deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-16 19:03:46 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'main' into repo_sync_working_branch

Browse Source
This commit is contained in:
Thomas Raya
2022-05-20 09:59:52 -07:00
committed by GitHub
parent 8c02596815 aae4d8eff7
commit eb73a2fb85
13 changed files with 153 additions and 75 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
windows/client-management/mdm/cmpolicyenterprise-csp.md
View File

@ -14,6 +14,16 @@ ms.date: 06/26/2017
# CMPolicyEnterprise CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|No|No|
|Education|No|No|
The CMPolicyEnterprise configuration service provider is used by the enterprise to define rules that the Connection Manager uses to identify the correct connection for a connection request.
> [!NOTE]
@ -21,9 +31,12 @@ The CMPolicyEnterprise configuration service provider is used by the enterprise
Each policy entry identifies one or more applications in combination with a host pattern. The policy entry is assigned a list of connection details that Connection Manager uses to satisfy connection requests matching the application and host patterns. CMPolicyEnterprise configuration service provider can have multiple policies
Each policy entry identifies one or more applications in combination with a host pattern. The policy entry is assigned a list of connection details that Connection Manager uses to satisfy connection requests matching the application and host patterns. CMPolicyEnterprise configuration service provider can have multiple policies
**Policy Ordering**: There's no explicit ordering of policies. The general rule is that the most concrete or specific policy mappings take a higher precedence.
**Default Policies**: Policies are applied in order of their scope with the most specific policies considered before the more general policies. The phones default behavior applies to all applications and all domains and is only used when no other, more specific policy is available. The default policy is to use any available Wi-Fi network first and then any available APN.
**Default Policies**: Policies are applied in the order of their scope with the most specific policies considered before the more general policies. The phones default behavior applies to all applications and all domains and is only used when no other, more specific policy is available. The default policy is to use any available Wi-Fi network first and then any available APN.
The following shows the CMPolicyEnterprise configuration service provider management object in tree format as used by both Open Mobile Alliance (OMA) Client Provisioning and OMA Device Management.
@ -72,7 +85,8 @@ Specifies whether the list of connections is in preference order.
A value of "0" specifies that the connections aren't listed in order of preference. A value of "1" indicates that the listed connections are in order of preference.
<a href="" id="connxxx"></a>**Conn**<strong>*XXX*</strong>
Enumerates the connections associated with the policy. Element names begin with "Conn" followed by three digits that increment starting from "000". For example, a policy applied to five connections would have element entries named "Conn000", "Conn001", "Conn002", "Conn003", and "Conn004".
Enumerates the connections associated with the policy. Element names begin with "Conn" followed by three-digits, which increment starting from "000". For example, a policy which applied to five connections would have element entries named "Conn000", "Conn001", "Conn002", "Conn003", and "Conn004".
<a href="" id="connectionid"></a>**ConnectionID**
Specifies a unique identifier for a connection within a group of connections. The exact value is based on the Type parameter.
@ -91,7 +105,6 @@ For `CMST_CONNECTION_TYPE`, specify the GUID for the desired connection type. Th
|Wi-Fi hotspot|{072FC7DC-1D93-40D1-9BB0-2114D7D73434}|
For `CMST_CONNECTION_NETWORK_TYPE`, specify the GUID for the desired network type. The curly brackets {} around the GUID are required. The following network types are available:
|Network type|GUID|
@ -133,7 +146,6 @@ Specifies the type of connection being referenced. The following list describes
## OMA client provisioning examples
Adding an application-based mapping policy. In this example, the ConnectionId for type CMST\_CONNECTION\_NAME is set to the name of the connection (“GPRSConn1”) that is configured with the CM\_CellularEntries configuration service provider.
```xml
@ -227,7 +239,6 @@ Adding a host-based mapping policy. In this example, the ConnectionId for type C
## OMA DM examples
Adding an application-based mapping policy:
```xml
@ -364,7 +375,6 @@ Adding a host-based mapping policy:
## Microsoft Custom Elements
|Element|Available|
|--- |--- |
|parm-query|Yes|
@ -373,7 +383,6 @@ Adding a host-based mapping policy:
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)

1
windows/client-management/mdm/customdeviceui-csp.md
View File

@ -42,7 +42,6 @@ Package Full Name of the application that needs to be launched in the background
## SyncML examples
**Set StartupAppID**
```xml

48
windows/client-management/mdm/defender-csp.md
View File

@ -15,6 +15,14 @@ ms.date: 02/22/2022
# Defender CSP
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
@ -355,7 +363,7 @@ Network Protection inspects DNS traffic that occurs over a UDP channel, to provi
<a href="" id="enablenetworkprotection-disablehttpparsing"></a>**EnableNetworkProtection/DisableHttpParsing**
Network Protection inspects HTTP traffic to see if a connection is being made to a malicious website, and to provide metadata to Behavior Monitoring. HTTP connections to malicious websites can also be blocked if -EnableNetworkProtection is set to enabled. HTTP inspection can be disabled by setting this value to "$true".
Network Protection inspects HTTP traffic to see if a connection is being made to a malicious website, and to provide metadata to Behavior Monitoring. HTTP connections to malicious websites can also be blocked if Enable Network Protection is set to enabled. HTTP inspection can be disabled by setting this value to "$true".
- Type: Boolean
- Position: Named
@ -365,7 +373,7 @@ Network Protection inspects HTTP traffic to see if a connection is being made to
<a href="" id="enablenetworkprotection-disablerdpparsing"></a>**EnableNetworkProtection/DisableRdpParsing**
Network Protection inspects RDP traffic so that it can block connections from known malicious hosts if -EnableNetworkProtection is set to be enabled, and to provide metadata to behavior monitoring. RDP inspection can be disabled by setting this value to "$true".
Network Protection inspects RDP traffic so that it can block connections from known malicious hosts if Enable Network Protection is set to be enabled, and to provide metadata to behavior monitoring. RDP inspection can be disabled by setting this value to "$true".
- Type: Boolean
- Position: Named
@ -375,7 +383,7 @@ Network Protection inspects RDP traffic so that it can block connections from kn
<a href="" id="enablenetworkprotection-disablesshparsing"></a>**EnableNetworkProtection/DisableSshParsing**
Network Protection inspects SSH traffic, so that it can block connections from known malicious hosts. If -EnableNetworkProtection is set to be enabled, and to provide metadata to behavior monitoring. SSH inspection can be disabled by setting this value to "$true".
Network Protection inspects SSH traffic, so that it can block connections from known malicious hosts. If Enable Network Protection is set to be enabled, and to provide metadata to behavior monitoring. SSH inspection can be disabled by setting this value to "$true".
- Type: Boolean
- Position: Named
@ -385,7 +393,7 @@ Network Protection inspects SSH traffic, so that it can block connections from k
<a href="" id="enablenetworkprotection-disabletlsparsing"></a>**EnableNetworkProtection/DisableTlsParsing**
Network Protection inspects TLS traffic (also known as HTTPS traffic) to see if a connection is being made to a malicious website, and to provide metadata to Behavior Monitoring. TLS connections to malicious websites can also be blocked if -EnableNetworkProtection is set to enabled. HTTP inspection can be disabled by setting this value to "$true".
Network Protection inspects TLS traffic (also known as HTTPS traffic) to see if a connection is being made to a malicious website, and to provide metadata to Behavior Monitoring. TLS connections to malicious websites can also be blocked if Enable Network Protection is set to enabled. HTTP inspection can be disabled by setting this value to "$true".
- Type: Boolean
- Position: Named
@ -594,11 +602,13 @@ An interior node to group Windows Defender configuration information.
Supported operation is Get.
<a href="" id="configuration-tamperprotection"></a>**Configuration/TamperProtection**
Tamper protection helps protect important security features from unwanted changes and interference. This protection includes real-time protection, behavior monitoring, and more. Accepts signed string to turn the feature on or off. Settings are configured with an MDM solution, such as Intune and is available in Windows 10 Enterprise E5 or equivalent subscriptions.
Send off blob to device to reset the tamper protection state before setting this configuration to "not configured" or "unassigned" in Intune.
The data type is a Signed blob.
The data type is a Signed BLOB.
Supported operations are Add, Delete, Get, Replace.
@ -610,7 +620,7 @@ Intune tamper protection setting UX supports three states:
When enabled or disabled exists on the client and admin moves the setting to not configured, it won't have any impact on the device state. To change the state to either enabled or disabled would require to be set explicitly.
<a href="" id="configuration-disablelocaladminmerge"></a>**Configuration/DisableLocalAdminMerge**<br>
This policy setting controls whether or not complex list settings configured by a local administrator are merged with managed settings. This setting applies to lists such as threats and exclusions.
This policy setting controls whether or not complex list settings configured by a local administrator are merged with managed settings. This setting applies to lists such as threats and exclusion list.
If you disable or don't configure this setting, unique items defined in preference settings configured by the local administrator will be merged into the resulting effective policy. If conflicts occur, management settings will override preference settings.
@ -630,6 +640,7 @@ Valid values are:
- 0 (default) Disable.
<a href="" id="configuration-hideexclusionsfromlocaladmins"></a>**Configuration/HideExclusionsFromLocalAdmins**<br>
This policy setting controls whether or not exclusions are visible to Local Admins. For end users (that aren't Local Admins) exclusions aren't visible, whether or not this setting is enabled.
If you disable or don't configure this setting, Local Admins will be able to see exclusions in the Windows Security App, in the registry, and via PowerShell.
@ -643,18 +654,19 @@ Supported OS versions: Windows 10
The data type is integer.
Supported operations are Add, Delete, Get, Replace.
Supported operations are Add, Delete, Get, and Replace.
Valid values are:
- 1 Enable.
- 0 (default) Disable.
<a href="" id="configuration-disablecputhrottleonidlescans"></a>**Configuration/DisableCpuThrottleOnIdleScans**<br>
Indicates whether the CPU will be throttled for scheduled scans while the device is idle. This feature is enabled by default and won't throttle the CPU for scheduled scans performed when the device is otherwise idle, regardless of what ScanAvgCPULoadFactor is set to. For all other scheduled scans, this flag will have no impact and normal throttling will occur.
The data type is integer.
Supported operations are Add, Delete, Get, Replace.
Supported operations are Add, Delete, Get, and Replace.
Valid values are:
- 1 (default) Enable.
@ -665,7 +677,7 @@ Allow managed devices to update through metered connections. Data charges may ap
The data type is integer.
Supported operations are Add, Delete, Get, Replace.
Supported operations are Add, Delete, Get, and Replace.
Valid values are:
- 1 Enable.
@ -676,7 +688,7 @@ This settings controls whether Network Protection is allowed to be configured in
The data type is integer.
Supported operations are Add, Delete, Get, Replace.
Supported operations are Add, Delete, Get, and Replace.
Valid values are:
- 1 Enable.
@ -687,7 +699,7 @@ Allows an administrator to explicitly disable network packet inspection made by
The data type is string.
Supported operations are Add, Delete, Get, Replace.
Supported operations are Add, Delete, Get, and Replace.
<a href="" id="configuration-enablefilehashcomputation"></a>**Configuration/EnableFileHashComputation**
Enables or disables file hash computation feature.
@ -695,7 +707,7 @@ When this feature is enabled, Windows Defender will compute hashes for files it
The data type is integer.
Supported operations are Add, Delete, Get, Replace.
Supported operations are Add, Delete, Get, and Replace.
Valid values are:
- 1 Enable.
@ -706,7 +718,7 @@ The support log location setting allows the administrator to specify where the M
Data type is string.
Supported operations are Add, Delete, Get, Replace.
Supported operations are Add, Delete, Get, and Replace.
Intune Support log location setting UX supports three states:
@ -714,7 +726,7 @@ Intune Support log location setting UX supports three states:
- 1 - Enabled. Enables the Support log location feature. Requires admin to set custom file path.
- 0 - Disabled. Turns off the Support log location feature.
When enabled or disabled exists on the client and admin moves the setting to be configured not , it won't have any impact on the device state. To change the state to either enabled or disabled would require to be set explicitly.
When enabled or disabled exists on the client and admin moves the setting to not configured, it won't have any impact on the device state. To change the state to either enabled or disabled would require to be set explicitly.
More details:
@ -738,7 +750,7 @@ If you disable or don't configure this policy, the device will stay up to date a
The data type is integer.
Supported operations are Add, Delete, Get, Replace.
Supported operations are Add, Delete, Get, and Replace.
Valid values are:
- 0: Not configured (Default)
@ -771,7 +783,7 @@ If you disable or don't configure this policy, the device will stay up to date a
The data type is integer.
Supported operations are Add, Delete, Get, Replace.
Supported operations are Add, Delete, Get, and Replace.
Valid values are:
- 0: Not configured (Default)
@ -796,7 +808,7 @@ Current Channel (Broad): Devices will be offered updates only after the gradual
If you disable or don't configure this policy, the device will stay up to date automatically during the daily release cycle. Suitable for most devices.
The data type is integer.
Supported operations are Add, Delete, Get, Replace.
Supported operations are Add, Delete, Get, and Replace.
Valid Values are:
- 0: Not configured (Default)
@ -819,7 +831,7 @@ If you disable or don't configure this policy, the device will remain in Current
The data type is integer.
Supported operations are Add, Delete, Get, Replace.
Supported operations are Add, Delete, Get, and Replace.
Valid values are:
- 1 Enabled.

9
windows/client-management/mdm/devdetail-csp.md
View File

@ -14,6 +14,15 @@ ms.date: 03/27/2020
# DevDetail CSP
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The DevDetail configuration service provider handles the management object that provides device-specific parameters to the OMA DM server. These device parameters can be queried by servers using OMA DM commands. They aren't sent from the client to the server automatically.
> [!NOTE]

19
windows/client-management/mdm/supl-csp.md
View File

@ -14,6 +14,14 @@ ms.date: 09/12/2019
# SUPL CSP
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The SUPL configuration service provider is used to configure the location client, as shown in the following table:
- **Location Service**: Connection type
@ -94,7 +102,7 @@ Added in Windows 10, version 2004. Optional. Determines the full version (X.Y.Z
<a href="" id="mccmncpairs"></a>**MCCMNCPairs**
Required. List all of the MCC and MNC pairs owned by the mobile operator. This list is used to verify that the UICC matches the network and SUPL can be used. When the UICC and network don't match, the device uses the default location service and doesn't use SUPL.
This value is a string with the format "(X1, Y1)(X2, Y2)…(Xn, Yn)", in which `X` is an MCC and `Y` is an MNC.
This value is a string with the format `(X1, Y1)(X2, Y2)…(Xn, Yn)`, in which `X` is an MCC and `Y` is an MNC.
For OMA DM, if the format for this node is incorrect the entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters.
@ -110,7 +118,6 @@ Optional. Specifies the positioning method that the SUPL client will use for mob
|4|OTDOA|
|5|AFLT|
 
The default is 0. The default method in Windows devices provides high-quality assisted GNSS positioning for mobile originated position requests without loading the mobile operators network or location services.
@ -118,7 +125,6 @@ The default is 0. The default method in Windows devices provides high-quality as
> The Mobile Station Assisted, OTDOA, and AFLT positioning methods must only be configured for test purposes.
 
For OMA DM, if the format for this node is incorrect the entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters.
<a href="" id="locmasterswitchdependencynii"></a>**LocMasterSwitchDependencyNII**
@ -133,7 +139,6 @@ This value manages the settings for both SUPL and v2 UPL. If a device is configu
|Off|0|Yes|
|Off|1|No (unless privacyOverride is set)|
When the location toggle is set to Off and this value is set to 1, the following application requests will fail:
- `noNotificationNoVerification`
@ -238,7 +243,6 @@ The default is 0. The default method provides high-quality assisted GNSS positio
> The Mobile Station Assisted and AFLT positioning methods must only be configured for test purposes.
 
For OMA DM, if the format for this node is incorrect the entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters.
<a href="" id="locmasterswitchdependencynii"></a>**LocMasterSwitchDependencyNII**
@ -305,7 +309,6 @@ If a mobile operator requires the communication with the H-SLP to take place ove
## OMA Client Provisioning examples
Adding new configuration information for an H-SLP server for SUPL. Values in italic must be replaced with correct settings for the mobile operator network. A valid binary blob must be included for the root certificate data value.
```xml
@ -330,7 +333,7 @@ Adding new configuration information for an H-SLP server for SUPL. Values in ita
</wap-provisioningdoc>
```
Adding a SUPL and a V2 UPL account to the same device. Values in italic must be replaced with correct settings for the mobile operator network. A valid binary blob must be included for the root certificate data value.
Adding a SUPL and a V2 UPL account to the same device. Values in italic must be replaced with correct settings for the mobile operator network. A valid binary BLOB must be included for the root certificate data value.
```xml
<?xml version="1.0" encoding="utf-8"?>
@ -361,7 +364,6 @@ Adding a SUPL and a V2 UPL account to the same device. Values in italic must be
## OMA DM examples
Adding a SUPL account to a device. Values in italic must be replaced with correct settings for the mobile operator network. A valid binary blob must be included for the root certificate data value.
```xml
@ -436,7 +438,6 @@ Adding a SUPL account to a device. Values in italic must be replaced with correc
## Microsoft Custom Elements
The following table shows the Microsoft custom elements that this configuration service provider supports for OMA Client Provisioning.
|Elements|Available|

6
windows/client-management/mdm/surfacehub-csp.md
View File

@ -14,7 +14,7 @@ ms.date: 07/28/2017
# SurfaceHub CSP
The SurfaceHub configuration service provider (CSP) is used to configure Microsoft Surface Hub settings. This CSP was added in Windows 10, version 1511.
The SurfaceHub configuration service provider (CSP) is used to configure Microsoft Surface Hub settings. This CSP was added in Windows 10, version 1511, and later.
The following example shows the SurfaceHub CSP management objects in tree format.
@ -240,7 +240,7 @@ If there's an error calling ValidateAndCommit, there's another context for that
| 3 | Populating Exchange server address | Unable to auto-discover your Exchange server address. Try to manually specify the Exchange server address using the ExchangeServer field. |
| 4 | Validating Exchange server address | Unable to validate the Exchange server address. Ensure the ExchangeServer field is valid. |
| 5 | Saving account information | Unable to save account details to the system. |
| 6 | Validating EAS policies | The device account uses an unsupported EAS policy. Make sure the EAS policy is configured correctly according to the admin guide. |
| 6 | Validating EAS policies | The device account uses an unsupported EAS policy. Ensure the EAS policy is configured correctly according to the admin guide. |
It performs the following:
- The data type is integer.
@ -321,7 +321,7 @@ Invitations to collaborate from the Whiteboard app aren't allowed.
<a href="" id="inboxapps-whiteboard-signindisabled"></a>**InBoxApps/Whiteboard/SigninDisabled**
Sign-in from the Whiteboard app aren't allowed.
Sign-ins from the Whiteboard app aren't allowed.
- The data type is boolean.
- Supported operation is Get and Replace.

11
windows/client-management/mdm/tpmpolicy-csp.md
View File

@ -13,10 +13,19 @@ manager: dansimp
# TPMPolicy CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The TPMPolicy configuration service provider (CSP) provides a mechanism to enable zero-exhaust configuration on a Windows device for TPM software components. Zero exhaust is defined as no network traffic (diagnostic data or otherwise, such as downloading background images, Windows Updates, and so on) from Windows and inbox applications to public IP addresses, unless directly intended by the user. This definition allows the enterprise admin to configure devices where no network communication is initiated by the system without explicit approval.
The TPMPolicy CSP was added in Windows 10, version 1703.
The TPMPolicy CSP was added in Windows 10, version 1703, and later.
The following example shows the TPMPolicy configuration service provider in tree format.
```

15
windows/client-management/mdm/uefi-csp.md
View File

@ -13,8 +13,17 @@ manager: dansimp
# UEFI CSP
The table below shows the applicability of Windows:
The UEFI configuration service provider (CSP) interfaces to UEFI's Device Firmware Configuration Interface (DFCI) to make BIOS configuration changes. This CSP was added in Windows 10, version 1809.
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The UEFI configuration service provider (CSP) interfaces to UEFI's Device Firmware Configuration Interface (DFCI) to make BIOS configuration changes. This CSP was added in Windows 10, version 1809c, and later.
> [!NOTE]
> The UEFI CSP version published in Windows 10, version 1803 is replaced with this one (version 1809).
@ -51,7 +60,7 @@ Uefi
```
The following list describes the characteristics and parameters.
<a href="" id="uefi"></a>**./Vendor/MSFT/Uefi**
<a href="" id="uefi"></a>**./Vendor/MSFT/UEFI**
Root node.
<a href="" id="deviceidentifier"></a>**DeviceIdentifier**
@ -80,7 +89,7 @@ Retrieves the binary result package of the previous Identity/Apply operation.
Supported operation is Get.
<a href="" id="permissions"></a>**Permissions**
Node for settings permission operations..
Node for settings permission operations.
<a href="" id="permissions-current"></a>**Permissions/Current**
Retrieves XML from UEFI that describes the current UEFI settings permissions.

10
windows/client-management/mdm/unifiedwritefilter-csp.md
View File

@ -14,6 +14,15 @@ ms.date: 06/26/2017
# UnifiedWriteFilter CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The UnifiedWriteFilter (UWF) configuration service provider enables the IT administrator to remotely manage the UWF to help protect physical storage media including any writable storage type.
@ -315,7 +324,6 @@ Supported operations are Get and Execute.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)

12
windows/client-management/mdm/update-csp.md
View File

@ -14,6 +14,16 @@ ms.date: 02/23/2018
# Update CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The Update configuration service provider enables IT administrators to manage and control the rollout of new updates.
> [!NOTE]
@ -62,7 +72,7 @@ The following example shows the Update configuration service provider in tree fo
> [!NOTE]
> When the RequireUpdateApproval policy is set, the MDM uses the ApprovedUpdates list to pass the approved GUIDs. These GUIDs should be a subset of the InstallableUpdates list.
<p>The MDM must first present the EULA to IT and have them accept it before the update is approved. Failure to do this presentation is a breach of legal or contractual obligations. The EULAs can be obtained from the update metadata and have their own EULA ID. It&#39;s possible for multiple updates to share the same EULA. It's only necessary to approve the EULA once per EULA ID, not one per update.
<p>The MDM must first present the EULA to IT and have them accept it before the update is approved. Failure to do this is a breach of legal or contractual obligations. The EULAs can be obtained from the update metadata and have their own EULA ID. It's possible for multiple updates to share the same EULA. It is only necessary to approve the EULA once per EULA ID, not one per update.
<p>The update approval list enables IT to approve individual updates and update classifications. Auto-approval by update classifications allows IT to automatically approve Definition Updates (that is, updates to the virus and spyware definitions on devices) and Security Updates (that is, product-specific updates for security-related vulnerability). The update approval list doesn't support the uninstallation of updates by revoking approval of already installed updates. Updates are approved based on UpdateID, and an UpdateID only needs to be approved once. An update UpdateID and RevisionNumber are part of the UpdateIdentity type. An UpdateID can be associated to several UpdateIdentity GUIDs due to changes to the RevisionNumber setting. MDM services must synchronize the UpdateIdentity of an UpdateID based on the latest RevisionNumber to get the latest metadata for an update. However, update approval is based on UpdateID.

11
windows/client-management/mdm/vpnv2-csp.md
View File

@ -14,6 +14,15 @@ ms.date: 09/21/2021
# VPNv2 CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The VPNv2 configuration service provider allows the mobile device management (MDM) server to configure the VPN profile of the device.
@ -696,7 +705,7 @@ Supported operations include Get, Add, Replace, and Delete.
Reserved for future use.
<a href="" id="vpnv2-profilename-nativeprofile"></a>**VPNv2/**<em>ProfileName</em>**/NativeProfile**
Nodes under NativeProfile are required when using a Windows Inbox VPN Protocol (IKEv2, PPTP, L2TP).
Nodes under NativeProfile are required when using a Windows Inbox VPN Protocol (IKEv2, PPTP, and L2TP).
<a href="" id="vpnv2-profilename-nativeprofile-servers"></a>**VPNv2/**<em>ProfileName</em>**/NativeProfile/Servers**
Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com.

11
windows/client-management/mdm/w4-application-csp.md
View File

@ -14,6 +14,15 @@ ms.date: 06/26/2017
# w4 APPLICATION CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
Use an **APPLICATION** configuration service provider that has an APPID of w4 to configure Multimedia Messaging Service (MMS).
@ -47,7 +56,7 @@ This parameter takes a string value. The possible values to configure the NAME p
- no value specified
> [!NOTE]
> The APPLICATION/NAME value is displayed in the UI. The APPLICATION/NAME value might not be saved on the device. So after an upgrade, the MDM servers should resend APPLICATION/NAME to DMAcc.
> The APPLICATION/NAME value is displayed in the UI. The APPLICATION/NAME value might not be saved on the device. Hence, after an upgrade, the MDM servers should resend APPLICATION/NAME to DMAcc.
If no value is specified, the registry location will default to `<unnamed>`.

48
windows/client-management/mdm/w7-application-csp.md
View File

@ -14,11 +14,20 @@ ms.date: 06/26/2017
# w7 APPLICATION CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The APPLICATION configuration service provider that has an APPID of w7 is used for bootstrapping a device with an OMA DM account. Although this configuration service provider is used to set up an OMA DM account, it's managed over OMA Client Provisioning.
> **Note**  This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application.
> [!Note]
> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application.
The following shows the configuration service provider in tree format as used by OMA Client Provisioning.
@ -51,11 +60,10 @@ APPLICATION
---SSLCLIENTCERTSEARCHCRITERIA
```
> **Note**   All parm names and characteristic types are case sensitive and must use all uppercase.
> [!Note]
> All parameter names and characteristic types are case sensitive and must use all uppercase.
Both APPSRV and CLIENT credentials must be provided in provisioning XML.
 
<a href="" id="appaddr"></a>**APPADDR**
This characteristic is used in the w7 APPLICATION characteristic to specify the DM server address.
@ -99,9 +107,9 @@ Optional. The AAUTHTYPE parameter of the APPAUTH characteristic is used to get o
Valid values:
- BASIC - specifies that the SyncML DM 'syncml:auth-basic' authentication type.
- BASIC - specifies that the SyncML DM `syncml:auth-basic` authentication type.
- DIGEST - specifies that the SyncML DM 'syncml:auth-md5' authentication type.
- DIGEST - specifies that the SyncML DM `syncml:auth-md5` authentication type.
- When AAUTHLEVEL is CLIENT, then AAUTHTYPE must be DIGEST. When AAUTHLEVEL is APPSRV, AAUTHTYPE can be BASIC or DIGEST.
@ -111,9 +119,8 @@ Required. The APPID parameter is used in the APPLICATION characteristic to diffe
<a href="" id="backcompatretrydisabled"></a>**BACKCOMPATRETRYDISABLED**
Optional. The BACKCOMPATRETRYDISABLED parameter is used in the APPLICATION characteristic to specify whether to retry resending a package with an older protocol version (for example, 1.1) in the SyncHdr (not including the first time).
> **Note**   This parameter doesn't contain a value. The existence of this parameter means backward compatibility retry is disabled. If the parameter is missing, it means backward compatibility retry is enabled.
 
> [!Note]
> This parameter doesn't contain a value. The existence of this parameter means backward compatibility retry is disabled. If the parameter is missing, it means backward compatibility retry is enabled.
<a href="" id="connretryfreq"></a>**CONNRETRYFREQ**
Optional. The CONNRETRYFREQ parameter is used in the APPLICATION characteristic to specify how many retries the DM client performs when there are Connection Manager-level or WinInet-level errors. This parameter takes a numeric value in string format. The default value is “3”. You can set this parameter.
@ -130,11 +137,10 @@ The valid values are:
<a href="" id="init"></a>**INIT**
Optional. The INIT parameter is used in the APPLICATION characteristic to indicate that the management server wants the client to initiate a management session immediately after settings approval. If the current w7 APPLICATION document will be put in ROM, the INIT parameter must not be present.
> **Note**   This node is only for mobile operators and MDM servers that try to use this will fail. This node isn't supported in the enterprise MDM enrollment scenario.
> [!Note]
> This node is only for mobile operators and MDM servers that try to use this will fail. This node isn't supported in the enterprise MDM enrollment scenario.
This parameter forces the device to attempt to connect with the OMA DM server. The connection attempt fails if the XML is set during the coldinit phase. A common cause of this failure is that immediately after coldinit is finished the radio isn't yet ready.
 
<a href="" id="initialbackofftime"></a>**INITIALBACKOFFTIME**
Optional. The INITIALBACKOFFTIME parameter is used in the APPLICATION characteristic to specify the initial wait time in milliseconds when the DM client retries for the first time. The wait time grows exponentially. This parameter takes a numeric value in string format. The default value is “16000”. You can get or set this parameter.
@ -180,9 +186,8 @@ The supported names are Subject and Stores; wildcard certificate search isn't su
Stores specifies which certificate stores the DM client will search to find the SSL client certificate. The valid store value is My%5CUser. The store name isn't case sensitive.
> **Note**   %EF%80%80 is the UTF8-encoded character U+F000.
 
> [!Note]
> `%EF%80%80` is the UTF8-encoded character U+F000.
Subject specifies the certificate to search for. For example, to specify that you want a certificate with a particular Subject attribute (“CN=Tester,O=Microsoft”), use the following syntax:
@ -193,15 +198,4 @@ Subject specifies the certificate to search for. For example, to specify that yo
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)