Merge branch 'main' into nimishasatapathy-5825705-part2

Shesh 2022-05-12 17:29:10 +05:30 committed by GitHub
commit f47cafaf07
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
15 changed files with 951 additions and 333 deletions

template.md (new file, 292 lines added)

@ -0,0 +1,292 @@
---
title: # ARTICLE TITLE in 55 chars or less, most important for SEO. Best to match H1 and TOC, but doesn't have to.
description: # A summary of the content. 75-300 characters. Used in site search. Sometimes used on a search engine results page for improved SEO. Always end with period.
ms.date: mm/dd/yyyy
ms.prod: windows
ms.technology: windows #more to come...
ms.topic: conceptual #reference troubleshooting how-to end-user-help overview (more in contrib guide)
ms.localizationpriority: medium #high null
author: # GitHub username (aczechowski)
ms.author: # MS alias (aaroncz)
ms.reviewer: # MS alias of feature PM, optional
manager: # MS alias of manager (dougeby)
ms.collection: # optional
- # highpri - high priority, strategic, important, current, etc. articles
- # openauth - the article is owned by PM or community for open authoring
---
# Metadata and Markdown Template
_Applies to:_
- Windows 11
- Windows 10
This docs.ms template contains examples of markdown syntax, and guidance on setting the metadata. It's available in the root directory of the Windows repository (`~\windows-docs-pr\template.md`).
When you create a new markdown file article, **Save as** this template to a new file, fill out the metadata as specified below, set the H1 heading above (`#`) to the title of the article, and delete the template content.
## Metadata
The full metadata block is above the markdown between the `---` lines. For more information, see [Metadata attributes](https://review.docs.microsoft.com/en-us/help/contribute/metadata-attributes?branch=main) in the contributor guide. Some key notes:
- You _must_ have a space between the colon (`:`) and the value for a metadata element.
- Remove all metadata comments (`#`)
- Colons in a value (like the title) break the metadata parser. In their place, use the HTML encoding `:` (for example, `title: Azure Rights Management: the basics`).
- `title`: This title appears in search engine results and the browser tab.
- Don't end with a period.
- Use Microsoft style _sentence case_.
- The title can match the H1 heading (`#`) and the name in the toc.yml, but doesn't have to.
- It should be roughly 55 characters or less for best search engine optimization (SEO).
- `description`: Summarize the content, shows in search engine results. 75-300 characters. Always end with a period.
- `ms.date`: After you Save As this template to the target file, with the Docs Authoring Pack extension installed, right-click anywhere in the .md file to **Update `ms.date` metadata value** and save the file.
- `author`: The author field contains the **Github username** of the author.
- This value is used in GitHub notifications, assignments, and other build automation in both the private and public repositories.
- It's also used to display the first (left-most) contributor in the published article.
- `ms.author` & `manager`: Microsoft aliases. ms.author and author are typically the same.
- `ms.reviewer`: Optionally can specify the name of the PM associated with the article. Just for reference, not currently used by any automation.
- `ms.prod`: Should always be `windows` for Windows content. (Some older articles still use `w10` and `w11`.)
- `ms.technology`: Select one of the options based on the feature area. Currently the only option is `windows`.
- `ms.topic`: Select one of the options based on the content type. This attribute is used in calculating content health (different content types are used differently by customers, so have different metrics).
- `ms.localizationpriority`: **Medium** is the default, which is machine translation. For specific, high-priority content that requires human translation (extra cost), set this value to **high**. For any components that are only `en-us`, set this value to **null** for no localization.
## Basic markdown and GFM
All basic and Github-flavored markdown (GFM) is supported. For more information, see the following articles:
- [Docs Markdown reference in the Contributor Guide](https://review.docs.microsoft.com/help/contribute/markdown-reference?branch=main)
- [Baseline markdown syntax](https://daringfireball.net/projects/markdown/syntax)
- [Github-flavored markdown (GFM) documentation](https://docs.github.com/github/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax)
## Headings
Examples of first- and second-level headings are above.
There **must** be only one first-level heading (`#`, also known as H1) in your article, which is displayed as the published title at the top of the page.
Second-level headings (`##`, also known as H2) generate the on-page TOC that appears in the **In this article** section beside or underneath the on-page title.
Limit the length of second-level headings to avoid excessive line wraps.
Make sure _all_ headings of any level have a unique name for the article. The build creates an anchor for all headings on the page using kebab formatting. For example, from the [Docs Markdown reference](https://review.docs.microsoft.com/help/contribute/markdown-reference?branch=main) article, the heading **Alerts (Note, Tip, Important, Caution, Warning)** becomes the anchor `#alerts-note-tip-important-caution-warning`. If there are duplicate headings, then the anchors don't behave properly. This behavior also applies when using include files, make sure the headings are unique across the main markdown file, and all include markdown files.
Don't skip levels. For example, don't have an H3 (`###`) without a parent H2 (`##`).
Configuration Manager content does use custom anchors in some articles. They're almost always prefixed with `bkmk_`, for example, `bkmk_client`. These anchors can help reduce the anchor size, but does require HTML code that may not always be supported by the docs build system. There's other functionality with the Docs Authoring Pack and the build validation that only works with native header anchors. Use custom anchors sparingly, and remove them in older articles when possible. When removing custom anchors, make sure to update all internal links from the old custom anchor to the native header kebab format.
### Third-level heading
Third-level headings (and beyond) can be any length, as they don't appear **In this article**.
#### Fourth-level heading
##### Fifth level heading
## Text styling
_Italics_ (a single asterisk (`*`) also works, but the underscore (`_`) helps differentiate with the double asterisk (`**`) for bold)
**Bold**
~~Strikethrough~~
## Links
> [!TIP]
> Use the **Docs Authoring Pack** extension to easily add links!
>
> 1. **Alt** + **M** to open the Docs Authoring Pack menu.
> 1. Select **Link** and then follow the prompts.
>
> It supports headings in the current and other files too! (Just not the custom `bkmk` anchors that are sometimes used in this content.)
For more information, see [Add links to articles](https://review.docs.microsoft.com/help/contribute/links-how-to?branch=main) in the contributor guide.
### Article in the same repo
To link to an article in the same repo, use **file-relative links**. These links have the path to the target as relative to the current file, and always include the `.md` or `.yml` extension. For example, `[Windows client documentation for IT Pros](index.yml)`
#### Link to headings
To link to a heading _in the same markdown file_, add just the anchor as the link. It's either a custom HTML anchor (`#bkmk_client`) or the kebab case of the header. For example: `[Link to an article in the same repo](#article-in-the-same-repo)`. Kebab case is preferred over a custom anchor, as the build validates the link. Make sure headings aren't duplicated in the same article.
To link to a heading _in a markdown file in the same repo_, use relative linking + hashtag linking. For example: `[Windows 11 availability](../whats-new/windows-11-plan.md#windows-11-availability)`
### Another docs.ms article
To link to another docs.ms article not in the same repo, use a **root-relative link**. This style supports the potential future use of the doc content in a separate disconnected environment, like for a high security government customer, which would have a different domain. For example, `[Public contributor guide](/contribute/additional-resources)`.
### External URLs
To link to an external file, use the full URL as the link. For example: `[Github](https://www.github.com)`
- The link should always be **HTTPS**.
- Remove any local from the URL, unless it doesn't work without it. Most all microsoft.com properties support language neutral URLs.
### Example links
If you need to provide an example of a URL in the article, enclose it in a code block. For example: `https://www.contoso.com`
This style makes sure the URL is ignored during build validation and the broken links report.
### Tips for links
When your pull request runs, the build system validates all file-relative links and non-custom anchors. It will return a warning if it can't resolve a link.
VSCode supports file-relative links and non-custom anchors, so you can easily navigate between pages, and test that links are valid.
There's a broken link report that runs once a week in the build system, get the report from OPS.
Don't use URL shorteners like `go.microsoft.com/fwlink` or `aka.ms`. Include the full URL to the target.
For more information, see [Add links to articles](https://review.docs.microsoft.com/help/contribute/links-how-to?branch=main) in the contributor guide.
## Lists
### Ordered lists
1. This list is ordered.
1. This list is ordered.
1. This list is ordered.
1. This list is ordered.
1. This list is ordered.
You can explicitly number each line if needed, but this style lets the build autonumber it. This style is beneficial if you need to add or remove a step.
#### Ordered list with an embedded list
1. This list is ordered.
1. This list is ordered.
1. This list is ordered.
1. This list is ordered.
1. This list is embedded.
1. This list is embedded.
1. This list is ordered.
1. This list is ordered.
### Unordered Lists
- This list is bulleted.
- This list is bulleted.
- This list is bulleted.
- This list is bulleted.
- This list is bulleted.
#### Unordered list with embedded lists
- This list is bulleted.
- This list is bulleted.
- This list is bulleted.
- This list is embedded.
- This list is embedded.
- This list is bulleted.
- This list is bulleted.
1. This list is embedded and ordered.
1. This list is embedded and ordered.
- This list is bulleted.
## Horizontal rule
---
## Tables
| Tables | Are | Cool |
| ------------- |:-------------:| -----:|
| col 3 is | right-aligned | $1600 |
| col 2 is | centered | $12 |
| col 1 is default | left-aligned | $1 |
The Docs Authoring Pack has features to manage markdown tables. Select the entire table, then right-click to see the options.
## Code
### Codeblock
```json
{
"aggregator": {
"batchSize": 1000,
flushTimeout": "00:00:30"
}
}
```
### In-line code
This sentence includes an example of `in-line code`.
## Blockquote
> The drought had lasted now for ten million years, and the reign of the terrible lizards had long since ended. Here on the Equator, in the continent which would one day be known as Africa, the battle for existence had reached a new climax of ferocity, and the victor was not yet in sight. In this barren and desiccated land, only the small or the swift or the fierce could flourish, or even hope to survive.
## Images
Use the Docs Authoring Pack menu to easily insert media.
Always include alt text for accessibility, and always end it with a period.
### Static Image
:::image type="content" source="media/deploy1.png" alt-text="A graphic of a laptop as a suitcase.":::
### Image with lightbox
:::image type="content" source="media/deploy2.png" alt-text="A graphic of a computer with external monitor." lightbox="media/W10-WaaS-poster.PNG":::
### Animated gif
:::image type="content" source="media/docs-filter-toc.gif" alt-text="Animated gif of 'filter by title' option in the table of contents.":::
### Linked Image
[![Alt text for linked image.](memdocs/media/docs-github-edit.png)](https://azure.microsoft.com)
## Alerts
### Note
> [!NOTE]
> This is NOTE
### Warning
> [!WARNING]
> This is WARNING
### Tip
> [!TIP]
> This is TIP
### Caution
> [!CAUTION]
> This is CAUTION
### Important
> [!IMPORTANT]
> This is IMPORTANT
## Videos
### YouTube
> [!VIDEO https://www.youtube.com/embed/rnhnZTrSZzI]
## docs.ms extensions
> [!div class="nextstepaction"]
> [Next step action](/mem/configmgr)
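Review bot: The JSON sample under "### Codeblock" is invalid: the `flushTimeout` key is missing its opening quote (`flushTimeout": "00:00:30"`), so anyone who copies the template's code block gets a parse error; change it to `"flushTimeout": "00:00:30"`. Two smaller points in the same file: under "## Metadata", the guidance "use the HTML encoding `:`" renders as a bare colon, which contradicts the sentence saying colons break the parser, so the entity must be escaped in the source so readers see its literal form; and under "### External URLs", "Remove any local from the URL" should read "locale".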


@ -13,6 +13,16 @@ ms.date: 06/22/2021
# Language Pack Management CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|Yes|
|Business|No|No|
|Enterprise|No|Yes|
|Education|No|Yes|
The Language Pack Management CSP allows a direct way to provision languages remotely in Windows. MDMs like Intune can use management commands remotely to devices to configure language-related settings for System and new users.
1. Enumerate installed languages and features with GET command on the "InstalledLanguages" node. Below are the samples:
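Review bot: In "MDMs like Intune can use management commands remotely to devices to configure language-related settings for System and new users", "use ... to devices" doesn't parse; suggest "MDMs like Intune can send management commands remotely to devices to configure language-related settings for the system and for new users." Also, the applicability table marks Business as No on Windows 11 while Pro, Enterprise and Education are Yes; worth confirming that row is intended.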
@ -81,3 +91,7 @@ The Language Pack Management CSP allows a direct way to provision languages remo
4. Get/Set System Preferred UI Language with GET or REPLACE command on the "SystemPreferredUILanguages" Node
**./Device/Vendor/MSFT/LanguagePackManagement/LanguageSettings/SystemPreferredUILanguages**
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
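Review bot: In step 4, 'with GET or REPLACE command on the "SystemPreferredUILanguages" Node' should use lowercase "node" and end with a period, like the other steps in this list.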


@ -1,6 +1,6 @@
---
title: DeviceManageability CSP
description: The DeviceManageability configuration service provider (CSP) is used to retrieve general information about MDM configuration capabilities on the device.
description: Learn how the DeviceManageability configuration service provider (CSP) is used to retrieve general information about MDM configuration capabilities on the device.
ms.assetid: FE563221-D5B5-4EFD-9B60-44FE4066B0D2
ms.reviewer:
manager: dansimp
@ -14,6 +14,15 @@ ms.date: 11/01/2017
# DeviceManageability CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The DeviceManageability configuration service provider (CSP) is used to retrieve the general information about MDM configuration capabilities on the device. This CSP was added in Windows 10, version 1607.
@ -30,6 +39,7 @@ DeviceManageability
------------ConfigInfo (Added in Windows 10, version 1709)
------------EnrollmentInfo (Added in Windows 10, version 1709)
```
<a href="" id="--device-vendor-msft-devicemanageability"></a>**./Device/Vendor/MSFT/DeviceManageability**
Root node to group information about runtime MDM configuration capability on the target device.
@ -50,14 +60,20 @@ Added in Windows 10, version 1709. Configuration information string value set by
ConfigInfo value can only be set by the provider that owns the ProviderID. The value is readable by other config sources.
Data type is string. Supported operations are Add, Get, Delete, and Replace.
Data type is string.
Supported operations are Add, Get, Delete, and Replace.
<a href="" id="capabilities-cspversions"></a>**Provider/_ProviderID_/EnrollmentInfo**
Added in Windows 10, version 1709. Enrollment information string value set by the configuration source and sent during MDM enrollment. It's readable by MDM server during sync session.
Data type is string. Supported operations are Add, Get, Delete, and Replace. 
Data type is string.
Supported operations are Add, Get, Delete, and Replace. 
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
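Review bot: The anchor on the EnrollmentInfo entry, `<a href="" id="capabilities-cspversions"></a>**Provider/_ProviderID_/EnrollmentInfo**`, has an id that doesn't match the node it labels, so a link written against the node name won't resolve; since the lines directly below it are being rewritten, give it an id derived from the node name or drop the custom anchor in favour of the native kebab-case anchor, which is what the new template.md in this same commit recommends. Also, the rewritten "Supported operations are Add, Get, Delete, and Replace. " under EnrollmentInfo keeps the trailing space from the line it replaces.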


@ -1,6 +1,6 @@
---
title: DeviceStatus CSP
description: The DeviceStatus configuration service provider keeps track of device inventory and queries the compliance state of devices within the enterprise.
description: Learn how the DeviceStatus configuration service provider keeps track of device inventory and queries the compliance state of devices within the enterprise.
ms.assetid: 039B2010-9290-4A6E-B77B-B2469B482360
ms.reviewer:
manager: dansimp
@ -14,6 +14,15 @@ ms.date: 06/25/2021
# DeviceStatus CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The DeviceStatus configuration service provider is used by the enterprise to keep track of device inventory and query the state of compliance of these devices with their enterprise policies.
@ -63,15 +72,16 @@ DeviceStatus
--------VirtualizationBasedSecurityStatus
--------LsaCfgCredGuardStatus
```
<a href="" id="devicestatus"></a>**DeviceStatus**
The root node for the DeviceStatus configuration service provider.
<a href="" id="devicestatus-securebootstate"></a>**DeviceStatus/SecureBootState**
Indicates whether secure boot is enabled. The value is one of the following values:
- 0 - Not supported
- 1 - Enabled
- 2 - Disabled
- 0 - Not supported
- 1 - Enabled
- 2 - Disabled
Supported operation is Get.
@ -138,9 +148,9 @@ Supported operation is Get.
<a href="" id="devicestatus-networkidentifiers-macaddress-type"></a>**DeviceStatus/NetworkIdentifiers/*MacAddress*/Type**
Type of network connection. The value is one of the following values:
- 2 - WLAN (or other Wireless interface)
- 1 - LAN (or other Wired interface)
- 0 - Unknown
- 2 - WLAN (or other Wireless interface)
- 1 - LAN (or other Wired interface)
- 0 - Unknown
Supported operation is Get.
@ -150,8 +160,8 @@ Node for the compliance query.
<a href="" id="devicestatus-compliance-encryptioncompliance"></a>**DeviceStatus/Compliance/EncryptionCompliance**
Boolean value that indicates compliance with the enterprise encryption policy for OS (system) drives. The value is one of the following values:
- 0 - Not encrypted
- 1 - Encrypted
- 0 - Not encrypted
- 1 - Encrypted
Supported operation is Get.
@ -179,8 +189,9 @@ Supported operation is Get.
Added in Windows, version 1803. Read only node that specifies the device mode.
Valid values:
- 0 - The device is in standard configuration
- 1 - The device is in S mode configuration
- 0 - The device is in standard configuration.
- 1 - The device is in S mode configuration.
Supported operation is Get.
@ -194,15 +205,16 @@ Added in Windows, version 1607. Integer that specifies the status of the antivi
Valid values:
- 0 - The security software reports that it isn't the most recent version.
- 1 (default) - The security software reports that it's the most recent version.
- 2 Not applicable. This value is returned for devices like the phone that don't have an antivirus (where the API doesnt exist.)
- 0 - The security software reports that it isn't the most recent version.
- 1 (default) - The security software reports that it's the most recent version.
- 2 Not applicable. It is returned for devices like the phone that don't have an antivirus (where the API doesnt exist.)
Supported operation is Get.
If more than one antivirus provider is active, this node returns:
- 1 If every active antivirus provider has a valid signature status.
- 0 If any of the active antivirus providers has an invalid signature status.
- 1 If every active antivirus provider has a valid signature status.
- 0 If any of the active antivirus providers has an invalid signature status.
This node also returns 0 when no antivirus provider is active.
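Review bot: The rewritten item "- 2 Not applicable. It is returned for devices like the phone that don't have an antivirus (where the API doesnt exist.)" still carries the "doesnt" typo from the line it replaces; since the line is being rewritten anyway, fix the apostrophe and the punctuation order ("doesn't exist)."), and give this item the same "- 2 - Not applicable." dash separator the 0 and 1 entries use. "This value is returned" also read better than "It is returned".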
@ -211,38 +223,39 @@ Added in Windows, version 1607. Integer that specifies the status of the antivi
Valid values:
- 0 Antivirus is on and monitoring.
- 1 Antivirus is disabled.
- 2 Antivirus isn't monitoring the device/PC or some options have been turned off.
- 3 (default) Antivirus is temporarily not completely monitoring the device/PC.
- 4 Antivirus not applicable for this device. This value is returned for devices like the phone that don't have an antivirus (where the API doesnt exist.)
- 0 Antivirus is on and monitoring.
- 1 Antivirus is disabled.
- 2 Antivirus isn't monitoring the device/PC or some options have been turned off.
- 3 (default) Antivirus is temporarily not completely monitoring the device/PC.
- 4 Antivirus not applicable for this device. This value is returned for devices like the phone that don't have an antivirus (where the API doesnt exist.)
Supported operation is Get.
<a href="" id="devicestatus-antispyware"></a>**DeviceStatus/Antispyware**
Added in Windows, version 1607. Node for the antispyware query.
Added in Windows, version 1607. Node for the anti-spyware query.
Supported operation is Get.
<a href="" id="devicestatus-antispyware-signaturestatus"></a>**DeviceStatus/Antispyware/SignatureStatus**
Added in Windows, version 1607. Integer that specifies the status of the antispyware signature.
Added in Windows, version 1607. Integer that specifies the status of the anti-spyware signature.
Valid values:
- 0 - The security software reports that it isn't the most recent version.
- 1 - The security software reports that it's the most recent version.
- 2 - Not applicable. This value is returned for devices like the phone that don't have an antivirus (where the API doesnt exist.)
- 0 - The security software reports that it isn't the most recent version.
- 1 - The security software reports that it's the most recent version.
- 2 - Not applicable. This value is returned for devices like the phone that don't have an antivirus (where the API doesnt exist.)
Supported operation is Get.
If more than one antispyware provider is active, this node returns:
- 1 If every active antispyware provider has a valid signature status.
- 0 If any of the active antispyware providers has an invalid signature status.
If more than one anti-spyware provider is active, this node returns:
This node also returns 0 when no antispyware provider is active.
- 1 If every active anti-spyware provider has a valid signature status.
- 0 If any of the active anti-spyware providers has an invalid signature status.
This node also returns 0 when no anti-spyware provider is active.
<a href="" id="devicestatus-antispyware-status"></a>**DeviceStatus/Antispyware/Status**
Added in Windows, version 1607. Integer that specifies the status of the antispyware.
Added in Windows, version 1607. Integer that specifies the status of the anti-spyware.
Valid values:
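Review bot: "doesnt" survives in two rewritten items in this hunk, the Antivirus Status value 4 and the anti-spyware SignatureStatus value 2; both should read "doesn't exist)." with the period outside the parenthesis. Separately, the anti-spyware SignatureStatus value 2 says the value is returned for devices "that don't have an antivirus"; confirm whether that should say anti-spyware, since the list describes the anti-spyware node.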
@ -263,11 +276,11 @@ Added in Windows, version 1607. Integer that specifies the status of the firewa
Valid values:
- 0 Firewall is on and monitoring.
- 1 Firewall has been disabled.
- 2 Firewall isn't monitoring all networks or some rules have been turned off.
- 3 (default) Firewall is temporarily not monitoring all networks.
- 4 Not applicable. This value is returned for devices like the phone that don't have an antivirus (where the API doesnt exist.)
- 0 Firewall is on and monitoring.
- 1 Firewall has been disabled.
- 2 Firewall isn't monitoring all networks or some rules have been turned off.
- 3 (default) Firewall is temporarily not monitoring all networks.
- 4 Not applicable. This value is returned for devices like the phone that don't have an antivirus (where the API doesnt exist.)
Supported operation is Get.
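Review bot: The Firewall Status value 4 line, "- 4 Not applicable. This value is returned for devices like the phone that don't have an antivirus (where the API doesnt exist.)", describes the firewall node but says "antivirus", and keeps the "doesnt" typo; since the line is rewritten here, change it to "that don't have a firewall (where the API doesn't exist)." The entries in this list also lack the " - " separator after the number that the SecureBootState and EncryptionCompliance lists use.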
@ -327,15 +340,15 @@ Added in Windows, version 1709. Virtualization-based security hardware requirem
Supported operation is Get.
<a href="" id="devicestatus-deviceguard-virtualizationbasedsecuritystatus"></a>**DeviceStatus/DeviceGuard/VirtualizationBasedSecurityStatus**
Added in Windows, version 1709. Virtualization-based security status. Value is one of the following values:
Added in Windows, version 1709. Virtualization-based security status. Value is one of the following:
- 0 - Running
- 1 - Reboot required
- 2 - 64-bit architecture required
- 3 - Not licensed
- 4 - Not configured
- 5 - System doesn't meet hardware requirements
- 42 Other. Event logs in Microsoft-Windows-DeviceGuard have more details
- 42 Other. Event logs in Microsoft-Windows-DeviceGuard have more details.
Supported operation is Get.
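Review bot: In the VirtualizationBasedSecurityStatus list, the rewritten "- 42 Other. Event logs in Microsoft-Windows-DeviceGuard have more details." is the only entry without the " - " separator after the number; make it "- 42 - Other. ..." to match values 0 to 5 in the same list.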
@ -346,7 +359,10 @@ Added in Windows, version 1709. Local System Authority (LSA) credential guard s
- 1 - Reboot required
- 2 - Not licensed for Credential Guard
- 3 - Not configured
- 4 - VBS not running
- 4 - VBS not running
Supported operation is Get.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)


@ -14,17 +14,25 @@ ms.date: 06/26/2017
# DevInfo CSP
The table below shows the applicability of Windows:
The DevInfo configuration service provider handles the managed object that provides device information to the OMA DM server. This device information is automatically sent to the OMA DM server at the beginning of each OMA DM session.
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The DevInfo configuration service provider handles the managed object, which provides device information to the OMA DM server. This device information is automatically sent to the OMA DM server at the beginning of each OMA DM session.
> [!NOTE]
> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application.
 
For the DevInfo CSP, you can't use the Replace command unless the node already exists.
The following example shows the DevInfo configuration service provider management object in tree format as used by OMA Device Management. The OMA Client provisioning protocol isn't supported by this configuration service provider.
The following shows the DevInfo configuration service provider management object in tree format as used by OMA Device Management. The OMA Client provisioning protocol isn't supported by this configuration service provider.
```
.
DevInfo
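Review bot: The rewritten opening sentence, "handles the managed object, which provides device information to the OMA DM server", turns the defining clause into a parenthetical one; "the managed object that provides device information" says which object is meant and should be kept.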
@ -34,6 +42,7 @@ DevInfo
----DmV
----Lang
```
<a href="" id="devid"></a>**DevId**
Required. Returns an application-specific global unique device identifier by default.
@ -41,25 +50,22 @@ Supported operation is Get.
The **UseHWDevID** parm of the [DMAcc configuration service provider](dmacc-csp.md) or DMS configuration service provider can be used to modify the return value to instead return a hardware device ID as follows:
- For GSM phones, the IMEI is returned.
- For CDMA phones, the MEID is returned.
- For dual SIM phones, this value is retrieved from the UICC of the primary data line.
- For Windows 10 for desktop editions (Home, Pro, Enterprise, and Education), it returns an application specific global unique identifier (GUID) irrespective of the value of UseHWDevID.
- For GSM phones, the IMEI is returned.
- For CDMA phones, the MEID is returned.
- For dual SIM phones, this value is retrieved from the UICC of the primary data line.
- For Windows 10 for desktop editions (Home, Pro, Enterprise, and Education), it returns an application specific global unique identifier (GUID) irrespective of the value of UseHWDevID.
<a href="" id="man"></a>**Man**
Required. Returns the name of the OEM. For Windows 10 for desktop editions, it returns the SystemManufacturer as defined in HKEY\_LOCAL\_MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemManufacturer.
If no name is found, the value returned is "Unknown".
If no name is found, this returns to "Unknown".
Supported operation is Get.
<a href="" id="mod"></a>**Mod**
Required. Returns the name of the hardware device model as specified by the mobile operator. For Windows 10 for desktop editions, it returns the SystemProductName as defined in HKEY\_LOCAL\_MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemProductName.
Required. Returns the name of the hardware device model as specified by the mobile operator. For Windows 10/Windows 11 desktop editions, it returns the SystemProductName as defined in HKEY\_LOCAL\_MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemProductName.
If no name is found, the value returned is "Unknown".
If no name is found, this returns to "Unknown".
Supported operation is Get.
@ -75,15 +81,4 @@ Supported operation is Get.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
 
 

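Review bot: 'If no name is found, this returns to "Unknown".', now used for both Man and Mod, is ungrammatical; the original 'If no name is found, the value returned is "Unknown".' was correct and should be restored, or use 'If no name is found, "Unknown" is returned.' Also, Mod now says "Windows 10/Windows 11 desktop editions" while Man, a few lines above, still says "Windows 10 for desktop editions"; align the two.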

@ -14,6 +14,16 @@ ms.date: 11/19/2019
# DiagnosticLog CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The DiagnosticLog configuration service provider (CSP) provides the following feature areas:
- [DiagnosticArchive area](#diagnosticarchive-area). Capture and upload event logs, log files, and registry values for troubleshooting.
- [Policy area](#policy-area). Configure Windows event log policies, such as maximum log size.
@ -68,7 +78,9 @@ Rest of the nodes in the DiagnosticLog CSP are described within their respective
## DiagnosticArchive area
The DiagnosticArchive functionality within the DiagnosticLog CSP is used to trigger devices to gather troubleshooting data into a zip archive file and upload that archive to cloud storage. DiagnosticArchive is designed for ad-hoc troubleshooting scenarios, such as an IT admin investigating an app installation failure using a collection of event log events, registry values, and app or OS log files.
The DiagnosticArchive functionality within the DiagnosticLog CSP is used to trigger devices to gather troubleshooting data into a zip archive file and upload that archive to cloud storage.
DiagnosticArchive is designed for ad-hoc troubleshooting scenarios, such as an IT admin investigating an app installation failure using a collection of event log events, registry values, and app or OS log files.
> [!NOTE]
> DiagnosticArchive is a "break glass" backstop option for device troubleshooting. Diagnostic data such as log files can grow to many gigabytes. Gathering, transferring, and storing large amounts of data may burden the user's device, the network and cloud storage. Management servers invoking DiagnosticArchive must take care to minimize data gathering frequency and scope.
@ -90,7 +102,7 @@ The data type is string.
Expected value:
Set and Execute are functionality equivalent, and each accepts a `Collection` XML snippet (as a string) describing what data to gather and where to upload it. The results are zipped and uploaded to the specified SasUrl. The zipped filename format is "DiagLogs-{ComputerName}-YYYYMMDDTHHMMSSZ.zip".
With Windows 10 KB5011543, Windows 11 KB5011563 we have added support for an additional element which will determine whether the output file generated by the CSP is a flattened folder structure, instead of having individual folders for each directive in the XML.
With Windows 10 KB5011543, Windows 11 KB5011563, we have added support for an extra element that will determine whether the output file generated by the CSP is a flattened folder structure, instead of having individual folders for each directive in the XML.
The following example shows a `Collection` XML:
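Review bot: "we have added support for an extra element that will determine whether the output file generated by the CSP is a flattened folder structure" doesn't name the element; it is `OutputFileFormat`, which only appears further down in this article ('The value "Flattened" is the only supported value for the OutputFileFormat'), so name it here, for example "support for an extra `OutputFileFormat` element that determines whether ...". The rewritten sentence also still uses first-person "we", which reads oddly in a reference article.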
@ -110,13 +122,15 @@ The following example shows a `Collection` XML:
</Collection>
```
The XML should include the following elements within the `Collection` element:
**ID**
**ID**:
The ID value uniquely identifies this data-gathering request. To avoid accidental repetition of data gathering, the CSP ignores subsequent Set or Execute invocations with the same ID value. The CSP expects the value to be populated when the request is received, so it must be generated by the IT admin or the management server.
**SasUrl**
The SasUrl value is the target URI to which the CSP uploads the zip file containing the gathered data. It's the responsibility of the management server to provision storage in such a way that the storage server accepts the device's HTTP PUT to this URL. For example, the device management service could:
- Provision cloud storage reachable by the target device, such as a Microsoft Azure blob storage container
- Generate a Shared Access Signature URL granting the possessor (the target device) time-limited write access to the storage container
- Pass this value to the CSP on the target device through the `Collection` XML as the `SasUrl` value.
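Review bot: adding a colon to `**ID**:` makes it inconsistent with `**SasUrl**` two lines below, which keeps no colon; either drop the colon again or apply it to every element label in this list.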
@ -132,7 +146,7 @@ The SasUrl value is the target URI to which the CSP uploads the zip file contain
- **Events**
- Exports all events from the named Windows event log.
- Expected input value: A named event log channel such as "Application" or "Microsoft-Windows-DeviceGuard/Operational".
- Output format: Creates a .evtx file.
- Output format: Creates an .evtx file.
- **Commands**
- This directive type allows the execution of specific commands such as ipconfig.exe. Note that DiagnosticArchive and the Commands directives aren't a general-purpose scripting platform. These commands are allowed in the DiagnosticArchive context to handle cases where critical device information may not be available through existing log files.
@ -183,7 +197,6 @@ The SasUrl value is the target URI to which the CSP uploads the zip file contain
- Flattens folder structure, instead of having individual folders for each directive in the XML.
- The value “Flattened” is the only supported value for the OutputFileFormat. If the OutputFileFormat is absent in the XML, or if explicitly set to something other than Flattened, it will leave the file structure in old structure.
<a href="" id="diagnosticarchive-archiveresults"></a>**DiagnosticArchive/ArchiveResults**
Added in version 1.4 of the CSP in Windows 10, version 1903. This policy setting displays the results of the last archive run.
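Review bot: the OutputFileFormat bullet's closing clause "it will leave the file structure in old structure" survives this hunk unchanged and is awkward; suggest "the output keeps the previous structure, with an individual folder for each directive". The curly quotes around "Flattened" should also be straight quotes, as used elsewhere in the file.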
@ -191,7 +204,7 @@ The supported operation is Get.
The data type is string.
A Get to the above URI will return the results of the data gathering for the last diagnostics request. For the example above it returns:
A Get to the above URI will return the results of the data gathering for the last diagnostics request. For the example above:
``` xml
<SyncML>
@ -254,6 +267,7 @@ la--- 1/4/2021 2:45 PM 1
la--- 1/4/2021 2:45 PM 2
la--- 12/2/2020 6:27 PM 2701 results.xml
```
Each data gathering directive from the original `Collection` XML corresponds to a folder in the output.
For example, the first directive was:
@ -262,7 +276,8 @@ For example, the first directive was:
<RegistryKey HRESULT="0">HKLM\Software\Policies</RegistryKey>
</Collection>
```
then folder `1` will contain the corresponding `export.reg` file.
Then, folder `1` will contain the corresponding `export.reg` file.
The `results.xml` file is the authoritative map to the output. It includes a status code for each directive. The order of the directives in the file corresponds to the order of the output folders. Using `results.xml` the administrator can see what data was gathered, what failures may have occurred, and which folders contain which output. For example, the following `results.xml` content indicates that registry export of HKLM\Software\Policies was successful and the data can be found in folder `1`. It also indicates that `netsh.exe wlan show profiles` command failed.
@ -275,6 +290,7 @@ The `results.xml` file is the authoritative map to the output. It includes a sta
```
Administrators can apply automation to 'results.xml' to create their own preferred views of the data. For example, the following PowerShell one-liner extracts from the XML an ordered list of the directives with status code and details.
```powershell
Select-XML -Path results.xml -XPath '//RegistryKey | //Command | //Events | //FoldersFiles' | Foreach-Object -Begin {$i=1} -Process { [pscustomobject]@{DirectiveNumber=$i; DirectiveHRESULT=$_.Node.HRESULT; DirectiveInput=$_.Node.('#text')} ; $i++}
```
@ -375,8 +391,8 @@ Added in version 1.4 of the CSP in Windows 10, version 1903. Dynamic node to rep
Supported operations are Add, Delete, and Get.
Add **Channel**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
@ -398,7 +414,9 @@ Add **Channel**
</SyncBody>
</SyncML>
```
Delete **Channel**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
@ -416,7 +434,9 @@ Delete **Channel**
</SyncBody>
</SyncML>
```
Get **Channel**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
@ -434,6 +454,7 @@ Get **Channel**
</SyncBody>
</SyncML>
```
<a href="" id="policy-channels-channelname-maximumfilesize"></a>**Policy/Channels/_ChannelName_/MaximumFileSize**
Added in version 1.4 of the CSP in Windows 10, version 1903. This policy setting specifies the maximum size of the log file in megabytes.
@ -446,6 +467,7 @@ Supported operations are Add, Delete, Get, and Replace.
The data type is integer.
Add **MaximumFileSize**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
@ -470,6 +492,7 @@ Add **MaximumFileSize**
```
Delete **MaximumFileSize**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
@ -487,7 +510,9 @@ Delete **MaximumFileSize**
</SyncBody>
</SyncML>
```
Get **MaximumFileSize**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
@ -507,6 +532,7 @@ Get **MaximumFileSize**
```
Replace **MaximumFileSize**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
@ -542,6 +568,7 @@ Default string is as follows:
`https://docs.microsoft.com/windows/'desktop/WES/eventmanifestschema-channeltype-complextype`
Add **SDDL**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
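Review bot: the default-string URL kept as context in this hunk contains a stray apostrophe (`windows/'desktop/WES/...`) that makes the link invalid; it should read `https://docs.microsoft.com/windows/desktop/WES/eventmanifestschema-channeltype-complextype`.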
@ -566,6 +593,7 @@ Add **SDDL**
```
Delete **SDDL**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
@ -586,6 +614,7 @@ Delete **SDDL**
```
Get **SDDL**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
@ -605,6 +634,7 @@ Get **SDDL**
```
Replace **SDDL**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
@ -642,8 +672,10 @@ The following are the possible values:
If you disable or don't configure this policy setting, the locally configured value will be used as default. Every channel that is installed, whether inbox or by ISVs, is responsible for defining its own local configuration, and that configuration can be changed by any administrator. Values set via this policy override but don't replace local configuration.
If you disable or don't configure this policy setting, the locally configured value will be used as default. Every channel that is installed, whether inbox or by ISVs, is responsible for defining its own local configuration, and that configuration can be changed by any administrator. Values set via this policy override but don't replace local configuration.
Add **ActionWhenFull**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
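Review bot: the removed and added versions of the "If you disable or don't configure this policy setting..." paragraph read identically, so this is a whitespace-only change; fine to keep, but confirm nothing else was meant to change here. While touching it, "override but don't replace local configuration" is clearer as "take precedence over, but don't overwrite, the local configuration".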
@ -668,6 +700,7 @@ Add **ActionWhenFull**
```
Delete **ActionWhenFull**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
@ -687,6 +720,7 @@ Delete **ActionWhenFull**
```
Get **ActionWhenFull**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
@ -706,6 +740,7 @@ Get **ActionWhenFull**
```
Replace **ActionWhenFull**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
@ -737,12 +772,14 @@ Supported operations are Add, Delete, Get, and Replace.
The data type is boolean.
The following are the possible values:
- TRUE—Enables the channel.
- FALSE—Disables the channel.
If you disable or don't configure this policy setting, the locally configured value is used as default.
Get **Enabled**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
@ -762,6 +799,7 @@ Get **Enabled**
```
Add **Enabled**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
@ -786,6 +824,7 @@ Add **Enabled**
```
Delete **Enabled**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
@ -805,6 +844,7 @@ Delete **Enabled**
```
Replace **Enabled**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
@ -831,6 +871,7 @@ Replace **Enabled**
## EtwLog area
The Event Tracing for Windows (ETW) log feature of the DiagnosticLog CSP is used to control the following types of event tracing:
- [Collector-based tracing](#collector-based-tracing)
- [Channel-based tracing](#channel-based-tracing)
@ -842,31 +883,31 @@ This type of event tracing collects event data from a collection of registered E
An event collector is a container of registered ETW providers. Users can add or delete a collector node and register or unregister multiple providers in this collector.
The ***CollectorName*** must be unique within the CSP and must not be a valid event channel name or a provider GUID.
The *CollectorName* must be unique within the CSP and must not be a valid event channel name or a provider GUID.
The DiagnosticLog CSP maintains a log file for each collector node and the log file is overwritten if a start command is triggered again on the same collector node.
For each collector node, the user can:
- Start or stop the session with all registered and enabled providers
- Query session status
- Change trace log file mode
- Change trace log file size limit
- Start or stop the session with all registered and enabled providers.
- Query session status.
- Change trace log file mode.
- Change trace log file size limit.
The configurations log file mode and log file size limit don't take effect while trace session is in progress. These attributes are applied when user stops the current session and then starts it again for this collector.
For each registered provider in this collector, the user can:
- Specify keywords to filter events from this provider
- Change trace level to filter events from this provider
- Enable or disable the provider in the trace session
- Specify keywords to filter events from this provider.
- Change trace level to filter events from this provider.
- Enable or disable the provider in the trace session.
The changes on **State**, **Keywords**, and **TraceLevel** takes effect immediately while trace session is in progress.
> [!NOTE]
> Microsoft-WindowsPhone-Enterprise-Diagnostics-Provider (GUID - 3da494e4-0fe2-415C-b895-fb5265c5c83b) has the required debug resource files built into Windows OS, which will allow the logs files to be decoded on the remote machine. Any other logs may not have the debug resources required to decode.
### Channel-based tracing
### Channel-based tracing
The type of event tracing exports event data from a specific channel. This method is only supported on the desktop.
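Review bot: two grammar problems in this hunk's unchanged context: "The configurations log file mode and log file size limit don't take effect while trace session is in progress" should read "The log file mode and log file size limit settings don't take effect while a trace session is in progress", and "The changes on State, Keywords, and TraceLevel takes effect" should be "take effect". The duplicated "### Channel-based tracing" heading is a whitespace-only change.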
@ -876,9 +917,9 @@ The DiagnosticLog CSP maintains a log file for each channel node and the log fil
For each channel node, the user can:
- Export channel event data into a log file (.evtx)
- Enable or disable the channel from Event Log service to allow or disallow event data being written into the channel
- Specify an XPath query to filter events while exporting the channel event data
- Export channel event data into a log file (.evtx).
- Enable or disable the channel from Event Log service to allow or disallow event data being written into the channel.
- Specify an XPath query to filter events while exporting the channel event data.
For more information about using DiagnosticLog to collect logs remotely from a PC or mobile device, see [Diagnose MDM failures in Windows 10](diagnose-mdm-failures-in-windows-10.md).
@ -887,13 +928,13 @@ To gather diagnostics using this CSP:
1. Specify a *CollectorName* for the container of the target ETW providers.
2. (Optional) Set logging and log file parameters using the following options:
- <a href="#etwlog-collectors-collectorname-tracelogfilemode">TraceLogFileMode</a>
- <a href="#etwlog-collectors-collectorname-logfilesizelimitmb">LogFileSizeLimitMB</a>
- [TraceLogFileMode](#etwlog-collectors-collectorname-tracelogfilemode)
- [LogFileSizeLimitMB](#etwlog-collectors-collectorname-logfilesizelimitmb)
3. Indicate one or more target ETW providers by supplying its *ProviderGUID* to the Add operation of EtwLog/Collectors/*CollectorName*/Providers/*ProviderGUID*.
3. Indicate one or more target ETW providers by supplying its **ProviderGUID** to the Add operation of EtwLog/Collectors/*CollectorName*/Providers/*ProviderGUID*.
4. (Optional) Set logging and log file parameters using the following options:
- <a href="#etwlog-collectors-collectorname-providers-providerguid-tracelevel">TraceLevel</a>
- <a href="#etwlog-collectors-collectorname-providers-providerguid-keywords">Keywords</a>
- [TraceLevel](#etwlog-collectors-collectorname-providers-providerguid-tracelevel)
- [Keywords](#etwlog-collectors-collectorname-providers-providerguid-keywords)
5. Start logging using **TraceControl** EXECUTE command “START”.
6. Perform actions on the target device that will generate activity in the log files.
7. Stop logging using **TraceControl** EXECUTE command “STOP”.
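Review bot: step 3 switches *ProviderGUID* to bold while every other node name in this list stays italic (*CollectorName*), and "its" should be "their" for "one or more target ETW providers". Steps 2 and 4 are both captioned "(Optional) Set logging and log file parameters", but step 4 sets per-provider filters (TraceLevel, Keywords), so a caption such as "(Optional) Set provider filter parameters" would distinguish them.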
@ -1439,7 +1480,7 @@ The supported value is Execute.
## FileDownload area
The FileDownload feature of the DiagnosticLog CSP enables a management server to pull data directly from the device. In the FileDownload context the client and server roles are conceptually reversed, with the management server acting as a client to download the data from the managed device.
The FileDownload feature of the DiagnosticLog CSP enables a management server to pull data directly from the device. In the FileDownload context, the client and server roles are conceptually reversed, with the management server acting as a client to download the data from the managed device.
### Comparing FileDownload and DiagnosticArchive
@ -1624,6 +1665,7 @@ The supported operation is Get.
### Reading a log file
To read a log file:
1. Enumerate log file under **./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel**.
2. Select a log file in the Enumeration result.
3. Set **BlockSizeKB** per DM server payload limitation.
@ -1632,3 +1674,7 @@ To read a log file:
6. Get **BlockData** for upload log block.
7. Increase **BlockIndexToRead**.
8. Repeat steps 5 to 7 until **BlockIndexToRead == (BlockIndexToRead 1)**.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
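Review bot: the loop condition in step 8, "until BlockIndexToRead == (BlockIndexToRead 1)", compares the index with itself and has lost an operator and an identifier, so it never describes a terminating condition; it should compare BlockIndexToRead against the file's total block count (minus one), which this hunk's context doesn't show. Please restore the intended node name and operator rather than leaving the garbled expression.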


@ -14,16 +14,24 @@ ms.date: 06/26/2017
# DMAcc CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The DMAcc configuration service provider allows an OMA Device Management (DM) version 1.2 server to handle OMA DM account objects. The server can use this configuration service provider to add a new account or to manage an existing account, including an account that was bootstrapped by using the [w7 APPLICATION configuration service provider](w7-application-csp.md)
> **Note**  This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application.
> [!Note]
>This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application.
For the DMAcc CSP, you can't use the Replace command unless the node already exists.
The following example shows the DMAcc configuration service provider management object in tree format as used by OMA Device Management version 1.2. The OMA Client Provisioning protocol isn't supported by this configuration service provider.
The following shows the DMAcc configuration service provider management object in tree format as used by OMA Device Management version 1.2. The OMA Client Provisioning protocol isn't supported by this configuration service provider.
```
./SyncML
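Review bot: the reformatted note is missing the space after `>` on its second line (">This configuration service provider requires..."), unlike the same construct later in this file; and the sentence ending "...[w7 APPLICATION configuration service provider](w7-application-csp.md)" still lacks a terminating period.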
@ -237,13 +245,10 @@ Required. Specifies the role mask that the OMA DM session runs with when it comm
If this parameter isn't present, the DM session is given the role mask of the OMA DM session that the server created. The following list shows the valid security role masks and their values.
- 4 = SECROLE\_OPERATOR
- 8 = SECROLE\_MANAGER
- 16 = SECROLE\_USER\_AUTH
- 128 = SECROLE\_OPERATOR\_TPS
- 4 = SECROLE\_OPERATO
- 8 = SECROLE\_MANAGE
- 16 = SECROLE\_USER\_AUT
- 128 = SECROLE\_OPERATOR\_TPS
The acceptable access roles for this node can't be more than the roles assigned to the DMAcc object.
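Review bot: the replacement role list drops the last character of three constant names: "SECROLE\_OPERATO", "SECROLE\_MANAGE" and "SECROLE\_USER\_AUT" must remain "SECROLE\_OPERATOR", "SECROLE\_MANAGER" and "SECROLE\_USER\_AUTH" as in the removed lines (only SECROLE\_OPERATOR\_TPS is intact). This looks like a find-and-replace accident; please restore the names.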
@ -256,11 +261,9 @@ The default value of "FALSE" specifies that an application-specific GUID is retu
A value is "TRUE" specifies that the hardware device ID will be provided for the ./DevInfo/DevID element and the Source LocURI for the OMA DM package that is sent to the server. In this case:
- For GSM phones, the IMEI is returned.
- For CDMA phones, the MEID is returned.
- For dual SIM phones, this value is retrieved from the UICC of the primary data line.
- For GSM phones, the IMEI is returned.
- For CDMA phones, the MEID is returned.
- For dual SIM phones, this value is retrieved from the UICC of the primary data line.
Value type is bool. Supported operations are Add, Get, and Replace.
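Review bot: the three bullets removed and re-added here are textually identical (whitespace-only change). The lead sentence above them, "A value is "TRUE" specifies that...", should read "A value of "TRUE" specifies that...".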
@ -292,9 +295,8 @@ The supported names are Subject and Stores; wildcard certificate search isn't su
Stores specifies which certificate stores the DM client will search to find the SSL client certificate. The valid store value is My%5CUser. The store name isn't case sensitive.
> **Note**   %EF%80%80 is the UTF8-encoded character U+F000.
> [!Note]
> %EF%80%80 is the UTF8-encoded character U+F000.
Subject specifies the certificate to search for. For example, to specify that you want a certificate with a particular Subject attribute (“CN=Tester,O=Microsoft”), use the following schema:
@ -312,15 +314,4 @@ Supported operations are Add, and Replace.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)


@ -14,6 +14,15 @@ ms.date: 11/01/2017
# DMClient CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The DMClient configuration service provider (CSP) has more enterprise-specific mobile device management (MDM) configuration settings. These settings identify the device in the enterprise domain, include security mitigation for certificate renewal, and are used for server-triggered enterprise unenrollment.
@ -66,6 +75,7 @@ DMClient
----Unenroll
----UpdateManagementServiceAddress
```
<a href="" id="msft"></a>**./Vendor/MSFT**
All the nodes in this CSP are supported in the device context, except for the **ExchangeID** node, which is supported in the user context. For the device context, use the **./Device/Vendor/MSFT** path and for the user context, use the **./User/Vendor/MSFT** path.
@ -104,8 +114,6 @@ Supported operations are Get and Add.
> Although hardware device IDs are guaranteed to be unique, there's a concern that this isn't ultimately enforceable during a DM session. The device ID could be changed through the w7 APPLICATION CSPs **USEHWDEVID** parm by another management server. So during enterprise bootstrap and enrollment, a new device ID is specified by the enterprise server.
This node is required and must be set by the server before the client certificate renewal is triggered.
<a href="" id="provider-providerid-exchangeid"></a>**Provider/*ProviderID*/ExchangeID**
Optional. Character string that contains the unique Exchange device ID used by the Outlook account of the user the session is running against. The enterprise management server can correlate and merge records for:
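Review bot: in the note kept as context, "the w7 APPLICATION CSPs **USEHWDEVID** parm" should be "the w7 APPLICATION CSP's **USEHWDEVID** parameter" (possessive, and "parm" spelled out).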
@ -115,8 +123,6 @@ Optional. Character string that contains the unique Exchange device ID used by t
> [!NOTE]
> In some cases for the desktop, this node will return "not found" until the user sets up their email.
Supported operation is Get.
The following XML is a Get command example:
@ -148,8 +154,6 @@ Required. The character string that contains the device management server addres
> [!NOTE]
> When the **ManagementServerAddressList** value is set, the device ignores the value.
The DMClient CSP will save the address to the same location as the w7 and DMS CSPs. The save ensures the management client has a single place to retrieve the current server address. The initial value for this node is the same server address value as bootstrapped using the [w7 APPLICATION configuration service provider](w7-application-csp.md).
Starting in Windows 10, version 1511, this node supports multiple server addresses in the format &lt;URL1&gt;&lt;URL2&gt;&lt;URL3&gt;. If there's only a single URL, then the &lt;&gt; aren't required. This feature is supported on Windows client devices.
@ -159,7 +163,7 @@ During a DM session, the device will use the first address on the list and then
Supported operations are Add, Get, and Replace.
<a href="" id="provider-providerid-upn"></a>**Provider/*ProviderID*/UPN**
Optional. Allows the management server to update the User Principal Name (UPN) of the enrolled user. This information is useful when the user email address changes in the identity system. Or, when the user enters an invalid UPN during enrollment, and fixes the UPN during federated enrollment. The UPN will be recorded and the UX will reflect the updated UPN.
Optional. Allows the management server to update the User Principal Name (UPN) of the enrolled user. This information is useful when the user's email address changes in the identity system. Or, when the user enters an invalid UPN during enrollment, and fixes the UPN during federated enrollment. The UPN will be recorded and the UX will reflect the updated UPN.
Supported operations are Get and Replace.
@ -199,8 +203,6 @@ Optional. Used by the management server to set the DM session version that the s
Once you set the value to 2.0, it won't go back to 1.0.
Supported operations are Get, Replace, and Delete.
<a href="" id="provider-providerid-maxsyncapplicationversion"></a>**Provider/*ProviderID*/MaxSyncApplicationVersion**
@ -279,8 +281,6 @@ Added in Windows 10, version 1607. The list of management server URLs in the fo
> [!NOTE]
> The &lt; and &gt; should be escaped.
```xml
<Replace>
<CmdID>101</CmdID>
@ -299,23 +299,31 @@ If ManagementServerAddressList node is set, the device will only use the server
When the server isn't responding after a specified number of retries, the device tries to use the next server URL in the list. It keeps trying until it gets a successful connection. After the server list is updated, the client uses the updated list at the next session starting with the first one in the list.
Supported operations are Get and Replace. Value type is string.
Supported operations are Get and Replace.
Value type is string.
<a href="" id="provider-providerid-managementservertoupgradeto"></a>**Provider/*ProviderID*/ManagementServerToUpgradeTo**
Optional. Added in Windows 10, version 1703. Specify the Discovery server URL of the MDM provider to upgrade to for a Mobile Application Management (MAM) enrolled device.
Supported operations are Add, Delete, Get, and Replace. Value type is string.
Supported operations are Add, Delete, Get, and Replace.
Value type is string.
<a href="" id="provider-providerid-numberofdaysafterlostcontacttounenroll"></a>**Provider/*ProviderID*/NumberOfDaysAfterLostContactToUnenroll**
Optional. Number of days after last successful sync to unenroll.
Supported operations are Add, Delete, Get, and Replace. Value type is integer.
Supported operations are Add, Delete, Get, and Replace.
Value type is integer.
<a href="" id="provider-providerid-aadsenddevicetoken"></a>**Provider/*ProviderID*/AADSendDeviceToken**
Device. Added in Windows 10 version 1803. For Azure AD backed enrollments, this feature will cause the client to send a Device Token if the User Token can't be obtained.
Supported operations are Add, Delete, Get, and Replace. Value type is bool.
Supported operations are Add, Delete, Get, and Replace.
Value type is bool.
<a href="" id="provider-providerid-poll"></a>**Provider/*ProviderID*/Poll**
Optional. Polling schedules must use the DMClient CSP. The Registry paths previously associated with polling using the Registry CSP are now deprecated.
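Review bot: "Device. Added in Windows 10 version 1803." under AADSendDeviceToken is missing the comma used everywhere else in this file ("Windows 10, version 1803"); and since the other nodes open with "Optional." or "Required.", the bare "Device." scope label would be clearer as "Device scope only." for consistency.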
@ -442,7 +450,7 @@ Optional. This node enables [Config Lock](config-lock.md) feature. If enabled, p
Default = Locked
> [!Note]
>If the device isn't a Secured-core PC, then this feature won't work. To know more, see [Secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure).
> If the device isn't a Secured-core PC, then this feature won't work. To know more, see [Secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure).
<a href="" id="provider-providerid-configlock-lock"></a>**Provider/*ProviderID*/ConfigLock/Lock**
@ -504,22 +512,30 @@ Supported operations are Add, Delete, and Get.
<a href="" id="provider-providerid-customenrollmentcompletepage-title"></a>**Provider/*ProviderID*/CustomEnrollmentCompletePage/Title**
Optional. Added in Windows 10, version 1703. Specifies the title of the all done page that appears at the end of the MDM enrollment flow.
Supported operations are Add, Delete, Get, and Replace. Value type is string.
Supported operations are Add, Delete, Get, and Replace.
Value type is string.
<a href="" id="provider-providerid-customenrollmentcompletepage-bodytext"></a>**Provider/*ProviderID*/CustomEnrollmentCompletePage/BodyText**
Optional. Added in Windows 10, version 1703. Specifies the body text of the all done page that appears at the end of the MDM enrollment flow.
Supported operations are Add, Delete, Get, and Replace. Value type is string.
Supported operations are Add, Delete, Get, and Replace.
Value type is string.
<a href="" id="provider-providerid-customenrollmentcompletepage-hyperlinkhref"></a>**Provider/*ProviderID*/CustomEnrollmentCompletePage/HyperlinkHref**
Optional. Added in Windows 10, version 1703. Specifies the URL that's shown at the end of the MDM enrollment flow.
Supported operations are Add, Delete, Get, and Replace. Value type is string.
Supported operations are Add, Delete, Get, and Replace.
Value type is string.
<a href="" id="provider-providerid-customenrollmentcompletepage-hyperlinktext"></a>**Provider/*ProviderID*/CustomEnrollmentCompletePage/HyperlinkText**
Optional. Added in Windows 10, version 1703. Specifies the display text for the URL that's shown at the end of the MDM enrollment flow.
Supported operations are Add, Delete, Get, and Replace. Value type is string.
Supported operations are Add, Delete, Get, and Replace.
Value type is string.
<a href="" id="provider-providerid-firstsyncstatus-"></a>**Provider/*ProviderID*/FirstSyncStatus**
Optional node. Added in Windows 10, version 1709.
@ -527,17 +543,23 @@ Optional node. Added in Windows 10, version 1709.
<a href="" id="provider-providerid-firstsyncstatus-expectedpolicies"></a>**Provider/*ProviderID*/FirstSyncStatus/ExpectedPolicies**
Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to policies the management service provider expects to configure, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER).
Supported operations are Add, Delete, Get, and Replace. Value type is string.
Supported operations are Add, Delete, Get, and Replace.
Value type is string.
<a href="" id="provider-providerid-firstsyncstatus-expectednetworkprofiles "></a>**Provider/*ProviderID*/FirstSyncStatus/ExpectedNetworkProfiles**
Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to Wi-Fi profiles and VPN profiles the management service provider expects to configure, delimited by the character L"\xF000".
Supported operations are Add, Delete, Get, and Replace. Value type is string.
Supported operations are Add, Delete, Get, and Replace.
Value type is string.
<a href="" id="provider-providerid-firstsyncstatus-expectedmsiapppackages"></a>**Provider/*ProviderID*/FirstSyncStatus/ExpectedMSIAppPackages**
Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to App Packages the management service provider expects to configure using the EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. For example, `./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2` This represents App Package ProductID1 containing four apps, and ProductID2 containing two apps.
Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to App Packages the management service provider expects to configure using the EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. For example, `./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2` This represents App Package ProductID1 containing four apps, and ProductID2 containing two apps.
Supported operations are Add, Delete, Get, and Replace. Value type is string.
Supported operations are Add, Delete, Get, and Replace.
Value type is string.
<a href="" id="provider-providerid-firstsyncstatus-expectedmodernapppackages"></a>**Provider/*ProviderID*/FirstSyncStatus/ExpectedModernAppPackages**
Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to App Packages the management service provider expects to configure using the EnterpriseModernAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. For example,
@ -549,62 +571,86 @@ Required. Added in Windows 10, version 1709. This node contains a list of LocURI
This syntax represents App Package PackageFullName containing four apps, and PackageFullName2 containing two apps.
Supported operations are Add, Delete, Get, and Replace. Value type is string.
Supported operations are Add, Delete, Get, and Replace.
Value type is string.
<a href="" id="provider-providerid-firstsyncstatus-expectedpfxcerts"></a>**Provider/*ProviderID*/FirstSyncStatus/ExpectedPFXCerts**
Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to certs the management service provider expects to configure using the ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER).
Supported operations are Add, Delete, Get, and Replace. Value type is string.
Supported operations are Add, Delete, Get, and Replace.
Value type is string.
<a href="" id="provider-providerid-firstsyncstatus-expectedscepcerts"></a>**Provider/*ProviderID*/FirstSyncStatus/ExpectedSCEPCerts**
Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to SCEP certs the management service provider expects to configure using the ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER).
Supported operations are Add, Delete, Get, and Replace. Value type is string.
Supported operations are Add, Delete, Get, and Replace.
Value type is string.
<a href="" id="provider-providerid-firstsyncstatus-timeoutuntilsyncfailure"></a>**Provider/*ProviderID*/FirstSyncStatus/TimeOutUntilSyncFailure**
Required. Added in Windows 10, version 1709. This node determines how long we will poll until we surface an error message to the user. The unit of measurement is minutes. Default value will be 60, while maximum value will be 1,440 (one day).
Required. Added in Windows 10, version 1709. This node determines how long we'll poll until we surface an error message to the user. The unit of measurement is minutes. Default value will be 60, while maximum value will be 1,440 (one day).
Supported operations are Get and Replace. Value type is integer.
Supported operations are Get and Replace.
Value type is integer.
<a href="" id="provider-providerid-firstsyncstatus-serverhasfinishedprovisioning"></a>**Provider/*ProviderID*/FirstSyncStatus/ServerHasFinishedProvisioning**
Required. Added in Windows 10, version 1709. This node is set by the server to inform the UX that the server has finished configuring the device. It was added so that the server can “change its mind" about what it needs to configure on the device. When this node is set, many other DM Client nodes can't be changed. If this node isn't True, the UX will consider the configuration a failure. Once set to true, it would reject attempts to change it back to false with CFGMGR_E_COMMANDNOTALLOWED. This node applies to the per user expected policies and resources lists.
Supported operations are Get and Replace. Value type is boolean.
Supported operations are Get and Replace.
Value type is boolean.
<a href="" id="provider-providerid-firstsyncstatus-issyncdone"></a>**Provider/*ProviderID*/FirstSyncStatus/IsSyncDone**
Required. Added in Windows 10, version 1709. This node, when doing a get, tells the server if the “First Syncs" are done and the device is fully configured. `Set` triggers the UX to override whatever state it's in, and tell the user that the device is configured. It can't be set from True to False (it won't change its mind if the sync is done), and it can't be set from True to True (to prevent notifications from firing multiple times). This node only applies to the user MDM status page (on a per user basis).
Supported operations are Get and Replace. Value type is boolean.
Supported operations are Get and Replace.
Value type is boolean.
<a href="" id="provider-providerid-firstsyncstatus-wasdevicesuccessfullyprovisioned"></a>**Provider/*ProviderID*/FirstSyncStatus/WasDeviceSuccessfullyProvisioned**
Required. Added in Windows 10, version 1709. Integer node determining if a device was successfully configured. 0 is failure, 1 is success, 2 is in progress. Once the value is changed to 0 or 1, the value can't be changed again. The client will change the value of success or failure and update the node. The server can force a failure or success message to appear on the device by setting this value and then setting the IsSyncDone node to true. This node only applies to the user MDM status page (on a per user basis).
Supported operations are Get and Replace. Value type is integer.
Supported operations are Get and Replace.
Value type is integer.
<a href="" id="provider-providerid-firstsyncstatus-blockinstatuspage"></a>**Provider/*ProviderID*/FirstSyncStatus/BlockInStatusPage**
Required. Device Only. Added in Windows 10, version 1803. This node determines if the MDM progress page is blocking in the Azure AD joined or DJ++ case, and which remediation options are available.
Supported operations are Get and Replace. Value type is integer.
Supported operations are Get and Replace.
Value type is integer.
<a href="" id="provider-providerid-firstsyncstatus-allowcollectlogsbutton"></a>**Provider/*ProviderID*/FirstSyncStatus/AllowCollectLogsButton**
Required. Added in Windows 10, version 1803. This node decides if the MDM progress page displays the Collect Logs button.
Supported operations are Get and Replace. Value type is bool.
Supported operations are Get and Replace.
Value type is bool.
<a href="" id="provider-providerid-firstsyncstatus-customerrortext"></a>**Provider/*ProviderID*/FirstSyncStatus/CustomErrorText**
Required. Added in Windows 10, version 1803. This node allows the MDM to set custom error text, detailing what the user needs to do if there's an error.
Supported operations are Add, Get, Delete, and Replace. Value type is string.
Supported operations are Add, Get, Delete, and Replace.
Value type is string.
<a href="" id="provider-providerid-firstsyncstatus-skipdevicestatuspage"></a>**Provider/*ProviderID*/FirstSyncStatus/SkipDeviceStatusPage**
Required. Device only. Added in Windows 10, version 1803. This node decides if the MDM device progress page skips after Azure AD joined or Hybrid Azure AD joined in OOBE.
Supported operations are Get and Replace. Value type is bool.
Supported operations are Get and Replace.
Value type is bool.
<a href="" id="provider-providerid-firstsyncstatus-skipuserstatuspage"></a>**Provider/*ProviderID*/FirstSyncStatus/SkipUserStatusPage**
Required. Device only. Added in Windows 10, version 1803. This node decides if the MDM user progress page skips after Azure AD joined or DJ++ after user login.
Supported operations are Get and Replace. Value type is bool.
Supported operations are Get and Replace.
Value type is bool.
<a href="" id="provider-providerid-enhancedapplayersecurity"></a>**Provider/*ProviderID*/EnhancedAppLayerSecurity**
Required node. Added in Windows 10, version 1709.
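Review bot: the value-type wording in this hunk is inconsistent: ExpectedSCEPCerts through WasDeviceSuccessfullyProvisioned end with "Value type is boolean." or "Value type is integer.", while AllowCollectLogsButton, SkipDeviceStatusPage and SkipUserStatusPage say "Value type is bool."; use one spelling (the rest of the document uses `boolean`). Likewise normalize "Required. Device Only." (BlockInStatusPage) to "Required. Device only." as in the two Skip*StatusPage nodes. The quotation marks in “change its mind" and “First Syncs" mix a curly opening quote with a straight closing one. BlockInStatusPage states that it decides "which remediation options are available" but lists no values for the integer; if the allowed values are documented elsewhere, this is the place to list them.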
@ -614,22 +660,30 @@ Supported operation is Get.
<a href="" id="provider-providerid-enhancedapplayersecurity-securitymode"></a>**Provider/*ProviderID*/EnhancedAppLayerSecurity/SecurityMode**
Required. Added in Windows 10, version 1709. This node specifies how the client will do the app layer signing and encryption. 0: no op; 1: sign only; 2: encrypt only; 3: sign and encrypt. The default value is 0.
Supported operations are Add, Get, Replace, and Delete. Value type is integer.
Supported operations are Add, Get, Replace, and Delete.
Value type is integer.
<a href="" id="provider-providerid-enhancedapplayersecurity-usecertifrevocationcheckoffline"></a>**Provider/*ProviderID*/EnhancedAppLayerSecurity/UseCertIfRevocationCheckOffline**
Required. Added in Windows 10, version 1709. When this node is set, it tells the client to use the certificate even when the client can't check the certificate's revocation status because the device is offline. The default value is set.
Supported operations are Add, Get, Replace, and Delete. Value type is boolean.
Supported operations are Add, Get, Replace, and Delete.
Value type is boolean.
<a href="" id="provider-providerid-enhancedapplayersecurity-cert0"></a>**Provider/*ProviderID*/EnhancedAppLayerSecurity/Cert0**
Required. Added in Windows 10, version 1709. The node contains the primary certificate - the public key to use.
Supported operations are Add, Get, Replace, and Delete. Value type is string.
Supported operations are Add, Get, Replace, and Delete.
Value type is string.
<a href="" id="provider-providerid-enhancedapplayersecurity-cert1"></a>**Provider/*ProviderID*/EnhancedAppLayerSecurity/Cert1**
Required. Added in Windows 10, version 1709. The node contains the secondary certificate - the public key to use.
Supported operations are Add, Get, Replace, and Delete. Value type is string.
Supported operations are Add, Get, Replace, and Delete.
Value type is string.
<a href="" id="provider-providerid-unenroll"></a>**Provider/*ProviderID*/Unenroll**
Required. The node accepts unenrollment requests using the OMA DM Exec command and calls the enrollment client to unenroll the device from the management server whose provider ID is specified in the `<Data>` tag under the `<Item>` element. Scope is permanent.
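Review bot: UseCertIfRevocationCheckOffline ends with "The default value is set.", which is ambiguous for a boolean; state the default explicitly as True or False. This node decides whether a certificate whose revocation status could not be checked is still used, so an administrator reading the page needs to know the out-of-box behaviour before deciding whether to change it. In SecurityMode, the enumeration "0: no op; 1: sign only; 2: encrypt only; 3: sign and encrypt" reads better as a bulleted list in the style the rest of the document uses for value options. In Cert0 and Cert1, "the primary certificate - the public key to use" and "the secondary certificate - the public key to use" would be clearer with a colon or parentheses instead of the spaced hyphen.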
@ -658,5 +712,4 @@ The following SyncML shows how to remotely unenroll the device. This command sho
## Related articles
[Configuration service provider reference](configuration-service-provider-reference.md)

View File

@ -13,10 +13,19 @@ manager: dansimp
# DMSessionActions CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The DMSessionActions configuration service provider (CSP) is used to manage:
- the number of sessions the client skips if the device is in a low-power state
- the number of sessions the client skips if the device is in a low-power state.
- which CSP nodes should send an alert back to the server if there were any changes.
This CSP was added in Windows 10, version 1703.
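Review bot: "The table below shows the applicability of Windows:" is awkward; "The following table shows the Windows editions that support this CSP:" states what the table lists. The same sentence is introduced for DynamicManagement and EMAIL2 in this commit, so fix it in all three places. The new bullet "the number of sessions the client skips if the device is in a low-power state." now matches the period on the second bullet, which is good; make sure the list lead-in "is used to manage:" keeps its colon.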
@ -62,42 +71,59 @@ DMSessionActions
------------MaxSkippedSessionsInLowPowerState
------------MaxTimeSessionsSkippedInLowPowerState
```
<a href="" id="vendor-msft-dmsessionactions"></a>**./Device/Vendor/MSFT/DMSessionActions or ./User/Vendor/MSFT/DMSessionActions**
<p>Defines the root node for the DMSessionActions configuration service provider.</p>
Defines the root node for the DMSessionActions configuration service provider.
<a href="" id="providerid"></a>***ProviderID***
<p>Group settings per device management (DM) server. Each group of settings is distinguished by the Provider ID of the server. It must be the same DM server Provider ID value that was supplied through the w7 APPLICATION configuration service provider XML during the enrollment process. Only one enterprise management server is supported, which means there should be only one ProviderID node under NodeCache. </p>
Group settings per device management (DM) server. Each group of settings is distinguished by the Provider ID of the server. It must be the same DM server Provider ID value that was supplied through the w7 APPLICATION configuration service provider XML during the enrollment process. Only one enterprise management server is supported, which means there should be only one ProviderID node under NodeCache.
<p>Scope is dynamic. Supported operations are Get, Add, and Delete.</p>
Scope is dynamic. Supported operations are Get, Add, and Delete.
<a href="" id="checkinalertconfiguration"></a>***ProviderID*/CheckinAlertConfiguration**
<p>Node for the custom configuration of alerts to be sent during MDM sync session.</p>
Node for the custom configuration of alerts to be sent during MDM sync session.
<a href="" id="nodes"></a>***ProviderID*/CheckinAlertConfiguration/Nodes**
<p>Required. Root node for URIs to be queried. Scope is dynamic.</p>
Required. Root node for URIs to be queried. Scope is dynamic.
<p>Supported operation is Get.</p>
Supported operation is Get.
<a href="" id="nodeid"></a>***ProviderID*/CheckinAlertConfiguration/Nodes/*NodeID***
<p>Required. Information about each node is stored under NodeID as specified by the server. This value must not contain a comma. Scope is dynamic.</p>
Required. Information about each node is stored under NodeID as specified by the server. This value must not contain a comma. Scope is dynamic.
<p>Supported operations are Get, Add, and Delete.</p>
Supported operations are Get, Add, and Delete.
<a href="" id="nodeuri"></a>***ProviderID*/CheckinAlertConfiguration/Nodes/*NodeID*/NodeURI**
<p>Required. The value is a complete OMA DM node URI. It can specify either an interior node or a leaf node in the device management tree. Scope is dynamic.</p>
<p>Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
Required. The value is a complete OMA DM node URI. It can specify either an interior node or a leaf node in the device management tree. Scope is dynamic.
Value type is string.
Supported operations are Add, Get, Replace, and Delete.
<a href="" id="alertdata"></a>**AlertData**
<p>Node to query the custom alert per server configuration</p>
<p>Value type is string. Supported operation is Get.</p>
Node to query the custom alert per server configuration
Value type is string.
Supported operation is Get.
<a href="" id="powersettings"></a>**PowerSettings**
<p>Node for power-related configurations</p>
Node for power-related configurations.
<a href="" id="maxskippedsessionsinlowpowerstate"></a>**PowerSettings/MaxSkippedSessionsInLowPowerState**
<p>Maximum number of continuous skipped sync sessions when the device is in low-power state.</p>
<p>Value type is integer. Supported operations are Add, Get, Replace, and Delete.</p>
Maximum number of continuous skipped sync sessions when the device is in low-power state.
Value type is integer.
Supported operations are Add, Get, Replace, and Delete.
<a href="" id="maxtimesessionsskippedinlowpowerstate"></a>**PowerSettings/MaxTimeSessionsSkippedInLowPowerState**
<p>Maximum time in minutes when the device can skip the check-in with the server if the device is in low-power state. </p>
<p>Value type is integer. Supported operations are Add, Get, Replace, and Delete.</p>
Maximum time in minutes when the device can skip the check-in with the server if the device is in low-power state.
Value type is integer.
Supported operations are Add, Get, Replace, and Delete.
## Related articles
[Configuration service provider reference](configuration-service-provider-reference.md)
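Review bot: the ProviderID description, which this hunk only strips of its `<p>` tags, ends with "there should be only one ProviderID node under NodeCache", but this is the DMSessionActions CSP; the sentence appears to be carried over from another CSP and should name DMSessionActions. Since these lines are being touched anyway, also add the missing terminal period to "Node to query the custom alert per server configuration" (AlertData), matching the period added to "Node for power-related configurations." The AlertData and PowerSettings headings show only the leaf name, while the sibling headings show the full path from *ProviderID*; use one convention.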

View File

@ -14,7 +14,17 @@ ms.collection: highpri
# DynamicManagement CSP
Windows 10 allows you to manage devices differently depending on location, network, or time.  In Windows 10, version 1703 the focus is on the most common areas of concern expressed by organizations. For example, managed devices can have cameras disabled when at a work location, the cellular service can be disabled when outside the country to avoid roaming charges, or the wireless network can be disabled when the device isn't within the corporate building or campus. Once configured, these settings will be enforced even if the device cant reach the management server when the location or network changes. The Dynamic Management CSP enables configuration of policies that change how the device is managed in addition to setting the conditions on which the change occurs.
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
Windows 10 or Windows 11 allows you to manage devices differently depending on location, network, or time.  Added in Windows 10, version 1703, the focus is on the most common areas of concern expressed by organizations. For example, managed devices can have cameras disabled when at a work location, the cellular service can be disabled when outside the country to avoid roaming charges, or the wireless network can be disabled when the device isn't within the corporate building or campus. Once configured, these settings will be enforced even if the device cant reach the management server when the location or network changes. The Dynamic Management CSP enables configuration of policies that change how the device is managed in addition to setting the conditions on which the change occurs.
This CSP was added in Windows 10, version 1703.
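Review bot: the reworded intro "Added in Windows 10, version 1703, the focus is on the most common areas of concern" attaches "Added in" to "the focus" rather than to the CSP; the original "In Windows 10, version 1703 the focus is..." was clearer, and the following line already says "This CSP was added in Windows 10, version 1703.", so the version need not appear in both. While rewriting the line, fix "cant" to "can't" and the double space after "time.", both of which survive from the old line.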
@ -33,13 +43,18 @@ DynamicManagement
------------Altitude
----AlertsEnabled
```
<a href="" id="dynamicmanagement"></a>**DynamicManagement**
<p>The root node for the DynamicManagement configuration service provider.</p>
The root node for the DynamicManagement configuration service provider.
<a href="" id="notificationsenabled"></a>**NotificationsEnabled**
<p>Boolean value for sending notification to the user of a context change.</p>
<p>Default value is False. Supported operations are Get and Replace.</p>
<p>Example to turn on NotificationsEnabled:</p>
Boolean value for sending notification to the user of a context change.
Default value is False.
Supported operations are Get and Replace.
Example to turn on NotificationsEnabled:
```xml
<Replace>
@ -56,45 +71,64 @@ DynamicManagement
</Item>
</Replace>
```
<a href="" id="activelist"></a>**ActiveList**
<p>A string containing the list of all active ContextIDs on the device. Delimeter is unicode character 0xF000..</p>
<p>Supported operation is Get.</p>
A string containing the list of all active ContextIDs on the device. Delimiter is unicode character 0xF000.
Supported operation is Get.
<a href="" id="contexts"></a>**Contexts**
<p>Node for context information.</p>
<p>Supported operation is Get.</p>
Node for context information.
Supported operation is Get.
<a href="" id="contextid"></a>***ContextID***
<p>Node created by the server to define a context. Maximum number of characters allowed is 38.</p>
<p>Supported operations are Add, Get, and Delete.</p>
Node created by the server to define a context. Maximum number of characters allowed is 38.
Supported operations are Add, Get, and Delete.
<a href="" id="signaldefinition"></a>**SignalDefinition**
<p>Signal Definition XML.</p>
<p>Value type is string. Supported operations are Add, Get, Delete, and Replace.</p>
Signal Definition XML.
Value type is string.
Supported operations are Add, Get, Delete, and Replace.
<a href="" id="settingspack"></a>**SettingsPack**
<p>Settings that get applied when the Context is active.</p>
<p>Value type is string. Supported operations are Add, Get, Delete, and Replace.</p>
Settings that get applied when the Context is active.
Value type is string.
Supported operations are Add, Get, Delete, and Replace.
<a href="" id="settingspackresponse"></a>**SettingsPackResponse**
<p>Response from applying a Settings Pack that contains information on each individual action.</p>
<p>Value type is string. Supported operation is Get.</p>
Response from applying a Settings Pack that contains information on each individual action.
Value type is string.
Supported operation is Get.
<a href="" id="contextstatus"></a>**ContextStatus**
<p>Reports status of the context. If there was a failure, SettingsPackResponse should be checked for what exactly failed.</p>
<p>Value type is integer. Supported operation is Get.</p>
Reports status of the context. If there was a failure, SettingsPackResponse should be checked for what exactly is failed.
Value type is integer.
Supported operation is Get.
<a href="" id="altitude"></a>**Altitude**
<p>A value that determines how to handle conflict resolution of applying multiple contexts on the device. This value is required and must be distinct of other priorities.</p>
<p>Value type is integer. Supported operations are Add, Get, Delete, and Replace.</p>
A value that determines how to handle conflict resolution of applying multiple contexts on the device. This is required and must be distinct of other priorities.
Value type is integer.
Supported operations are Add, Get, Delete, and Replace.
<a href="" id="alertsenabled"></a>**AlertsEnabled**
<p>A Boolean value for sending an alert to the server when a context fails.</p>
<p>Supported operations are Get and Replace.</p>
A Boolean value for sending an alert to the server when a context fails.
Supported operations are Get and Replace.
## Examples
Disable Cortana based on Geo location and time, From 9am-5pm, when in the 100-meters radius of the specified latitude/longitude
Disable Cortana based on Geo location and time, from 9am-5pm, when in the 100-meters radius of the specified latitude/longitude
```xml
<Replace>
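Review bot: the ContextStatus rewrite changes "what exactly failed" to "what exactly is failed", which is ungrammatical; keep "what exactly failed". In Altitude, "This value is required" became "This is required", losing its subject, and "distinct of other priorities" should be "distinct from other priorities"; the altitude is what resolves conflicts between overlapping contexts, so the uniqueness requirement is the part of that sentence worth keeping precise. In the Examples lead-in, "100-meters radius" should be "100-meter radius", and the sentence needs a terminating colon to match the other example captions ("Delete a context:", "Get ContextStatus and SignalDefinition from a specific context:").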
@ -203,7 +237,7 @@ Disable camera using network trigger with time trigger, from 9-5, when ip4 gatew
</Replace>
```
Delete a context
Delete a context:
```xml
<Delete>
@ -216,7 +250,7 @@ Delete a context
</Delete>
```
Get ContextStatus and SignalDefinition from a specific context
Get ContextStatus and SignalDefinition from a specific context:
```xml
<Get>
@ -236,3 +270,7 @@ Get ContextStatus and SignalDefinition from a specific context
</Item>
</Get>
```
## Related articles
[Configuration service provider reference](configuration-service-provider-reference.md)

View File

@ -14,6 +14,15 @@ ms.date: 06/26/2017
# EMAIL2 CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The EMAIL2 configuration service provider (CSP) is used to configure Simple Mail Transfer Protocol (SMTP) email accounts.
@ -81,9 +90,8 @@ Supported operations are Get, Add, and Delete.
The braces {} around the GUID are required in the EMAIL2 configuration service provider.
- For OMA Client Provisioning, the braces can be sent literally. For example, `<characteristic type="{C556E16F-56C4-4edb-9C64-D9469EE1FBE0}"/>`.
- For OMA DM, the braces must be sent using ASCII values of 0x7B and 0x7D respectively. For example, `<Target><LocURI>./Vendor/MSFT/EMAIL2/0x7BC556E16F-56C4-4edb-9C64-D9469EE1FBE0x7D</LocURI></Target>`
- For OMA Client Provisioning, the braces can be sent literally. For example, `<characteristic type="{C556E16F-56C4-4edb-9C64-D9469EE1FBE0}"/>`
- For OMA DM, the braces must be sent using ASCII values of 0x7B and 0x7D respectively. For example, `<Target><LocURI>./Vendor/MSFT/EMAIL2/0x7BC556E16F-56C4-4edb-9C64-D9469EE1FBE0x7D</LocURI></Target>`
<a href="" id="accounticon"></a>**ACCOUNTICON**
Optional. Returns the location of the icon associated with the account.
@ -99,9 +107,8 @@ Supported operations are Get, Add, Replace, and Delete.
Valid values are:
- Email: normal email
- VVM: visual voice mail
- Email: Normal email
- VVM: Visual voice mail
<a href="" id="authname"></a>**AUTHNAME**
Required. Character string that specifies the name used to authorize the user to a specific email account (also known as the user's logon name).
@ -113,16 +120,14 @@ Optional. Character string that specifies whether the outgoing server requires a
Supported operations are Get, Add, Replace, and Delete.
Value options:
Value options are:
- 0 - Server authentication isn't required.
- 1 - Server authentication is required.
- 0 - Server authentication isn't required.
- 1 - Server authentication is required.
> [!NOTE]
> If this value isn't specified, then no SMTP authentication is done. Also, this is different from SMTPALTENABLED.
 
<a href="" id="authsecret"></a>**AUTHSECRET**
Optional. Character string that specifies the user's password. The same password is used for SMTP authentication.
@ -140,18 +145,15 @@ Supported operations are Get, Add, Replace, and Delete.
Value options:
- -1: Specifies that all email currently on the server should be downloaded.
- 7: Specifies that seven days worth of email should be downloaded.
- 14: Specifies that 14 days worth of email should be downloaded.
- 30: Specifies that 30 days worth of email should be downloaded.
- -1: Specifies that all email currently on the server should be downloaded.
- 7: Specifies that seven days worth of email should be downloaded.
- 14: Specifies that 14 days worth of email should be downloaded.
- 30: Specifies that 30 days worth of email should be downloaded.
<a href="" id="inserver"></a>**INSERVER**
Required. Character string that specifies the name of the incoming server name and port number. This string is limited to 62 characters. If the standard port number is used, then you don't have to specify the port number. The value format is:
- server name:port number
- server name:port number
Supported operations are Get, Add, and Replace.
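Review bot: the download-window bullets change only in whitespace, so take the chance to fix the possessive: "seven days worth", "14 days worth" and "30 days worth" should be "seven days' worth", "14 days' worth" and "30 days' worth". INSERVER's "the name of the incoming server name and port number" repeats "name"; "the incoming server name and port number" is enough.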
@ -162,20 +164,16 @@ Supported operations are Get, Add, Replace, and Delete.
Value options:
- 0 - Email updates must be performed manually.
- 15 (default) - Wait for 15 minutes between updates.
- 30 - Wait for 30 minutes between updates.
- 60 - Wait for 60 minutes between updates.
- 120 - Wait for 120 minutes between updates.
- 0 - Email updates must be performed manually
- 15 (default) - Wait for 15 minutes between updates
- 30 - Wait for 30 minutes between updates
- 60 - Wait for 60 minutes between updates
- 120 - Wait for 120 minutes between updates.
<a href="" id="keepmax"></a>**KEEPMAX**
Optional. Specifies the maximum size for a message attachment. Attachments beyond this size will not be downloaded but it will remain on the server. The message itself will be downloaded. This value can be set only for IMAP4 accounts.
The limit is specified in KB
The limit is specified in KB.
Value options are 0, 25, 50, 125, and 250.
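Review bot: the new version of the update-interval list drops the trailing period from the 0, 15, 30 and 60 items but keeps it on "120 - Wait for 120 minutes between updates."; make all five consistent. In the unchanged KEEPMAX context, "Attachments beyond this size will not be downloaded but it will remain on the server" has a number disagreement; "they will remain on the server" is correct.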
@ -191,7 +189,7 @@ Supported operations are Get, Add, Replace, and Delete.
<a href="" id="outserver"></a>**OUTSERVER**
Required. Character string that specifies the name of the messaging service's outgoing email server. Limited to 62 characters. The value format is:
- server name:port number
- server name:port number
Supported operations are Get, Add, Delete, and Replace.
@ -208,8 +206,6 @@ Supported operations are Get, Add, Replace, and Delete.
> [!NOTE]
> The EMAIL2 Configuration Service Provider doesn't support the OMA DM **Replace** command on the parameters **SERVICENAME** and **SERVICETYPE**. To replace either the email account name or the account service type, the existing email account must be deleted and then a new one must be created.
 
<a href="" id="servicetype"></a>**SERVICETYPE**
Required. Character string that specifies the type of email service to create or edit (for example, "IMAP4" or "POP3").
@ -217,8 +213,6 @@ Supported operations are Get, Add, Replace, and Delete.
> **Note**   The EMAIL2 Configuration Service Provider doesn't support the OMA DM **Replace** command on the parameters **SERVICENAME** and **SERVICETYPE**. To replace either the email account name or the account service type, the existing email account must be deleted and then a new one must be created.
 
<a href="" id="retrieve"></a>**RETRIEVE**
Optional. Specifies the maximum size in bytes for messages retrieved from the incoming email server. Messages beyond this size are retrieved, but truncated.
@ -227,10 +221,10 @@ Value options are 512, 1024, 2048, 5120, 20480, and 51200.
Supported operations are Get, Add, Replace, and Delete.
<a href="" id="serverdeleteaction"></a>**SERVERDELETEACTION**
Optional. Character string that specifies how message is deleted on server. Value options:
Optional. Character string that specifies how message is deleted on server. Value options are:
- 1 - delete message on the server
- 2 - keep the message on the server (delete to the Trash folder).
- 1 - Delete message on the server.
- 2 - Keep the message on the server (delete to the Trash folder).
Any other value results in default action, which depends on the transport.
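Review bot: SERVERDELETEACTION's sentence "specifies how message is deleted on server" is missing its articles in both the old and the new line; "specifies how a message is deleted on the server" reads correctly. "Any other value results in default action" likewise wants "the default action".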
@ -244,19 +238,19 @@ Value type is string. Supported operations are Get, Add, Replace, and Delete.
<a href="" id="syncingcontenttypes"></a>**SYNCINGCONTENTTYPES**
Required. Specifies a bitmask for which content types are supported for syncing, like Mail, Contacts, and Calendar.
- No data (0x0)
- Contacts (0x1)
- Mail (0x2)
- Appointments (0x4)
- Tasks (0x8)
- Notes (0x10)
- Feeds (0x60)
- Network Photo (0x180)
- Group and room (0x200)
- Chat (0x400)
- Email Recipient Email (0x800)
- Server Link (0x1000)
- All items (0xffffffff)
- No data (0x0)
- Contacts (0x1)
- Mail (0x2)
- Appointments (0x4)
- Tasks (0x8)
- Notes (0x10)
- Feeds (0x60)
- Network Photo (0x180)
- Group and room (0x200)
- Chat (0x400)
- Email Recipient Email (0x800)
- Server Link (0x1000)
- All items (0xffffffff)
Supported operations are Get, Add, Replace, and Delete.
@ -322,10 +316,10 @@ Optional. Character string that specifies if the incoming email server requires
Supported operations are Get, Add, Replace, and Delete.
Value options:
Value options are:
- 0 - SSL isn't required.
- 1 - SSL is required.
- 0 - SSL isn't required.
- 1 - SSL is required.
<a href="" id="tagprops-812c000b"></a>**TAGPROPS/812C000B**
Optional. Character string that specifies if the outgoing email server requires SSL.
@ -334,37 +328,28 @@ Supported operations are Get and Replace.
Value options:
- 0 - SSL isn't required.
- 1 - SSL is required.
- 0 - SSL isn't required.
- 1 - SSL is required.
## Remarks
When an application removal or configuration roll-back is provisioned, the EMAIL2 CSP passes the request to Configuration Manager, which handles the transaction externally. When a MAPI application is removed, the accounts that were created with it are deleted. All messages and other properties that the transport (like Short Message Service \[SMS\], Post Office Protocol \[POP\], or Simple Mail Transfer Protocol \[SMTP\]) might have stored, are lost. If an attempt to create a new email account is unsuccessful, the new account is automatically deleted. If an attempt to edit an existing account is unsuccessful, the original configuration is automatically rolled back (restored).
For OMA DM, the EMAIL2 CSP handles the Replace command differently from most other configuration service providers. For the EMAIL2 CSP, Configuration Manager implicitly adds the missing part of the node to be replaced or any segment in the path of the node if it's left out in the \<LocURI>\</LocURI\> block. There are separate parameters defined for the outgoing server logon credentials. The following are the usage rules for these credentials:
- The incoming server logon credentials are used (AUTHNAME, AUTHSECRET, and DOMAIN) unless the outgoing server credentials are set.
- If some of the outgoing server credentials parameters are present, then the EMAIL2 Configuration Service Provider will be considered in error.
- Account details cannot be queried unless the account GUID is known. Currently, there's no way to perform a top-level query for account GUIDs.
- The incoming server logon credentials are used (AUTHNAME, AUTHSECRET, and DOMAIN) unless the outgoing server credentials are set.
- If some of the outgoing server credentials parameters are present, then the EMAIL2 Configuration Service Provider will be considered in error.
- Account details can't be queried unless the account GUID is known. Currently, there's no way to perform a top-level query for account GUIDs.
If the connection to the mail server is initiated with deferred SSL, the mail server can send STARTTLS as a server capability and TLS will be enabled. The following steps show how to enable TLS.
1. The device attempts to connect to the mail server using SSL.
2. If the SSL connection fails, the device attempts to connect using deferred SSL.
3. If the connection fails over both SSL and deferred SSL, and the user selected **Server requires encrypted (SSL) connection**, the device doesn't attempt another connection.
4. If the user didn't select **Server requires encrypted (SSL) connection**, the device attempts to establish a non-SSL connection.
5. If the connection succeeds using any of the encryption protocols, the device requests the server capabilities.
6. If one of the capabilities sent by the mail server is STARTTLS and the connection is deferred SSL, then the device enables TLS. TLS isn't enabled on connections using SSL or non-SSL.
1. The device attempts to connect to the mail server using SSL
2. If the SSL connection fails, the device attempts to connect using deferred SSL
3. If the connection fails over both SSL and deferred SSL, and the user selected **Server requires encrypted (SSL) connection**, the device doesn't attempt another connection
4. If the user didn't select **Server requires encrypted (SSL) connection**, the device attempts to establish a non-SSL connection
5. If the connection succeeds using any of the encryption protocols, the device requests the server capabilities.
6. If one of the capabilities sent by the mail server is STARTTLS and the connection is deferred SSL, then the device enables TLS. TLS isn't enabled on connections using SSL or non-SSL.
## Related articles
[Configuration service provider reference](configuration-service-provider-reference.md)
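Review bot: the renumbered TLS steps drop the terminal period from steps 1 to 4 but keep it on steps 5 and 6; pick one style. The sequence also deserves one explicit sentence, because it documents a downgrade path: per step 4, when **Server requires encrypted (SSL) connection** isn't selected the client falls back to a non-SSL connection after SSL and deferred SSL fail, and per step 6 STARTTLS is honoured only on the deferred-SSL connection. Stating plainly that on the non-SSL fallback the session, including the AUTHNAME/AUTHSECRET credentials described above, is sent without encryption unless the SSL-required settings (the incoming-server option described above and TAGPROPS/812C000B for the outgoing server) are configured would help administrators choose the right values. Separately, "Account details cannot be queried" to "can't" is consistent with the contraction style used elsewhere in the commit.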

View File

@ -16,18 +16,6 @@ ms.topic: article
# What does USMT migrate?
## In this topic
- [Default migration scripts](#bkmk-defaultmigscripts)
- [User Data](#bkmk-3)
- [Operating-system components](#bkmk-4)
- [Supported applications](#bkmk-2)
- [What USMT does not migrate](#no)
## <a href="" id="bkmk-defaultmigscripts"></a>Default migration scripts
The User State Migration Tool (USMT) 10.0 is designed so that an IT engineer can precisely define migrations using the USMT .xml scripting language. USMT provides the following sample scripts:
@ -106,7 +94,7 @@ The following components are migrated by default using the manifest files:
- Fonts
- Group membership. USMT migrates users group settings. The groups to which a user belongs can be found by right-clicking **My Computer** on the Start menu and then clicking **Manage**. When running an offline migration, the use of a **&lt;ProfileControl&gt;** section in the Config.xml file is required.
- Group membership. USMT migrates users group settings. The groups to which a user belongs can be found by right-clicking **My Computer** on the Start menu and then selecting **Manage**. When running an offline migration, the use of a **&lt;ProfileControl&gt;** section in the Config.xml file is required.
- \*Windows Internet Explorer® settings
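Review bot: "USMT migrates users group settings" needs the possessive apostrophe ("users' group settings"); since the line is being reworded ("clicking" to "selecting") anyway, fix it here. Consider also whether "right-clicking **My Computer** on the Start menu" still matches the Windows 10/11 shell, which names the item **This PC**, if the rest of the article has been updated for those versions.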
@ -138,17 +126,17 @@ The following components are migrated by default using the manifest files:
- Windows Rights Management
\* These settings are not available for an offline migration. For more information, see [Offline Migration Reference](offline-migration-reference.md).
\* These settings aren't available for an offline migration. For more information, see [Offline Migration Reference](offline-migration-reference.md).
> [!IMPORTANT]
> This list may not be complete. There may be additional components that are migrated.
> [!NOTE]
> Some settings, such as fonts, are not applied by the LoadState tool until after the destination computer has been restarted. For this reason, restart the destination computer after you run the LoadState tool.
> Some settings, such as fonts, aren't applied by the LoadState tool until after the destination computer has been restarted. For this reason, restart the destination computer after you run the LoadState tool.
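Review bot: the IMPORTANT alert says the same thing twice ("This list may not be complete. There may be additional components that are migrated."); one sentence such as "This list may not be complete; USMT may migrate additional components." is enough.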
## <a href="" id="bkmk-2"></a>Supported applications
Although it is not required for all applications, it is good practice to install all applications on the destination computer before restoring the user state. Installing applications before migrating settings helps to ensure that the migrated settings are not overwritten by the application installers.
Even though it's not required for all applications, it's good practice to install all applications on the destination computer before restoring the user state. Installing applications before migrating settings helps to ensure that migrated settings aren't overwritten by the application installers.
> [!NOTE]
>
@ -204,9 +192,9 @@ When you specify the MigApp.xml file, USMT migrates the settings for the followi
|Yahoo Messenger|9|
|Microsoft Zune™ Software|3|
## <a href="" id="no"></a>What USMT does not migrate
## <a href="" id="no"></a>What USMT doesn't migrate
The following is a list of the settings that USMT does not migrate. If you are having a problem that is not listed here, see [Common Issues](usmt-common-issues.md).
The following is a list of the settings that USMT doesn't migrate. If you are having a problem that isn't listed here, see [Common Issues](usmt-common-issues.md).
### Application settings
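Review bot: the contraction pass is incomplete on the changed line: "If you are having a problem that isn't listed here" leaves "you are" uncontracted right next to "isn't"; use "If you're having". The lead sentence could also be tightened from "The following is a list of the settings that USMT doesn't migrate." to "USMT doesn't migrate the following settings."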
@ -218,7 +206,7 @@ USMT does not migrate the following application settings:
- Microsoft Project settings, when migrating from Office 2003 to Office 2007 system.
- ICQ Pro settings, if ICQ Pro is installed in a different location on the destination computer. To successfully migrate the settings of ICQ Pro, you must install ICQ Pro in the same location on the destination computer as it was on the source computer. Otherwise, after you run the LoadState tool, the application will not start. You may encounter problems when:
- ICQ Pro settings, if ICQ Pro is installed in a different location on the destination computer. To successfully migrate the settings of ICQ Pro, you must install ICQ Pro in the same location on the destination computer as it was on the source computer. Otherwise, after you run the LoadState tool, the application won't start. You may encounter problems when:
- You change the default installation location on 32-bit destination computers.
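Review bot: the unchanged Microsoft Project bullet in this hunk is missing an article in "when migrating from Office 2003 to Office 2007 system"; the product was named "the 2007 Office system", so "from Office 2003 to the 2007 Office system" reads correctly, and since the neighbouring ICQ Pro bullet is already being edited this is a good moment to fix it.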
@ -230,7 +218,7 @@ USMT does not migrate the following operating-system settings.
- Local printers, hardware-related settings, drivers, passwords, application binary files, synchronization files, DLL files, or other executable files.
- Permissions for shared folders. After migration, you must manually re-share any folders that were shared on the source computer.
- Permissions for shared folders. After migration, you must manually reshare any folders that were shared on the source computer.
- Files and settings migrating between operating systems with different languages. The operating system of the source computer must match the language of the operating system on the destination computer.
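Review bot: "reshare" on the changed line reads like a typo; "re-share" (the original form) or "share again" is clearer. Because the same line states that permissions for shared folders aren't migrated, it is worth saying explicitly that the share permissions have to be reapplied by hand as well, not just the share itself, so readers don't assume the ACLs come across with the files.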
@ -240,7 +228,7 @@ USMT does not migrate the following operating-system settings.
You should also note the following:
- You should run USMT from an account with administrative credentials. Otherwise, some data will not migrate. When running the ScanState and LoadState tools you must run the tools in Administrator mode from an account with administrative credentials. If you do not run USMT in Administrator mode, only the user profile that is logged on will be included in the migration. In addition, you must run the ScanState tool on Windows XP from an account with administrative credentials. Otherwise, some operating-system settings will not migrate. To run in Administrator mode, click **Start**, click **All Programs**, click **Accessories**, right-click **Command Prompt**, and then click **Run as administrator**.
- You should run USMT from an account with administrative credentials. Otherwise, some data will not migrate. When running the ScanState and LoadState tools you must run the tools in Administrator mode from an account with administrative credentials. If you don't run USMT in Administrator mode, only the user profile that is logged on will be included in the migration. In addition, you must run the ScanState tool on Windows XP from an account with administrative credentials. Otherwise, some operating-system settings will not migrate. To run in Administrator mode, select **Start**, **All Programs**, **Accessories**, right-click **Command Prompt**, and then select **Run as administrator**.
- You can use the /**localonly** option to exclude the data from removable drives and network drives mapped on the source computer. For more information about what is excluded when you specify /**localonly**, see [ScanState Syntax](usmt-scanstate-syntax.md).
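Review bot: the first bullet contradicts itself on the changed line: it opens with "You should run USMT from an account with administrative credentials" and then says "you must run the tools in Administrator mode from an account with administrative credentials"; since the consequence (only the logged-on profile is captured) loses data, "must" is the right word in both places. The contraction pass is also inconsistent here: "will not migrate" appears twice beside "don't". Finally, `/**localonly**` mixes a literal slash with bold; `/localonly` as inline code is clearer in both places it appears.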
@ -248,6 +236,10 @@ You should also note the following:
Starting in Windows 10, version 1607 the USMT does not migrate the Start menu layout. To migrate a user's Start menu, you must export and then import settings using the Windows PowerShell cmdlets **Export-StartLayout** and **Import-StartLayout**. For more information, see [USMT common issues](./usmt-common-issues.md#usmt-does-not-migrate-the-start-layout).
### User profiles from Active Directory to Azure Active Directory
USMT doesn't support migrating user profiles from Active Directory to Azure Active Directory.
## Related topics
[Plan your migration](usmt-plan-your-migration.md)
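Review bot: "Starting in Windows 10, version 1607 the USMT does not migrate" needs a comma after "1607" and should use "doesn't" to match the rest of this change: "Starting in Windows 10, version 1607, USMT doesn't migrate the Start menu layout". The "## Related topics" heading is also left as "topics" while this same pull request changes "topic" to "article" in the BitLocker files; "Related articles" would be consistent.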
windows/hub/doc-test.md Normal file
@ -0,0 +1,154 @@
---
title: Doc team test
description: A test article for the doc team's use.
ms.date: 05/10/2022
ms.prod: windows
ms.technology: windows
ms.topic: reference
ms.localizationpriority: null
ROBOTS: NOINDEX
author: aczechowski
ms.author: aaroncz
ms.reviewer: mstewart
manager: dougeby
---
# Doc team test
This article is for testing purposes only.
> [!NOTE]
> For more markdown examples and tips, see the **template.md** file at the root of the repository. Including examples of links and images.
## Basic Markdown and GFM
All basic and Github-flavored markdown is supported. For more information, see:
- [Baseline markdown syntax](https://daringfireball.net/projects/markdown/syntax)
- [Github-flavored markdown (GFM) documentation](https://guides.github.com/features/mastering-markdown)
## Headings
Examples of first and second-level headings are above.
There **must** be only one first level heading in your article, which will be displayed as the on-page title.
Second-level headings will generate the on-page TOC that appears in the "In this article" section underneath the on-page title.
### Third-level heading (`###`)
#### Fourth-level heading (`####`)
##### Fifth-level heading (`#####`)
## Text styling
_Italics_ (`_`)
**Bold** (`**`)
~~Strikethrough~~ (`~~`)
## Lists
### Ordered lists
1. This
1. Is
1. An
1. Ordered
1. List
#### Ordered list with an embedded list
1. Here
1. Comes
1. An
1. Embedded
1. Scarlett
1. Professor Plum
1. Ordered
1. List
### Unordered Lists
- This
- Is
- A
- Bulleted
- List
#### Unordered list with an embedded list
- This
- Bulleted
- List
- Peacock
- Green
- Contains
- Other
1. Colonel Mustard
1. Yellow
1. gold
1. White
1. cream
1. silver
- Lists
## Horizontal rule
---
## Tables
| Tables | Are | Cool |
|---------------------|:-------------:|------:|
| Column 3 is | Right-aligned | $1600 |
| Column 2 is | Centered | $12 |
| Column 1 is default | Left-aligned | $1 |
## Code
### Code block
```json
{
"aggregator": {
"batchSize": 1000,
flushTimeout": "00:00:30"
}
}
```
### In-line code
This example is for `in-line code`.
## Blockquotes
> The drought had lasted now for ten million years, and the reign of the terrible lizards had long since ended. Here on the Equator, in the continent which would one day be known as Africa, the battle for existence had reached a new climax of ferocity, and the victor was not yet in sight. In this barren and desiccated land, only the small or the swift or the fierce could flourish, or even hope to survive.
## Alerts
### Note
> [!NOTE]
> This alert is a NOTE
### Warning
> [!WARNING]
> This alert is a WARNING
### Tip
> [!TIP]
> This alert is a TIP
### Caution
> [!CAUTION]
> This alert is a CAUTION
### Important
> [!IMPORTANT]
> This alert is a IMPORTANT
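Review bot: the JSON in the "Code block" section is invalid: `flushTimeout": "00:00:30"` is missing the opening quote on the key and should be `"flushTimeout": "00:00:30"`; a test page meant to exercise code rendering should at least contain well-formed code. Two smaller items in the same file: "This alert is a IMPORTANT" should be "an IMPORTANT", and "Github" should be spelled "GitHub" in both the "Basic Markdown and GFM" sentence and the link text.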
@ -30,7 +30,7 @@ This article depicts the BitLocker deployment comparison chart.
| Requirements |Microsoft Intune |Microsoft Endpoint Configuration Manager |Microsoft BitLocker Administration and Monitoring (MBAM) |
|---------|---------|---------|---------|
|Minimum client operating system version |Windows 11 and Windows 10 | Windows 11, Windows 10, and Windows 8.1 | Windows 7, Windows 8, Windows 8.1, Windows 10, and Windows 10 IoT |
|Minimum client operating system version |Windows 11 and Windows 10 | Windows 11, Windows 10, and Windows 8.1 | Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 10 IoT, and Windows 11 |
|Supported Windows SKUs | Enterprise, Pro, Education | Enterprise, Pro, Education | Enterprise |
|Minimum Windows version |1909 | None | None |
|Supported domain-joined status | Microsoft Azure Active Directory (Azure AD) joined, hybrid Azure AD joined | Active Directory joined, hybrid Azure AD joined | Active Directory joined |
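Review bot: the row label "Minimum client operating system version" no longer matches the cell contents, which list every supported version for each product rather than a minimum (the MBAM cell now enumerates six versions ending with "and Windows 11"); either rename the row to "Supported client operating system versions" or keep the label and list only the oldest version per column. The Windows 11 addition for MBAM also needs to line up with the "Supports Windows 11 and Windows 10" MBAM bullet in the BitLocker Device Encryption overview changed in this same pull request.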
@ -1,6 +1,6 @@
---
title: Overview of BitLocker Device Encryption in Windows
description: This topic provides an overview of how BitLocker Device Encryption can help protect data on devices running Windows.
description: This article provides an overview of how BitLocker Device Encryption can help protect data on devices running Windows.
ms.prod: m365-security
ms.mktglfcycl: explore
ms.sitesec: library
@ -26,28 +26,28 @@ ms.custom: bitlocker
- Windows 11
- Windows Server 2016 and above
This topic explains how BitLocker Device Encryption can help protect data on devices running Windows.
For a general overview and list of topics about BitLocker, see [BitLocker](bitlocker-overview.md).
This article explains how BitLocker Device Encryption can help protect data on devices running Windows.
For a general overview and list of articles about BitLocker, see [BitLocker](bitlocker-overview.md).
When users travel, their organizations confidential data goes with them. Wherever confidential data is stored, it must be protected against unauthorized access. Windows has a long history of providing at-rest data-protection solutions that guard against nefarious attackers, beginning with the Encrypting File System in the Windows 2000 operating system. More recently, BitLocker has provided encryption for full drives and portable drives. Windows consistently improves data protection by improving existing options and by providing new strategies.
Table 2 lists specific data-protection concerns and how they are addressed in Windows 11, Windows 10, and Windows 7.
Table 2 lists specific data-protection concerns and how they're addressed in Windows 11, Windows 10, and Windows 7.
**Table 2. Data Protection in Windows 11, Windows 10, and Windows 7**
| Windows 7 | Windows 11 and Windows 10 |
|---|---|
| When BitLocker is used with a PIN to protect startup, PCs such as kiosks cannot be restarted remotely. | Modern Windows devices are increasingly protected with BitLocker Device Encryption out of the box and support SSO to seamlessly protect the BitLocker encryption keys from cold boot attacks.<br><br>Network Unlock allows PCs to start automatically when connected to the internal network. |
| When BitLocker is used with a PIN to protect startup, PCs such as kiosks can't be restarted remotely. | Modern Windows devices are increasingly protected with BitLocker Device Encryption out of the box and support SSO to seamlessly protect the BitLocker encryption keys from cold boot attacks.<br><br>Network Unlock allows PCs to start automatically when connected to the internal network. |
| When BitLocker is enabled, the provisioning process can take several hours. | BitLocker pre-provisioning, encrypting hard drives, and Used Space Only encryption allow administrators to enable BitLocker quickly on new computers. |
| There is no support for using BitLocker with self-encrypting drives (SEDs). | BitLocker supports offloading encryption to encrypted hard drives. |
| There's no support for using BitLocker with self-encrypting drives (SEDs). | BitLocker supports offloading encryption to encrypted hard drives. |
| Administrators have to use separate tools to manage encrypted hard drives. | BitLocker supports encrypted hard drives with onboard encryption hardware built in, which allows administrators to use the familiar BitLocker administrative tools to manage them. |
| Encrypting a new flash drive can take more than 20 minutes. | Used Space Only encryption in BitLocker To Go allows users to encrypt removable data drives in seconds. |
| BitLocker could require users to enter a recovery key when system configuration changes occur. | BitLocker requires the user to enter a recovery key only when disk corruption occurs or when he or she loses the PIN or password. |
| BitLocker could require users to enter a recovery key when system configuration changes occur. | BitLocker requires the user to enter a recovery key only when disk corruption occurs or when you lose the PIN or password. |
| Users need to enter a PIN to start the PC, and then their password to sign in to Windows. | Modern Windows devices are increasingly protected with BitLocker Device Encryption out of the box and support SSO to help protect the BitLocker encryption keys from cold boot attacks. |
## Prepare for drive and file encryption
The best type of security measures are transparent to the user during implementation and use. Every time there is a possible delay or difficulty because of a security feature, there is strong likelihood that users will try to bypass security. This situation is especially true for data protection, and thats a scenario that organizations need to avoid.
The best type of security measures is transparent to the user during implementation and use. Every time there's a possible delay or difficulty because of a security feature, there's strong likelihood that users will try to bypass security. This situation is especially true for data protection, and thats a scenario that organizations need to avoid.
Whether youre planning to encrypt entire volumes, removable devices, or individual files, Windows 11 and Windows 10 meet your needs by providing streamlined, usable solutions. In fact, you can take several steps in advance to prepare for data encryption and make the deployment quick and smooth.
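Review bot: replacing "he or she" with "you" on the changed table row mixes persons within one sentence: "BitLocker requires the user to enter a recovery key only when disk corruption occurs or when you lose the PIN or password"; use "when the user loses the PIN or password" (or "they lose"). Apostrophes are also missing on lines this hunk touches or sits beside: "thats a scenario" should be "that's", and "organizations confidential data" / "youre planning" should be "organization's" / "you're". Lastly, "The best type of security measures is transparent to the user" is grammatical but stilted; "The best security measures are transparent to the user" is plainer.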
### TPM pre-provisioning
@ -59,13 +59,13 @@ In Windows 7, preparing the TPM for use offered a couple of challenges:
Basically, it was a big hassle. If IT staff were provisioning new PCs, they could handle all of this, but if you wanted to add BitLocker to devices that were already in users hands, those users would have struggled with the technical challenges and would either call IT for support or simply leave BitLocker disabled.
Microsoft includes instrumentation in Windows 11 and Windows 10 that enable the operating system to fully manage the TPM. There is no need to go into the BIOS, and all scenarios that required a restart have been eliminated.
Microsoft includes instrumentation in Windows 11 and Windows 10 that enable the operating system to fully manage the TPM. There's no need to go into the BIOS, and all scenarios that required a restart have been eliminated.
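Review bot: subject-verb agreement on the changed line: "Microsoft includes instrumentation ... that enable the operating system" should be "that enables", since the subject is "instrumentation". The unchanged sentence above it also has "in users hands", which needs the possessive "users' hands".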
## Deploy hard drive encryption
BitLocker is capable of encrypting entire hard drives, including both system and data drives. BitLocker pre-provisioning can drastically reduce the time required to provision new PCs with BitLocker enabled. With Windows 11 and Windows 10, administrators can turn on BitLocker and the TPM from within the Windows Preinstallation Environment before they install Windows or as part of an automated deployment task sequence without any user interaction. Combined with Used Disk Space Only encryption and a mostly empty drive (because Windows is not yet installed), it takes only a few seconds to enable BitLocker.
BitLocker is capable of encrypting entire hard drives, including both system and data drives. BitLocker pre-provisioning can drastically reduce the time required to provision new PCs with BitLocker enabled. With Windows 11 and Windows 10, administrators can turn on BitLocker and the TPM from within the Windows Pre-installation Environment before they install Windows or as part of an automated deployment task sequence without any user interaction. Combined with Used Disk Space Only encryption and a mostly empty drive (because Windows isn't yet installed), it takes only a few seconds to enable BitLocker.
With earlier versions of Windows, administrators had to enable BitLocker after Windows had been installed. Although this process could be automated, BitLocker would need to encrypt the entire drive, a process that could take anywhere from several hours to more than a day depending on drive size and performance, which significantly delayed deployment. Microsoft has improved this process through multiple features in Windows 11 and Windows 10.
With earlier versions of Windows, administrators had to enable BitLocker after Windows had been installed. Although this process could be automated, BitLocker would need to encrypt the entire drive, a process that could take anywhere from several hours to more than a day depending on drive size and performance, which delayed deployment. Microsoft has improved this process through multiple features in Windows 11 and Windows 10.
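Review bot: the changed line introduces a hyphen into a product name: "Windows Pre-installation Environment" should stay "Windows Preinstallation Environment", the official name of Windows PE. Revert that part of the edit and keep the "isn't" contraction.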
## BitLocker Device Encryption
@ -76,8 +76,8 @@ Microsoft expects that most devices in the future will pass the testing requirem
Unlike a standard BitLocker implementation, BitLocker Device Encryption is enabled automatically so that the device is always protected. The following list outlines how this happens:
* When a clean installation of Windows 11 or Windows 10 is completed and the out-of-box experience is finished, the computer is prepared for first use. As part of this preparation, BitLocker Device Encryption is initialized on the operating system drive and fixed data drives on the computer with a clear key (this is the equivalent of standard BitLocker suspended state). In this state, the drive is shown with a warning icon in Windows Explorer. The yellow warning icon is removed after the TPM protector is created and the recovery key is backed up, as explained in the following bullet points.
* If the device is not domain joined, a Microsoft account that has been granted administrative privileges on the device is required. When the administrator uses a Microsoft account to sign in, the clear key is removed, a recovery key is uploaded to the online Microsoft account, and a TPM protector is created. Should a device require the recovery key, the user will be guided to use an alternate device and navigate to a recovery key access URL to retrieve the recovery key by using his or her Microsoft account credentials.
* If the user uses a domain account to sign in, the clear key is not removed until the user joins the device to a domain and the recovery key is successfully backed up to Active Directory Domain Services (AD DS). You must enable the **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption\\Operating System Drives** Group Policy setting, and select the **Do not enable BitLocker until recovery information is stored in AD DS for operating system drives** option. With this configuration, the recovery password is created automatically when the computer joins the domain, and then the recovery key is backed up to AD DS, the TPM protector is created, and the clear key is removed.
* If the device isn't domain joined, a Microsoft account that has been granted administrative privileges on the device is required. When the administrator uses a Microsoft account to sign in, the clear key is removed, a recovery key is uploaded to the online Microsoft account, and a TPM protector is created. Should a device require the recovery key, the user will be guided to use an alternate device and navigate to a recovery key access URL to retrieve the recovery key by using his or her Microsoft account credentials.
* If the user uses a domain account to sign in, the clear key isn't removed until the user joins the device to a domain and the recovery key is successfully backed up to Active Directory Domain Services (AD DS). You must enable the **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption\\Operating System Drives** Group Policy setting, and select the **Do not enable BitLocker until recovery information is stored in AD DS for operating system drives** option. With this configuration, the recovery password is created automatically when the computer joins the domain, and then the recovery key is backed up to AD DS, the TPM protector is created, and the clear key is removed.
* Similar to signing in with a domain account, the clear key is removed when the user logs on to an Azure AD account on the device. As described in the bullet point above, the recovery password is created automatically when the user authenticates to Azure AD. Then, the recovery key is backed up to Azure AD, the TPM protector is created, and the clear key is removed.
Microsoft recommends that BitLocker Device Encryption be enabled on any systems that support it, but the automatic BitLocker Device Encryption process can be prevented by changing the following registry setting:
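Review bot: "by using his or her Microsoft account credentials" is kept in the second bullet here while the table hunk earlier in this same file replaces "he or she" with "you"; pick one form and apply it throughout, preferably "their Microsoft account credentials". The parenthetical "(this is the equivalent of standard BitLocker suspended state)" in the first bullet also needs an article: "the equivalent of the standard BitLocker suspended state".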
@ -92,9 +92,9 @@ Administrators can manage domain-joined devices that have BitLocker Device Encry
## Used Disk Space Only encryption
BitLocker in earlier Windows versions could take a long time to encrypt a drive, because it encrypted every byte on the volume (including parts that did not have data). That is still the most secure way to encrypt a drive, especially if a drive has previously contained confidential data that has since been moved or deleted. In that case, traces of the confidential data could remain on portions of the drive marked as unused.
BitLocker in earlier Windows versions could take a long time to encrypt a drive, because it encrypted every byte on the volume (including parts that didn't have data). That is still the most secure way to encrypt a drive, especially if a drive has previously contained confidential data that has since been moved or deleted. In that case, traces of the confidential data could remain on portions of the drive marked as unused.
But why encrypt a new drive when you can simply encrypt the data as it is being written? To reduce encryption time, BitLocker in Windows 11 and Windows 10 let users choose to encrypt just their data. Depending on the amount of data on the drive, this option can reduce encryption time by more than 99 percent.
Exercise caution when encrypting only used space on an existing volume on which confidential data may have already been stored in an unencrypted state, however, because those sectors can be recovered through disk-recovery tools until they are overwritten by new encrypted data. In contrast, encrypting only used space on a brand-new volume can significantly decrease deployment time without the security risk because all new data will be encrypted as it is written to the disk.
Exercise caution when encrypting only used space on an existing volume on which confidential data may have already been stored in an unencrypted state, however, because those sectors can be recovered through disk-recovery tools until they're overwritten by new encrypted data. In contrast, encrypting only used space on a brand-new volume can significantly decrease deployment time without the security risk because all new data will be encrypted as it's written to the disk.
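Review bot: the unchanged sentence in the middle of this hunk has a number-agreement error worth fixing while the section is being edited: "BitLocker in Windows 11 and Windows 10 let users choose" should be "lets users choose". For consistency with the surrounding contraction changes, "That is still the most secure way" on the changed line should read "That's still the most secure way".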
## Encrypted hard drive support
@ -105,22 +105,22 @@ For more information about encrypted hard drives, see [Encrypted Hard Drive](../
## Preboot information protection
An effective implementation of information protection, like most security controls, considers usability as well as security. Users typically prefer a simple security experience. In fact, the more transparent a security solution becomes, the more likely users are to conform to it.
It is crucial that organizations protect information on their PCs regardless of the state of the computer or the intent of users. This protection should not be cumbersome to users. One undesirable and previously commonplace situation is when the user is prompted for input during preboot, and then again during Windows logon. Challenging users for input more than once should be avoided.
Windows 11 and Windows 10 can enable a true SSO experience from the preboot environment on modern devices and in some cases even on older devices when robust information protection configurations are in place. The TPM in isolation is able to securely protect the BitLocker encryption key while it is at rest, and it can securely unlock the operating system drive. When the key is in use and thus in memory, a combination of hardware and Windows capabilities can secure the key and prevent unauthorized access through cold-boot attacks. Although other countermeasures like PIN-based unlock are available, they are not as user-friendly; depending on the devices configuration they may not offer additional security when it comes to key protection. For more information, see [BitLocker Countermeasures](bitlocker-countermeasures.md).
It's crucial that organizations protect information on their PCs regardless of the state of the computer or the intent of users. This protection shouldn't be cumbersome to users. One undesirable and previously commonplace situation is when the user is prompted for input during preboot, and then again during Windows sign in. Challenging users for input more than once should be avoided.
Windows 11 and Windows 10 can enable a true SSO experience from the preboot environment on modern devices and in some cases even on older devices when robust information protection configurations are in place. The TPM in isolation is able to securely protect the BitLocker encryption key while it is at rest, and it can securely unlock the operating system drive. When the key is in use and thus in memory, a combination of hardware and Windows capabilities can secure the key and prevent unauthorized access through cold-boot attacks. Although other countermeasures like PIN-based unlock are available, they aren't as user-friendly; depending on the devices configuration they may not offer additional security when it comes to key protection. For more information, see [BitLocker Countermeasures](bitlocker-countermeasures.md).
## Manage passwords and PINs
When BitLocker is enabled on a system drive and the PC has a TPM, you can choose to require that users type a PIN before BitLocker will unlock the drive. Such a PIN requirement can prevent an attacker who has physical access to a PC from even getting to the Windows logon, which makes it virtually impossible for the attacker to access or modify user data and system files.
When BitLocker is enabled on a system drive and the PC has a TPM, you can choose to require that users type a PIN before BitLocker will unlock the drive. Such a PIN requirement can prevent an attacker who has physical access to a PC from even getting to the Windows sign in, which makes it virtually impossible for the attacker to access or modify user data and system files.
Requiring a PIN at startup is a useful security feature because it acts as a second authentication factor (a second “something you know”). This configuration comes with some costs, however. One of the most significant is the need to change the PIN regularly. In enterprises that used BitLocker with Windows 7 and the Windows Vista operating system, users had to contact systems administrators to update their BitLocker PIN or password. This requirement not only increased management costs but made users less willing to change their BitLocker PIN or password on a regular basis.
Windows 11 and Windows 10 users can update their BitLocker PINs and passwords themselves, without administrator credentials. Not only will this feature reduce support costs, but it could improve security, too, because it encourages users to change their PINs and passwords more often. In addition, Modern Standby devices do not require a PIN for startup: They are designed to start infrequently and have other mitigations in place that further reduce the attack surface of the system.
Requiring a PIN at startup is a useful security feature because it acts as a second authentication factor (a second “something you know”). This configuration comes with some costs, however. One of the most significant is the need to change the PIN regularly. In enterprises that used BitLocker with Windows 7 and the Windows Vista operating system, users had to contact systems administrators to update their BitLocker PIN or password. This requirement not only increased management costs but made users less willing to change their BitLocker PIN or password regularly.
Windows 11 and Windows 10 users can update their BitLocker PINs and passwords themselves, without administrator credentials. Not only will this feature reduce support costs, but it could improve security, too, because it encourages users to change their PINs and passwords more often. In addition, Modern Standby devices don't require a PIN for startup: They're designed to start infrequently and have other mitigations in place that further reduce the attack surface of the system.
For more information about how startup security works and the countermeasures that Windows 11 and Windows 10 provide, see [Protect BitLocker from pre-boot attacks](./bitlocker-countermeasures.md).
## Configure Network Unlock
Some organizations have location-specific data security requirements. This is most common in environments where high-value data is stored on PCs. The network environment may provide crucial data protection and enforce mandatory authentication; therefore, policy states that those PCs should not leave the building or be disconnected from the corporate network. Safeguards like physical security locks and geofencing may help enforce this policy as reactive controls. Beyond these, a proactive security control that grants data access only when the PC is connected to the corporate network is necessary.
Some organizations have location-specific data security requirements. This is most common in environments where high-value data is stored on PCs. The network environment may provide crucial data protection and enforce mandatory authentication; therefore, policy states that those PCs shouldn't leave the building or be disconnected from the corporate network. Safeguards like physical security locks and geofencing may help enforce this policy as reactive controls. Beyond these, a proactive security control that grants data access only when the PC is connected to the corporate network is necessary.
Network Unlock enables BitLocker-protected PCs to start automatically when connected to a wired corporate network on which Windows Deployment Services runs. Anytime the PC is not connected to the corporate network, a user must type a PIN to unlock the drive (if PIN-based unlock is enabled).
Network Unlock enables BitLocker-protected PCs to start automatically when connected to a wired corporate network on which Windows Deployment Services runs. Anytime the PC isn't connected to the corporate network, a user must type a PIN to unlock the drive (if PIN-based unlock is enabled).
Network Unlock requires the following infrastructure:
* Client PCs that have Unified Extensible Firmware Interface (UEFI) firmware version 2.3.1 or later, which supports Dynamic Host Configuration Protocol (DHCP)
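Review bot: the noun form should be "sign-in" on the two changed lines ("during Windows sign-in", "getting to the Windows sign-in"); "sign in" without a hyphen is the verb. Also in this hunk: "depending on the devices configuration" needs "device's"; "They're designed to start infrequently" after a colon should start lowercase; and "while it is at rest" was left uncontracted beside "aren't".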
@ -143,11 +143,11 @@ Part of the Microsoft Desktop Optimization Pack, Microsoft BitLocker Administrat
* Enforces the BitLocker encryption policy options that you set for your enterprise.
* Integrates with existing management tools, such as Microsoft Endpoint Configuration Manager.
* Offers an IT-customizable recovery user experience.
* Supports Windows 10.
* Supports Windows 11 and Windows 10.
> [!IMPORTANT]
> Enterprises could use MBAM to manage client computers with BitLocker that are domain-joined on-premises until mainstream support ended in July 2019, or they could receive extended support until April 2026.
Going forward, the functionality of MBAM will be incorporated into Configuration Manager. For more details, see [Features in Configuration Manager technical preview version 1909](/mem/configmgr/core/get-started/2019/technical-preview-1909#bkmk_bitlocker).
Going forward, the functionality of MBAM will be incorporated into Configuration Manager. For more information, see [Features in Configuration Manager technical preview version 1909](/mem/configmgr/core/get-started/2019/technical-preview-1909#bkmk_bitlocker).
Enterprises not using Configuration Manager can use the built-in features of Azure AD and Microsoft Intune in Microsoft Endpoint Manager for administration and monitoring. For more details, see [Monitor device encryption with Intune](/mem/intune/protect/encryption-monitor).
Enterprises not using Configuration Manager can use the built-in features of Azure AD and Microsoft Intune in Microsoft Endpoint Manager for administration and monitoring. For more information, see [Monitor device encryption with Intune](/mem/intune/protect/encryption-monitor).
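Review bot: the new "Supports Windows 11 and Windows 10" bullet sits directly above an IMPORTANT alert stating that MBAM mainstream support ended in July 2019, with extended support until April 2026; a Windows 11 support claim for a product in extended support should be checked against the MBAM documentation before merge, and if it is correct, the alert could say so to remove the apparent conflict. The two "For more details" to "For more information" changes are consistent with the rest of the pull request.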