Optional. This node contains the URI-encoded value of the bootstrapped device management account’s Provider ID. Scope is dynamic. As a best practice, use text that doesn’t require XML/URI escaping.
Required. This node contains the URI-encoded value of the bootstrapped device management account’s Provider ID. Scope is dynamic. This value is set and controlled by the MDM server. As a best practice, use text that doesn’t require XML/URI escaping.
For Intune, use **MS DM Server** for Windows desktop or **SCConfigMgr** for Windows mobile for the _ProviderID_.
@ -969,7 +969,6 @@ The software version information from **DevDetail/SwV** does not match the versi
- In the SyncML, you must use lowercase product ID.
- Do not duplicate a product ID. Messaging and Skype Video use the same product ID. Duplicates cause an error.
For additional details, see [ApplicationRestrictions in PolicyManager CSP](policymanager-csp.md#applicationmanagement-applicationrestrictions).
- Silverlight xaps may not install even if publisher policy is specified using Windows Phone 8.1 publisher rule. For example, Silverlight app "Level" will not install even if you specify <Publisher PublisherName=”Microsoft Corporation” />.
@ -1232,6 +1231,10 @@ Also Added [Firewall DDF file](firewall-ddf-file.md).</td></tr>
</ul>
<p>Added the following new policies for Windows10, version 1709:</p>
<tdstyle="vertical-align:top">The DynamicManagement CSP is not supported in Windows 10 Mobile and Mobile Enterprise. The table of SKU information in the [Configuration service provider reference](configuration-service-provider-reference.md) was updated.</td>
Added in Windows 10, version 1709. Boolean policy to enable the credential provider that triggers the PC refresh on a device. This policy does not actually trigger the refresh. When the policy is enabled, a WNF notification is generated that would schedule a task to update the visibility of the new provider. The admin user is required to authenticate to trigger the refresh on the target device.
The auto pilot reset feature allows admin to reset devices to a known good managed state while preserving the management enrollment. After the auto pilot reset is triggered the devices are for ready for use by information workers or students.
The PolicyManager configurationserviceprovider enables the enterprise to configure company policies on Windows10 Mobile.
PolicyManager CSP is deprecated. Use [Policy CSP](policy-configuration-service-provider.md) instead.
> **Note** The PolicyManager CSP is supported in Windows10 Mobile for backward compatibility. For Windows10 devices you should use [Policy CSP](policy-configuration-service-provider.md), which replaces PolicyManager CSP. You can continue to use PolicyManager CSP for Windows Phone 8.1 and Windows Phone 8.1 GDR devices. The PolicyManager CSP will be deprecated some time in the future.
> **Note** The PolicyManager CSP is supported in Windows10 Mobile for backward compatibility. For Windows10 devices you should use [Policy CSP](policy-configuration-service-provider.md), which replaces PolicyManager CSP. You can continue to use PolicyManager CSP for Windows Phone 8.1 and Windows Phone 8.1 GDR devices.
The PolicyManager CSP has the following sub-categories:
- PolicyManager/My/*AreaName* – Handles the policy configuration request from the server.
- PolicyManager/Device/*AreaName* – Provides a read-only path to policies enforced on the device.
The configuration policies for the same *AreaName* must be wrapped in an Atomic command.
The following image shows the PolicyManager configuration service provider in tree format as used by both the Open Mobile Alliance (OMA) Device Management (DM) and OMA Client Provisioning.
Specifies the name/value pair used in the policy. The following list shows some tips to help you when configuring policies:
- Separate multistring values by the Unicode &\#xF000; in the XML file.
- End multistrings with &\#xF000; For example, One string&\#xF000;two string&\#xF000;red string&\#xF000;blue string&\#xF000;&\#xF000;. Note that a query from different caller could provide a different value as each caller could have different values for a named policy.
- In Syncml, wrap this policy with the Atomic command so that the policy settings are treated as a single transaction.
- Supported operations are Add, Get, Delete, and Replace.
- Value type is string.
For possible area and policy names, see [Supported company policies](#bkmk-supportedpolicies) below.
<ahref=""id="device"></a>**Device**
Groups the evaluated policies from all providers that can be configured. Supported operations is Get.
Enables USB connection between the device and a computer to sync files with the device or to use developer tools to deploy or debug applications. Changing this policy does not affect USB charging.
Both Media Transfer Protocol (MTP) and IP over USB are disabled when this policy is enforced.
> **Note**This policy is only supported in Windows10 Mobile.
Controls whether the user is allowed to use the storage card for device storage. This setting does not prevent programmatic access to the storage card, it only prevents the user from using the card as a storage location.
The following list shows the supported values:
- 0 – SD card use is not allowed. This does not prevent programmatic access to the storage card.
Allows the enterprise to disallow roaming settings among devices (in/from a device). If not enforced, whether or not roaming is allowed may depend on other factors.
The following list shows the supported values:
- 0 – Roaming is not allowed.
- 1 (default) – The enterprise does not enforce roaming restrictions.
Specifies whether to allow the user to delete the workplace account using the workplace control panel. The MDM server can always remotely delete the account.
An XML blob that specifies the application restrictions company want to put to the device. It could be app allow list, app disallow list, allowed publisher IDs, etc. An application that is running may not be immediately terminated.
> **Note**This policy is only supported in Windows10 Mobile.
> **Note**List of known issues:
- When you upgrade Windows Phone 8.1 devices to Windows10 Mobile with a list of allowed apps, some Windows inbox apps get blocked causing unexpected behavior. To work around this issue, you must include the [inbox apps](applocker-csp.md#inboxappsandcomponents) that you need to your list of allowed apps.
Here's additional guidance for the upgrade process:
- Use Windows10 product IDs for the apps listed in [inbox apps](applocker-csp.md#inboxappsandcomponents).
- Use the new Microsoft publisher name (PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US") and Publisher="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" if you are using the publisher policy. Do not remove the Windows Phone 8.1 publisher if you are using it.
- In the SyncML, you must use lowercase product ID.
- Do not duplicate a product ID. Messaging and Skype Video use the same product ID. Duplicates cause an error.
For a sample SyncML, see [Examples](#examples).
- You cannot disable or enable **Contact Support** and **Windows Feedback** apps using ApplicationManagement/ApplicationRestrictions policy, although these are listed in the [inbox apps](applocker-csp.md#inboxappsandcomponents).
- When ApplicationManagement/ApplicationRestrictions policy is deployed to Windows10 Mobile, installation and update of apps dependent on Microsoft Frameworks may get blocked with error 0x80073CF9. To work around this issue, you must include the Microsoft Framework Id to your list of allowed apps.
Value evaluation rule - The information for PolicyManager is opaque. There is no most restricted value evaluation. Whenever there is a change to the value, the device parses the node value and enforces specified policies.
@ -84,7 +84,7 @@ For end consumers, TPM is behind the scenes but is still very relevant. TPM is u
### Windows10 for desktop editions (Home, Pro, Enterprise, and Education)
- Since July 28, 2016, all new device models, lines or series (or if you are updating the hardware configuration of a existing model, line or series with a major update, such as CPU, graphic cards) must implement and enable by default TPM 2.0 (details in section 3.7 of the [Minimum hardware requirements](https://msdn.microsoft.com/library/windows/hardware/dn915086(v=vs.85).aspx) page).
- Since July 28, 2016, all new device models, lines or series (or if you are updating the hardware configuration of a existing model, line or series with a major update, such as CPU, graphic cards) must implement and enable by default TPM 2.0 (details in section 3.7 of the [Minimum hardware requirements](https://msdn.microsoft.com/library/windows/hardware/dn91508.aspx) page). The requirement to enable TPM 2.0 only applies to the manufacturing of new devices. For TPM recommendations for specific Windows features, see [TPM and Windows Features](#tpm-and-windows-features).
@ -45,7 +45,7 @@ Configure a registry-based static proxy to allow only Windows Defender ATP senso
The static proxy is configurable through Group Policy (GP). The group policy can be found under: **Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure connected user experiences and telemetry**.
The policy sets two registry values `TelemetryProxyServer` as REG_SZ and `DisableEnterpriseAuthProxy` as REG_DWORD under the registry key `HKLM\Software\Policies\Microsoft\Windows\DisableEnterpriseAuthProxy\DataCollection`.
The policy sets two registry values `TelemetryProxyServer` as REG_SZ and `DisableEnterpriseAuthProxy` as REG_DWORD under the registry key `HKLM\Software\Policies\Microsoft\Windows\DataCollection`.
The registry value `TelemetryProxyServer` takes the following string format:
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
Joey Caparas