From d8849befc689adb51d18d42e00d42c924e8ceaaa Mon Sep 17 00:00:00 2001 From: Steven Tricanowicz Date: Wed, 14 Jun 2017 18:08:02 -0700 Subject: [PATCH 01/23] Cleaning up WSfB REST Data Structures Page Fixing a number of errors, including: - incorrect types - inconsistent types - missing type links - fixing typoes While I'm here, I'm also: - alphabetizing the page - aligning columns across classes/enums - removing unnecessary columns - improving capitalization/punctuation consistency - rewording a couple descriptions --- ...a-structures-windows-store-for-business.md | 431 ++++++++---------- 1 file changed, 200 insertions(+), 231 deletions(-) diff --git a/windows/client-management/mdm/data-structures-windows-store-for-business.md b/windows/client-management/mdm/data-structures-windows-store-for-business.md index 18b093df38..38f80513d0 100644 --- a/windows/client-management/mdm/data-structures-windows-store-for-business.md +++ b/windows/client-management/mdm/data-structures-windows-store-for-business.md @@ -28,6 +28,7 @@ Here's the list of data structures used in the Windows Store for Business REST A - [LicenseType](#licensetype) - [LocalizedProductDetail](#localizedproductdetail) - [OfflineLicense](#offlinelicense) +- [PackageContentInfo](#packagecontentinfo) - [PackageLocation](#packagelocation) - [ProductArchitectures](#productarchitectures) - [ProductDetails](#productdetails) @@ -85,26 +86,22 @@ Specifies the properties of the alternate identifier. --+ - - - + - - +
Name TypeDescription

seatDetails

Collection of [SeatDetails](#seatdetails)

collection of [SeatDetails](#seatdetails)

failedSeatOperations

Collection of [FailedSeatRequest](#failedseatrequest)

collection of [FailedSeatRequest](#failedseatrequest)

@@ -117,31 +114,26 @@ Specifies the properties of the alternate identifier. --+ - - - -
Name TypeDescription

failureReason

string

productKey

[ProductKey](#productkey)

userName

string

@@ -173,7 +165,7 @@ Specifies the properties of the alternate identifier.

contentId

string

-

Identifies a specific application

+

Identifies a specific application.

location

@@ -207,12 +199,12 @@ Specifies the properties of the alternate identifier.

fileSize

-

integer -64

-

+

integer-64

+

Size of the file.

packageRank

-

integer-3232

+

integer-32

Optional

@@ -225,26 +217,22 @@ Specifies the properties of the alternate identifier. --+ - - - @@ -277,7 +265,7 @@ Specifies the properties of the alternate identifier. - + @@ -296,12 +284,12 @@ Specifies the properties of the alternate identifier. - + - + @@ -329,11 +317,11 @@ Specifies the properties of the alternate identifier. - + - + @@ -346,27 +334,23 @@ Specifies the properties of the alternate identifier.
NameType Description

open

Open distribution policy - licenses/seats can be assigned/consumed without limit

restricted

Restricted distribution policy - licenses/seats must be assigned/consumed according to the available count

seatCapacity

integer-64

Total number of seats that have been purchased for an application

Total number of seats that have been purchased for an application.

availableSeats

distributionPolicy

InventoryDistributionPolicy

[InventoryDistributionPolicy](#inventorydistributionpolicy)

status

InventoryStatus

[InventoryStatus](#inventorystatus)

continuationToken

string

continuationToken is only available if there is a next page

Only available if there is a next page.

inventoryEntries

collection of

collection of [InventoryEntryDetails](#inventoryentrydetails)

--+ - - - + - - +
NameType Description

active

Entry is available in the organization’s inventory

Entry is available in the organization’s inventory.

removed

Entry has been removed from the organization’s inventory

Entry has been removed from the organization’s inventory.

@@ -378,8 +362,8 @@ Specifies the properties of the alternate identifier. --++ @@ -497,43 +481,13 @@ Specifies the properties of the localized product.   -## ProductArchitectures - - -
--- - - - - - - - - - - - - - - - - - - - -
Name

neutral

arm

x86

x64

- -  - ## PackageContentInfo --++ @@ -582,6 +536,36 @@ Specifies the properties of the localized product.   +## ProductArchitectures + + +
+++ + + + + + + + + + + + + + + + + + + + +
Name

neutral

arm

x86

x64

+ +  + ## ProductDetails @@ -611,7 +595,7 @@ Specifies the properties of the localized product.

supportedLanguages

-

collection of strings

+

collection of string

The set of localized languages for an application.

@@ -644,10 +628,74 @@ Specifies the properties of the localized product.   +## ProductImage + + +Specifies the properties of the product image. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescription

location

URI

Location of the download image.

purpose

string

Tag for the purpose of the image, e.g. "screenshot" or "logo".

height

string

Height of the image in pixels.

width

string

Width of the image in pixels.

caption

string

Unlimited length.

backgroundColor

string

Format "#RRGGBB"

foregroundColor

string

Format "#RRGGBB"

fileSize

integer-64

Size of the file.
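Review bot: in the re-added ProductImage table, height and width are still typed as string although both are described as a size in pixels, while fileSize in the same table was corrected from long to integer-64. Since the commit sets out to fix incorrect types, confirm what the API returns for these two fields and use integer-32 if they are numeric. The two Format "#RRGGBB" descriptions also lack the closing period that the other rows of this table now carry.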

+ +  + ## ProductKey -Specifies the proerties of the product key. +Specifies the properties of the product key. @@ -678,104 +726,6 @@ Specifies the proerties of the product key.   -## ProductImage - - -Specifies the proerties of the product image. - -
----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NameTypeDescription

location

URI

Location of the download images.

purpose

string

App screenshots and icons

height

string

Height of the image in pixels.

width

string

Width of the image in pixels.

caption

string

Unlimited

backgroundColor

string

Format #RRGGBB

foregroundColor

string

Format #RRGGBB

fileSize

long

Size of the file.

- -  - -## PublisherDetails - - -Specifies the proerties of the publisher details. - - ----- - - - - - - - - - - - - - - - - - - - -
NameTypeDescription

publisherName

string

Name of the publisher.

publisherWebsite

string

Website of the publisher.

- -  - ## ProductPackageDetails @@ -799,15 +749,15 @@ Specifies the proerties of the publisher details.

-

contentId

-

string

-

Identifies a specific application.

- -

packageId

string

+ +

contentId

+

string

+

Identifies a specific application.

+

location

[PackageLocation](#packagelocation)

@@ -831,7 +781,7 @@ Specifies the proerties of the publisher details.

packageFormat

[ProductPackageFormat](#productpackageformat)

-

appx, appxbundle, xap

+

Extension of the package file.

platforms

@@ -839,19 +789,41 @@ Specifies the proerties of the publisher details.

-

packageId

-

string

-

- -

fileSize

integer-64

-

+

Size of the file.

- +

packageRank

integer-32

-

optional

+

Optional

+ + + + +  + +## ProductPackageFormat + + + +++ + + + + + + + + + + + + + +
Name

appx

appxBundle

xap

@@ -890,40 +862,13 @@ Specifies the proerties of the publisher details.   -## ProductPackageFormat - - - --- - - - - - - - - - - - - - - - - -
Name

appx

appxBundle

xap

- -  - ## ProductPlatform --++ @@ -949,6 +894,40 @@ Specifies the proerties of the publisher details.   +## PublisherDetails + + +Specifies the properties of the publisher details. + +
+++++ + + + + + + + + + + + + + + + + + + + +
NameTypeDescription

publisherName

string

Name of the publisher.

publisherWebsite

string

Website of the publisher.

+ +  + ## SeatAction @@ -1020,8 +999,8 @@ Specifies the proerties of the publisher details. --++ @@ -1032,7 +1011,7 @@ Specifies the proerties of the publisher details. - + @@ -1096,7 +1075,7 @@ Specifies the proerties of the publisher details. - +

seats

Collection of [SeatDetails](#seatdetails)

collection of [SeatDetails](#seatdetails)

continuationToken

architectures

collection of ProductArchitectures

collection of [ProductArchitecture](#productarchitecture)
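Review bot: the new link target in the architectures row, [ProductArchitecture](#productarchitecture), does not match any heading on the page. The section this patch moves is still titled "## ProductArchitectures" and the list at the top of the file links to #productarchitectures, so the added link will not resolve. Point the link at #productarchitectures, or rename the heading and the table-of-contents entry in the same change.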

@@ -1108,8 +1087,8 @@ Specifies the proerties of the publisher details. --++ @@ -1120,29 +1099,19 @@ Specifies the proerties of the publisher details. - + - + - + - +

major

integer-23

integer-32

minor

integer-23

integer-32

build

integer-23

integer-32

revision

integer-23

integer-32

- -  - -  - - - - - - From 2436f248fb05f7688fe8a511603a3e723dbc5c71 Mon Sep 17 00:00:00 2001 From: Matt Nelson Date: Tue, 20 Jun 2017 11:07:09 -0400 Subject: [PATCH 02/23] Updated to include fsiAnyCpu.exe Same as FSI.exe, has different fileName. --- .../device-guard/deploy-code-integrity-policies-steps.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md b/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md index df7aacb570..8f0f7d4c6f 100644 --- a/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md +++ b/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md @@ -38,6 +38,7 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you - csi.exe - dnx.exe - fsi.exe +- fsiAnyCpu.exe - kd.exe - lxssmanager.dll - msbuild.exe[1] @@ -110,6 +111,7 @@ Microsoft recommends that you block the following Microsoft-signed applications + @@ -175,6 +177,7 @@ Microsoft recommends that you block the following Microsoft-signed applications + From 34e135859f64a4c97e03b155c5ecfa8351d7dcce Mon Sep 17 00:00:00 2001 From: Matt Nelson Date: Tue, 20 Jun 2017 12:01:19 -0400 Subject: [PATCH 03/23] Updated to include Alex Ionescu credit Alex contributed to the bash.exe and lxssmanager.dll findings. Reference: https://twitter.com/aionescu/status/876226982534565889 --- .../device-guard/deploy-code-integrity-policies-steps.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md b/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md index 8f0f7d4c6f..5cbed02e22 100644 --- a/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md +++ b/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md 
@@ -60,6 +60,7 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you |Matt Graeber | @mattifestation| |Matt Nelson | @enigma0x3| |Oddvar Moe |@Oddvarmoe| +|Alex Ionescu | @aionescu|
From cc29c4ba47afe8c261e643e9dade3e19b0a6875c Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Fri, 23 Jun 2017 13:07:27 -0700 Subject: [PATCH 04/23] clarified TPM 2.0 requirement --- windows/device-security/tpm/tpm-recommendations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/device-security/tpm/tpm-recommendations.md b/windows/device-security/tpm/tpm-recommendations.md index 1b874b2988..0ccddbb144 100644 --- a/windows/device-security/tpm/tpm-recommendations.md +++ b/windows/device-security/tpm/tpm-recommendations.md @@ -84,7 +84,7 @@ For end consumers, TPM is behind the scenes but is still very relevant. TPM is u ### Windows 10 for desktop editions (Home, Pro, Enterprise, and Education) -- Since July 28, 2016, all new device models, lines or series (or if you are updating the hardware configuration of a existing model, line or series with a major update, such as CPU, graphic cards) must implement and enable by default TPM 2.0 (details in section 3.7 of the [Minimum hardware requirements](https://msdn.microsoft.com/library/windows/hardware/dn915086(v=vs.85).aspx) page). +- Since July 28, 2016, all new device models, lines or series (or if you are updating the hardware configuration of a existing model, line or series with a major update, such as CPU, graphic cards) must implement and enable by default TPM 2.0 (details in section 3.7 of the [Minimum hardware requirements](https://msdn.microsoft.com/library/windows/hardware/dn915086(v=vs.85).aspx) page). The requirement to enable TPM 2.0 only applies to the manufacturing of new devices. Windows 10 features such as [Windows Hello for Business](https://docs.microsoft.com/windows/access-protection/hello-for-business/hello-manage-in-organization#prerequisites) and [BitLocker](https://docs.microsoft.com/windows/device-security/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies#bkmk-tpmconfigurations) do not require TPM 2.0. ### IoT Core 
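Review bot: the rewritten bullet still reads "a existing model" and "graphic cards"; since the whole line is being replaced, correct these to "an existing model" and "graphics cards" in the same change. The bullet now also carries the manufacturing requirement and the feature clarification in a single run-on item, so consider moving the two added sentences into their own paragraph or note under the bullet.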
From afc2e557d3fd7084faf8ffdde80dadf3f110e940 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Fri, 23 Jun 2017 13:46:15 -0700 Subject: [PATCH 05/23] added link to feature table --- windows/device-security/tpm/tpm-recommendations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/device-security/tpm/tpm-recommendations.md b/windows/device-security/tpm/tpm-recommendations.md index 0ccddbb144..d0283a1020 100644 --- a/windows/device-security/tpm/tpm-recommendations.md +++ b/windows/device-security/tpm/tpm-recommendations.md 
@@ -84,7 +84,7 @@ For end consumers, TPM is behind the scenes but is still very relevant. TPM is u ### Windows 10 for desktop editions (Home, Pro, Enterprise, and Education) -- Since July 28, 2016, all new device models, lines or series (or if you are updating the hardware configuration of a existing model, line or series with a major update, such as CPU, graphic cards) must implement and enable by default TPM 2.0 (details in section 3.7 of the [Minimum hardware requirements](https://msdn.microsoft.com/library/windows/hardware/dn915086(v=vs.85).aspx) page). The requirement to enable TPM 2.0 only applies to the manufacturing of new devices. Windows 10 features such as [Windows Hello for Business](https://docs.microsoft.com/windows/access-protection/hello-for-business/hello-manage-in-organization#prerequisites) and [BitLocker](https://docs.microsoft.com/windows/device-security/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies#bkmk-tpmconfigurations) do not require TPM 2.0. +- Since July 28, 2016, all new device models, lines or series (or if you are updating the hardware configuration of a existing model, line or series with a major update, such as CPU, graphic cards) must implement and enable by default TPM 2.0 (details in section 3.7 of the [Minimum hardware requirements](https://msdn.microsoft.com/library/windows/hardware/dn91508.aspx) page). The requirement to enable TPM 2.0 only applies to the manufacturing of new devices. For TPM recommendations for specific Windows features, see [TPM and Windows Features](#tpm-and-windows-features). ### IoT Core From 58e0621f4c6f1cd7e684fb421e2f12a0f8d8005b Mon Sep 17 00:00:00 2001 From: LizRoss Date: Mon, 26 Jun 2017 13:41:38 -0700 Subject: [PATCH 06/23] Updating --- .../application-management/app-v/appv-auto-batch-sequencing.md | 1 + windows/application-management/app-v/appv-auto-batch-updating.md | 1 + 2 files changed, 2 insertions(+) 
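Review bot: in [PATCH 05/23] (windows/device-security/tpm/tpm-recommendations.md), the added line changes the Minimum hardware requirements link from dn915086(v=vs.85).aspx to dn91508.aspx, which drops the final digit of the page id along with the version suffix. The commit message ("added link to feature table") does not mention a link change, so this looks accidental; restore dn915086 unless the new target has been checked. Also confirm that the #tpm-and-windows-features anchor exists in this file, since the sentence it replaces was the only place that said Windows Hello for Business and BitLocker do not require TPM 2.0.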
diff --git a/windows/application-management/app-v/appv-auto-batch-sequencing.md b/windows/application-management/app-v/appv-auto-batch-sequencing.md index a90e25e2eb..5de2cf686f 100644 --- a/windows/application-management/app-v/appv-auto-batch-sequencing.md +++ b/windows/application-management/app-v/appv-auto-batch-sequencing.md @@ -155,6 +155,7 @@ There are 3 types of log files that occur when you sequence multiple apps at the - **Log.txt file**. Located in the **Output Package** folder. This file contains all code included in the NewAppVSequencerPackage cmdlet, including the allowed parameters. ### Related topics + - [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) - [How to install the App-V Sequencer](appv-install-the-sequencer.md) diff --git a/windows/application-management/app-v/appv-auto-batch-updating.md b/windows/application-management/app-v/appv-auto-batch-updating.md index 0430b81a0b..9dd0ce0b52 100644 --- a/windows/application-management/app-v/appv-auto-batch-updating.md +++ b/windows/application-management/app-v/appv-auto-batch-updating.md @@ -158,6 +158,7 @@ There are 3 types of log files that occur when you sequence multiple apps at the - **Log.txt file**. Located in the **Output Package** folder. This file contains all code included in the NewAppVSequencerPackage cmdlet, including the allowed parameters. ### Related topics + - [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) - [How to install the App-V Sequencer](appv-install-the-sequencer.md) From 7a042ab2a0f82ad2cdb73b3f18efddc16a3b93ce Mon Sep 17 00:00:00 2001 From: Steven Tricanowicz Date: Mon, 26 Jun 2017 14:47:37 -0700 Subject: [PATCH 07/23] Update column width on SupportedProductPlatform Fixing a column width that wasn't aligned with the rest of the page. --- .../mdm/data-structures-windows-store-for-business.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/windows/client-management/mdm/data-structures-windows-store-for-business.md b/windows/client-management/mdm/data-structures-windows-store-for-business.md index 38f80513d0..00837af89f 100644 --- a/windows/client-management/mdm/data-structures-windows-store-for-business.md +++ b/windows/client-management/mdm/data-structures-windows-store-for-business.md @@ -1051,8 +1051,8 @@ Specifies the properties of the publisher details. --++ From deca044ecbb30a8c88d9003533ced79834f41e01 Mon Sep 17 00:00:00 2001 From: jcaparas Date: Mon, 26 Jun 2017 21:39:42 -0700 Subject: [PATCH 08/23] update hklm path --- ...roxy-internet-windows-defender-advanced-threat-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md index 6c9b1b4da5..c497229e55 100644 --- a/windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md 
@@ -45,7 +45,7 @@ Configure a registry-based static proxy to allow only Windows Defender ATP senso The static proxy is configurable through Group Policy (GP). The group policy can be found under: **Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure connected user experiences and telemetry**. -The policy sets two registry values `TelemetryProxyServer` as REG_SZ and `DisableEnterpriseAuthProxy` as REG_DWORD under the registry key `HKLM\Software\Policies\Microsoft\Windows\DisableEnterpriseAuthProxy\DataCollection`. +The policy sets two registry values `TelemetryProxyServer` as REG_SZ and `DisableEnterpriseAuthProxy` as REG_DWORD under the registry key `HKLM\Software\Policies\Microsoft\Windows\DataCollection`. The registry value `TelemetryProxyServer` takes the following string format: From 8c5ee6e53ed34fcb2fd1d3096c59aeaada9f3067 Mon Sep 17 00:00:00 2001 From: Celeste de Guzman Date: Tue, 27 Jun 2017 11:07:13 -0700 Subject: [PATCH 09/23] removed ms date on page for hub --- education/index.md | 1 - 1 file changed, 1 deletion(-) diff --git a/education/index.md b/education/index.md index 4033cef903..f1dbb98cc3 100644 --- a/education/index.md +++ b/education/index.md @@ -5,7 +5,6 @@ title: Microsoft Education documentation and resources | Microsoft Docs description: Learn about product documentation and resources available for school IT administrators, teachers, students, and education app developers. author: CelesteDG ms.author: celested -ms.date: ms.date: 06/12/2017 ---
From ffdfba211abe8cf403b209e67b5262a11d3ec371 Mon Sep 17 00:00:00 2001 From: Nicholas Brower Date: Tue, 27 Jun 2017 21:34:50 +0000 Subject: [PATCH 10/23] Merged PR 1963: Merge nibr-BitLocker-12344168 to master added note about XTS-AES encryption only being supported on desktop --- .../mdm/policy-configuration-service-provider.md | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index c829fb36e4..e5cb50ad68 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -1781,12 +1781,15 @@ ADMX Info:

Specifies the BitLocker Drive Encryption method and cipher strength. +> [!NOTE] +> XTS-AES 128-bit and XTS-AES 256-bit values are only supported on Windows 10 for desktop. +

The following list shows the supported values: -- 3- AES 128-bit -- 4- AES 256 -- 6 -XTS 128 -- 7 - XTS 256 +- 3 - AES-CBC 128-bit +- 4 - AES-CBC 256-bit +- 6 - XTS-AES 128-bit (Desktop only) +- 7 - XTS-AES 256-bit (Desktop only) From ad242b728526302c75bbfaf57fcbb42332e404ae Mon Sep 17 00:00:00 2001 From: Trudy Hakala Date: Wed, 28 Jun 2017 08:37:24 -0700 Subject: [PATCH 11/23] more 1705 updates --- .../windows-store-for-business-overview.md | 188 +----------------- 1 file changed, 8 insertions(+), 180 deletions(-) diff --git a/store-for-business/windows-store-for-business-overview.md b/store-for-business/windows-store-for-business-overview.md index 430cd5c616..5bc9195325 100644 --- a/store-for-business/windows-store-for-business-overview.md +++ b/store-for-business/windows-store-for-business-overview.md @@ -157,7 +157,8 @@ For more information, see [Manage settings in the Store for Business](manage-set Microsoft Store for Business and Education is currently available in these markets. - -### Support for free and paid apps -

- - - - - - - - - -
Support for free and paid apps
-
    -
  • Algeria
  • -
  • Angola
  • -
  • Argentina
  • -
  • Australia
  • -
  • Austria
  • -
  • Bahamas
  • -
  • Bahrain
  • -
  • Bangladesh
  • -
  • Barbados
  • -
  • Belgium
  • -
  • Belize
  • -
  • Bermuda
  • -
  • Bolivia
  • -
  • Botswana
  • -
  • Brunei Darussalam
  • -
  • Bulgaria
  • -
  • Cameroon
  • -
  • Canada
  • -
  • Republic of Cabo Verde
  • -
  • Cayman Islands
  • -
  • Chile
  • -
  • Colombia
  • -
  • Costa Rica
  • -
  • Côte D'ivoire
  • -
  • Croatia
  • -
  • Curçao
  • -
  • Cyprus
  • -
  • Czech Republic
  • -
  • Denmark
  • -
-
-
    -
  • Dominican Republic
  • -
  • Ecuador
  • -
  • Egypt
  • -
  • El Salvador
  • -
  • Estonia
  • -
  • Faroe Islands
  • -
  • Fiji
  • -
  • Finland
  • -
  • France
  • -
  • Germany
  • -
  • Ghana
  • -
  • Greece
  • -
  • Guatemala
  • -
  • Honduras
  • -
  • Hong Kong SAR
  • -
  • Hungary
  • -
  • Iceland
  • -
  • Indonesia
  • -
  • Iraq
  • -
  • Ireland
  • -
  • Israel
  • -
  • Italy
  • -
  • Jamaica
  • -
  • Japan
  • -
  • Jordan
  • -
  • Kenya
  • -
  • Kuwait
  • -
  • Latvia
  • -
  • Lebanon
  • -
-
-
    -
  • Libya
  • -
  • Liechtenstein
  • -
  • Lithuania
  • -
  • Luxembourg
  • -
  • Malaysia
  • -
  • Malta
  • -
  • Mauritius
  • -
  • Mexico
  • -
  • Mongolia
  • -
  • Montenegro
  • -
  • Morocco
  • -
  • Namibia
  • -
  • Netherlands
  • -
  • New Zealand
  • -
  • Nicaragua
  • -
  • Nigeria
  • -
  • Norway
  • -
  • Oman
  • -
  • Pakistan
  • -
  • Palestinian Authority
  • -
  • Panama
  • -
  • Paraguay
  • -
  • Peru
  • -
  • Philippines
  • -
  • Poland
  • -
  • Portugal
  • -
  • Puerto Rico
  • -
  • Qatar
  • -
  • Romania
  • -
-
-
    -
  • Rwanda
  • -
  • Saint Kitts and Nevis
  • -
  • Saudi Arabia
  • -
  • Senegal
  • -
  • Serbia
  • -
  • Singapore
  • -
  • Slovakia
  • -
  • Slovenia
  • -
  • South Africa
  • -
  • Spain
  • -
  • Sweden
  • -
  • Switzerland
  • -
  • Tanzania
  • -
  • Thailand
  • -
  • Trinidad and Tobago
  • -
  • Tunisia
  • -
  • Turkey
  • -
  • Uganda
  • -
  • United Arab Emirates
  • -
  • United Kingdom
  • -
  • United States
  • -
  • Uruguay
  • -
  • Vietnam
  • -
  • Virgin Islands, U.S.
  • -
  • Zambia
  • -
  • Zimbabwe
          
  • -
-
- ### Support for free apps Customers in these markets can use Microsoft Store for Business and Education to acquire free apps: - India @@ -489,11 +311,17 @@ Customers in these markets can use Microsoft Store for Business and Education to ### Support for free apps and Minecraft: Education Edition Customers in these markets can use Microsoft Store for Business and Education to acquire free apps and Minecraft: Education Edition: - Albania +- Aremenia +- Azerbaijan +- Belarus - Bosnia - Brazil - Georgia +- Kazakhstan - Korea +- Republic of Moldova - Taiwan +- Tajikistan - Ukraine This table summarize what customers can purchase, depending on which Microsoft Store they are using. From 99ada674b6961e47957504972675354b2b4d58ab Mon Sep 17 00:00:00 2001 From: Jan Backstrom Date: Wed, 28 Jun 2017 15:57:07 +0000 Subject: [PATCH 12/23] Merged PR 1971: Surface Data Eraser updates article updates --- .../surface/microsoft-surface-data-eraser.md | 24 ++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/devices/surface/microsoft-surface-data-eraser.md b/devices/surface/microsoft-surface-data-eraser.md index b04f01e727..c744876e01 100644 --- a/devices/surface/microsoft-surface-data-eraser.md +++ b/devices/surface/microsoft-surface-data-eraser.md @@ -23,6 +23,12 @@ Find out how the Microsoft Surface Data Eraser tool can help you securely wipe d Compatible Surface devices include: +- Surface Studio + +- Surface Pro + +- Surface Laptop + - Surface Book - Surface Pro 4 @@ -35,6 +41,9 @@ Compatible Surface devices include: - Surface Pro 2 +>[!NOTE] +>Surface Pro devices with 1 TB storage are not currently supported by Microsoft Surface Data Eraser. + Some scenarios where Microsoft Surface Data Eraser can be helpful include: - Prepare a Surface device to be sent for repair 
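Review bot: in [PATCH 11/23] (store-for-business/windows-store-for-business-overview.md), the market added as "Aremenia" in the "Support for free apps and Minecraft: Education Edition" list is misspelled and should read "Armenia". The unchanged sentence directly after the list, "This table summarize what customers can purchase", could be corrected to "summarizes" in the same pass.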
@@ -137,7 +146,20 @@ After you create a Microsoft Surface Data Eraser USB stick, you can boot a suppo 8. Click the **Yes** button to continue erasing data on the Surface device. -  +## Changes and updates + +Microsoft Surface Data Eraser is periodically updated by Microsoft. For information about the changes provided in each new version, see the following: + +### Version 3.2.36 + +This version of Microsoft Surface Data Eraser adds support for the following: + +- Surface Pro + +- Surface Laptop + +>[!NOTE] +>The Microsoft Surface Data Eraser USB drive creation tool is unable to run on Windows 10 S. To wipe a Surface Laptop running Windows 10 S, you must first create the Microsoft Surface Data Eraser USB drive on another computer with Windows 10 Pro or Windows 10 Enterprise.   From e7d0780b9f83acd57fdd60322971ab9297613356 Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Wed, 28 Jun 2017 16:14:29 +0000 Subject: [PATCH 13/23] Merged PR 1972: Merge maricia-12523476 to master --- .../mdm/configuration-service-provider-reference.md | 10 +++++++--- .../mdm/new-in-windows-mdm-enrollment-management.md | 6 +++++- 2 files changed, 12 insertions(+), 4 deletions(-) diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index 498d52cb2a..b9c1c1cd51 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 06/19/2017 +ms.date: 06/27/2017 --- # Configuration service provider reference 
@@ -26,6 +26,10 @@ Additional lists: - [List of CSPs supported in Windows 10 S](#windows10s) The following tables show the configuration service providers support in Windows 10. +Footnotes: +- 1 - Added in Windows 10, version 1607 +- 2 - Added in Windows 10, version 1703 +- 3 - Added in Windows 10, version 1709
@@ -836,8 +840,8 @@ The following tables show the configuration service providers support in Windows cross mark check mark2 check mark2 - check mark2 - check mark2 + cross mark + cross mark diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index 46d1d00429..ecc0734eb3 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -10,7 +10,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 06/19/2017 +ms.date: 06/27/2017 --- # What's new in MDM enrollment and management @@ -1257,6 +1257,10 @@ Also Added [Firewall DDF file](firewall-ddf-file.md).
  • DeviceTagging/Criticality
  • + +[DynamicManagement CSP](dynamicmanagement-csp.md) +The DynamicManagement CSP is not supported in Windows 10 Mobile and Mobile Enterprise. The table of SKU information in the [Configuration service provider reference](configuration-service-provider-reference.md) was updated. + From be8e0cc8dd38b2c9f28d16617c66c0285e731433 Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Wed, 28 Jun 2017 17:31:50 +0000 Subject: [PATCH 14/23] Merged PR 1978: Merge maricia-12054259 to master --- ...ew-in-windows-mdm-enrollment-management.md | 9 +++-- .../policy-configuration-service-provider.md | 37 ++++++++++++++++++- 2 files changed, 41 insertions(+), 5 deletions(-) diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index ecc0734eb3..6076927aba 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -10,7 +10,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 06/27/2017 +ms.date: 06/28/2017 --- # What's new in MDM enrollment and management @@ -1232,6 +1232,10 @@ Also Added [Firewall DDF file](firewall-ddf-file.md).

    Added the following new policies for Windows 10, version 1709:

      +
    • CredentialProviders/EnableWindowsAutoPilotResetCredentials
    • +
    • DeviceGuard/EnableVirtualizationBasedSecurity
    • +
    • DeviceGuard/RequirePlatformSecurityFeatures
    • +
    • DeviceGuard/LsaCfgFlags
    • Power/DisplayOffTimeoutOnBattery
    • Power/DisplayOffTimeoutPluggedIn
    • Power/HibernateTimeoutOnBattery
    • @@ -1243,9 +1247,6 @@ Also Added [Firewall DDF file](firewall-ddf-file.md).
    • Update/ScheduledInstallFourthWeek
    • Update/ScheduledInstallSecondWeek
    • Update/ScheduledInstallThirdWeek
    • -
    • DeviceGuard/EnableVirtualizationBasedSecurity
    • -
    • DeviceGuard/RequirePlatformSecurityFeatures
    • -
    • DeviceGuard/LsaCfgFlags

    EnterpriseCloudPrint/DiscoveryMaxPrinterLimit is only supported in Windows 10 Mobile and Mobile Enterprise.

    diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index e5cb50ad68..44bf627310 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 06/19/2017 +ms.date: 06/28/2017 --- # Policy CSP @@ -3762,6 +3762,41 @@ ADMX Info: +**CredentialProviders/EnableWindowsAutoPilotResetCredentials** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    + + + +Added in Windows 10, version 1709. Boolean policy to enable the credential provider that triggers the PC refresh on a device. This policy does not actually trigger the refresh. When the policy is enabled, a WNF notification is generated that would schedule a task to update the visibility of the new provider. The admin user is required to authenticate to trigger the refresh on the target device. + +The auto pilot reset feature allows admin to reset devices to a known good managed state while preserving the management enrollment. After the auto pilot reset is triggered the devices are for ready for use by information workers or students. + +Default value is 0. + + + + **CredentialsUI/DisablePasswordReveal** From b892f70e9d18c2beb3e5f465b9426b63643aa223 Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Wed, 28 Jun 2017 17:50:35 +0000 Subject: [PATCH 15/23] Merged PR 1981: Merge maricia-12461998 to master --- windows/client-management/mdm/dmclient-csp.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/client-management/mdm/dmclient-csp.md b/windows/client-management/mdm/dmclient-csp.md index 303c8454a4..e0b8f44952 100644 --- a/windows/client-management/mdm/dmclient-csp.md +++ b/windows/client-management/mdm/dmclient-csp.md 
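Review bot: in [PATCH 14/23] (windows/client-management/mdm/policy-configuration-service-provider.md), the added description of CredentialProviders/EnableWindowsAutoPilotResetCredentials contains "the devices are for ready for use", which should be "the devices are ready for use". The text also writes the feature as "auto pilot reset" while the policy name uses "AutoPilotReset"; pick one spelling. Only "Default value is 0" is given for this Boolean policy, so state what 0 and 1 each mean.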
@@ -36,7 +36,9 @@ Required. The root node for all settings that belong to a single management serv Supported operation is Get. **Provider/****_ProviderID_** -Optional. This node contains the URI-encoded value of the bootstrapped device management account’s Provider ID. Scope is dynamic. As a best practice, use text that doesn’t require XML/URI escaping. +Required. This node contains the URI-encoded value of the bootstrapped device management account’s Provider ID. Scope is dynamic. This value is set and controlled by the MDM server. As a best practice, use text that doesn’t require XML/URI escaping. + +For Intune, use **MS DM Server** for Windows desktop or **SCConfigMgr** for Windows mobile for the _ProviderID_. Supported operations are Get and Add. From d12d7affec2f517ea30d9f335565164c08307ddb Mon Sep 17 00:00:00 2001 From: Matt Nelson Date: Wed, 28 Jun 2017 11:18:18 -0700 Subject: [PATCH 16/23] added ntkd debugger kernel debugger, nearly identical to kd.exe --- .../device-guard/deploy-code-integrity-policies-steps.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md b/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md index 8f0f7d4c6f..6ee22448d8 100644 --- a/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md +++ b/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md @@ -40,6 +40,7 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you - fsi.exe - fsiAnyCpu.exe - kd.exe +- ntkd.exe - lxssmanager.dll - msbuild.exe[1] - mshta.exe @@ -102,6 +103,7 @@ Microsoft recommends that you block the following Microsoft-signed applications + @@ -168,6 +170,7 @@ Microsoft recommends that you block the following Microsoft-signed applications + From fa0157fd954bac1efcde76d556be01e1b1d6bf54 Mon Sep 17 00:00:00 2001 
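Review bot: In the Provider/ProviderID paragraph of dmclient-csp.md, the new Intune guidance recommends **MS DM Server**, a value containing spaces, right after the sentence "As a best practice, use text that doesn't require XML/URI escaping", so the page's own example contradicts its best practice. Either show the value as it must appear in the node URI once encoded, or qualify the best-practice sentence so that it applies to provider IDs an MDM vendor picks for itself. The switch from "Optional" to "Required" is a behavioural statement and deserves a reason in the commit message, which currently carries only the merge subject.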
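Review bot: In the first hunk of deploy-code-integrity-policies-steps.md, "- ntkd.exe" is inserted between "- kd.exe" and "- lxssmanager.dll", which breaks the alphabetical order the visible entries otherwise follow (fsi.exe, fsiAnyCpu.exe, kd.exe, lxssmanager.dll, msbuild.exe, mshta.exe). Move it to its alphabetical position further down the list, or say that the grouping with kd.exe is deliberate. The reason given in the commit message ("nearly identical to kd.exe") is worth one sentence in the article, so readers of the recommended block list know why a second debugger is on it.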
From: Jan Backstrom Date: Wed, 28 Jun 2017 11:37:59 -0700 Subject: [PATCH 17/23] Surface updates update verson info; update change history doc --- devices/surface/change-history-for-surface.md | 8 ++++++++ .../microsoft-surface-deployment-accelerator.md | 7 +++++++ devices/surface/surface-dock-updater.md | 11 +++++++++++ 3 files changed, 26 insertions(+) diff --git a/devices/surface/change-history-for-surface.md b/devices/surface/change-history-for-surface.md index 1dd7b983ea..33992b2d0a 100644 --- a/devices/surface/change-history-for-surface.md +++ b/devices/surface/change-history-for-surface.md @@ -11,6 +11,14 @@ author: jdeckerms This topic lists new and updated topics in the Surface documentation library. +## June 2017 + +|New or changed topic | Description | +| --- | --- | +|[Surface Data Eraser](microsoft-surface-data-eraser.md) | Update compatible devices, added version 3.2.36 information | +|[Surface Deployment Accelerator](microsoft-surface-deployment-accelerator.md) | Added version 2.0.8.0 information | +|[Surface Dock Updater](surface-dock-updater.md) | Added version 2.1.15.0 information | + ## April 2017 diff --git a/devices/surface/microsoft-surface-deployment-accelerator.md b/devices/surface/microsoft-surface-deployment-accelerator.md index cc2236665f..f64cc3d1cd 100644 --- a/devices/surface/microsoft-surface-deployment-accelerator.md +++ b/devices/surface/microsoft-surface-deployment-accelerator.md 
@@ -90,6 +90,13 @@ SDA is periodically updated by Microsoft. For instructions on how these features >[!NOTE] >To install a newer version of SDA on a server with a previous version of SDA installed, you only need to run the installation file for the new version of SDA. The installer will handle the upgrade process automatically. If you used SDA to create a deployment share prior to the upgrade and want to use new features of the new version of SDA, you will need to create a new deployment share. SDA does not support upgrades of an existing deployment share. + +### Version 2.0.8.0 +This version of SDA supports deployment of the following: +* Surface Pro + +>[!NOTE] +>SDA version 2.0.8.0 includes support only for Surface Pro, and does not support other Surface devices such as Surface Pro 4 or Surface Book. To deploy these devices, please continue to use SDA version 1.96.0405.   ### Version 1.96.0405 This version of SDA adds support for the following: diff --git a/devices/surface/surface-dock-updater.md b/devices/surface/surface-dock-updater.md index 6c009e69fb..f41c92b26b 100644 --- a/devices/surface/surface-dock-updater.md +++ b/devices/surface/surface-dock-updater.md 
@@ -111,6 +111,17 @@ Microsoft periodically updates Surface Dock Updater. To learn more about the app >[!Note] >Each update to Surface Dock firmware is included in a new version of Surface Dock Updater. To update a Surface Dock to the latest firmware, you must use the latest version of Surface Dock Updater. +### Version 2.1.15.0 +*Release date: June 19, 2017* + +This version of Surface Dock Updater adds support for the following: + +* Surface Laptop +* Surface Pro + +>[!NOTE] +>The Surface Dock Updater tool is unable to run on Windows 10 S. Surface Dock devices used with Surface Laptop with Windows 10 S will receive updates natively through Windows Update. To manually update a Surface Dock for use with Surface Laptop and Windows 10 S, connect the Surface Dock to another Surface device with a Windows 10 Pro or Windows 10 Enterprise environment. + ### Version 1.0.8.0 *Release date: April 26, 2016* From a1823d2e93a2c8b7e6dc6a44340c9e6638f9e5c5 Mon Sep 17 00:00:00 2001 From: arottem Date: Wed, 28 Jun 2017 12:51:01 -0700 Subject: [PATCH 18/23] Update enable-cloud-protection-windows-defender-antivirus.md --- .../enable-cloud-protection-windows-defender-antivirus.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md index d5f456a9fb..4057fe4655 100644 --- a/windows/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md @@ -18,7 +18,7 @@ author: iaanw **Applies to:** -- Windows 10, version 1703 +- Windows 10 **Audience** 
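Review bot: In the June 2017 table added to change-history-for-surface.md, the first row announces a Surface Data Eraser update (version 3.2.36), but the diffstat for this patch lists only change-history-for-surface.md, microsoft-surface-deployment-accelerator.md and surface-dock-updater.md, so the change history points readers at a change this patch does not contain. Include the microsoft-surface-data-eraser.md update in the same patch or hold the row back until it lands. The row also mixes "Update compatible devices" with "added"; "Updated compatible devices, added version 3.2.36 information" would match the other two rows.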
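Review bot: In the Version 2.0.8.0 section added to microsoft-surface-deployment-accelerator.md, the new note tells admins to keep using SDA version 1.96.0405 for Surface Pro 4 and Surface Book, while the unchanged note directly above it says that running the new installer upgrades an existing installation automatically. State whether 2.0.8.0 can be installed alongside 1.96.0405 or replaces it, because an admin who follows the upgrade note could end up without the version the new note says is still needed. The sentence "This version of SDA supports deployment of the following:" above a single bullet could simply read "This version of SDA supports deployment of Surface Pro."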
@@ -150,4 +150,4 @@ See [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](http - [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) - [Utilize Microsoft cloud-delivered protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) - [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) -- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) \ No newline at end of file +- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) From fe715f1b0b387134ea3405e1c3acf586c3d8052e Mon Sep 17 00:00:00 2001 From: intothedarkness Date: Wed, 28 Jun 2017 12:53:39 -0700 Subject: [PATCH 19/23] Update copying-the-mbam-25-group-policy-templates.md --- mdop/mbam-v25/copying-the-mbam-25-group-policy-templates.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/mdop/mbam-v25/copying-the-mbam-25-group-policy-templates.md b/mdop/mbam-v25/copying-the-mbam-25-group-policy-templates.md index 8991e9e68f..e76227cb88 100644 --- a/mdop/mbam-v25/copying-the-mbam-25-group-policy-templates.md +++ b/mdop/mbam-v25/copying-the-mbam-25-group-policy-templates.md 
@@ -16,14 +16,14 @@ ms.prod: w10 Before deploying the MBAM Client installation, you must download the MBAM Group Policy Templates, which contain Group Policy settings that define MBAM implementation settings for BitLocker Drive Encryption. After downloading the templates, you then set the Group Policy settings to implement across your enterprise. ## Downloading and deploying the MDOP Group Policy templates - - MDOP Group Policy templates are available for download in a self-extracting, compressed file, grouped by technology and version. **How to download and deploy the MDOP Group Policy templates** 1. Download the MDOP Group Policy templates from [Microsoft Desktop Optimization Pack Group Policy Administrative Templates -](https://www.microsoft.com/en-us/download/details.aspx?id=54957). +](https://www.microsoft.com/en-us/download/details.aspx?id=55531 + +). 2. Run the downloaded file to extract the template folders. From 3226727009ac757ff3a2018aafe04177c532c087 Mon Sep 17 00:00:00 2001 From: intothedarkness Date: Wed, 28 Jun 2017 12:57:58 -0700 Subject: [PATCH 20/23] Update copying-the-mbam-25-group-policy-templates.md update the AMDX template to new link --- mdop/mbam-v25/copying-the-mbam-25-group-policy-templates.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mdop/mbam-v25/copying-the-mbam-25-group-policy-templates.md b/mdop/mbam-v25/copying-the-mbam-25-group-policy-templates.md index 8991e9e68f..dab054da3e 100644 --- a/mdop/mbam-v25/copying-the-mbam-25-group-policy-templates.md +++ b/mdop/mbam-v25/copying-the-mbam-25-group-policy-templates.md 
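Review bot: In step 1 of the copying-the-mbam-25-group-policy-templates.md hunk, the new link target is split over three added lines ("id=55531", an empty line, then ")."), which breaks the Markdown link; keep the URL and the closing ")." on one line, as the removed line did. The hunk also deletes the two blank lines under the "## Downloading and deploying the MDOP Group Policy templates" heading, a whitespace change unrelated to the link update that is better left out of it.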
@@ -23,7 +23,7 @@ MDOP Group Policy templates are available for download in a self-extracting, com **How to download and deploy the MDOP Group Policy templates** 1. Download the MDOP Group Policy templates from [Microsoft Desktop Optimization Pack Group Policy Administrative Templates -](https://www.microsoft.com/en-us/download/details.aspx?id=54957). +](https://www.microsoft.com/en-us/download/details.aspx?id=55531). 2. Run the downloaded file to extract the template folders. From b3be0d2623f464a4cad2659b9ffc5f3909f75d00 Mon Sep 17 00:00:00 2001 From: intothedarkness Date: Wed, 28 Jun 2017 13:03:00 -0700 Subject: [PATCH 21/23] Revert "Update copying-the-mbam-25-group-policy-templates.md" --- mdop/mbam-v25/copying-the-mbam-25-group-policy-templates.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/mdop/mbam-v25/copying-the-mbam-25-group-policy-templates.md b/mdop/mbam-v25/copying-the-mbam-25-group-policy-templates.md index e76227cb88..8991e9e68f 100644 --- a/mdop/mbam-v25/copying-the-mbam-25-group-policy-templates.md +++ b/mdop/mbam-v25/copying-the-mbam-25-group-policy-templates.md 
@@ -16,14 +16,14 @@ ms.prod: w10 Before deploying the MBAM Client installation, you must download the MBAM Group Policy Templates, which contain Group Policy settings that define MBAM implementation settings for BitLocker Drive Encryption. After downloading the templates, you then set the Group Policy settings to implement across your enterprise. ## Downloading and deploying the MDOP Group Policy templates + + MDOP Group Policy templates are available for download in a self-extracting, compressed file, grouped by technology and version. **How to download and deploy the MDOP Group Policy templates** 1. Download the MDOP Group Policy templates from [Microsoft Desktop Optimization Pack Group Policy Administrative Templates -](https://www.microsoft.com/en-us/download/details.aspx?id=55531 - -). +](https://www.microsoft.com/en-us/download/details.aspx?id=54957). 2. Run the downloaded file to extract the template folders. From 9c86a5d9b43513ef147f3f3492923b8c8e1a8d17 Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Wed, 28 Jun 2017 20:05:11 +0000 Subject: [PATCH 22/23] Merged PR 1985: Merge maricia-12544946 to master --- ...ew-in-windows-mdm-enrollment-management.md | 1 - .../mdm/policymanager-csp.md | 947 +----------------- 2 files changed, 3 insertions(+), 945 deletions(-) diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index 6076927aba..d71053ae18 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md 
@@ -969,7 +969,6 @@ The software version information from **DevDetail/SwV** does not match the versi - In the SyncML, you must use lowercase product ID. - Do not duplicate a product ID. Messaging and Skype Video use the same product ID. Duplicates cause an error. - For additional details, see [ApplicationRestrictions in PolicyManager CSP](policymanager-csp.md#applicationmanagement-applicationrestrictions). - Silverlight xaps may not install even if publisher policy is specified using Windows Phone 8.1 publisher rule. For example, Silverlight app "Level" will not install even if you specify <Publisher PublisherName=”Microsoft Corporation” />. diff --git a/windows/client-management/mdm/policymanager-csp.md b/windows/client-management/mdm/policymanager-csp.md index d72dde44b5..a888021e38 100644 --- a/windows/client-management/mdm/policymanager-csp.md +++ b/windows/client-management/mdm/policymanager-csp.md 
@@ -7,957 +7,16 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 06/19/2017 +ms.date: 06/28/2017 --- # PolicyManager CSP -The PolicyManager configuration service provider enables the enterprise to configure company policies on Windows 10 Mobile. +PolicyManager CSP is deprecated. Use [Policy CSP](policy-configuration-service-provider.md) instead. -> **Note**   The PolicyManager CSP is supported in Windows 10 Mobile for backward compatibility. For Windows 10 devices you should use [Policy CSP](policy-configuration-service-provider.md), which replaces PolicyManager CSP. You can continue to use PolicyManager CSP for Windows Phone 8.1 and Windows Phone 8.1 GDR devices. The PolicyManager CSP will be deprecated some time in the future. +> **Note**   The PolicyManager CSP is supported in Windows 10 Mobile for backward compatibility. For Windows 10 devices you should use [Policy CSP](policy-configuration-service-provider.md), which replaces PolicyManager CSP. You can continue to use PolicyManager CSP for Windows Phone 8.1 and Windows Phone 8.1 GDR devices. -  - -The PolicyManager CSP has the following sub-categories: - -- PolicyManager/My/*AreaName* – Handles the policy configuration request from the server. - -- PolicyManager/Device/*AreaName* – Provides a read-only path to policies enforced on the device. - -The configuration policies for the same *AreaName* must be wrapped in an Atomic command. - -The following image shows the PolicyManager configuration service provider in tree format as used by both the Open Mobile Alliance (OMA) Device Management (DM) and OMA Client Provisioning. - -![provisioning\-csp\-policymanager](images/provisioning-csp-policymanager.png) - -The following list describes the characteristics and parameters. - -**./Vendor/MSFT/PolicyManager** -The root node for the PolicyManager configuration service provider. - -Supported operation is Get. 
- -**My** -Node for policies for a specific provider that can be retrieved, modified, or deleted. - -Supported operation is Get. - -**My/****_<AreaName>_** -The area group that can be configured by a single technology for a single provider. Once added, you cannot change the value. - -Supported operations are Add, Get, and Delete. - -**My/_<AreaName>_/****_<PolicyName>_** -Specifies the name/value pair used in the policy. The following list shows some tips to help you when configuring policies: - -- Separate multistring values by the Unicode &\#xF000; in the XML file. - -- End multistrings with &\#xF000; For example, One string&\#xF000;two string&\#xF000;red string&\#xF000;blue string&\#xF000;&\#xF000;. Note that a query from different caller could provide a different value as each caller could have different values for a named policy. - -- In Syncml, wrap this policy with the Atomic command so that the policy settings are treated as a single transaction. - -- Supported operations are Add, Get, Delete, and Replace. - -- Value type is string. - -For possible area and policy names, see [Supported company policies](#bkmk-supportedpolicies) below. - -**Device** -Groups the evaluated policies from all providers that can be configured. Supported operations is Get. - -**Device/****_<AreaName>_** -The area group that can be configured by a single technology independent of the providers. Supported operation is Get. - -**Device/_<AreaName>_/****_<PolicyName>_** -Specifies the name/value pair used in the policy. Supported operation is Get. - -## List of *<AreaName>*/*<PolicyName>* - - -**DeviceLock/DevicePasswordEnabled** -Specifies whether device lock is enabled. 
- -The following list shows the supported values: - -- 0 (default) - Enabled - -- 1 – Disabled - -> **Important**   ->The DevicePasswordEnabled setting must be set to 0 (device password is enabled) for the following settings to take effect: -> -> - AllowSimpleDevicePassword -> - MinDevicePasswordLength -> - AlphanumericDevicePasswordRequired -> - MaxDevicePasswordFailedAttempts -> - MaxInactivityTimeDeviceLock -> - MinDevicePasswordComplexCharacters - -  - -Supported via MDM and EAS - -EAS policy name - DevicePasswordEnabled - -Min policy value is the most restricted - -**DeviceLock/AllowSimpleDevicePassword** -Specifies whether passwords like “1111” or “1234” are allowed. - -The following list shows the supported values: - -- 0 - Not allowed. - -- 1 (default) – Allowed. - -Supported via MDM and EAS - -EAS policy name - AllowSimpleDevicePassword - -Min policy value is the most restricted - -**DeviceLock/MinDevicePasswordLength** -Specifies the minimum number or characters required in the PIN. - -The following list shows the supported values: - -- An integer X where - - 4 <= X <= 16. - -- 0- Not enforced. - -- Default: 4. - -Supported via MDM and EAS - -EAS policy name - MinDevicePasswordLength - -Max policy value is the most restricted - -**DeviceLock/AlphanumericDevicePasswordRequired** -Determines the type of password required. This policy only applies if DevicedPasswordEnabled policy is set to 0 (required). - -The following list shows the supported values: - -- 0 - Alphanumeric password required. - -- 1 - Numeric password required. - -- 2 (default) - Users can choose: Numeric Password, or Alphanumeric Password. - -Supported via MDM and EAS - -EAS policy name - AlphanumericDevicePasswordRequired - -Min policy value is the most restricted - -**DeviceLock/DevicePasswordExpiration** -Specifies when the password expires (in days). - -The following list shows the supported values: - -- An integer X where - - 0 <= X <= 730. - -- 0 (default) - Passwords do not expire. 
- -Supported via MDM and EAS - -EAS policy name - DevicePasswordExpiration - -If all policy values = 0 then 0; otherwise, Min policy value is the most secure value - -**DeviceLock/DevicePasswordHistory** -Specifies how many passwords can be stored in the history that can’t be used. - -The following list shows the supported values: - -- An integer X where - - 0 <= X <=50. - -- Default: 0 - -Supported via MDM and EAS - -EAS policy name - DevicePasswordHistory - -Max policy value is the most restricted - -**DeviceLock/MaxDevicePasswordFailedAttempts** -The number of authentication failures allowed before the device will be wiped. A value of 0 disables device wipe functionality. - -The following list shows the supported values: - -- An integer X where - - 0 <= X <= 999. - -- Default: 0. The device is never wiped after wrong passwords are entered. - -Supported via MDM and EAS - -EAS policy name - MaxDevicePasswordFailedAttempts - -If all policy values = 0 then 0; otherwise, Min policy value is the most restricted value. - -**DeviceLock/MaxInactivityTimeDeviceLock** -Specifies the amount of time (in minutes) after the device is idle that will cause the device to become password locked. - -The following list shows the supported values: - -- An integer X where - - 0 <= X <= 999. - -- 0 (default) - No timeout is defined. The default of "0" is Mango parity and is interpreted by as "No timeout is defined." - -Supported via MDM and EAS - -EAS policy name - MaxInactivityTimeDeviceLock - -Min policy value (except ‘0’) is the most restricted value. - -**DeviceLock/MinDevicePasswordComplexCharacters** -The number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong password. - -The following list shows the supported values: - -- An integer X where - - 1 <= X <= 4. - -The default value is 1. - -Supported via MDM and EAS. 
- -EAS policy name - MinDevicePasswordComplexCharacters - -Max policy value is the most restricted - -**DeviceLock/AllowIdleReturnWithoutPassword** -Force the user to input password every time the device returns from an idle state. - -> **Note**  This policy is only supported in Windows 10 Mobile. - -  - -The following list shows the supported values: - -- 0 - user is not able to set the password grace period timer, and the value is set as "each time." - - 1 (default) - user is able to set the password grace period timer. - -Supported via MDM and EAS. - -Most restricted value is 0. - -**WiFi/AllowWiFi** -Allow or disallow Wi-Fi connection. (Configurable by Exchange as well – definition will be consistent with EAS definition.) - -> **Note**  The policy is only supported in Windows 10 Mobile. - -  - -The following list shows the supported values: - -- 0 – Use Wi-Fi connection is disallowed. - -- 1 (default) – Use Wi-Fi connection is allowed. - -Supported via MDM and EAS. - -EAS policy name - AllowWiFi - -Most restricted value is 0. - -**WiFi/AllowInternetSharing** -Allow or disallow internet sharing. - -(Configurable by Exchange as well – definition will be consistent with EAS definition.) - -The following list shows the supported values: - -- 0 – Do not allow the use of Internet Sharing. - -- 1 (default) – Allow the use of Internet Sharing. - -Supported via MDM and EAS. - -EAS policy name - AllowInternetSharing - -Most restricted value is 0. - -**WiFi/AllowAutoConnectToWiFiSenseHotspots** -Allow or disallow the device to automatically connect to Wi-Fi hotspots and friend social network. - -The following list shows the supported values: - -- 0 – Not allowed. - -- 1 (default) – Allowed. - -Most restricted value is 0. - -**WiFi/AllowWiFiHotSpotReporting** -Allow or disallow Wi-Fi Hotspot information reporting to Microsoft. Once disallowed, the user cannot turn it on. - -The following list shows the supported values: - -- 0 – HotSpot reporting is not allowed. 
- -- 1 (default) – HotSpot reporting is allowed. - -Most restricted value is 0. - -**WiFi/AllowManualWiFiConfiguration** -Allow or disallow connecting to Wi-Fi outside of MDM server-installed networks. - -> **Note**  The policy is only supported in Windows 10 Mobile. - -  - -The following list shows the supported values: - -- 0 – No Wi-Fi connection outside of MDM provisioned network is allowed. - -- 1 (default) – Adding new network SSIDs beyond the already MDM provisioned ones is allowed. - -Most restricted value is 0. - -**Connectivity/AllowNFC** -Allow or disallow near field communication (NFC) on the device. - -> **Note**  This policy is only supported in Windows 10 Mobile. - -  - -The following list shows the supported values: - -- 0 – Do not allow NFC capabilities. - -- 1 (default) – Allow NFC capabilities. - -Most restricted value is 0. - -**Connectivity/AllowCellularDataRoaming** -Allows or disallows cellular data roaming on the device. - -The following list shows the supported values: - -- 0 – Not allowed. - -- 1 (default) – Allowed. - -Most restricted value is 0. - -**Connectivity/AllowUSBConnection** -Enables USB connection between the device and a computer to sync files with the device or to use developer tools to deploy or debug applications. Changing this policy does not affect USB charging. - -Both Media Transfer Protocol (MTP) and IP over USB are disabled when this policy is enforced. - -> **Note**  This policy is only supported in Windows 10 Mobile. - -  - -The following list shows the supported values: - -- 0 - Not allowed. - -- 1 (default) - Allowed. - -Most restricted value is 0. - -**Connectivity/AllowVPNOverCellular** -This policy specifies what type of underlying connections VPN is allowed to use. - -The following list shows the supported values: - -- 0 - VPN is not allowed over cellular. - -- 1 (default) – VPN could use any connection including cellular. - -Most restricted value is 0. 
- -**Connectivity/AllowVPNRoamingOverCellular** -This policy, when enforced, will prevent the device from connecting VPN when the device roams over cellular networks. - -The following list shows the supported values: - -- 0 – Not allowed. - -- 1 (default) - Allowed. - -Most restricted value is 0. - -**Connectivity/AllowBluetooth** -Allow the user to enable Bluetooth or restrict access. - -The following list shows the possible values: - -- 0 – Disable Bluetooth. - -- 1 – Not supported in Windows 10 Mobile for MDM and EAS Disable Bluetooth, but allow the configuration of hands-free profiles. - -- 2 (default) – Allow Bluetooth. - -Supported via MDM and EAS. - -EAS policy name - AllowBluetooth - -Most restricted value is 0. - -**System/AllowStorageCard** -Controls whether the user is allowed to use the storage card for device storage. This setting does not prevent programmatic access to the storage card, it only prevents the user from using the card as a storage location. - -The following list shows the supported values: - -- 0 – SD card use is not allowed. This does not prevent programmatic access to the storage card. - -- 1 (default) – Allow a storage card. - -EAS policy name - AllowStorageCard - -Most restricted value is 0. - -**System/AllowLocation** -Specifies whether to allow a location service. - -The following list shows the supported values: - -- 0 – Not allowed. - -- 1 (default) – Allowed. - -Most restricted value is 0. - -**System/AllowTelemetry** -Allow the device to send telemetry information (such as Software Quality Management (SQM) and Watson). - -The following list shows the supported values: - -- 0 – Not allowed. - -- 1 – Allowed, except for Secondary Data Requests. - -- 2 (default) – Allowed. - -Most restricted value is 0. - -**System/AllowUserToResetPhone** -Specifies whether to allow the user to factory reset the phone by using control panel and hardware key combination. - -> **Note**  This policy is only supported in Windows 10 Mobile. 
- -  - -The following list shows the possible values: - -- 0 - Not allowed. - -- 1 (default) - Allowed to reset to factory default settings. - -Most restricted value is 0. - -**Experience/AllowSaveAsOfOfficeFiles** -Specifies whether the user is allowed to save a file on the device as an office file. - -> **Note**  This policy is not supported and deprecated in Windows 10. - -  - -The following list shows the supported values: - -- 0 – Not allowed. - -- 1 (default) – Allowed. - -Most restricted value is 0. - -**Experience/AllowCopyPaste** -Specifies whether copy and paste is allowed. - -> **Note**  This policy is only supported in Windows 10 Mobile. - -  - -The following list shows the supported values: - -- 0 – Not allowed. - -- 1 (default) – Allowed. - -Most restricted value is 0. - -**Experience/AllowScreenCapture** -Specifies whether screen capture is allowed. - -> **Note**  This policy is only supported in Windows 10 Mobile. - -  - -The following list shows the supported values: - -- 0 – Not allowed. - -- 1 (default) – Allowed. - -Most restricted value is 0. - -**Experience/AllowVoiceRecording** -Specifies whether voice recording is allowed. - -> **Note**  This policy is only supported in Windows 10 Mobile. - -  - -The following list shows the supported values: - -- 0 – Not allowed. - -- 1 (default) – Allowed. - -Most restricted value is 0. - -**Experience/AllowCortana** -Specifies whether Cortana is allowed on the device. - -The following list shows the supported values: - -- 0 – Not allowed. - -- 1 (default) – Allowed. - -Most restricted value is 0. - -**Experience/AllowSyncMySettings** -Allows the enterprise to disallow roaming settings among devices (in/from a device). If not enforced, whether or not roaming is allowed may depend on other factors. - -The following list shows the supported values: - -- 0 – Roaming is not allowed. - -- 1 (default) – The enterprise does not enforce roaming restrictions. - -Most restricted value is 0. 
- - **Experience/AllowManualMDMUnenrollment** -Specifies whether to allow the user to delete the workplace account using the workplace control panel. The MDM server can always remotely delete the account. - -- 0 - Not allowed server. - -- 1 – Allowed. - -Most restricted value is 0. - - **Experience/AllowSharingOfOfficeFiles** -Specifies whether the user is allowed to share Office files. - -The following list shows the supported values: - -> **Note**  This policy is not supported in Windows 10. - -  - -- 0 – Not allowed. - -- 1 (default) – Allowed. - -Most restricted value is 0. - -**Accounts/AllowMicrosoftAccountConnection** -Specifies whether user is allowed to use an MSA account for non-email related connection authentication and services. - -The following list shows the supported values: - -- 0 – Not allowed. - -- 1 (default) – Allowed. - -Most restricted value is 0. - -**Accounts/AllowAddingNonMicrosoftAccountsManually** -Specifies whether user is allowed to add non-MSA email accounts. - -The following list shows the supported values: - -- 0 – Not allowed. - -- 1 (default) – Allowed. - -Most restricted value is 0. - -**Security/AllowManualRootCertificateInstallation** -Specifies whether the user is allowed to manually install root and intermediate CAP certificates. - -> **Note**  This policy is only supported in Windows 10 Mobile. - -  - -The following list shows the supported values: - -- 0 – Not allowed. - -- 1 (default) – Allowed. - -Most restricted value is 0. - -**Security/RequireDeviceEncryption** -Allows enterprise to turn on internal storage encryption. Note that once turned on, it cannot be turned off via policy. - -The following list shows the supported values: - -- 0 (default) – Encryption is not required. - -- 1 – Encryption is required. - -Supported via MDM and EAS. - -EAS policy name - RequireDeviceEncryption - -Most restricted value is 1. - -**Browser/AllowBrowser** -Specifies whether Internet Explorer is allowed in the device. 
- -> **Note**  This policy in only supported in Windows 10 Mobile. - -  - -The following list shows the supported values: - -- 0 – Not allowed. - -- 1 (default) – Allowed. - -Supported via MDM and EAS. - -EAS policy name - AllowBrowser - -Most restricted value is 0. - -**Camera/AllowCamera** -Disables or enables the camera. - -The following list shows the supported values: - -- 0 – Use of camera is disallowed. - -- 1 (default) – Use of camera is allowed. - -Most restricted value is 0. - -**ApplicationManagement/AllowStore** -Specifies whether app store is allowed at the device. - -> **Note**  This policy is only supported in Windows 10 Mobile. - -  - -The following list shows the supported values: - -- 0 – Not allowed. - -- 1 (default) – Allowed. - -Most restricted value is 0. - -**ApplicationManagement/ApplicationRestrictions** -An XML blob that specifies the application restrictions company want to put to the device. It could be app allow list, app disallow list, allowed publisher IDs, etc. An application that is running may not be immediately terminated. - -> **Note**  This policy is only supported in Windows 10 Mobile. - -  - -> **Note**  List of known issues: -- When you upgrade Windows Phone 8.1 devices to Windows 10 Mobile with a list of allowed apps, some Windows inbox apps get blocked causing unexpected behavior. To work around this issue, you must include the [inbox apps](applocker-csp.md#inboxappsandcomponents) that you need to your list of allowed apps. - - Here's additional guidance for the upgrade process: - - - Use Windows 10 product IDs for the apps listed in [inbox apps](applocker-csp.md#inboxappsandcomponents). - - Use the new Microsoft publisher name (PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US") and Publisher="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" if you are using the publisher policy. Do not remove the Windows Phone 8.1 publisher if you are using it. 
- - In the SyncML, you must use lowercase product ID. - - Do not duplicate a product ID. Messaging and Skype Video use the same product ID. Duplicates cause an error. - - For a sample SyncML, see [Examples](#examples). - -- You cannot disable or enable **Contact Support** and **Windows Feedback** apps using ApplicationManagement/ApplicationRestrictions policy, although these are listed in the [inbox apps](applocker-csp.md#inboxappsandcomponents). -- When ApplicationManagement/ApplicationRestrictions policy is deployed to Windows 10 Mobile, installation and update of apps dependent on Microsoft Frameworks may get blocked with error 0x80073CF9. To work around this issue, you must include the Microsoft Framework Id to your list of allowed apps. - - ``` syntax - - ``` - -  - -Value type is chr. - -Value evaluation rule - The information for PolicyManager is opaque. There is no most restricted value evaluation. Whenever there is a change to the value, the device parses the node value and enforces specified policies. - -**ApplicationManagement/AllowDeveloperUnlock** -Specifies whether developer unlock is allowed at the device. - -The following list shows the supported values: - -- 0 – Not allowed. - -- 1 (default) – Allowed. - -Most restricted value is 0. - -**Search/AllowSearchToUseLocation** -Specifies whether search could leverage location information. - -The following list shows the supported values: - -- 0 – Not allowed. - -- 1 (default) – Allowed. - -Most restricted value is 0. - -**Search/SafeSearchPermissions** -Specifies what level of safe search (filtering adult content) is required. - -> **Note**  This policy is only supported in Windows 10 Mobile. - -  - -The following list shows the supported values: - -- 0 – Strict, highest filtering against adult content. - -- 1 (default) – Moderate filtering against adult content (valid search results will not be filtered. - -Most restricted value is 0. 
- -**Search/AllowStoringImagesFromVisionSearch** -Specifies whether to allow Bing Vision to store the contents of the images captured when performing Bing Vision search. - -> **Note**  This policy is not supported in Windows 10. - -  - -The following list shows the supported values: - -- 0 – Not allowed. - -- 1 (default) – Allowed. - -Most restricted value is 0. - -**AboveLock/AllowActionCenterNotifications** -Specifies whether to allow action center notifications above the device lock screen. - -> **Note**  This policy is only supported in Windows 10 Mobile. - -  - -The following list shows the supported values: - -- 0 – Not allowed. - -- 1 (default) – Allowed. - -Most restricted value is 0. - -## Examples - - -Here is an example SyncML for ApplicationRestrictions for adding all the inbox apps listed in [inbox apps](applocker-csp.md#inboxappsandcomponents). - -``` syntax - - - - 144-0 - - 144-1 - - - ./Vendor/MSFT/PolicyManager/My/ApplicationManagement/ApplicationRestrictions - - - chr - text/plain - - -<AppPolicy Version="1" xmlns="http://schemas.microsoft.com/phone/2013/policy"> -<Allow> - - <!-- Alarms and clock --> - <App ProductId="{44f7d2b4-553d-4bec-a8b7-634ce897ed5f}" /> - <!--Calculator --> - <App ProductId="{b58171c6-c70c-4266-a2e8-8f9c994f4456}" /> - <!--Camera --> - <App ProductId="{f0d8fefd-31cd-43a1-a45a-d0276db069f1}" /> - - <App ProductId="{0db5fcff-4544-458a-b320-e352dfd9ca2b}" /> - <!--Cortana --> - <App ProductId="{fd68dcf4-166f-4c55-a4ca-348020f71b94}" /> - <!--Excel --> - <App ProductId="{ead3e7c0-fae6-4603-8699-6a448138f4dc}" /> - <!--Facebook --> - <App ProductId="{82a23635-5bd9-df11-a844-00237de2db9e}" /> - <!--File Explorer --> - <App ProductId="{c5e2524a-ea46-4f67-841f-6a9465d9d515}" /> - <!--FM Radio --> - <App ProductId="{f725010e-455d-4c09-ac48-bcdef0d4b626}" /> - <!--Get Started --> - <App ProductId="{b3726308-3d74-4a14-a84c-867c8c735c3c}" /> - <!--Groove Music --> - <App ProductId="{d2b6a184-da39-4c9a-9e0a-8b589b03dec0}" /> - 
<!--Maps --> - <App ProductId="{ed27a07e-af57-416b-bc0c-2596b622ef7d}" /> - - <!--Messaging --> - <App ProductId="{27e26f40-e031-48a6-b130-d1f20388991a}" /> - <!--Microsoft Edge --> - <App ProductId="{395589fb-5884-4709-b9df-f7d558663ffd}" /> - <!--Money --> - <App ProductId="{1e0440f1-7abf-4b9a-863d-177970eefb5e}" /> - <!--Movies and TV --> - <App ProductId="{6affe59e-0467-4701-851f-7ac026e21665}" /> - <!--News --> - <App ProductId="{9c3e8cad-6702-4842-8f61-b8b33cc9caf1}" /> - <!--OneDrive --> - <App ProductId="{ad543082-80ec-45bb-aa02-ffe7f4182ba8}" /> - <!--OneNote --> - <App ProductId="{ca05b3ab-f157-450c-8c49-a1f127f5e71d}" /> - <!--Outlook Mail Calendar --> - <App ProductId="{a558feba-85d7-4665-b5d8-a2ff9c19799b}" /> - <!--People --> - <App ProductId="{60be1fb8-3291-4b21-bd39-2221ab166481}" /> - <!--Phone (dialer) --> - <App ProductId="{f41b5d0e-ee94-4f47-9cfe-3d3934c5a2c7}" /> - <!--Photos --> - <App ProductId="{fca55e1b-b9a4-4289-882f-084ef4145005}" /> - - <!--Podcasts --> - <App ProductId="{c3215724-b279-4206-8c3e-61d1a9d63ed3}" /> - <!--Powerpoint --> - <App ProductId="{b50483c4-8046-4e1b-81ba-590b24935798}" /> - <!--Settings --> - <App ProductId="{2a4e62d8-8809-4787-89f8-69d0f01654fb}" /> - <!--Skype --> - <App ProductId="{c3f8e570-68b3-4d6a-bdbb-c0a3f4360a51}" /> - <!--Skype Video GUID is same as Messaging --> - <!--Sports --> - <App ProductId="{0f4c8c7e-7114-4e1e-a84c-50664db13b17}" /> - <!--Storage --> - <App ProductId="{5b04b775-356b-4aa0-aaf8-6491ffea564d}" /> - <!--Store --> - <App ProductId="{7d47d89a-7900-47c5-93f2-46eb6d94c159}" /> - - <!--Voice recorder --> - <App ProductId="{7311b9c5-a4e9-4c74-bc3c-55b06ba95ad0}" /> - <!--Wallet --> - <App ProductId="{587a4577-7868-4745-a29e-f996203f1462}" /> - <!--Weather --> - <App ProductId="{63c2a117-8604-44e7-8cef-df10be3a57c8}" /> - - <App ProductId="{7604089d-d13f-4a2d-9998-33fc02b63ce3}" /> - <!--Word --> - <App ProductId="{258f115c-48f4-4adb-9a68-1387e634459b}" /> - <!--Xbox --> - <App 
ProductId="{b806836f-eebe-41c9-8669-19e243b81b83}" /> - - <!-- CloudExperienceHost --> - <App ProductId="{3a4fae89-7b7e-44b4-867b-f7e2772b8253}" /> - <!-- AAD BrokerPlugin --> - <App ProductId="{e5f8b2c4-75ae-45ee-9be8-212e34f77747}" /> - <!-- Ringtone --> - <App ProductId="{3e962450-486b-406b-abb5-d38b4ee7e6fe}" /> - <!-- Advanced Info --> - <App ProductId="{b6e3e590-9fa5-40c0-86ac-ef475de98e88}" /> - <!-- Glance --> - <App ProductId="{106e0a97-8b19-42cf-8879-a8ed2598fcbb}" /> - <!-- Connect --> - <App ProductId="{af7d2801-56c0-4eb1-824b-dd91cdf7ece5}" /> - <!-- Miracast View --> - <App ProductId="{906beeda-b7e6-4ddc-ba8d-ad5031223ef9}" /> - <!-- PrintDialog --> - <App ProductId="{0d32eeb1-32f0-40da-8558-cea6fcbec4a4}" /> - - <!-- Music downloads--> - <App ProductId="{3da8a0c1-f7e5-47c0-a680-be8fd013f747}" /> - <!-- App downloads--> - <App ProductId="{20bf77a0-19c7-4daa-8db5-bc3dfdfa44ac}" /> - <!-- Podcast downloads--> - <App ProductId="{063773e7-f26f-4a92-81f0-aa71a1161e30}" /> - <!-- Email and accounts--> - <App ProductId="{39cf127b-8c67-c149-539a-c02271d07060}" /> - <!-- Assigned Access Lock app--> - <App ProductId="{b84f4722-313e-4f85-8f41-cf5417c9c5cb}" /> - <!-- Windows Hello Setup--> - <App ProductId="{01293c37-72ec-3c8b-0eb3-1de4f7d0cdc4}" /> - <!-- Purchase Dialog--> - <App ProductId="{c60e79ca-063b-4e5d-9177-1309357b2c3f}" /> - <!-- Xbox Identity Provider--> - <App ProductId="{ba88225b-059a-45a2-a8eb-d3580283e49d}" /> - <!-- Block and Filter--> - <App ProductId="{59553c14-5701-49a2-9909-264d034deb3d}" /> - <!-- Sharing--> - <App ProductId="{b0894dfd-4671-4bb9-bc17-a8b39947ffb6}" /> - <!-- Setup wizard--> - <App ProductId="{07d87655-e4f0-474b-895a-773790ad4a32}" /> - <!-- Phone Reset Dialog--> - <App ProductId="{2864278d-09b5-46f7-b502-1c24139ecbdd}" /> - <!-- SaveRingtone--> - <App ProductId="{d8cf8ec7-ec6d-4892-aab9-1e3a4b5fa24b}" /> - <!-- HAP Update Background Worker--> - <App ProductId="{73c73cdd-4dea-462c-bd83-fa983056a4ef}" /> - <!-- Windows 
Default Lock Screen--> - <App ProductId="{cdd63e31-9307-4ccb-ab62-1ffa5721b503}" /> - <!-- navigation bar--> - <App ProductId="{2cd23676-8f68-4d07-8dd2-e693d4b01279}" /> - <!-- SSMHost--> - <App ProductId="{e232aa77-2b6d-442c-b0c3-f3bb9788af2a}" /> - <!-- Bing lock images--> - <App ProductId="{5f28c179-2780-41df-b966-27807b8de02c}" /> - <!-- CertInstaller--> - <App ProductId="{4c4ad968-7100-49de-8cd1-402e198d869e}" /> - <!-- Age Out Worker--> - <App ProductId="{09296e27-c9f3-4ab9-aa76-ecc4497d94bb}" /> - <!-- EnterpriseInstall App--> - <App ProductId="{da52fa01-ac0f-479d-957f-bfe4595941cb}" /> - <!-- Hands-Free Activation--> - <App ProductId="{df6c9621-e873-4e86-bb56-93e9f21b1d6f}" /> - <!-- Hands-Free Activation--> - <App ProductId="{72803bd5-4f36-41a4-a349-e83e027c4722}" /> - - - <!--Field Medic --> - <App ProductId="{73c58570-d5a7-46f8-b1b2-2a90024fc29c}" /> - <!--Windows Insider --> - <App ProductId="{ed2b1421-6414-4544-bd8d-06d58ee402a5}" /> - - <!-- Microsoft Frameworks --> - <App ProductId="{00000000-0000-0000-0000-000000000000}" PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" /> - - </Allow> -</AppPolicy> - - - - - - - - -``` - -## Related topics - - -[Configuration service provider reference](configuration-service-provider-reference.md) - -  - -  From 85a1a568ca034c35f3bbc26803c947f59fcd73ad Mon Sep 17 00:00:00 2001 From: Dani Halfin Date: Wed, 28 Jun 2017 23:16:46 +0000 Subject: [PATCH 23/23] Merged PR 1994: Publishing a Windows AutoPilot (new topic) should go live tomorrow --- windows/deployment/windows-10-auto-pilot.md | 107 ++++++++++++++++++++ 1 file changed, 107 insertions(+) create mode 100644 windows/deployment/windows-10-auto-pilot.md diff --git a/windows/deployment/windows-10-auto-pilot.md b/windows/deployment/windows-10-auto-pilot.md new file mode 100644 index 0000000000..da64ff50b4 --- /dev/null +++ b/windows/deployment/windows-10-auto-pilot.md 
@@ -0,0 +1,107 @@ +--- +title: Overview of Windows AutoPilot +description: This topic goes over Auto-Pilot and how it helps setup OOBE Windows 10 devices. +keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune +ms.prod: w10 +ms.mktglfcycl: deploy +localizationpriority: high +ms.sitesec: library +ms.pagetype: deploy +author: DaniHalfin +--- + +# Overview of Windows AutoPilot + +**Applies to** + +- Windows 10 + +Windows AutoPilot is a collection of technologies used to setup and pre-configure new devices, getting them ready for productive use. In addition, you can use Windows AutoPilot to reset, repurpose and recover devices.
    +This solution enables the IT department to achieve the above with little to no infrastructure to manage, with a process that's easy and simple. + +## Benefits of Windows AutoPilot + +Traditionally, IT Pros spend a lot of time on building and customizing images that will later be deployed to devices with a perfectly good OS already installed on them. Windows AutoPilot introduces a new approach. + +From the users' perspective, it only takes a few simple operations to make their device ready to use. + +From the IT Pros' perspective, the only interaction required from the end-user, is to connect to a network and to verify their credentials. Everything past that is automated. + +Windows AutoPilot allows you to: +* Automatically join devices to Azure Active Directory +* Auto-enroll devices into MDM services, such as Intune ([*Requires an Azure AD Premium subscription*](#prerequisites)) +* Restrict the Administrator account creation +* Create and auto-assign devices to configuration groups based on the devices' profile +* Customize OOBE content specific to the organization + +### Prerequisites + +* [Devices must be registered to the organization](#registering-devices-to-your-organization) +* Devices have to be pre-installed with Windows 10, version 1703 or later +* Devices must have access to the internet +* [Azure AD premium P1 or P2](https://www.microsoft.com/cloud-platform/azure-active-directory-features) +* Microsoft Intune or other MDM services to manage your devices + +## Windows AutoPilot Scenarios + +### Cloud-Driven + +The Cloud-Driven scenario enables you to pre-register devices through the Windows AutoPilot Deployment Program. Your devices will be fully configured with no additional intervention required on the users' side. + +#### The Windows AutoPilot Deployment Program experience + +The end user unboxes and turns on a new device. 
What follows are a few simple configuration steps: +* Select a language and keyboard layout +* Connect to the network +* Provide email address (the email of the user's Azure Active Directory account) and password + +Multiple additional settings are skipped here, since the device automatically recognizes that [it belongs to an organization](#registering-devices-to-your-organization). Following this process the device is joined to Azure Active Directory, enrolled in Microsoft Intune (or any other MDM service). + +MDM enrollment ensures policies are applied, apps are installed and setting are configured on the device. Windows Update for Business applies the latest updates to ensure the device is up to date. + +
    + + +#### Registering devices to your organization + +In order to register devices, you will need to acquire their hardware ID and register it. We are actively working with various hardware vendors to enable them to provide the required information to you, or upload it on your behalf. + +If you would like to capture that information by yourself, the following PowerShell script will generate a text file with the device's hardware ID. + +```PowerShell +$wmi = Get-WMIObject -Namespace root/cimv2/mdm/dmmap -Class MDM_DevDetail_Ext01 -Filter "InstanceID='Ext' AND ParentID='./DevDetail'" +$wmi.DeviceHardwareData | Out-File "$($env:COMPUTERNAME).txt" +``` +>[!NOTE] +>This PowerShell script requires elevated permissions. The output format might not fit the upload method. Check out the [Microsoft Store for Business](/microsoft-store/add-profile-to-devices) or [Partner Center](https://msdn.microsoft.com/partner-center/autopilot) for additional guidance. + +By uploading this information to the Microsoft Store for Business or Partner Center admin portal, you'll be able to assign devices to your organization. +Additional options and customization is available through these portals to pre-configure the devices. + +Options available for Windows 10, Version 1703: +* Skipping Work or Home usage selection (*Automatic*) +* Skipping OEM registration, OneDrive and Cortana (*Automatic*) +* Skipping privacy settings +* Preventing the account used to set-up the device from getting local administrator permissions + +Additional options we are working on for the next Windows 10 release: +* Skipping EULA +* Personalizing the setup experience +* MDM Support + +To see additional details on how to customize the OOBE experience and how to follow this process, see guidance for [Microsoft Store for Business](/microsoft-store/add-profile-to-devices) or [Partner Center](https://msdn.microsoft.com/partner-center/autopilot). 
+ +### IT-Driven + +If you are planning to use to configure these devices with traditional on-premises or cloud-based solutions, the [Windows Configuration Designer](https://www.microsoft.com/store/p/windows-configuration-designer/9nblggh4tx22) can be used to help automate the process. This is more suited to scenarios in which you require a higher level of control over the provisioning process. For more information on creating provisioning packages with WCD, see [Create a provisioning package for Windows 10](/windows/configuration/provisioning-packages/provisioning-create-package). + +### Teacher-Driven + +If you're an IT Pro or a technical staff member at a school, your scenario might be simpler. The [Set Up School PCs](http://www.microsoft.com/store/p/set-up-school-pcs/9nblggh4ls40) app can be used to quickly set up PCs for students and will get you to a productive state faster and simpler. Please see [Use the Set up School PCs app](https://docs.microsoft.com/education/windows/use-set-up-school-pcs-app) for all the details. + +## Ensuring your device can be auto-enrolled to MDM + +In order for your devices to be auto-enrolled into MDM management, MDM auto-enrollment needs to be configured in Azure AD. To do that with Intune, please follow [Enroll Windows devices for Microsoft Intune](https://docs.microsoft.com/intune/windows-enroll). For other MDM vendors, please consult your vendor for further details. + +>[!NOTE] +>MDM Auto-enrollment requires an Azure AD Premium P1 or P2 subscription. \ No newline at end of file
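Review bot: Please confirm that the known-issue guidance in the removed ApplicationManagement/ApplicationRestrictions entry (the policy reference text deleted ahead of PATCH 23/23) is carried over to whatever replaces it. The removed lines hold the workaround for error 0x80073CF9 (add the Microsoft Framework Id to the allow list), the requirement to use lowercase product IDs in the SyncML, the warning that Messaging and Skype Video share one product ID, and the full sample SyncML under "## Examples". Nothing in the visible part of the patch shows where that content now lives. By the removed text's own account, an allow list built without these notes blocks inbox apps on upgraded devices, so the guidance should not disappear silently. Also check that links to `#examples` and `applocker-csp.md#inboxappsandcomponents` still resolve after the cleanup.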
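Review bot: In "Registering devices to your organization" of the new windows-10-auto-pilot.md, the script ends with `Out-File "$($env:COMPUTERNAME).txt"`, a relative path, so the hardware ID file lands in whatever directory the elevated session happens to be in. Suggest writing to an explicit path and telling the reader where the file goes, since the topic says this value is what assigns a device to the organization once uploaded. In the Teacher-Driven section the Set Up School PCs link uses `http://www.microsoft.com/store/p/set-up-school-pcs/9nblggh4ls40` while every other absolute link in the file is https; please switch it. The list "Additional options we are working on for the next Windows 10 release" includes "MDM Support", which reads as contradicting the earlier benefit "Auto-enroll devices into MDM services, such as Intune"; say what is actually missing today. Wording to fix before publishing: the front-matter description says "Auto-Pilot" and "setup" where the title uses "AutoPilot" and the verb is "set up", "setting are configured" should be "settings are configured", "If you are planning to use to configure these devices" has a stray "to use", and the file has no newline at the end.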