a UDP channel, to provide metadata for Anti-malware Behavior Monitoring or to allow for DNS sink holing if the -EnableDnsSinkhole configuration is set. This attribute can be disabled by setting this value to "$true".
- Type: Boolean
- Position: Named
@ -390,7 +390,7 @@ An interior node to group information about Windows Defender health status.
Supported operation is Get.
<a href="" id="health-productstatus"></a>**Health/ProductStatus**
Added in Windows 10, version 1809. Provide the current state of the product. This is a bitmask flag value that can represent one or multiple product states from below list.
Added in Windows 10, version 1809. Provide the current state of the product. This value is a bitmask flag value that can represent one or multiple product states from below list.
The data type is integer. Supported operation is Get.
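Review bot: "This value is a bitmask flag value" is redundant and "from below list" is ungrammatical; suggest "Provides the current state of the product. This is a bitmask that can represent one or more product states from the list below."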
@ -480,7 +480,7 @@ Supported operation is Get.
<a href="" id="health-quickscanoverdue"></a>**Health/QuickScanOverdue**
Indicates whether a Windows Defender quick scan is overdue for the device.
A Quick scan is overdue when a scheduled Quick scan did not complete successfully for 2 weeks and [catchup Quick scans](./policy-csp-defender.md#defender-disablecatchupquickscan) are disabled (default).
A Quick scan is overdue when a scheduled Quick scan didn't complete successfully for 2 weeks and [catchup Quick scans](./policy-csp-defender.md#defender-disablecatchupquickscan) are disabled (default).
The data type is a Boolean.
@ -489,7 +489,7 @@ Supported operation is Get.
<a href="" id="health-fullscanoverdue"></a>**Health/FullScanOverdue**
Indicates whether a Windows Defender full scan is overdue for the device.
A Full scan is overdue when a scheduled Full scan did not complete successfully for 2 weeks and [catchup Full scans](./policy-csp-defender.md#defender-disablecatchupfullscan) are disabled (default).
A Full scan is overdue when a scheduled Full scan didn't complete successfully for 2 weeks and [catchup Full scans](./policy-csp-defender.md#defender-disablecatchupfullscan) are disabled (default).
The data type is a Boolean.
@ -585,30 +585,30 @@ An interior node to group Windows Defender configuration information.
Supported operation is Get.
<a href="" id="configuration-tamperprotection"></a>**Configuration/TamperProtection**
Tamper protection helps protect important security features from unwanted changes and interference. This includes real-time protection, behavior monitoring, and more. Accepts signed string to turn the feature on or off. Settings are configured with an MDM solution, such as Intune and is available in Windows 10 Enterprise E5 or equivalent subscriptions.
Tamper protection helps protect important security features from unwanted changes and interference. This protection includes real-time protection, behavior monitoring, and more. Accepts signed string to turn the feature on or off. Settings are configured with an MDM solution, such as Intune and is available in Windows 10 Enterprise E5 or equivalent subscriptions.
Send off blob to device to reset tamper protection state before setting this configuration to "not configured" or "unassigned" in Intune.
Send off blob to device to reset the tamper protection state before setting this configuration to "not configured" or "unassigned" in Intune.
The data type is a Signed blob.
Supported operations are Add, Delete, Get, Replace.
Intune tamper protection setting UX supports three states:
- Not configured (default): Does not have any impact on the default state of the device.
- Not configured (default): Doesn't have any impact on the default state of the device.
- Enabled: Enables the tamper protection feature.
- Disabled: Turns off the tamper protection feature.
When enabled or disabled exists on the client and admin moves the setting to not configured, it will not have any impact on the device state. To change the state to either enabled or disabled would require to be set explicitly.
When enabled or disabled exists on the client and admin moves the setting to not configured, it won't have any impact on the device state. To change the state to either enabled or disabled would require to be set explicitly.
<a href="" id="configuration-disablelocaladminmerge"></a>**Configuration/DisableLocalAdminMerge**<br>
This policy setting controls whether or not complex list settings configured by a local administrator are merged with managed settings. This setting applies to lists such as threats and exclusions.
If you disable or do not configure this setting, unique items defined in preference settings configured by the local administrator will be merged into the resulting effective policy. In the case of conflicts, management settings will override preference settings.
If you disable or don't configure this setting, unique items defined in preference settings configured by the local administrator will be merged into the resulting effective policy. If conflicts occur, management settings will override preference settings.
If you enable this setting, only items defined by management will be used in the resulting effective policy. Managed settings will override preference settings configured by the local administrator.
> [!NOTE]
> Applying this setting will not remove exclusions from the device registry, it will only prevent them from being applied/used. This is reflected in **Get-MpPreference**.
> Applying this setting won't remove exclusions from the device registry, it will only prevent them from being applied/used. This is reflected in **Get-MpPreference**.
Supported OS versions: Windows 10
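Review bot: "To change the state to either enabled or disabled would require to be set explicitly" is still ungrammatical after the edit; suggest "To change the state to enabled or disabled, the setting must be set explicitly." The unchanged line above it also has a subject-agreement error ("Settings are configured with an MDM solution, such as Intune and is available"); suggest "Settings are configured with an MDM solution, such as Intune, and are available in Windows 10 Enterprise E5 or equivalent subscriptions."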
@ -621,14 +621,14 @@ Valid values are:
- 0 (default) Disable.
<a href="" id="configuration-hideexclusionsfromlocaladmins"></a>**Configuration/HideExclusionsFromLocalAdmins**<br>
This policy setting controls whether or not exclusions are visible to Local Admins. For end users (that are not Local Admins) exclusions are not visible, whether or not this setting is enabled.
This policy setting controls whether or not exclusions are visible to Local Admins. For end users (that aren't Local Admins) exclusions aren't visible, whether or not this setting is enabled.
If you disable or do not configure this setting, Local Admins will be able to see exclusions in the Windows Security App, in the registry, and via PowerShell.
If you disable or don't configure this setting, Local Admins will be able to see exclusions in the Windows Security App, in the registry, and via PowerShell.
If you enable this setting, Local Admins will no longer be able to see the exclusion list in the Windows Security app, in the registry, or via PowerShell.
> [!NOTE]
> Applying this setting will not remove exclusions, it will only prevent them from being visible to Local Admins. This is reflected in **Get-MpPreference**.
> Applying this setting won't remove exclusions, it will only prevent them from being visible to Local Admins. This is reflected in **Get-MpPreference**.
Supported OS versions: Windows 10
@ -641,7 +641,7 @@ Valid values are:
- 0 (default) Disable.
<a href="" id="configuration-disablecputhrottleonidlescans"></a>**Configuration/DisableCpuThrottleOnIdleScans**<br>
Indicates whether the CPU will be throttled for scheduled scans while the device is idle. This feature is enabled by default and will not throttle the CPU for scheduled scans performed when the device is otherwise idle, regardless of what ScanAvgCPULoadFactor is set to. For all other scheduled scans this flag will have no impact and normal throttling will occur.
Indicates whether the CPU will be throttled for scheduled scans while the device is idle. This feature is enabled by default and won't throttle the CPU for scheduled scans performed when the device is otherwise idle, regardless of what ScanAvgCPULoadFactor is set to. For all other scheduled scans, this flag will have no impact and normal throttling will occur.
The data type is integer.
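Review bot: the description is ambiguous about which "feature" is enabled by default, because the node is a Disable* flag but the text reads as if throttling itself is the feature; suggest "When enabled (the default), scheduled scans that run while the device is otherwise idle are not CPU-throttled, regardless of the ScanAvgCPULoadFactor value. All other scheduled scans are throttled as normal."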
@ -682,7 +682,7 @@ Supported operations are Add, Delete, Get, Replace.
<a href="" id="configuration-enablefilehashcomputation"></a>**Configuration/EnableFileHashComputation**
Enables or disables file hash computation feature.
When this feature is enabled Windows Defender will compute hashes for files it scans.
When this feature is enabled, Windows Defender will compute hashes for files it scans.
The data type is integer.
@ -701,11 +701,11 @@ Supported operations are Add, Delete, Get, Replace.
Intune Support log location setting UX supports three states:
- Not configured (default) - Does not have any impact on the default state of the device.
- Not configured (default) - Doesn't have any impact on the default state of the device.
- 1 - Enabled. Enables the Support log location feature. Requires admin to set custom file path.
- 0 - Disabled. Turns off the Support log location feature.
When enabled or disabled exists on the client and admin moves the setting to not configured, it will not have any impact on the device state. To change the state to either enabled or disabled would require to be set explicitly.
When enabled or disabled exists on the client and admin moves the setting to be configured not , it won't have any impact on the device state. To change the state to either enabled or disabled would require to be set explicitly.
More details:
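Review bot: the edit introduces a word-order error, "moves the setting to be configured not ,"; this should read "moves the setting to not configured," (the wording the corresponding TamperProtection hunk uses). The following sentence also needs "would require to be set explicitly" changed to "the setting must be set explicitly."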
@ -725,7 +725,7 @@ Current Channel (Broad): Devices will be offered updates only after the gradual
Critical: Devices will be offered updates with a 48-hour delay. Suggested for critical environments only
If you disable or do not configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices.
If you disable or don't configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices.
The data type is integer.
@ -758,7 +758,7 @@ Current Channel (Broad): Devices will be offered updates only after the gradual
Critical: Devices will be offered updates with a 48-hour delay. Suggested for critical environments only
If you disable or do not configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices.
If you disable or don't configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices.
The data type is integer.
@ -784,7 +784,7 @@ Current Channel (Staged): Devices will be offered updates after the release cycl
Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).
If you disable or do not configure this policy, the device will stay up to date automatically during the daily release cycle. Suitable for most devices.
If you disable or don't configure this policy, the device will stay up to date automatically during the daily release cycle. Suitable for most devices.
The data type is integer.
Supported operations are Add, Delete, Get, Replace.
@ -801,12 +801,12 @@ More details:
<a href="" id="configuration-disablegradualrelease"></a>**Configuration/DisableGradualRelease**
Enable this policy to disable gradual rollout of monthly and daily Microsoft Defender updates.
Devices will be offered all Microsoft Defender updates after the gradual release cycle completes. This is best for datacenters that only receive limited updates.
Devices will be offered all Microsoft Defender updates after the gradual release cycle completes. This facility for devices is best for datacenters that only receive limited updates.
> [!NOTE]
> This setting applies to both monthly as well as daily Microsoft Defender updates and will override any previously configured channel selections for platform and engine updates.
If you disable or do not configure this policy, the device will remain in Current Channel (Default) unless specified otherwise in specific channels for platform and engine updates. Stay up to date automatically during the gradual release cycle. Suitable for most devices.
If you disable or don't configure this policy, the device will remain in Current Channel (Default) unless specified otherwise in specific channels for platform and engine updates. Stay up to date automatically during the gradual release cycle. Suitable for most devices.
The data type is integer.
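Review bot: "This facility for devices is best for datacenters" is awkward; suggest "This option is best for datacenters that only receive limited updates." In the same hunk, "Stay up to date automatically during the gradual release cycle." is a sentence fragment; suggest "The device stays up to date automatically during the gradual release cycle."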
@ -17,9 +17,9 @@ ms.date: 11/01/2017
The DeviceManageability configuration service provider (CSP) is used to retrieve the general information about MDM configuration capabilities on the device. This CSP was added in Windows 10, version 1607.
For performance reasons, DeviceManageability CSP directly reads the CSP version from the registry. Specifically, the value csp\_version is used to determine each of the CSP versions. The csp\_version is a value under each of the CSP registration keys. To have consistency on the CSP version, the CSP GetProperty implementation for CFGMGR\_PROPERTY\_SEMANTICTYPE has to be updated to read from the registry as well, so that the both paths return the same information.
For performance reasons, DeviceManageability CSP directly reads the CSP version from the registry. Specifically, the value csp\_version is used to determine each of the CSP versions. The csp\_version is a value under each of the CSP registration keys. To have consistency on the CSP version, the CSP GetProperty implementation for CFGMGR\_PROPERTY\_SEMANTICTYPE has to be updated to read from the registry as well, so that both the paths return the same information.
The following shows the DeviceManageability configuration service provider in a tree format.
The following example shows the DeviceManageability configuration service provider in a tree format.
```
./Device/Vendor/MSFT
DeviceManageability
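Review bot: "so that both the paths return the same information" should be "so that both paths return the same information."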
@ -46,14 +46,14 @@ Added in Windows 10, version 1709. Interior node.
Added in Windows 10, version 1709. Provider ID of the configuration source. ProviderID should be unique among the different config sources.
<a href="" id="capabilities-cspversions"></a>**Provider/_ProviderID_/ConfigInfo**
Added in Windows 10, version 1709. Configuration information string value set by the configuration source. Recommended to be used during sync session.
Added in Windows 10, version 1709. Configuration information string value set by the configuration source. Recommended to use during sync session.
ConfigInfo value can only be set by the provider that owns the ProviderID. The value is readable by other config sources.
Data type is string. Supported operations are Add, Get, Delete, and Replace.
<a href="" id="capabilities-cspversions"></a>**Provider/_ProviderID_/EnrollmentInfo**
Added in Windows 10, version 1709. Enrollment information string value set by the configuration source and sent during MDM enrollment. It is readable by MDM server during sync session.
Added in Windows 10, version 1709. Enrollment information string value set by the configuration source and sent during MDM enrollment. It's readable by MDM server during sync session.
Data type is string. Supported operations are Add, Get, Delete, and Replace. 
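Review bot: "Recommended to use during sync session" drops the articles; suggest "Recommended for use during a sync session." The EnrollmentInfo line has the same issue: "It's readable by the MDM server during a sync session."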
@ -17,7 +17,7 @@ ms.date: 06/25/2021
The DeviceStatus configuration service provider is used by the enterprise to keep track of device inventory and query the state of compliance of these devices with their enterprise policies.
The following shows the DeviceStatus configuration service provider in tree format.
The following example shows the DeviceStatus configuration service provider in tree format.
```
./Vendor/MSFT
DeviceStatus
@ -67,7 +67,7 @@ DeviceStatus
The root node for the DeviceStatus configuration service provider.
<a href="" id="devicestatus-securebootstate"></a>**DeviceStatus/SecureBootState**
Indicates whether secure boot is enabled. The value is one of the following:
Indicates whether secure boot is enabled. The value is one of the following values:
- 0 - Not supported
- 1 - Enabled
@ -136,7 +136,7 @@ Boolean value that indicates whether the network card associated with the MAC ad
Supported operation is Get.
<a href="" id="devicestatus-networkidentifiers-macaddress-type"></a>**DeviceStatus/NetworkIdentifiers/*MacAddress*/Type**
Type of network connection. The value is one of the following:
Type of network connection. The value is one of the following values:
- 2 - WLAN (or other Wireless interface)
- 1 - LAN (or other Wired interface)
@ -148,7 +148,7 @@ Supported operation is Get.
Node for the compliance query.
<a href="" id="devicestatus-compliance-encryptioncompliance"></a>**DeviceStatus/Compliance/EncryptionCompliance**
Boolean value that indicates compliance with the enterprise encryption policy for OS (system) drives. The value is one of the following:
Boolean value that indicates compliance with the enterprise encryption policy for OS (system) drives. The value is one of the following values:
- 0 - Not encrypted
- 1 - Encrypted
@ -194,9 +194,9 @@ Added in Windows, version 1607. Integer that specifies the status of the antivi
Valid values:
- 0 - The security software reports that it is not the most recent version.
- 1 (default) - The security software reports that it is the most recent version.
- 2 Not applicable. This is returned for devices like the phone that do not have an antivirus (where the API doesnt exist.)
- 0 - The security software reports that it isn't the most recent version.
- 1 (default) - The security software reports that it's the most recent version.
- 2 Not applicable. This value is returned for devices like the phone that don't have an antivirus (where the API doesnt exist.)
Supported operation is Get.
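Review bot: while this line is being touched, "doesnt" is missing its apostrophe and the closing period sits inside the parenthesis; suggest "- 2 - Not applicable. This value is returned for devices like the phone that don't have an antivirus (where the API doesn't exist)." Note the "- 2" item is also missing the " - " separator the other items use. The same "doesnt exist.)" string recurs in the three status hunks that follow (AntivirusStatus, AntispywareSignatureStatus and FirewallStatus).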
@ -213,9 +213,9 @@ Valid values:
- 0 Antivirus is on and monitoring.
- 1 Antivirus is disabled.
- 2 Antivirus is not monitoring the device/PC or some options have been turned off.
- 2 Antivirus isn't monitoring the device/PC or some options have been turned off.
- 3 (default) Antivirus is temporarily not completely monitoring the device/PC.
- 4 Antivirus not applicable for this device. This is returned for devices like the phone that do not have an antivirus (where the API doesnt exist.)
- 4 Antivirus not applicable for this device. This value is returned for devices like the phone that don't have an antivirus (where the API doesnt exist.)
Supported operation is Get.
@ -229,9 +229,9 @@ Added in Windows, version 1607. Integer that specifies the status of the antisp
Valid values:
- 0 - The security software reports that it is not the most recent version.
- 1 - The security software reports that it is the most recent version.
- 2 - Not applicable. This is returned for devices like the phone that do not have an antivirus (where the API doesnt exist.)
- 0 - The security software reports that it isn't the most recent version.
- 1 - The security software reports that it's the most recent version.
- 2 - Not applicable. This value is returned for devices like the phone that don't have an antivirus (where the API doesnt exist.)
Supported operation is Get.
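Review bot: this node's hunk header is the antispyware signature status, but the "Not applicable" item still says the device doesn't "have an antivirus"; please confirm whether this should read "antispyware", since the text looks copied from the antivirus node above.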
@ -246,10 +246,10 @@ Added in Windows, version 1607. Integer that specifies the status of the antisp
Valid values:
- 0 - The status of the security provider category is good and does not need user attention.
- 1 - The status of the security provider category is not monitored by Windows Security.
- 0 - The status of the security provider category is good and doesn't need user attention.
- 1 - The status of the security provider category isn't monitored by Windows Security.
- 2 - The status of the security provider category is poor and the computer may be at risk.
- 3 - The security provider category is in snooze state. Snooze indicates that the Windows Security Service is not actively protecting the computer.
- 3 - The security provider category is in snooze state. Snooze indicates that the Windows Security Service isn't actively protecting the computer.
Supported operation is Get.
@ -265,9 +265,9 @@ Valid values:
- 0 Firewall is on and monitoring.
- 1 Firewall has been disabled.
- 2 Firewall is not monitoring all networks or some rules have been turned off.
- 2 Firewall isn't monitoring all networks or some rules have been turned off.
- 3 (default) Firewall is temporarily not monitoring all networks.
- 4 Not applicable. This is returned for devices like the phone that do not have an antivirus (where the API doesnt exist.)
- 4 Not applicable. This value is returned for devices like the phone that don't have an antivirus (where the API doesnt exist.)
Supported operation is Get.
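Review bot: the "4 Not applicable" item on the firewall status node says the device doesn't "have an antivirus", which reads like a copy-paste from the antivirus node; please confirm and change to "don't have a firewall" if that is what is meant.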
@ -292,21 +292,21 @@ Added in Windows, version 1607. Integer that specifies the status of the batter
Supported operation is Get.
<a href="" id="devicestatus-battery-estimatedchargeremaining"></a>**DeviceStatus/Battery/EstimatedChargeRemaining**
Added in Windows, version 1607. Integer that specifies the estimated battery charge remaining. This is the value returned in **BatteryLifeTime** in [SYSTEM\_POWER\_STATUS structure](/windows/win32/api/winbase/ns-winbase-system_power_status).
Added in Windows, version 1607. Integer that specifies the estimated battery charge remaining. This value is the one that is returned in **BatteryLifeTime** in [SYSTEM\_POWER\_STATUS structure](/windows/win32/api/winbase/ns-winbase-system_power_status).
The value is the number of seconds of battery life remaining when the device is not connected to an AC power source. When it is connected to a power source, the value is -1. When the estimation is unknown, the value is -1.
The value is the number of seconds of battery life remaining when the device isn't connected to an AC power source. When it's connected to a power source, the value is -1. When the estimation is unknown, the value is -1.
Supported operation is Get.
<a href="" id="devicestatus-battery-estimatedruntime"></a>**DeviceStatus/Battery/EstimatedRuntime**
Added in Windows, version 1607. Integer that specifies the estimated runtime of the battery. This is the value returned in **BatteryLifeTime** in [SYSTEM\_POWER\_STATUS structure](/windows/win32/api/winbase/ns-winbase-system_power_status).
Added in Windows, version 1607. Integer that specifies the estimated runtime of the battery. This value is the one that is returned in **BatteryLifeTime** in [SYSTEM\_POWER\_STATUS structure](/windows/win32/api/winbase/ns-winbase-system_power_status).
The value is the number of seconds of battery life remaining when the device is not connected to an AC power source. When it is connected to a power source, the value is -1. When the estimation is unknown, the value is -1.
The value is the number of seconds of battery life remaining when the device isn't connected to an AC power source. When it's connected to a power source, the value is -1. When the estimation is unknown, the value is -1.
Supported operation is Get.
<a href="" id="devicestatus-domainname"></a>**DeviceStatus/DomainName**
Added in Windows, version 1709. Returns the fully qualified domain name of the device (if any). If the device is not domain-joined, it returns an empty string.
Added in Windows, version 1709. Returns the fully qualified domain name of the device (if any). If the device isn't domain-joined, it returns an empty string.
Supported operation is Get.
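Review bot: EstimatedChargeRemaining and EstimatedRuntime are documented with identical text and both point at the same **BatteryLifeTime** field of SYSTEM_POWER_STATUS, which cannot be right for two differently named nodes; please confirm which field each node actually reports. The new phrasing "This value is the one that is returned in" is also clunky; suggest "This is the **BatteryLifeTime** value from the SYSTEM_POWER_STATUS structure."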
@ -322,15 +322,15 @@ Added in Windows, version 1709. Virtualization-based security hardware requirem
- 0x1: SecureBoot required
- 0x2: DMA Protection required
- 0x4: HyperV not supported for Guest VM
- 0x8: HyperV feature is not available
- 0x8: HyperV feature isn't available
Supported operation is Get.
<a href="" id="devicestatus-deviceguard-virtualizationbasedsecuritystatus"></a>**DeviceStatus/DeviceGuard/VirtualizationBasedSecurityStatus**
Added in Windows, version 1709. Virtualization-based security status. Value is one of the following:
Added in Windows, version 1709. Virtualization-based security status. Value is one of the following values:
- 0 - Running
- 1 - Reboot required
- 2 - 64 bit architecture required
- 2 - 64-bit architecture required
- 3 - Not licensed
- 4 - Not configured
- 5 - System doesn't meet hardware requirements
@ -1,6 +1,6 @@
---
title: DevInfo CSP
description: Learn now the DevInfo configuration service provider handles the managed object which provides device information to the OMA DM server.
description: Learn how the DevInfo configuration service provider handles the managed object that provides device information to the OMA DM server.
ms.assetid: d3eb70db-1ce9-4c72-a13d-651137c1713c
ms.reviewer:
manager: dansimp
@ -15,16 +15,16 @@ ms.date: 06/26/2017
# DevInfo CSP
The DevInfo configuration service provider handles the managed object which provides device information to the OMA DM server. This device information is automatically sent to the OMA DM server at the beginning of each OMA DM session.
The DevInfo configuration service provider handles the managed object that provides device information to the OMA DM server. This device information is automatically sent to the OMA DM server at the beginning of each OMA DM session.
> [!NOTE]
> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application.
 
For the DevInfo CSP, you cannot use the Replace command unless the node already exists.
For the DevInfo CSP, you can't use the Replace command unless the node already exists.
The following shows the DevInfo configuration service provider management object in tree format as used by OMA Device Management. The OMA Client provisioning protocol is not supported by this configuration service provider.
The following example shows the DevInfo configuration service provider management object in tree format as used by OMA Device Management. The OMA Client provisioning protocol isn't supported by this configuration service provider.
```
.
DevInfo
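Review bot: Calling the tree listing an "example" in the reworded line "The following example shows the DevInfo configuration service provider management object in tree format" is slightly misleading, because what follows is the CSP's actual node tree, not a sample of one. Consider "The following listing shows ..." or keeping the original "The following shows ..."; the same rewording appears for the DiagnosticLog, DMAcc, DMSessionActions and DynamicManagement trees in this commit.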
@ -52,14 +52,14 @@ The **UseHWDevID** parm of the [DMAcc configuration service provider](dmacc-csp.
<a href="" id="man"></a>**Man**
Required. Returns the name of the OEM. For Windows 10 for desktop editions, it returns the SystemManufacturer as defined in HKEY\_LOCAL\_MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemManufacturer.
If no name is found, this returns "Unknown".
If no name is found, the value returned is "Unknown".
Supported operation is Get.
<a href="" id="mod"></a>**Mod**
Required. Returns the name of the hardware device model as specified by the mobile operator. For Windows 10 for desktop editions, it returns the SystemProductName as defined in HKEY\_LOCAL\_MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemProductName.
If no name is found, this returns "Unknown".
If no name is found, the value returned is "Unknown".
Supported operation is Get.

View File

@ -19,7 +19,7 @@ To help diagnose enrollment or device management issues in Windows 10 devices m
## Download the MDM Diagnostic Information log from Windows 10 PCs
1. On your managed device go to **Settings** > **Accounts** > **Access work or school**.
1. On your managed device, go to **Settings** > **Accounts** > **Access work or school**.
1. Click your work or school account, then click **Info.**
![Access work or school page in Settings.](images/diagnose-mdm-failures15.png)
@ -88,7 +88,7 @@ You can open the log files (.evtx files) in the Event Viewer on a Windows 10 PC
## Collect logs remotely from Windows 10 PCs
When the PC is already enrolled in MDM, you can remotely collect logs from the PC through the MDM channel if your MDM server supports this. The [DiagnosticLog CSP](diagnosticlog-csp.md) can be used to enable an event viewer channel by full name. Here are the Event Viewer names for the Admin and Debug channels:
When the PC is already enrolled in MDM, you can remotely collect logs from the PC through the MDM channel if your MDM server supports this facility. The [DiagnosticLog CSP](diagnosticlog-csp.md) can be used to enable an event viewer channel by full name. Here are the Event Viewer names for the Admin and Debug channels:
- Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%2FAdmin
- Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%2FDebug
@ -234,7 +234,7 @@ After the logs are collected on the device, you can retrieve the files through t
## View logs
For best results, ensure that the PC or VM on which you are viewing logs matches the build of the OS from which the logs were collected.
For best results, ensure that the PC or VM on which you're viewing logs matches the build of the OS from which the logs were collected.
1. Open eventvwr.msc.
2. Right-click on **Event Viewer(Local)** and select **Open Saved Log**.
@ -256,7 +256,7 @@ For best results, ensure that the PC or VM on which you are viewing logs matches
![event filter for Device Management.](images/diagnose-mdm-failures13.png)
7. Now you are ready to start reviewing the logs.
7. Now you're ready to start reviewing the logs.
![event viewer review logs.](images/diagnose-mdm-failures14.png)

View File

@ -18,16 +18,16 @@ The DiagnosticLog configuration service provider (CSP) provides the following fe
- [DiagnosticArchive area](#diagnosticarchive-area). Capture and upload event logs, log files, and registry values for troubleshooting.
- [Policy area](#policy-area). Configure Windows event log policies, such as maximum log size.
- [EtwLog area](#etwlog-area). Control ETW trace sessions.
- [DeviceStateData area](#devicestatedata-area). Provide additional device information.
- [DeviceStateData area](#devicestatedata-area). Provide more device information.
- [FileDownload area](#filedownload-area). Pull trace and state data directly from the device.
The following are the links to different versions of the DiagnosticLog CSP DDF files:
The links to different versions of the DiagnosticLog CSP DDF files are:
- [DiagnosticLog CSP version 1.4](diagnosticlog-ddf.md#version-1-4)
- [DiagnosticLog CSP version 1.3](diagnosticlog-ddf.md#version-1-3)
- [DiagnosticLog CSP version 1.2](diagnosticlog-ddf.md#version-1-2)
The following shows the DiagnosticLog CSP in tree format.
The following example shows the DiagnosticLog CSP in tree format.
```
./Vendor/MSFT/DiagnosticLog
@ -90,7 +90,7 @@ The data type is string.
Expected value:
Set and Execute are functionality equivalent, and each accepts a `Collection` XML snippet (as a string) describing what data to gather and where to upload it. The results are zipped and uploaded to the specified SasUrl. The zipped filename format is "DiagLogs-{ComputerName}-YYYYMMDDTHHMMSSZ.zip".
The following is an example of a `Collection` XML.
An example of a `Collection` XML is:
``` xml
<Collection>
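Review bot: The unchanged context line "Set and Execute are functionality equivalent" still carries a grammar error; since this hunk already touches the neighbouring sentence, it would be worth changing it to "Set and Execute are functionally equivalent" in the same change.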
@ -113,7 +113,7 @@ The XML should include the following elements within the `Collection` element:
The ID value uniquely identifies this data-gathering request. To avoid accidental repetition of data gathering, the CSP ignores subsequent Set or Execute invocations with the same ID value. The CSP expects the value to be populated when the request is received, so it must be generated by the IT admin or the management server.
**SasUrl**
The SasUrl value is the target URI to which the CSP uploads the zip file containing the gathered data. It is the responsibility of the management server to provision storage in such a way that the storage server accepts the device's HTTP PUT to this URL. For example, the device management service could:
The SasUrl value is the target URI to which the CSP uploads the zip file containing the gathered data. It's the responsibility of the management server to provision storage in such a way that the storage server accepts the device's HTTP PUT to this URL. For example, the device management service could:
- Provision cloud storage reachable by the target device, such as a Microsoft Azure blob storage container
- Generate a Shared Access Signature URL granting the possessor (the target device) time-limited write access to the storage container
- Pass this value to the CSP on the target device through the `Collection` XML as the `SasUrl` value.
@ -124,7 +124,7 @@ The SasUrl value is the target URI to which the CSP uploads the zip file contain
- Exports all of the key names and values under a given path (recursive).
- Expected input value: Registry path such as "HKLM\Software\Policies".
- Output format: Creates a .reg file, similar to the output of reg.exe EXPORT command.
- Privacy guardrails: To enable diagnostic log capture while reducing the risk of an IT admin inadvertently capturing user-generated documents, registry paths are restricted to those under HKLM and HKCR.
- Privacy guardrails: To enable diagnostic log capture while reducing the risk of an IT admin inadvertently capturing user-generated documents, registry paths are restricted to those paths that're under HKLM and HKCR.
- **Events**
- Exports all events from the named Windows event log.
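Review bot: "those paths that're under HKLM and HKCR" introduces a non-standard contraction ("that're") and makes the privacy-guardrail sentence harder to read than the original "those under HKLM and HKCR". Suggest "registry paths are restricted to those under HKLM and HKCR" (original) or "restricted to paths under HKLM and HKCR".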
@ -132,9 +132,9 @@ The SasUrl value is the target URI to which the CSP uploads the zip file contain
- Output format: Creates a .evtx file.
- **Commands**
- This directive type allows the execution of specific commands such as ipconfig.exe. Note that DiagnosticArchive and the Commands directives are not a general-purpose scripting platform. These commands are allowed in the DiagnosticArchive context to handle cases where critical device information may not be available through existing log files.
- This directive type allows the execution of specific commands such as ipconfig.exe. Note that DiagnosticArchive and the Commands directives aren't a general-purpose scripting platform. These commands are allowed in the DiagnosticArchive context to handle cases where critical device information may not be available through existing log files.
- Expected input value: The full command line including path and any arguments, such as `%windir%\\system32\\ipconfig.exe /all`.
- Output format: Console text output from the command is captured in a text file and included in the overall output archive. For commands which may generate file output rather than console output, a subsequent FolderFiles directive would be used to capture that output. The example XML above demonstrates this pattern with mdmdiagnosticstool.exe's -out parameter.
- Output format: Console text output from the command is captured in a text file and included in the overall output archive. For commands that may generate file output rather than console output, a subsequent FolderFiles directive would be used to capture that output. The example XML above demonstrates this pattern with mdmdiagnosticstool.exe's -out parameter.
- Privacy guardrails: To enable diagnostic data capture while reducing the risk of an IT admin inadvertently capturing user-generated documents, only the following commands are allowed:
- %windir%\\system32\\certutil.exe
- %windir%\\system32\\dxdiag.exe
@ -229,11 +229,11 @@ A Get to the above URI will return the results of the data gathering for the las
</SyncML>
```
Each data gathering node is annotated with the HRESULT of the action and the collection is also annotated with an overall HRESULT. In this example, note that the mdmdiagnosticstool.exe command failed.
Each data gathering node is annotated with the HRESULT of the action and the collection is also annotated with an overall HRESULT. In this example, the mdmdiagnosticstool.exe command failed.
### Making use of the uploaded data
The zip archive which is created and uploaded by the CSP contains a folder structure like the following:
The zip archive that is created and uploaded by the CSP contains a folder structure like the following example:
```powershell
PS C:\> dir C:\DiagArchiveExamples\DiagLogs-MYDEVICE-20201202T182748Z
@ -270,7 +270,7 @@ Administrators can apply automation to 'results.xml' to create their own preferr
```powershell
Select-XML -Path results.xml -XPath '//RegistryKey | //Command | //Events | //FoldersFiles' | Foreach-Object -Begin {$i=1} -Process { [pscustomobject]@{DirectiveNumber=$i; DirectiveHRESULT=$_.Node.HRESULT; DirectiveInput=$_.Node.('#text')} ; $i++}
```
This example produces output similar to the following:
This example produces output similar to the following output:
```
DirectiveNumber DirectiveHRESULT DirectiveInput
--------------- ---------------- --------------
@ -327,7 +327,7 @@ foreach( $element in $resultElements )
#endregion
Remove-Item -Path $diagnosticArchiveTempUnzippedPath -Force -Recurse
```
That example script produces a set of files similar to the following, which can be a useful view for an administrator interactively browsing the results without needing to navigate any sub-folders or refer to `results.xml` repeatedly:
That example script produces a set of files similar to the following set of files, which can be a useful view for an administrator interactively browsing the results without needing to navigate any subfolders or refer to `results.xml` repeatedly:
```powershell
PS C:\> dir C:\DiagArchiveExamples\DiagLogs-MYDEVICE-20201202T182748Z.zip_formatted | format-table Length,Name
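Review bot: "a set of files similar to the following set of files, which ..." repeats the noun phrase and reads awkwardly; "produces a set of files similar to the following, which can be a useful view ..." keeps the meaning without the repetition.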
@ -363,7 +363,7 @@ Added in version 1.4 of the CSP in Windows 10, version 1903. Node that contains
The supported operation is Get.
<a href="" id="policy-channels-channelname"></a>**Policy/Channels/_ChannelName_**
Added in version 1.4 of the CSP in Windows 10, version 1903. Dynamic node to represent a registered channel. The node name must be a valid Windows event log channel name, such as ``Microsoft-Client-Licensing-Platform%2FAdmin``. When specifying the name in the LocURI, it must be URL encoded, otherwise it may unexpectedly translate into a different URI.
Added in version 1.4 of the CSP in Windows 10, version 1903. Dynamic node to represent a registered channel. The node name must be a valid Windows event log channel name, such as ``Microsoft-Client-Licensing-Platform%2FAdmin``. When the name is being specified in the LocURI, it must be URL encoded, otherwise it may unexpectedly translate into a different URI.
Supported operations are Add, Delete, and Get.
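Review bot: The rewrite "When the name is being specified in the LocURI, it must be URL encoded" turns a clear active sentence into a passive progressive one and makes the referent of "it" less obvious. Suggest "When you specify the name in the LocURI, URL-encode it; otherwise it may unexpectedly translate into a different URI." The encoding point matters because the channel name contains a slash, which is why the example shows `%2F`.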
@ -430,7 +430,7 @@ Added in version 1.4 of the CSP in Windows 10, version 1903. This policy setting
If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte and 2 terabytes in megabyte increments.
If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog, and it defaults to 1 megabyte.
If you disable or don't configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog, and it defaults to 1 megabyte.
Supported operations are Add, Delete, Get, and Replace.
@ -627,11 +627,11 @@ Supported operations are Add, Delete, Get, and Replace.
The data type is string.
The following are the possible values:
- Truncate When the log file reaches its maximum file size, new events are not written to the log and are lost.
- Truncate—When the log file reaches its maximum file size, new events aren't written to the log and are lost.
- Overwrite—When the log file reaches its maximum file size, new events overwrite old events.
- Archive When the log file reaches its maximum size, the log file is saved to the location specified by the "Archive Location" policy setting. If archive location value is not set, the new file is saved in the same directory as current log file.
- Archive—When the log file reaches its maximum size, the log file is saved to the location specified by the "Archive Location" policy setting. If archive location value isn't set, the new file is saved in the same directory as current log file.
If you disable or do not configure this policy setting, the locally configured value will be used as default. Every channel that is installed, whether inbox or by ISVs, is responsible for defining its own local configuration, and that configuration can be changed by any administrator. Values set via this policy override but do not replace local configuration.
If you disable or don't configure this policy setting, the locally configured value will be used as default. Every channel that is installed, whether inbox or by ISVs, is responsible for defining its own local configuration, and that configuration can be changed by any administrator. Values set via this policy override but don't replace local configuration.
Add **ActionWhenFull**
@ -731,7 +731,7 @@ The following are the possible values:
- TRUE—Enables the channel.
- FALSE—Disables the channel.
If you disable or do not configure this policy setting, the locally configured value is used as default.
If you disable or don't configure this policy setting, the locally configured value is used as default.
Get **Enabled**
``` xml
@ -844,7 +844,7 @@ For each collector node, the user can:
- Change trace log file mode
- Change trace log file size limit
The configurations log file mode and log file size limit does not take effect while trace session is in progress. These are applied when user stops the current session and then starts it again for this collector.
The configurations log file mode and log file size limit don't take effect while trace session is in progress. These attributes are applied when user stops the current session and then starts it again for this collector.
For each registered provider in this collector, the user can:
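Review bot: The reworded sentence "The configurations log file mode and log file size limit don't take effect while trace session is in progress. These attributes are applied when user stops the current session" still lacks articles and a possessive: "The log file mode and log file size limit configurations don't take effect while a trace session is in progress. They are applied when the user stops the current session and starts it again for this collector."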
@ -859,7 +859,7 @@ The changes on **State**, **Keywords**, and **TraceLevel** takes effect immediat
### Channel-based tracing
The type of event tracing exports event data from a specific channel. This is only supported on the desktop.
The type of event tracing exports event data from a specific channel. This method is only supported on the desktop.
Users can add or delete a channel node using the full name, such as Microsoft-Windows-AppModel-Runtime/Admin.
@ -990,7 +990,7 @@ The following table lists the possible values:
The supported operation is Execute.
After you have added a logging task, you can start a trace by running an Execute command on this node with the value START.
After you've added a logging task, you can start a trace by running an Execute command on this node with the value START.
To stop the trace, running an execute command on this node with the value STOP.
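Review bot: The unchanged context line "To stop the trace, running an execute command on this node with the value STOP." is missing its main verb; since the previous sentence in this hunk was just edited, fix it at the same time: "To stop the trace, run an Execute command on this node with the value STOP." (also capitalising Execute to match the sentence above).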
@ -1208,7 +1208,7 @@ The following table lists the possible values:
| Value | Description |
| ----- | ------------------ |
| TRUE | Provider is enabled in the trace session. This is the default. |
| TRUE | Provider is enabled in the trace session. This value is the default value. |
| FALSE | Provider is disabled in the trace session. |
Set provider **State**
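Review bot: "This value is the default value." in the TRUE row is redundant; "This is the default." (original) or "TRUE is the default." reads better and keeps the table cell short.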
@ -1395,7 +1395,7 @@ Set channel **State**
## DeviceStateData area
The DeviceStateData functionality within the DiagnosticLog CSP provides additional device information.
The DeviceStateData functionality within the DiagnosticLog CSP provides extra device information.
The following section describes the nodes for the DeviceStateData functionality.
@ -1434,10 +1434,10 @@ The FileDownload feature of the DiagnosticLog CSP enables a management server to
### Comparing FileDownload and DiagnosticArchive
Both the FileDownload and DiagnosticArchive features can be used to get data from the device to the management server, but they are optimized for different workflows.
Both the FileDownload and DiagnosticArchive features can be used to get data from the device to the management server, but they're optimized for different workflows.
- FileDownload enables the management server to directly pull byte-level trace data from the managed device. The data transfer takes place through the existing OMA-DM/SyncML context. It is typically used together with the EtwLogs feature as part of an advanced monitoring or diagnostic flow. FileDownlod requires granular orchestration by the management server, but avoids the need for dedicated cloud storage.
- DiagnosticArchive allows the management server to give the CSP a full set of instructions as single command. Based on those instructions the CSP orchestrates the work client-side to package the requested diagnostic files into a zip archive and upload that archive to cloud storage. The data transfer happens outside of the OMA-DM session, via an HTTP PUT.
- FileDownload enables the management server to directly pull byte-level trace data from the managed device. The data transfer takes place through the existing OMA-DM/SyncML context. It's used together with the EtwLogs feature as part of an advanced monitoring or diagnostic flow. FileDownlod requires granular orchestration by the management server, but avoids the need for dedicated cloud storage.
- DiagnosticArchive allows the management server to give the CSP a full set of instructions as single command. Based on those instructions, the CSP orchestrates the work client-side to package the requested diagnostic files into a zip archive and upload that archive to cloud storage. The data transfer happens outside of the OMA-DM session, via an HTTP PUT.
The following section describes the nodes for the FileDownload functionality.
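Review bot: The FileDownload bullet drops "typically" ("It is typically used together with the EtwLogs feature" became "It's used together with the EtwLogs feature"), which changes the meaning from a common pairing to an implied requirement; keep "It's typically used together with the EtwLogs feature". The same line still carries the unchanged typo "FileDownlod requires granular orchestration", which should be "FileDownload".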

View File

@ -21,9 +21,9 @@ The DMAcc configuration service provider allows an OMA Device Management (DM) ve
For the DMAcc CSP, you cannot use the Replace command unless the node already exists.
For the DMAcc CSP, you can't use the Replace command unless the node already exists.
The following shows the DMAcc configuration service provider management object in tree format as used by OMA Device Management version 1.2. The OMA Client Provisioning protocol is not supported by this configuration service provider.
The following example shows the DMAcc configuration service provider management object in tree format as used by OMA Device Management version 1.2. The OMA Client Provisioning protocol isn't supported by this configuration service provider.
```
./SyncML
@ -103,7 +103,7 @@ Required.
<a href="" id="appaddr-objectname"></a>**AppAddr/**<strong>*ObjectName*</strong>
Required. Defines the OMA DM server address. Only one server address can be configured.
When mapping the [w7 APPLICATION configuration service provider](w7-application-csp.md) to the DMAcc Configuration Service Provider, the name of this element is "1". This is the first DM address encountered in the w7 APPLICATION configuration service provider, other DM accounts are ignored.
When the [w7 APPLICATION configuration service provider](w7-application-csp.md) is being mapped to the DMAcc Configuration Service Provider, the name of this element is "1". This DM address is the first one encountered in the w7 APPLICATION configuration service provider; other DM accounts are ignored.
<a href="" id="objectname-addr"></a>***ObjectName*/Addr**
Required. Specifies the address of the OMA DM account. The type of address stored is specified by the AddrType element.
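Review bot: "When the [w7 APPLICATION configuration service provider] is being mapped to the DMAcc Configuration Service Provider" is a passive-progressive rewrite of a sentence that was already clear; "When you map the w7 APPLICATION configuration service provider to the DMAcc CSP, the name of this element is "1"" is shorter and keeps the subject. The same pattern is applied to the Port and AppAuth elements below.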
@ -125,10 +125,10 @@ Optional.
<a href="" id="port-objectname"></a>**Port/**<strong>*ObjectName*</strong>
Required. Only one port number can be configured.
When mapping the [w7 APPLICATION configuration service provider](w7-application-csp.md) to the DMAcc Configuration Service Provider, the name of this element is "1".
When the [w7 APPLICATION configuration service provider](w7-application-csp.md) is being mapped to the DMAcc Configuration Service Provider, the name of this element is "1".
<a href="" id="objectname-portnbr"></a>***ObjectName*/PortNbr**
Required. Specifies the port number of the OMA MD account address. This must be a decimal number that fits within the range of a 16-bit unsigned integer.
Required. Specifies the port number of the OMA MD account address. This number must be a decimal number that fits within the range of a 16-bit unsigned integer.
Value type is string. Supported operations are Add, Get, and Replace.
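Review bot: "This number must be a decimal number that fits within the range of a 16-bit unsigned integer" is redundant; "This must be a decimal number ..." (original) or "The value must be a decimal number in the range of a 16-bit unsigned integer" is cleaner. The same line also still reads "the OMA MD account address", which should be "the OMA DM account address".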
@ -137,7 +137,7 @@ Optional. Specifies the application authentication preference.
A value of "BASIC" specifies that the client attempts BASIC authentication. A value of "DIGEST' specifies that the client attempts MD5 authentication.
If this value is empty, the client attempts to use the authentication mechanism negotiated in the previous session if one exists. If the value is empty, no previous session exists, and MD5 credentials exist, clients try MD5 authorization first. If the criteria are not met then the client tries BASIC authorization first.
If this value is empty, the client attempts to use the authentication mechanism negotiated in the previous session if one exists. If the value is empty, no previous session exists, and MD5 credentials exist, clients try MD5 authorization first. If the criteria aren't met, then the client tries BASIC authorization first.
Value type is string. Supported operations are Add, Get, and Replace.
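Review bot: The unchanged context line `A value of "DIGEST' specifies that the client attempts MD5 authentication.` has mismatched quotation marks around DIGEST; change it to `"DIGEST"` while this paragraph is being edited.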
@ -147,7 +147,7 @@ Optional. Defines authentication settings.
<a href="" id="appauth-objectname"></a>**AppAuth/**<strong>*ObjectName*</strong>
Required. Defines one set of authentication settings.
When mapping the [w7 APPLICATION configuration service provider](w7-application-csp.md) to the DMAcc Configuration Service Provider, the name of this element is same name as the AAuthLevel value ("CLRED" or "SRVCRED").
When the [w7 APPLICATION configuration service provider](w7-application-csp.md) is being mapped to the DMAcc Configuration Service Provider, the name of this element is same name as the AAuthLevel value ("CLRED" or "SRVCRED").
<a href="" id="objectname-aauthlevel"></a>***ObjectName*/AAuthlevel**
Required. Specifies the application authentication level.
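Review bot: The reworded line still has the original grammar error "the name of this element is same name as the AAuthLevel value"; suggest "the name of this element is the same as the AAuthLevel value ("CLRED" or "SRVCRED")", and, as with the AppAddr and Port elements, prefer "When you map ..." over "When ... is being mapped".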
@ -176,7 +176,7 @@ Value type is string. Supported operations are Add and Replace.
<a href="" id="objectname-aauthdata"></a>***ObjectName*/AAuthData**
Optional. Specifies the next nonce used for authentication.
"Nonce" refers to a number used once. It is often a random or pseudo-random number issued in an authentication protocol to ensure that old communications cannot be reused in repeat attacks.
"Nonce" refers to a number used once. It's often a random or pseudo-random number issued in an authentication protocol to ensure that old communications can't be reused in repeat attacks.
Value type is binary. Supported operations are Add and Replace.
@ -226,16 +226,16 @@ The default value is 86400000.
Value type is integer. Supported operations are Add, Get, and Replace.
<a href="" id="microsoft-protover"></a>**Microsoft/ProtoVer**
Optional. Specifies the OMA DM Protocol version that the server supports. There is no default value.
Optional. Specifies the OMA DM Protocol version that the server supports. There's no default value.
Valid values are "1.1" and "1.2". The protocol version set by this element will match the protocol version that the DM client reports to the server in SyncHdr in package 1. If this element is not specified when adding a DM server account, the latest DM protocol version that the client supports is used. Windows 10 clients support version 1.2.
Valid values are "1.1" and "1.2". The protocol version set by this element will match the protocol version that the DM client reports to the server in SyncHdr in package 1. If this element isn't specified when adding a DM server account, the latest DM protocol version that the client supports is used. Windows 10 clients support version 1.2.
Value type is string. Supported operations are Add, Get, and Replace.
<a href="" id="microsoft-role"></a>**Microsoft/Role**
Required. Specifies the role mask that the OMA DM session runs with when it communicates with the server.
If this parameter is not present, the DM session is given the role mask of the OMA DM session that the server created. The following list shows the valid security role masks and their values.
If this parameter isn't present, the DM session is given the role mask of the OMA DM session that the server created. The following list shows the valid security role masks and their values.
- 4 = SECROLE\_OPERATOR
@ -245,7 +245,7 @@ If this parameter is not present, the DM session is given the role mask of the O
- 128 = SECROLE\_OPERATOR\_TPS
The acceptable access roles for this node cannot be more than the roles assigned to the DMAcc object.
The acceptable access roles for this node can't be more than the roles assigned to the DMAcc object.
Value type is integer. Supported operations are Get and Replace.
@ -267,9 +267,9 @@ Value type is bool. Supported operations are Add, Get, and Replace.
<a href="" id="microsoft-usenonceresync"></a>**Microsoft/UseNonceResync**
Optional. Specifies whether the OMA DM client should use the nonce resynchronization procedure if the server trigger notification fails authentication. The default is "FALSE".
If the authentication fails because the server nonce does not match the server nonce that is stored on the device, then the device can use the backup nonce as the server nonce. For this procedure to be successful, if the device did not authenticate with the preconfigured nonce value, the server must then use the backup nonce when sending the signed server notification message.
If the authentication fails because the server nonce doesn't match the server nonce that is stored on the device, then the device can use the backup nonce as the server nonce. For this procedure to be successful, if the device didn't authenticate with the preconfigured nonce value, the server must then use the backup nonce when sending the signed server notification message.
The default value of "FALSE" specifies that the client does not try to authenticate the notification with the backup server nonce if authentication to the stored nonce fails. A value of "TRUE" specifies that the client initiates a DM session if the backup server nonce is received after authentication failed.
The default value of "FALSE" specifies that the client doesn't try to authenticate the notification with the backup server nonce if authentication to the stored nonce fails. A value of "TRUE" specifies that the client initiates a DM session if the backup server nonce is received after authentication failed.
Value type is bool. Supported operations are Add, Get, and Replace.
@ -284,19 +284,19 @@ Optional. Determines whether the OMA DM client should be launched when roaming.
Value type is bool. Supported operations are Add, Get, and Replace.
<a href="" id="sslclientcertsearchcriteria"></a>**SSLCLIENTCERTSEARCHCRITERIA**
Optional. The SSLCLIENTCERTSEARCHCRITERIA parameter is used to specify the client certificate search criteria. This parameter supports search by subject attribute and certificate stores. If any other criteria are provided, it is ignored.
Optional. The SSLCLIENTCERTSEARCHCRITERIA parameter is used to specify the client certificate search criteria. This parameter supports search by subject attribute and certificate stores. If any other criteria are provided, it's ignored.
The string is a concatenation of name/value pairs, each member of the pair delimited by the "&" character. The name and values are delimited by the "=" character. If there are multiple values, each value is delimited by the Unicode character "U+F000". If the name or value contains characters not in the UNRESERVED set (as specified in RFC2396), then those characters are URI-escaped per the RFC.
The supported names are Subject and Stores; wildcard certificate search is not supported.
The supported names are Subject and Stores; wildcard certificate search isn't supported.
Stores specifies which certificate stores the DM client will search to find the SSL client certificate. The valid store value is My%5CUser. The store name is not case sensitive.
Stores specifies which certificate stores the DM client will search to find the SSL client certificate. The valid store value is My%5CUser. The store name isn't case sensitive.
> **Note**   %EF%80%80 is the UTF8-encoded character U+F000.
Subject specifies the certificate to search for. For example, to specify that you want a certificate with a particular Subject attribute (“CN=Tester,O=Microsoft”), use the following:
Subject specifies the certificate to search for. For example, to specify that you want a certificate with a particular Subject attribute (“CN=Tester,O=Microsoft”), use the following schema:
```xml
<parm name="SSLCLIENTCERTSEARCHCRITERIA"
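Review bot: "use the following schema:" is inaccurate, because what follows is a `<parm name="SSLCLIENTCERTSEARCHCRITERIA"` element with a concrete value, not a schema. Suggest "use the following parm element:" or "use the following XML:".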

View File

@ -21,7 +21,7 @@ The DMSessionActions configuration service provider (CSP) is used to manage:
This CSP was added in Windows 10, version 1703.
The following shows the DMSessionActions configuration service provider in tree format.
The following example shows the DMSessionActions configuration service provider in tree format.
```
./User/Vendor/MSFT
DMSessionActions
@ -92,7 +92,7 @@ DMSessionActions
<p>Value type is string. Supported operation is Get.</p>
<a href="" id="powersettings"></a>**PowerSettings**
<p>Node for power-related configrations</p>
<p>Node for power-related configurations</p>
<a href="" id="maxskippedsessionsinlowpowerstate"></a>**PowerSettings/MaxSkippedSessionsInLowPowerState**
<p>Maximum number of continuous skipped sync sessions when the device is in low-power state.</p>

View File

@ -14,11 +14,11 @@ ms.collection: highpri
# DynamicManagement CSP
Windows 10 allows you to manage devices differently depending on location, network, or time.  In Windows 10, version 1703 the focus is on the most common areas of concern expressed by organizations. For example, managed devices can have cameras disabled when at a work location, the cellular service can be disabled when outside the country to avoid roaming charges, or the wireless network can be disabled when the device is not within the corporate building or campus. Once configured, these settings will be enforced even if the device cant reach the management server when the location or network changes. The Dynamic Management CSP enables configuration of policies that change how the device is managed in addition to setting the conditions on which the change occurs.
Windows 10 allows you to manage devices differently depending on location, network, or time.  In Windows 10, version 1703 the focus is on the most common areas of concern expressed by organizations. For example, managed devices can have cameras disabled when at a work location, the cellular service can be disabled when outside the country to avoid roaming charges, or the wireless network can be disabled when the device isn't within the corporate building or campus. Once configured, these settings will be enforced even if the device cant reach the management server when the location or network changes. The Dynamic Management CSP enables configuration of policies that change how the device is managed in addition to setting the conditions on which the change occurs.
This CSP was added in Windows 10, version 1703.
The following shows the DynamicManagement configuration service provider in tree format.
The following example shows the DynamicManagement configuration service provider in tree format.
```
./Device/Vendor/MSFT
DynamicManagement
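Review bot: the rewritten paragraph fixes "is not" to "isn't" but leaves "device cant reach the management server" with a missing apostrophe; it should read "device can't reach". The double space after "time." in the same sentence should also be reduced to one.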
@ -85,7 +85,7 @@ DynamicManagement
<p>Value type is integer. Supported operation is Get.</p>
<a href="" id="altitude"></a>**Altitude**
<p>A value that determines how to handle conflict resolution of applying multiple contexts on the device. This is required and must be distinct of other priorities.</p>
<p>A value that determines how to handle conflict resolution of applying multiple contexts on the device. This value is required and must be distinct of other priorities.</p>
<p>Value type is integer. Supported operations are Add, Get, Delete, and Replace.</p>
<a href="" id="alertsenabled"></a>**AlertsEnabled**
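Review bot: "must be distinct of other priorities" in the rewritten Altitude description is the wrong preposition; suggest "must be distinct from other priorities".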

@ -34,7 +34,7 @@ To get the EAP configuration from your desktop using the rasphone tool that is s
![vpnv2 csp set up connection.](images/vpnv2-csp-setupnewconnection.png)
1. Enter an Internet address and connection name. These can be fake since it does not impact the authentication parameters.
1. Enter an Internet address and connection name. These details can be fake since it doesn't impact the authentication parameters.
![vpnv2 csp set up connection 2.](images/vpnv2-csp-setupnewconnection2.png)
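Review bot: subject and verb disagree in the rewritten step: "These details can be fake since it doesn't impact". Suggest "These details can be fake since they don't impact the authentication parameters."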
@ -60,7 +60,7 @@ To get the EAP configuration from your desktop using the rasphone tool that is s
Get-VpnConnection -Name Test
```
<a href="" id="pow"></a>Here is an example output.
<a href="" id="pow"></a>Here's an example output.
``` syntax
Name : Test
@ -88,7 +88,7 @@ To get the EAP configuration from your desktop using the rasphone tool that is s
$a.EapConfigXmlStream.InnerXml
```
Here is an example output.
Here's an example output.
```xml
<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><EapMethod><Type xmlns="http://www.microsoft.co
@ -116,18 +116,18 @@ To get the EAP configuration from your desktop using the rasphone tool that is s
## EAP certificate filtering
In your deployment, if you have multiple certificates provisioned on the device and the Wi-Fi profile provisioned does not have a strict filtering criteria, you might see connection failures when connecting to Wi-Fi. The solution is to ensure that the Wi-Fi profile provisioned has strict filtering criteria so that it matches only one certificate.
In your deployment, if you have multiple certificates provisioned on the device and the Wi-Fi profile provisioned doesn't have a strict filtering criteria, you might see connection failures when connecting to Wi-Fi. The solution is to ensure that the Wi-Fi profile provisioned has strict filtering criteria so that it matches only one certificate.
Enterprises deploying certificate-based EAP authentication for VPN and Wi-Fi can encounter a situation where there are multiple certificates that meet the default criteria for authentication. This can lead to issues such as:
Enterprises deploying certificate-based EAP authentication for VPN and Wi-Fi can encounter a situation where there are multiple certificates that meet the default criteria for authentication. This situation can lead to issues such as:
- The user might be prompted to select the certificate.
- The wrong certificate might be auto-selected and cause an authentication failure.
A production ready deployment must have the appropriate certificate details as part of the profile being deployed. The following information explains how to create or update an EAP configuration XML such that the extraneous certificates are filtered out and the appropriate certificate can be used for the authentication.
EAP XML must be updated with relevant information for your environment. This can be done manually by editing the following XML sample, or by using the step-by-step UI guide. After the EAP XML is updated, refer to instructions from your MDM to deploy the updated configuration as follows:
EAP XML must be updated with relevant information for your environment. This task can be done manually by editing the following XML sample, or by using the step-by-step UI guide. After the EAP XML is updated, refer to instructions from your MDM to deploy the updated configuration as follows:
- For Wi-Fi, look for the `<EAPConfig>` section of your current WLAN Profile XML. (This is what you specify for the WLanXml node in the Wi-Fi CSP.) Within these tags you will find the complete EAP configuration. Replace the section under `<EAPConfig>` with your updated XML and update your Wi-Fi profile. You can refer to your MDMs guidance on how to deploy a new Wi-Fi profile.
- For Wi-Fi, look for the `<EAPConfig>` section of your current WLAN Profile XML. (This section is what you specify for the WLanXml node in the Wi-Fi CSP.) Within these tags you'll find the complete EAP configuration. Replace the section under `<EAPConfig>` with your updated XML and update your Wi-Fi profile. You can refer to your MDMs guidance on how to deploy a new Wi-Fi profile.
- For VPN, EAP configuration is a separate field in the MDM configuration. Work with your MDM provider to identify and update the appropriate field.
For information about EAP settings, see <https://technet.microsoft.com/library/hh945104.aspx#BKMK_Cfg_cert_Selct>.
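Review bot: two grammar issues remain in the rewritten lines of this hunk: "doesn't have a strict filtering criteria" pairs a singular article with the plural "criteria" (suggest "doesn't have strict filtering criteria"), and "your MDMs guidance" needs a possessive apostrophe ("your MDM's guidance").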
@ -142,13 +142,13 @@ The following list describes the prerequisites for a certificate to be used with
- The certificate must have at least one of the following EKU properties:
- Client Authentication. As defined by RFC 5280, this is a well-defined OID with value 1.3.6.1.5.5.7.3.2.
- Any Purpose. This is an EKU defined and published by Microsoft, and is a well-defined OID with value 1.3.6.1.4.1.311.10.12.1. The inclusion of this OID implies that the certificate can be used for any purpose. The advantage of this EKU over the All Purpose EKU is that additional non-critical or custom EKUs can still be added to the certificate for effective filtering.
- All Purpose. As defined by RFC 5280, if a CA includes EKUs to satisfy some application needs, but does not want to restrict usage of the key, the CA can add an EKU value of 0. A certificate with such an EKU can be used for all purposes.
- Client Authentication. As defined by RFC 5280, this property is a well-defined OID with value 1.3.6.1.5.5.7.3.2.
- Any Purpose. This property is an EKU-defined one and is published by Microsoft, and is a well-defined OID with value 1.3.6.1.4.1.311.10.12.1. The inclusion of this OID implies that the certificate can be used for any purpose. The advantage of this EKU over the All Purpose EKU is that other non-critical or custom EKUs can still be added to the certificate for effective filtering.
- All Purpose. As defined by RFC 5280, if a CA includes EKUs to satisfy some application needs, but doesn't want to restrict usage of the key, the CA can add an EKU value of 0. A certificate with such an EKU can be used for all purposes.
- The user or the computer certificate on the client must chain to a trusted root CA.
- The user or the computer certificate does not fail any one of the checks that are performed by the CryptoAPI certificate store, and the certificate passes requirements in the remote access policy.
- The user or the computer certificate does not fail any one of the certificate object identifier checks that are specified in the Internet Authentication Service (IAS)/Radius Server.
- The user or the computer certificate doesn't fail any one of the checks that are performed by the CryptoAPI certificate store, and the certificate passes requirements in the remote access policy.
- The user or the computer certificate doesn't fail any one of the certificate object identifier checks that are specified in the Internet Authentication Service (IAS)/Radius Server.
- The Subject Alternative Name (SubjectAltName) extension in the certificate contains the user principal name (UPN) of the user.
The following XML sample explains the properties for the EAP TLS XML, including certificate filtering.
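Review bot: the rewrite of the Any Purpose bullet garbles the sentence: "This property is an EKU-defined one and is published by Microsoft" no longer says what the original did (an EKU that Microsoft defines and publishes). Suggest "This EKU is defined and published by Microsoft, and is a well-defined OID with value 1.3.6.1.4.1.311.10.12.1."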
@ -265,7 +265,7 @@ The following XML sample explains the properties for the EAP TLS XML, including
Alternatively, you can use the following procedure to create an EAP configuration XML:
1. Follow steps 1 through 7 in the EAP configuration article.
1. In the **Microsoft VPN SelfHost Properties** dialog box, select **Microsoft: Smart Card or other Certificate** from the drop-down menu (this selects EAP TLS).
1. In the **Microsoft VPN SelfHost Properties** dialog box, select **Microsoft: Smart Card or other Certificate** from the drop-down menu (this value selects EAP TLS).
![vpn self host properties window.](images/certfiltering1.png)
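Review bot: "(this value selects EAP TLS)" in the rewritten step describes a drop-down menu item, which is an option rather than a value; suggest "(this option selects EAP TLS)".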

@ -57,11 +57,11 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/
4. Double-click **Enable App-V Client**.
The **Options** section is empty, which means there are no parameters necessary to enable the policy. If the **Options** section is not empty, follow the procedure in [Enable a policy that requires parameters](#enable-a-policy-that-requires-parameters)
The **Options** section is empty, which means there are no parameters necessary to enable the policy. If the **Options** section isn't empty, follow the procedure in [Enable a policy that requires parameters](#enable-a-policy-that-requires-parameters)
![Enable App-V client.](images/admx-appv-enableapp-vclient.png)
3. Create the SyncML to enable the policy that does not require any parameter.
3. Create the SyncML to enable the policy that doesn't require any parameter.
In this example, you configure **Enable App-V Client** to **Enabled**.
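Review bot: the rewritten Options sentence still ends without a period after the link to "Enable a policy that requires parameters"; since the line is being touched anyway, add the terminal period. The step numbering visible in this hunk also runs "4." then "3.", which reads as out of order.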
@ -114,9 +114,9 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/
4. Search for GP name **Publishing_Server2_policy**.
5. Under **policy name="Publishing_Server2_Policy"** you can see the \<elements> listed. The *text id* and *enum id* represents the *data id* you need to include in the SyncML data payload. They correspond to the fields you see in the Group Policy Editor.
5. Under **policy name="Publishing_Server2_Policy"** you can see the \<elements> listed. The *text id* and *enum id* represent the *data id* you need to include in the SyncML data payload. They correspond to the fields you see in the Group Policy Editor.
Here is the snippet from appv.admx:
Here's the snippet from appv.admx:
```xml
<!-- Publishing Server 2 -->
@ -208,7 +208,7 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/
6. From the **\<elements>** tag, copy all of the *text id* and *enum id* and create an XML with *data id* and *value* fields. The *value* field contains the configuration settings that you would enter in the Group Policy Editor.
Here is the example XML for Publishing_Server2_Policy:
Here's the example XML for Publishing_Server2_Policy:
```xml
<data id="Publishing_Server2_Name_Prompt" value="Name"/>
@ -225,7 +225,7 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/
7. Create the SyncML to enable the policy. Payload contains \<enabled/> and name/value pairs.
Here is the example for **AppVirtualization/PublishingAllowServer2**:
Here's the example for **AppVirtualization/PublishingAllowServer2**:
> [!NOTE]
> The \<Data> payload must be XML encoded. To avoid encoding, you can use CData if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). If you are using Intune, select String as the data type.

@ -20,17 +20,17 @@ ms.collection: highpri
Starting in Windows 10, version 1709, you can use a Group Policy to trigger auto-enrollment to MDM for Active Directory (AD) domain-joined devices.
The enrollment into Intune is triggered by a group policy created on your local AD and happens without any user interaction. This means you can automatically mass-enroll a large number of domain-joined corporate devices into Microsoft Intune. The enrollment process starts in the background once you sign in to the device with your Azure AD account.
The enrollment into Intune is triggered by a group policy created on your local AD and happens without any user interaction. This cause-and-effect mechanism means you can automatically mass-enroll a large number of domain-joined corporate devices into Microsoft Intune. The enrollment process starts in the background once you sign in to the device with your Azure AD account.
Requirements:
- Active Directory-joined PC running Windows 10, version 1709 or later
- The enterprise has configured a mobile device management (MDM) service
- The on-premises Active Directory must be [integrated with Azure AD (via Azure AD Connect)](/azure/architecture/reference-architectures/identity/azure-ad)
- The device should not already be enrolled in Intune using the classic agents (devices managed using agents will fail enrollment with `error 0x80180026`)
- The minimum Windows Server version requirement is based on the Hybrid Azure AD join requirement. See [How to plan your hybrid Azure Active Directory join implementation](/azure/active-directory/devices/hybrid-azuread-join-plan) for more information.
- The device shouldn't already be enrolled in Intune using the classic agents (devices managed using agents will fail enrollment with `error 0x80180026`)
- The minimum Windows Server version requirement is based on the Hybrid Azure AD join requirement. For more information, see [How to plan your hybrid Azure Active Directory join implementation](/azure/active-directory/devices/hybrid-azuread-join-plan).
> [!TIP]
> For additional information, see the following topics:
> For more information, see the following topics:
> - [How to configure automatic registration of Windows domain-joined devices with Azure Active Directory](/azure/active-directory/active-directory-conditional-access-automatic-device-registration-setup)
> - [How to plan your hybrid Azure Active Directory join implementation](/azure/active-directory/devices/hybrid-azuread-join-plan)
> - [Azure Active Directory integration with MDM](./azure-active-directory-integration-with-mdm.md)
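Review bot: "This cause-and-effect mechanism means you can automatically mass-enroll" is awkward filler introduced by the rewrite; the original "This means" was clearer. If a noun is wanted to avoid a bare "This", suggest "This policy-driven enrollment means you can automatically mass-enroll ...".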
@ -42,7 +42,7 @@ The auto-enrollment relies on the presence of an MDM service and the Azure Activ
When the auto-enrollment Group Policy is enabled, a task is created in the background that initiates the MDM enrollment. The task will use the existing MDM service configuration from the Azure Active Directory information of the user. If multi-factor authentication is required, the user will get a prompt to complete the authentication. Once the enrollment is configured, the user can check the status in the Settings page.
In Windows 10, version 1709 or later, when the same policy is configured in GP and MDM, the GP policy wins (GP policy takes precedence over MDM). Since Windows 10, version 1803, a new setting allows you to change the policy conflict winner to MDM. For additional information, see [Windows 10 Group Policy vs. Intune MDM Policy who wins?](/archive/blogs/cbernier/windows-10-group-policy-vs-intune-mdm-policy-who-wins)
In Windows 10, version 1709 or later, when the same policy is configured in GP and MDM, the GP policy wins (GP policy takes precedence over MDM). Since Windows 10, version 1803, a new setting allows you to change the policy conflict winner to MDM. For more information, see [Windows 10 Group Policy vs. Intune MDM Policy who wins?](/archive/blogs/cbernier/windows-10-group-policy-vs-intune-mdm-policy-who-wins)
For this policy to work, you must verify that the MDM service provider allows the GP triggered MDM enrollment for domain joined devices.
@ -54,7 +54,7 @@ The following steps demonstrate required settings using the Intune service:
:::image type="content" alt-text="Intune license verification." source="images/auto-enrollment-intune-license-verification.png" lightbox="images/auto-enrollment-intune-license-verification.png":::
2. Verify that auto-enrollment is activated for those users who are going to enroll the devices into Mobile Device Management (MDM). For additional details, see [Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal](./azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md).
2. Verify that auto-enrollment is activated for those users who are going to enroll the devices into Mobile Device Management (MDM). For more information, see [Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal](./azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md).
![Auto-enrollment activation verification.](images/auto-enrollment-activation-verification.png)
@ -64,7 +64,7 @@ The following steps demonstrate required settings using the Intune service:
> For corporate devices, the MDM user scope takes precedence if both scopes are enabled. The devices get MDM enrolled.
3. Verify that the device OS version is Windows 10, version 1709 or later.
4. Auto-enrollment into Intune via Group Policy is valid only for devices which are hybrid Azure AD joined. This means that the device must be joined into both local Active Directory and Azure Active Directory. To verify that the device is hybrid Azure AD joined, run `dsregcmd /status` from the command line.
4. Auto-enrollment into Intune via Group Policy is valid only for devices that are hybrid Azure AD joined. This condition means that the device must be joined into both local Active Directory and Azure Active Directory. To verify that the device is hybrid Azure AD joined, run `dsregcmd /status` from the command line.
You can confirm that the device is properly hybrid-joined if both **AzureAdJoined** and **DomainJoined** are set to **YES**.
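Review bot: "This condition means that the device must be joined" in the rewritten step 4 is stilted; suggest "In other words, the device must be joined to both local Active Directory and Azure Active Directory."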
@ -86,10 +86,10 @@ The following steps demonstrate required settings using the Intune service:
:::image type="content" alt-text="Mobility setting MDM intune." source="images/auto-enrollment-microsoft-intune-setting.png" lightbox="images/auto-enrollment-microsoft-intune-setting.png":::
7. Verify that the *Enable Automatic MDM enrollment using default Azure AD credentials* group policy (**Local Group Policy Editor > Computer Configuration > Policies > Administrative Templates > Windows Components > MDM**) is properly deployed to all devices which should be enrolled into Intune.
7. Verify that the *Enable Automatic MDM enrollment using default Azure AD credentials* group policy (**Local Group Policy Editor > Computer Configuration > Policies > Administrative Templates > Windows Components > MDM**) is properly deployed to all devices that should be enrolled into Intune.
You may contact your domain administrators to verify if the group policy has been deployed successfully.
8. Verify that the device is not enrolled with the old Intune client used on the Intune Silverlight Portal (this is the Intune portal used before the Azure portal).
8. Verify that the device isn't enrolled with the old Intune client used on the Intune Silverlight Portal (the Intune portal used before the Azure portal).
9. Verify that Microsoft Intune should allow enrollment of Windows devices.
@ -97,7 +97,7 @@ You may contact your domain administrators to verify if the group policy has bee
## Configure the auto-enrollment Group Policy for a single PC
This procedure is only for illustration purposes to show how the new auto-enrollment policy works. It is not recommended for the production environment in the enterprise. For bulk deployment, you should use the [Group Policy Management Console process](#configure-the-auto-enrollment-for-a-group-of-devices).
This procedure is only for illustration purposes to show how the new auto-enrollment policy works. It's not recommended for the production environment in the enterprise. For bulk deployment, you should use the [Group Policy Management Console process](#configure-the-auto-enrollment-for-a-group-of-devices).
Requirements:
- AD-joined PC running Windows 10, version 1709 or later
@ -132,7 +132,7 @@ Requirements:
To see the scheduled task, launch the [Task Scheduler app](#task-scheduler-app).
If two-factor authentication is required, you will be prompted to complete the process. Here is an example screenshot.
If two-factor authentication is required, you'll be prompted to complete the process. Here's an example screenshot.
![Two-factor authentication notification.](images/autoenrollment-2-factor-auth.png)
@ -146,7 +146,7 @@ Requirements:
![Work School Settings.](images/autoenrollment-settings-work-school.png)
If you do not see the **Info** button or the enrollment information, it is possible that the enrollment failed. Check the status in [Task Scheduler app](#task-scheduler-app).
If you don't see the **Info** button or the enrollment information, it's possible that the enrollment failed. Check the status in [Task Scheduler app](#task-scheduler-app).
### Task Scheduler app
@ -161,12 +161,12 @@ Requirements:
:::image type="content" alt-text="Auto-enrollment scheduled task." source="images/autoenrollment-scheduled-task.png" lightbox="images/autoenrollment-scheduled-task.png":::
To see the result of the task, move the scroll bar to the right to see the **Last Run Result**. Note that **0x80180026** is a failure message (MENROLL\_E_DEVICE\_MANAGEMENT_BLOCKED). You can see the logs in the **History** tab.
To see the result of the task, move the scroll bar to the right to see the **Last Run Result**. The message **0x80180026** is a failure message (MENROLL\_E_DEVICE\_MANAGEMENT_BLOCKED). You can see the logs in the **History** tab.
If the device enrollment is blocked, your IT admin may have enabled the **Disable MDM Enrollment** policy.
> [!NOTE]
> The GPEdit console does not reflect the status of policies set by your IT admin on your device. It is only used by the user to set policies.
> The GPEdit console does not reflect the status of policies set by your IT admin on your device. It's only used by the user to set policies.
## Configure the auto-enrollment for a group of devices
@ -177,7 +177,7 @@ Requirements:
- Ensure that PCs belong to same computer group.
> [!IMPORTANT]
> If you do not see the policy, it may be because you don't have the ADMX for Windows 10, version 1803, version 1809, or version 1903 installed. To fix the issue, use the following procedures. Note that the latest MDM.admx is backwards compatible.
> If you don't see the policy, it may be because you don't have the ADMX for Windows 10, version 1803, version 1809, or version 1903 installed. To fix the issue, use the following procedures. Note that the latest MDM.admx is backwards compatible.
1. Download:
@ -222,7 +222,7 @@ Requirements:
5. Copy PolicyDefinitions folder to **\\SYSVOL\contoso.com\policies\PolicyDefinitions**.
If this folder does not exist, then be aware that you will be switching to a [central policy store](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) for your entire domain.
If this folder doesn't exist, then you'll be switching to a [central policy store](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) for your entire domain.
6. Wait for the SYSVOL DFSR replication to be completed for the policy to be available.
@ -247,19 +247,19 @@ To collect Event Viewer logs:
> [!Tip]
> For guidance on how to collect event logs for Intune, see [Collect MDM Event Viewer Log YouTube video](https://www.youtube.com/watch?v=U_oCe2RmQEc).
3. Search for event ID 75, which represents a successful auto-enrollment. Here is an example screenshot that shows the auto-enrollment completed successfully:
3. Search for event ID 75, which represents a successful auto-enrollment. Here's an example screenshot that shows the auto-enrollment completed successfully:
:::image type="content" alt-text="Event ID 75." source="images/auto-enrollment-troubleshooting-event-id-75.png" lightbox="images/auto-enrollment-troubleshooting-event-id-75.png":::
If you cannot find event ID 75 in the logs, it indicates that the auto-enrollment failed. This can happen because of the following reasons:
If you can't find event ID 75 in the logs, it indicates that the auto-enrollment failed. This failure can happen because of the following reasons:
- The enrollment failed with error. In this case, search for event ID 76, which represents failed auto-enrollment. Here is an example screenshot that shows that the auto-enrollment failed:
- The enrollment failed with error. In this case, search for event ID 76, which represents failed auto-enrollment. Here's an example screenshot that shows that the auto-enrollment failed:
:::image type="content" alt-text="Event ID 76." source="images/auto-enrollment-troubleshooting-event-id-76.png" lightbox="images/auto-enrollment-troubleshooting-event-id-76.png":::
To troubleshoot, check the error code that appears in the event. See [Troubleshooting Windows device enrollment problems in Microsoft Intune](/troubleshoot/mem/intune/troubleshoot-windows-enrollment-errors) for more information.
To troubleshoot, check the error code that appears in the event. For more information, see [Troubleshooting Windows device enrollment problems in Microsoft Intune](/troubleshoot/mem/intune/troubleshoot-windows-enrollment-errors).
- The auto-enrollment did not trigger at all. In this case, you will not find either event ID 75 or event ID 76. To know the reason, you must understand the internal mechanisms happening on the device as described in the following section.
- The auto-enrollment didn't trigger at all. In this case, you'll not find either event ID 75 or event ID 76. To know the reason, you must understand the internal mechanisms happening on the device as described in the following section.
The auto-enrollment process is triggered by a task (**Microsoft > Windows > EnterpriseMgmt**) within the task-scheduler. This task appears if the *Enable automatic MDM enrollment using default Azure AD credentials* group policy (**Computer Configuration > Policies > Administrative Templates > Windows Components > MDM**) is successfully deployed to the target machine as shown in the following screenshot:
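Review bot: "you'll not find either event ID 75 or event ID 76" in the rewritten bullet is an unnatural contraction; suggest "you won't find either event ID 75 or event ID 76".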
@ -278,16 +278,16 @@ To collect Event Viewer logs:
:::image type="content" alt-text="Event ID 102." source="images/auto-enrollment-event-id-102.png" lightbox="images/auto-enrollment-event-id-102.png":::
Note that the task scheduler log displays event ID 102 (task completed) regardless of the auto-enrollment success or failure. This means that the task scheduler log is only useful to confirm if the auto-enrollment task is triggered or not. It does not indicate the success or failure of auto-enrollment.
The task scheduler log displays event ID 102 (task completed) regardless of the auto-enrollment success or failure. This status-display means that the task scheduler log is only useful to confirm if the auto-enrollment task is triggered or not. It doesn't indicate the success or failure of auto-enrollment.
If you cannot see from the log that task Schedule created by enrollment client for automatically enrolling in MDM from AAD is initiated, there is possibly issue with the group policy. Immediately run the command `gpupdate /force` in command prompt to get the GPO applied. If this still does not help, further troubleshooting on the Active Directory is required.
If you can't see from the log that task Schedule created by enrollment client for automatically enrolling in MDM from AAD is initiated, there's possibly issue with the group policy. Immediately run the command `gpupdate /force` in command prompt to get the GPO applied. If this step still doesn't help, further troubleshooting on the Active Directory is required.
One frequently seen error is related to some outdated enrollment entries in the registry on the target client device (**HKLM > Software > Microsoft > Enrollments**). If a device has been enrolled (can be any MDM solution and not only Intune), some enrollment information added into the registry is seen:
:::image type="content" alt-text="Outdated enrollment entries." source="images/auto-enrollment-outdated-enrollment-entries.png" lightbox="images/auto-enrollment-outdated-enrollment-entries.png":::
By default, these entries are removed when the device is un-enrolled, but occasionally the registry key remains even after un-enrollment. In this case, `gpupdate /force` fails to initiate the auto-enrollment task and error code 2149056522 is displayed in the **Applications and Services Logs > Microsoft > Windows > Task Scheduler > Operational** event log file under event ID 7016.
A resolution to this issue is to remove the registry key manually. If you do not know which registry key to remove, go for the key which displays most entries as the screenshot above. All other keys will display fewer entries as shown in the following screenshot:
A resolution to this issue is to remove the registry key manually. If you don't know which registry key to remove, go for the key that displays most entries as the screenshot above. All other keys will display fewer entries as shown in the following screenshot:
:::image type="content" alt-text="Manually deleted entries." source="images/auto-enrollment-activation-verification-less-entries.png" lightbox="images/auto-enrollment-activation-verification-less-entries.png":::
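Review bot: two issues in the rewritten lines of this hunk: "This status-display means that the task scheduler log is only useful" is awkward filler (suggest "This means that the task scheduler log is only useful ..."), and "there's possibly issue with the group policy" is missing an article (suggest "there's possibly an issue with the group policy").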