diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index fdfb90c836..715e8578ea 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -12,29 +12,94 @@ ms.prod: w10 ms.technology: windows author: vinaypamnani-msft ms.localizationpriority: medium -ms.date: 10/20/2020 +ms.date: 09/16/2022 --- # What's new in mobile device enrollment and management -This article provides information about what's new in Windows 10 and Windows 11 mobile device management (MDM) enrollment and management experience across all Windows 10 and Windows 11 devices. This article also provides details about the breaking changes and known issues and frequently asked questions. +This article provides information about what's new in Windows 10 and Windows 11 mobile device management (MDM) enrollment and management experience across all Windows 10 and Windows 11 devices. This article also provides details about the breaking changes and known issues and frequently asked questions. -For details about Microsoft mobile device management protocols for Windows 10 and Windows 11, see [\[MS-MDM\]: Mobile Device Management Protocol](/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347). +For details about Microsoft mobile device management protocols for Windows 10 and Windows 11, see [\[MS-MDM\]: Mobile Device Management Protocol](/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347). +## What's new in MDM for Windows 11, version 22H2 -## What’s new in MDM for Windows 11, version 21H2 +| New or updated article | Description | +|--|--| +| [DeviceStatus](devicestatus-csp.md) | Added the following node:
  • MDMClientCertAttestation | +| [eUUICs](euiccs-csp.md) | Added the following node:
  • IsDiscoveryServer | +| [PersonalDataEncryption](personaldataencryption-csp.md) | New CSP | +| [Policy CSP](policy-configuration-service-provider.md) | Added the following nodes:
  • Accounts/RestrictToEnterpriseDeviceAuthenticationOnly
  • DesktopAppInstaller/EnableAdditionalSources
  • DesktopAppInstaller/EnableAllowedSources
  • DesktopAppInstaller/EnableAppInstaller
  • DesktopAppInstaller/EnableDefaultSource
  • DesktopAppInstaller/EnableExperimentalFeatures
  • DesktopAppInstaller/EnableHashOverride
  • DesktopAppInstaller/EnableLocalManifestFiles
  • DesktopAppInstaller/EnableMicrosoftStoreSource
  • DesktopAppInstaller/EnableMSAppInstallerProtocol
  • DesktopAppInstaller/EnableSettings
  • DesktopAppInstaller/SourceAutoUpdateInterval
  • Education/EnableEduThemes
  • Experience/AllowSpotlightCollectionOnDesktop
  • FileExplorer/DisableGraphRecentItems
  • HumanPresence/ForceInstantDim
  • InternetExplorer/EnableGlobalWindowListInIEMode
  • InternetExplorer/HideIEAppRetirementNotification
  • InternetExplorer/ResetZoomForDialogInIEMode
  • LocalSecurityAuthority/AllowCustomSSPsAPs
  • LocalSecurityAuthority/ConfigureLsaProtectedProcess
  • MixedReality/AllowCaptivePortalBeforeLogon
  • MixedReality/AllowLaunchUriInSingleAppKiosk
  • MixedReality/AutoLogonUser
  • MixedReality/ConfigureMovingPlatform
  • MixedReality/ConfigureNtpClient
  • MixedReality/ManualDownDirectionDisabled
  • MixedReality/NtpClientEnabled
  • MixedReality/SkipCalibrationDuringSetup
  • MixedReality/SkipTrainingDuringSetup
  • NetworkListManager/AllowedTlsAuthenticationEndpoints
  • NetworkListManager/ConfiguredTLSAuthenticationNetworkName
  • Printers/ConfigureCopyFilesPolicy
  • Printers/ConfigureDriverValidationLevel
  • Printers/ConfigureIppPageCountsPolicy
  • Printers/ConfigureRedirectionGuard
  • Printers/ConfigureRpcConnectionPolicy
  • Printers/ConfigureRpcListenerPolicy
  • Printers/ConfigureRpcTcpPort
  • Printers/ManageDriverExclusionList
  • Printers/RestrictDriverInstallationToAdministrators
  • RemoteDesktopServices/DoNotAllowWebAuthnRedirection
  • Search/AllowSearchHighlights
  • Search/DisableSearch
  • SharedPC/EnabledSharedPCModeWithOneDriveSync
  • Start/DisableControlCenter
  • Start/DisableEditingQuickSettings
  • Start/HideRecommendedSection
  • Start/HideTaskViewButton
  • Start/SimplifyQuickSettings
  • Stickers/EnableStickers
  • Textinput/allowimenetworkaccess
  • Update/NoUpdateNotificationDuringActiveHours
  • WebThreatDefense/EnableService
  • WebThreatDefense/NotifyMalicious
  • WebThreatDefense/NotifyPasswordReuse
  • WebThreatDefense/NotifyUnsafeApp
  • Windowslogon/EnableMPRNotifications | +| [SecureAssessment](secureassessment-csp.md) | Added the following node:
  • Asssessments | +| [WindowsAutopilot](windowsautopilot-csp.md) | Added the following node:
  • HardwareMismatchRemediationData | + +## What's new in MDM for Windows 11, version 21H2 + +| New or updated article | Description | +|--|--| +| [Policy CSP](policy-configuration-service-provider.md) | Added the following nodes:
  • Kerberos/PKInitHashAlgorithmConfiguration
  • Kerberos/PKInitHashAlgorithmSHA1
  • Kerberos/PKInitHashAlgorithmSHA256
  • Kerberos/PKInitHashAlgorithmSHA384
  • Kerberos/PKInitHashAlgorithmSHA512
  • NewsAndInterests/AllowNewsAndInterests
  • Experiences/ConfigureChatIcon
  • Start/ConfigureStartPins
  • Virtualizationbasedtechnology/HypervisorEnforcedCodeIntegrity
  • Virtualizationbasedtechnology/RequireUEFIMemoryAttributesTable | +| [DMClient CSP](dmclient-csp.md) | Updated the description of the following nodes:
  • Provider/ProviderID/ConfigLock/Lock
  • Provider/ProviderID/ConfigLock/UnlockDuration
  • Provider/ProviderID/ConfigLock/SecuredCore | +| [PrinterProvisioning](universalprint-csp.md) | New CSP | + +## What's new in MDM for Windows 10, version 20H2 |New or updated article|Description| |-----|-----| -| [Policy CSP](policy-configuration-service-provider.md) | Added the following new policies in Windows 11, version 21H2:
    - NewsAndInterests/AllowNewsAndInterests
    - Experiences/ConfigureChatIcon
    - Start/ConfigureStartPins
    - Virtualizationbasedtechnology/HypervisorEnforcedCodeIntegrity
    - Virtualizationbasedtechnology/RequireUEFIMemoryAttributesTable | -| [DMClient CSP](dmclient-csp.md) | Updated the description of the following node:
    - Provider/ProviderID/ConfigLock/Lock
    - Provider/ProviderID/ConfigLock/UnlockDuration
    - Provider/ProviderID/ConfigLock/SecuredCore | +| [Policy CSP](policy-configuration-service-provider.md) | Added the following nodes:
  • Experience/DisableCloudOptimizedContent
  • LocalUsersAndGroups/Configure
  • MixedReality/AADGroupMembershipCacheValidityInDays
  • MixedReality/BrightnessButtonDisabled
  • MixedReality/FallbackDiagnostics
  • MixedReality/MicrophoneDisabled
  • MixedReality/VolumeButtonDisabled
  • Multitasking/BrowserAltTabBlowout| +| [SurfaceHub CSP](surfacehub-csp.md) | Added the following new node:
  • Properties/SleepMode | +| [WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md) | Updated the description of the following node:
  • Settings/AllowWindowsDefenderApplicationGuard | +## What's new in MDM for Windows 10, version 2004 + +| New or updated article | Description | +|-----|-----| +| [Policy CSP](policy-configuration-service-provider.md) | Added the following nodes:
  • ApplicationManagement/BlockNonAdminUserInstall
  • Bluetooth/SetMinimumEncryptionKeySize
  • DeliveryOptimization/DOCacheHostSource
  • DeliveryOptimization/DOMaxBackgroundDownloadBandwidth
  • DeliveryOptimization/DOMaxForegroundDownloadBandwidth
  • Education/AllowGraphingCalculator
  • TextInput/ConfigureJapaneseIMEVersion
  • TextInput/ConfigureSimplifiedChineseIMEVersion
  • TextInput/ConfigureTraditionalChineseIMEVersion

    Updated the following policy in Windows 10, version 2004:
  • DeliveryOptimization/DOCacheHost

    Deprecated the following policies in Windows 10, version 2004:
  • DeliveryOptimization/DOMaxDownloadBandwidth
  • DeliveryOptimization/DOMaxUploadBandwidth
  • DeliveryOptimization/DOPercentageMaxDownloadBandwidth | +| [DevDetail CSP](devdetail-csp.md) | Added the following new node:
  • Ext/Microsoft/DNSComputerName | +| [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) | Added the following node:
  • IsStub | +| [SUPL CSP](supl-csp.md) | Added the following node:
  • FullVersion | + +## What's new in MDM for Windows 10, version 1909 + +| New or updated article | Description | +|-----|-----| +| [BitLocker CSP](bitlocker-csp.md) | Added the following nodes:
  • ConfigureRecoveryPasswordRotation
  • RotateRecoveryPasswords
  • RotateRecoveryPasswordsStatus
  • RotateRecoveryPasswordsRequestID| + +## What's new in MDM for Windows 10, version 1903 + +| New or updated article | Description | +|-----|-----| +|[Policy CSP](policy-configuration-service-provider.md) | Added the following nodes:
  • DeliveryOptimization/DODelayCacheServerFallbackBackground
  • DeliveryOptimization/DODelayCacheServerFallbackForeground
  • DeviceHealthMonitoring/AllowDeviceHealthMonitoring
  • DeviceHealthMonitoring/ConfigDeviceHealthMonitoringScope
  • DeviceHealthMonitoring/ConfigDeviceHealthMonitoringUploadDestination
  • DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs
  • DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs
  • Experience/ShowLockOnUserTile
  • InternetExplorer/AllowEnhancedSuggestionsInAddressBar
  • InternetExplorer/DisableActiveXVersionListAutoDownload
  • InternetExplorer/DisableCompatView
  • InternetExplorer/DisableFeedsBackgroundSync
  • InternetExplorer/DisableGeolocation
  • InternetExplorer/DisableWebAddressAutoComplete
  • InternetExplorer/NewTabDefaultPage
  • Power/EnergySaverBatteryThresholdOnBattery
  • Power/EnergySaverBatteryThresholdPluggedIn
  • Power/SelectLidCloseActionOnBatterybr>
  • Power/SelectLidCloseActionPluggedIn
  • Power/SelectPowerButtonActionOnBattery
  • Power/SelectPowerButtonActionPluggedIn
  • Power/SelectSleepButtonActionOnBattery
  • Power/SelectSleepButtonActionPluggedIn
  • Power/TurnOffHybridSleepOnBattery
  • Power/TurnOffHybridSleepPluggedIn
  • Power/UnattendedSleepTimeoutOnBattery
  • Power/UnattendedSleepTimeoutPluggedIn
  • Privacy/LetAppsActivateWithVoice
  • Privacy/LetAppsActivateWithVoiceAboveLock
  • Search/AllowFindMyFiles
  • ServiceControlManager/SvchostProcessMitigation
  • System/AllowCommercialDataPipelinebr>
  • System/TurnOffFileHistory
  • TimeLanguageSettings/ConfigureTimeZonebr>
  • Troubleshooting/AllowRecommendations
  • Update/AutomaticMaintenanceWakeUp
  • Update/ConfigureDeadlineForFeatureUpdates
  • Update/ConfigureDeadlineForQualityUpdates
  • Update/ConfigureDeadlineGracePeriod
  • WindowsLogon/AllowAutomaticRestartSignOn
  • WindowsLogon/ConfigAutomaticRestartSignOn
  • WindowsLogon/EnableFirstLogonAnimation| +| [Policy CSP - Audit](policy-csp-audit.md) | Added the new Audit policy CSP. | +| [ApplicationControl CSP](applicationcontrol-csp.md) | Added the new CSP. | +| [Defender CSP](defender-csp.md) | Added the following new nodes:
  • Health/TamperProtectionEnabled
  • Health/IsVirtualMachine
  • Configuration
  • Configuration/TamperProtection
  • Configuration/EnableFileHashComputation | +| [DiagnosticLog CSP](diagnosticlog-csp.md)
    [DiagnosticLog DDF](diagnosticlog-ddf.md) | Added version 1.4 of the CSP in Windows 10, version 1903.
    Added the new 1.4 version of the DDF.
    Added the following new nodes:
  • Policy
  • Policy/Channels
  • Policy/Channels/ChannelName
  • Policy/Channels/ChannelName/MaximumFileSize
  • Policy/Channels/ChannelName/SDDL
  • Policy/Channels/ChannelName/ActionWhenFull
  • Policy/Channels/ChannelName/Enabled
  • DiagnosticArchive
  • DiagnosticArchive/ArchiveDefinition
  • DiagnosticArchive/ArchiveResults | +| [EnrollmentStatusTracking CSP](enrollmentstatustracking-csp.md) | Added the new CSP. | +| [PassportForWork CSP](passportforwork-csp.md) | Added the following new nodes:
  • SecurityKey
  • SecurityKey/UseSecurityKeyForSignin | + + +## What's new in MDM for Windows 10, version 1809 + +| New or updated article | Description | +|-----|-----| +|[Policy CSP](policy-configuration-service-provider.md) | Added the following nodes:
  • ApplicationManagement/LaunchAppAfterLogOn
  • ApplicationManagement/ScheduleForceRestartForUpdateFailures
  • Authentication/EnableFastFirstSignIn (Preview mode only
  • Authentication/EnableWebSignIn (Preview mode only
  • Authentication/PreferredAadTenantDomainName
  • Browser/AllowFullScreenMode
  • Browser/AllowPrelaunch
  • Browser/AllowPrinting
  • Browser/AllowSavingHistory
  • Browser/AllowSideloadingOfExtensions
  • Browser/AllowTabPreloading
  • Browser/AllowWebContentOnNewTabPage
  • Browser/ConfigureFavoritesBar
  • Browser/ConfigureHomeButton
  • Browser/ConfigureKioskMode
  • Browser/ConfigureKioskResetAfterIdleTimeout
  • Browser/ConfigureOpenMicrosoftEdgeWith
  • Browser/ConfigureTelemetryForMicrosoft365Analytics
  • Browser/PreventCertErrorOverrides
  • Browser/SetHomeButtonURL
  • Browser/SetNewTabPageURL
  • Browser/UnlockHomeButton
  • Defender/CheckForSignaturesBeforeRunningScan
  • Defender/DisableCatchupFullScan
  • Defender/DisableCatchupQuickScan
  • Defender/EnableLowCPUPriority
  • Defender/SignatureUpdateFallbackOrder
  • Defender/SignatureUpdateFileSharesSources
  • DeviceGuard/ConfigureSystemGuardLaunch
  • DeviceInstallation/AllowInstallationOfMatchingDeviceIDs
  • DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses
  • DeviceInstallation/PreventDeviceMetadataFromNetwork
  • DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings
  • DmaGuard/DeviceEnumerationPolicy
  • Experience/AllowClipboardHistory
  • Experience/DoNotSyncBrowserSettings
  • Experience/PreventUsersFromTurningOnBrowserSyncing
  • Kerberos/UPNNameHints
  • Privacy/AllowCrossDeviceClipboard
  • Privacy/DisablePrivacyExperience
  • Privacy/UploadUserActivities
  • Security/RecoveryEnvironmentAuthentication
  • System/AllowDeviceNameInDiagnosticData
  • System/ConfigureMicrosoft365UploadEndpoint
  • System/DisableDeviceDelete
  • System/DisableDiagnosticDataViewer
  • Storage/RemovableDiskDenyWriteAccess
  • TaskManager/AllowEndTask
  • Update/DisableWUfBSafeguards
  • Update/EngagedRestartDeadlineForFeatureUpdates
  • Update/EngagedRestartSnoozeScheduleForFeatureUpdates
  • Update/EngagedRestartTransitionScheduleForFeatureUpdates
  • Update/SetDisablePauseUXAccess
  • Update/SetDisableUXWUAccess
  • WindowsDefenderSecurityCenter/DisableClearTpmButton
  • WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning
  • WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl
  • WindowsLogon/DontDisplayNetworkSelectionUI | +| [BitLocker CSP](bitlocker-csp.md) | Added a new node AllowStandardUserEncryption.
  • Added support for Windows 10 Pro. | +| [Defender CSP](defender-csp.md) | Added a new node Health/ProductStatus. | +| [DevDetail CSP](devdetail-csp.md) | Added a new node SMBIOSSerialNumber. | +| [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) | Added NonRemovable setting under AppManagement node. | +| [Office CSP](office-csp.md) | Added FinalStatus setting. | +| [PassportForWork CSP](passportforwork-csp.md) | Added new settings. | +| [RemoteWipe CSP](remotewipe-csp.md) | Added new settings. | +| [SUPL CSP](supl-csp.md) | Added three new certificate nodes. | +| [TenantLockdown CSP](tenantlockdown-csp.md) | Added new CSP. | +| [Wifi CSP](wifi-csp.md) | Added a new node WifiCost. | +| [WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md) | Added new settings. | +| [WindowsLicensing CSP](windowslicensing-csp.md) | Added S mode settings and SyncML examples. | +| [Win32CompatibilityAppraiser CSP](win32compatibilityappraiser-csp.md) | New CSP. | ## Breaking changes and known issues -### Get command inside an atomic command isn’t supported +### Get command inside an atomic command isn't supported -In Windows 10 and Windows 11, a Get command inside an atomic command isn't supported. +In Windows 10 and Windows 11, a Get command inside an atomic command isn't supported. ### Apps installed using WMI classes are not removed @@ -42,11 +107,11 @@ Applications installed using WMI classes aren't removed when the MDM account is ### Passing CDATA in SyncML does not work -Passing CDATA in data in SyncML to ConfigManager and CSPs doesn't work in Windows 10 and Windows 11. +Passing CDATA in data in SyncML to ConfigManager and CSPs doesn't work in Windows 10 and Windows 11. ### SSL settings in IIS server for SCEP must be set to "Ignore" -The certificate setting under "SSL Settings" in the IIS server for SCEP must be set to "Ignore" in Windows 10 and Windows 11. +The certificate setting under "SSL Settings" in the IIS server for SCEP must be set to "Ignore" in Windows 10 and Windows 11. ![ssl settings.](images/ssl-settings.png) @@ -62,7 +127,7 @@ Remote server unenrollment is disabled for mobile devices enrolled via Azure Act ### Certificates causing issues with Wi-Fi and VPN -In Windows 10 and Windows 11, when using the ClientCertificateInstall to install certificates to the device store and the user store and both certificates are sent to the device in the same MDM payload, the certificate intended for the device store will also get installed in the user store. This dual installation may cause issues with Wi-Fi or VPN when choosing the correct certificate to establish a connection. We're working to fix this issue. +In Windows 10 and Windows 11, when using the ClientCertificateInstall to install certificates to the device store and the user store and both certificates are sent to the device in the same MDM payload, the certificate intended for the device store will also get installed in the user store. This dual installation may cause issues with Wi-Fi or VPN when choosing the correct certificate to establish a connection. We're working to fix this issue. ### Version information for Windows 11 @@ -251,7 +316,7 @@ After the MDM client automatically renews the WNS channel URI, the MDM client wi ### User provisioning failure in Azure Active Directory-joined Windows 10 and Windows 11 devices -In Azure AD joined Windows 10 and Windows 11, provisioning /.User resources fails when the user isn't logged in as an Azure AD user. If you attempt to join Azure AD from **Settings** > **System** > **About** user interface, ensure to sign out and sign in with Azure AD credentials to get your organizational configuration from your MDM server. This behavior is by design. +In Azure AD joined Windows 10 and Windows 11, provisioning /.User resources fails when the user isn't logged in as an Azure AD user. If you attempt to join Azure AD from **Settings** > **System** > **About** user interface, ensure to sign out and sign in with Azure AD credentials to get your organizational configuration from your MDM server. This behavior is by design. ### Requirements to note for VPN certificates also used for Kerberos Authentication @@ -288,63 +353,6 @@ What data is handled by dmwappushsvc? | It's a component handling the internal w How do I turn if off? | The service can be stopped from the "Services" console on the device (Start > Run > services.msc). However, since this service is a component part of the OS and required for the proper functioning of the device, we strongly recommend not to disable the service. Disabling this service will cause your management to fail.| - -## What’s new in MDM for Windows 10, version 20H2 - -|New or updated article|Description| -|-----|-----| -| [Policy CSP](policy-configuration-service-provider.md) | Added the following new policies in Windows 10, version 20H2:
    - [Experience/DisableCloudOptimizedContent](policy-csp-experience.md#experience-disablecloudoptimizedcontent)
    - [LocalUsersAndGroups/Configure](policy-csp-localusersandgroups.md#localusersandgroups-configure)
    - [MixedReality/AADGroupMembershipCacheValidityInDays](policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays)
    - [MixedReality/BrightnessButtonDisabled](policy-csp-mixedreality.md#mixedreality-brightnessbuttondisabled)
    - [MixedReality/FallbackDiagnostics](policy-csp-mixedreality.md#mixedreality-fallbackdiagnostics)
    - [MixedReality/MicrophoneDisabled](policy-csp-mixedreality.md#mixedreality-microphonedisabled)
    - [MixedReality/VolumeButtonDisabled](policy-csp-mixedreality.md#mixedreality-volumebuttondisabled)
    - [Multitasking/BrowserAltTabBlowout](policy-csp-multitasking.md#multitasking-browseralttabblowout) | -| [SurfaceHub CSP](surfacehub-csp.md) | Added the following new node:
    - Properties/SleepMode | -| [WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md) | Updated the description of the following node:
    - Settings/AllowWindowsDefenderApplicationGuard | - -## What’s new in MDM for Windows 10, version 2004 - -| New or updated article | Description | -|-----|-----| -| [Policy CSP](policy-configuration-service-provider.md) | Added the following new policies in Windows 10, version 2004:
    - [ApplicationManagement/BlockNonAdminUserInstall](policy-csp-applicationmanagement.md#applicationmanagement-blocknonadminuserinstall)
    - [Bluetooth/SetMinimumEncryptionKeySize](policy-csp-bluetooth.md#bluetooth-setminimumencryptionkeysize)
    - [DeliveryOptimization/DOCacheHostSource](policy-csp-deliveryoptimization.md#deliveryoptimization-docachehostsource)
    - [DeliveryOptimization/DOMaxBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxbackgrounddownloadbandwidth)
    - [DeliveryOptimization/DOMaxForegroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxforegrounddownloadbandwidth)
    - [Education/AllowGraphingCalculator](policy-csp-education.md#education-allowgraphingcalculator)
    - [TextInput/ConfigureJapaneseIMEVersion](policy-csp-textinput.md#textinput-configurejapaneseimeversion)
    - [TextInput/ConfigureSimplifiedChineseIMEVersion](policy-csp-textinput.md#textinput-configuresimplifiedchineseimeversion)
    - [TextInput/ConfigureTraditionalChineseIMEVersion](policy-csp-textinput.md#textinput-configuretraditionalchineseimeversion)

    Updated the following policy in Windows 10, version 2004:
    - [DeliveryOptimization/DOCacheHost](policy-csp-deliveryoptimization.md#deliveryoptimization-docachehost)

    Deprecated the following policies in Windows 10, version 2004:
    - [DeliveryOptimization/DOMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxdownloadbandwidth)
    - [DeliveryOptimization/DOMaxUploadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxuploadbandwidth)
    - [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxdownloadbandwidth) | -| [DevDetail CSP](devdetail-csp.md) | Added the following new node:
    - Ext/Microsoft/DNSComputerName | -| [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) | Added the following new node:
    - IsStub | -| [SUPL CSP](supl-csp.md) | Added the following new node:
    - FullVersion | - -## What’s new in MDM for Windows 10, version 1909 - -| New or updated article | Description | -|-----|-----| -| [BitLocker CSP](bitlocker-csp.md) | Added the following new nodes in Windows 10, version 1909:
    - ConfigureRecoveryPasswordRotation
    - RotateRecoveryPasswords
    - RotateRecoveryPasswordsStatus
    - RotateRecoveryPasswordsRequestID| - -## What’s new in MDM for Windows 10, version 1903 - -| New or updated article | Description | -|-----|-----| -|[Policy CSP](policy-configuration-service-provider.md) | Added the following new policies in Windows 10, version 1903:
    - [DeliveryOptimization/DODelayCacheServerFallbackBackground](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackbackground)
    - [DeliveryOptimization/DODelayCacheServerFallbackForeground](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackforeground)
    - [DeviceHealthMonitoring/AllowDeviceHealthMonitoring](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-allowdevicehealthmonitoring)
    - [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringScope](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-configdevicehealthmonitoringscope)
    - [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringUploadDestination](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-configdevicehealthmonitoringuploaddestination)
    - [DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs](policy-csp-deviceinstallation.md#deviceinstallationallowinstallationofmatchingdeviceinstanceids)
    - [DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs](policy-csp-deviceinstallation.md#deviceinstallationpreventinstallationofmatchingdeviceinstanceids)
    - [Experience/ShowLockOnUserTile](policy-csp-experience.md#experience-showlockonusertile)
    - [InternetExplorer/AllowEnhancedSuggestionsInAddressBar](policy-csp-internetexplorer.md#internetexplorer-allowenhancedsuggestionsinaddressbar)
    - [InternetExplorer/DisableActiveXVersionListAutoDownload](policy-csp-internetexplorer.md#internetexplorer-disableactivexversionlistautodownload)
    - [InternetExplorer/DisableCompatView](policy-csp-internetexplorer.md#internetexplorer-disablecompatview)
    - [InternetExplorer/DisableFeedsBackgroundSync](policy-csp-internetexplorer.md#internetexplorer-disablefeedsbackgroundsync)
    - [InternetExplorer/DisableGeolocation](policy-csp-internetexplorer.md#internetexplorer-disablegeolocation)
    - [InternetExplorer/DisableWebAddressAutoComplete](policy-csp-internetexplorer.md#internetexplorer-disablewebaddressautocomplete)
    - [InternetExplorer/NewTabDefaultPage](policy-csp-internetexplorer.md#internetexplorer-newtabdefaultpage)
    - [Power/EnergySaverBatteryThresholdOnBattery](policy-csp-power.md#power-energysaverbatterythresholdonbattery)
    - [Power/EnergySaverBatteryThresholdPluggedIn](policy-csp-power.md#power-energysaverbatterythresholdpluggedin)
    - [Power/SelectLidCloseActionOnBattery](policy-csp-power.md#power-selectlidcloseactiononbattery)
    - [Power/SelectLidCloseActionPluggedIn](policy-csp-power.md#power-selectlidcloseactionpluggedin)
    - [Power/SelectPowerButtonActionOnBattery](policy-csp-power.md#power-selectpowerbuttonactiononbattery)
    - [Power/SelectPowerButtonActionPluggedIn](policy-csp-power.md#power-selectpowerbuttonactionpluggedin)
    - [Power/SelectSleepButtonActionOnBattery](policy-csp-power.md#power-selectsleepbuttonactiononbattery)
    - [Power/SelectSleepButtonActionPluggedIn](policy-csp-power.md#power-selectsleepbuttonactionpluggedin)
    - [Power/TurnOffHybridSleepOnBattery](policy-csp-power.md#power-turnoffhybridsleeponbattery)
    - [Power/TurnOffHybridSleepPluggedIn](policy-csp-power.md#power-turnoffhybridsleeppluggedin)
    - [Power/UnattendedSleepTimeoutOnBattery](policy-csp-power.md#power-unattendedsleeptimeoutonbattery)
    - [Power/UnattendedSleepTimeoutPluggedIn](policy-csp-power.md#power-unattendedsleeptimeoutpluggedin)
    - [Privacy/LetAppsActivateWithVoice](policy-csp-privacy.md#privacy-letappsactivatewithvoice)
    - [Privacy/LetAppsActivateWithVoiceAboveLock](policy-csp-privacy.md#privacy-letappsactivatewithvoiceabovelock)
    - [Search/AllowFindMyFiles](policy-csp-search.md#search-allowfindmyfiles)
    - [ServiceControlManager/SvchostProcessMitigation](policy-csp-servicecontrolmanager.md#servicecontrolmanager-svchostprocessmitigation)
    - [System/AllowCommercialDataPipeline](policy-csp-system.md#system-allowcommercialdatapipeline)
    - [System/TurnOffFileHistory](policy-csp-system.md#system-turnofffilehistory)
    - [TimeLanguageSettings/ConfigureTimeZone](policy-csp-timelanguagesettings.md#timelanguagesettings-configuretimezone)
    - [Troubleshooting/AllowRecommendations](policy-csp-troubleshooting.md#troubleshooting-allowrecommendations)
    - [Update/AutomaticMaintenanceWakeUp](policy-csp-update.md#update-automaticmaintenancewakeup)
    - [Update/ConfigureDeadlineForFeatureUpdates](policy-csp-update.md#update-configuredeadlineforfeatureupdates)
    - [Update/ConfigureDeadlineForQualityUpdates](policy-csp-update.md#update-configuredeadlineforqualityupdates)
    - [Update/ConfigureDeadlineGracePeriod](policy-csp-update.md#update-configuredeadlinegraceperiod)
    - [WindowsLogon/AllowAutomaticRestartSignOn](policy-csp-windowslogon.md#windowslogon-allowautomaticrestartsignon)
    - [WindowsLogon/ConfigAutomaticRestartSignOn](policy-csp-windowslogon.md#windowslogon-configautomaticrestartsignon)
    - [WindowsLogon/EnableFirstLogonAnimation](policy-csp-windowslogon.md#windowslogon-enablefirstlogonanimation)| -| [Policy CSP - Audit](policy-csp-audit.md) | Added the new Audit policy CSP. | -| [ApplicationControl CSP](applicationcontrol-csp.md) | Added the new CSP. | -| [Defender CSP](defender-csp.md) | Added the following new nodes:
    - Health/TamperProtectionEnabled
    - Health/IsVirtualMachine
    - Configuration
    - Configuration/TamperProtection
    - Configuration/EnableFileHashComputation | -| [DiagnosticLog CSP](diagnosticlog-csp.md)
    [DiagnosticLog DDF](diagnosticlog-ddf.md) | Added version 1.4 of the CSP in Windows 10, version 1903.
    Added the new 1.4 version of the DDF.
    Added the following new nodes:
    - Policy
    - Policy/Channels
    - Policy/Channels/ChannelName
    - Policy/Channels/ChannelName/MaximumFileSize
    - Policy/Channels/ChannelName/SDDL
    - Policy/Channels/ChannelName/ActionWhenFull
    - Policy/Channels/ChannelName/Enabled
    - DiagnosticArchive
    - DiagnosticArchive/ArchiveDefinition
    - DiagnosticArchive/ArchiveResults | -| [EnrollmentStatusTracking CSP](enrollmentstatustracking-csp.md) | Added the new CSP. | -| [PassportForWork CSP](passportforwork-csp.md) | Added the following new nodes:
    - SecurityKey
    - SecurityKey/UseSecurityKeyForSignin | - - -## What’s new in MDM for Windows 10, version 1809 - -| New or updated article | Description | -|-----|-----| -|[Policy CSP](policy-configuration-service-provider.md) | Added the following new policy settings in Windows 10, version 1809:
    - ApplicationManagement/LaunchAppAfterLogOn
    - ApplicationManagement/ScheduleForceRestartForUpdateFailures
    - Authentication/EnableFastFirstSignIn (Preview mode only)
    - Authentication/EnableWebSignIn (Preview mode only)
    - Authentication/PreferredAadTenantDomainName
    - Browser/AllowFullScreenMode
    - Browser/AllowPrelaunch
    - Browser/AllowPrinting
    - Browser/AllowSavingHistory
    - Browser/AllowSideloadingOfExtensions
    - Browser/AllowTabPreloading
    - Browser/AllowWebContentOnNewTabPage
    - Browser/ConfigureFavoritesBar
    - Browser/ConfigureHomeButton
    - Browser/ConfigureKioskMode
    - Browser/ConfigureKioskResetAfterIdleTimeout
    - Browser/ConfigureOpenMicrosoftEdgeWith
    - Browser/ConfigureTelemetryForMicrosoft365Analytics
    - Browser/PreventCertErrorOverrides
    - Browser/SetHomeButtonURL
    - Browser/SetNewTabPageURL
    - Browser/UnlockHomeButton
    - Defender/CheckForSignaturesBeforeRunningScan
    - Defender/DisableCatchupFullScan
    - Defender/DisableCatchupQuickScan
    - Defender/EnableLowCPUPriority
    - Defender/SignatureUpdateFallbackOrder
    - Defender/SignatureUpdateFileSharesSources
    - DeviceGuard/ConfigureSystemGuardLaunch
    - DeviceInstallation/AllowInstallationOfMatchingDeviceIDs
    - DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses
    - DeviceInstallation/PreventDeviceMetadataFromNetwork
    - DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings
    - DmaGuard/DeviceEnumerationPolicy
    - Experience/AllowClipboardHistory
    - Experience/DoNotSyncBrowserSettings
    - Experience/PreventUsersFromTurningOnBrowserSyncing
    - Kerberos/UPNNameHints
    - Privacy/AllowCrossDeviceClipboard
    - Privacy/DisablePrivacyExperience
    - Privacy/UploadUserActivities
    - Security/RecoveryEnvironmentAuthentication
    - System/AllowDeviceNameInDiagnosticData
    - System/ConfigureMicrosoft365UploadEndpoint
    - System/DisableDeviceDelete
    - System/DisableDiagnosticDataViewer
    - Storage/RemovableDiskDenyWriteAccess
    - TaskManager/AllowEndTask
    - Update/DisableWUfBSafeguards
    - Update/EngagedRestartDeadlineForFeatureUpdates
    - Update/EngagedRestartSnoozeScheduleForFeatureUpdates
    - Update/EngagedRestartTransitionScheduleForFeatureUpdates
    - Update/SetDisablePauseUXAccess
    - Update/SetDisableUXWUAccess
    - WindowsDefenderSecurityCenter/DisableClearTpmButton
    - WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning
    - WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl
    - WindowsLogon/DontDisplayNetworkSelectionUI | -| [BitLocker CSP](bitlocker-csp.md) | Added a new node AllowStandardUserEncryption in Windows 10, version 1809. Added support for Windows 10 Pro. | -| [Defender CSP](defender-csp.md) | Added a new node Health/ProductStatus in Windows 10, version 1809. | -| [DevDetail CSP](devdetail-csp.md) | Added a new node SMBIOSSerialNumber in Windows 10, version 1809. | -| [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) | Added NonRemovable setting under AppManagement node in Windows 10, version 1809. | -| [Office CSP](office-csp.md) | Added FinalStatus setting in Windows 10, version 1809. | -| [PassportForWork CSP](passportforwork-csp.md) | Added new settings in Windows 10, version 1809. | -| [RemoteWipe CSP](remotewipe-csp.md) | Added new settings in Windows 10, version 1809. | -| [SUPL CSP](supl-csp.md) | Added three new certificate nodes in Windows 10, version 1809. | -| [TenantLockdown CSP](tenantlockdown-csp.md) | Added new CSP in Windows 10, version 1809. | -| [Wifi CSP](wifi-csp.md) | Added a new node WifiCost in Windows 10, version 1809. | -| [WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md) | Added new settings in Windows 10, version 1809. | -| [WindowsLicensing CSP](windowslicensing-csp.md) | Added S mode settings and SyncML examples in Windows 10, version 1809. | -| [Win32CompatibilityAppraiser CSP](win32compatibilityappraiser-csp.md) | Added new configuration service provider in Windows 10, version 1809. | - - ## Change history for MDM documentation To know what's changed in MDM documentation, see [Change history for MDM documentation](change-history-for-mdm-documentation.md). diff --git a/windows/deployment/volume-activation/introduction-vamt.md b/windows/deployment/volume-activation/introduction-vamt.md index 403b5a2209..e8e03b1772 100644 --- a/windows/deployment/volume-activation/introduction-vamt.md +++ b/windows/deployment/volume-activation/introduction-vamt.md @@ -4,61 +4,62 @@ description: VAMT enables administrators to automate and centrally manage the Wi ms.reviewer: manager: dougeby ms.author: aaroncz -ms.prod: w10 +ms.prod: windows-client +ms.technology: itpro-deploy author: aczechowski -ms.date: 04/25/2017 -ms.topic: article +ms.date: 09/16/2022 +ms.topic: overview --- # Introduction to VAMT -The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office®, and select other Microsoft products volume and retail activation process. VAMT can manage volume activation using Multiple Activation Keys (MAKs) or the Windows Key Management Service (KMS). VAMT is a standard Microsoft Management Console (MMC) snap-in and can be installed on any computer that has one of the following Windows operating systems: Windows® 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2008 R2, or Windows Server 2012. +The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows, Office, and select other Microsoft products volume and retail activation process. VAMT can manage volume activation using Multiple Activation Keys (MAKs) or the Windows Key Management Service (KMS). VAMT is a standard Microsoft Management Console (MMC) snap-in and can be installed on any computer that has a supported Windows OS version. > [!NOTE] -> VAMT can be installed on, and can manage, physical or virtual instances. VAMT cannot detect whether or not the remote products are virtual. As long as the products can respond to Windows Management Instrumentation (WMI) calls, they will be discovered and activated. +> VAMT can be installed on, and can manage, physical or virtual instances. VAMT can't detect whether or not the remote products are virtual. As long as the products can respond to Windows Management Instrumentation (WMI) calls, they will be discovered and activated. -## In this Topic - -- [Managing Multiple Activation Key (MAK) and Retail Activation](#bkmk-managingmak) -- [Managing Key Management Service (KMS) Activation](#bkmk-managingkms) -- [Enterprise Environment](#bkmk-enterpriseenvironment) -- [VAMT User Interface](#bkmk-userinterface) - -## Managing Multiple Activation Key (MAK) and Retail Activation +## Managing MAK and retail activation You can use a MAK or a retail product key to activate Windows, Windows Server, or Office on an individual computer or a group of computers. VAMT enables two different activation scenarios: -- **Online activation.** Many enterprises maintain a single Windows system image or Office installation package for deployment across the enterprise. Occasionally there is also a need to use retail product keys in special situations. Online activation enables you to activate over the Internet any products installed with MAK, KMS host, or retail product keys on one or more connected computers within a network. This process requires that each product communicate activation information directly to Microsoft. -- **Proxy activation.** This activation method enables you to perform volume activation for products installed on client computers that do not have Internet access. The VAMT host computer distributes a MAK, KMS Host key (CSVLK), or retail product key to one or more client products and collects the installation ID (IID) from each client product. The VAMT host sends the IIDs to Microsoft on behalf of the client products and obtains the corresponding Confirmation IDs (CIDs). The VAMT host then installs the CIDs on the client products to complete the activation. Using this method, only the VAMT host computer needs Internet access. You can also activate products installed on computers in a workgroup that is isolated from any larger network, by installing a second instance of VAMT on a computer within the workgroup. Then, use removable media to transfer activation data between this new instance of VAMT and the Internet-connected VAMT host. +- **Online activation**: Many organizations maintain a single Windows system image or Office installation package for deployment across the organization. Occasionally there's also a need to use retail product keys in special situations. Online activation enables you to activate over the internet any products installed with MAK, KMS host, or retail product keys on one or more connected computers within a network. This process requires that each product communicate activation information directly to Microsoft. -## Managing Key Management Service (KMS) Activation +- **Proxy activation**: This activation method enables you to perform volume activation for products installed on client computers that don't have internet access. The VAMT host computer distributes a MAK, KMS host key (CSVLK), or retail product key to one or more client products and collects the installation ID (IID) from each client product. The VAMT host sends the IIDs to Microsoft on behalf of the client products and obtains the corresponding Confirmation IDs (CIDs). The VAMT host then installs the CIDs on the client products to complete the activation. Using this method, only the VAMT host computer needs internet access. You can also activate products installed on computers in a workgroup that's isolated from any larger network, by installing a second instance of VAMT on a computer within the workgroup. Then, use removable media to transfer activation data between this new instance of VAMT and the internet-connected VAMT host. -In addition to MAK or retail activation, you can use VAMT to perform volume activation using the Key Management Service (KMS). VAMT can install and activate GVLK (KMS client) keys on client products. GVLKs are the default product keys used by Volume License editions of Windows Vista, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012 and Microsoft Office 2010.\ -VAMT treats a KMS Host key (CSVLK) product key identically to a retail-type product key; therefore, the experience for product key entry and activation management are identical for both these product key types. +## Managing KMS activation -## Enterprise Environment +In addition to MAK or retail activation, you can use VAMT to perform volume activation using the KMS. VAMT can install and activate GVLK (KMS client) keys on client products. GVLKs are the default product keys used by volume license editions of Windows, Windows Server, and Office. -VAMT is commonly implemented in enterprise environments. The following screenshot illustrates three common environments—Core Network, Secure Zone, and Isolated Lab. +VAMT treats a KMS host key (CSVLK) product key identically to a retail-type product key. The experience for product key entry and activation management are identical for both these product key types. + +## Enterprise environment + +VAMT is commonly implemented in enterprise environments. The following screenshot illustrates three common environments: core network, secure zone, and isolated lab. ![VAMT in the enterprise.](images/dep-win8-l-vamt-image001-enterprise.jpg) -In the Core Network environment, all computers are within a common network managed by Active Directory® Domain Services (AD DS). The Secure Zone represents higher-security Core Network computers that have extra firewall protection. -The Isolated Lab environment is a workgroup that is physically separate from the Core Network, and its computers do not have Internet access. The network security policy states that no information that could identify a specific computer or user may be transferred out of the Isolated Lab. +- In the core network environment, all computers are within a common network managed by Active Directory Domain Services (AD DS). +- The secure zone represents higher-security core network computers that have extra firewall protection. +- The isolated lab environment is a workgroup that is physically separate from the core network, and its computers don't have internet access. The network security policy states that no information that could identify a specific computer or user may be transferred out of the isolated lab. -## VAMT User Interface +## VAMT user interface -The following screenshot shows the VAMT graphical user interface. +The following screenshot shows the VAMT graphical user interface: ![VAMT user interface.](images/vamtuserinterfaceupdated.jpg) VAMT provides a single, graphical user interface for managing activations, and for performing other activation-related tasks such as: -- **Adding and removing computers.** You can use VAMT to discover computers in the local environment. VAMT can discover computers by querying AD DS, workgroups, by individual computer name or IP address, or via a general LDAP query. -- **Discovering products.** You can use VAMT to discover Windows, Windows Server, Office, and select other products installed on the client computers. -- **Monitoring activation status.** You can collect activation information about each product, including the last five characters of the product key being used, the current license state (such as Licensed, Grace, Unlicensed), and the product edition information. -- **Managing product keys.** You can store multiple product keys and use VAMT to install these keys to remote client products. You can also determine the number of activations remaining for MAKs. -- **Managing activation data.** VAMT stores activation data in a SQL database. VAMT can export this data to other VAMT hosts or to an archive in XML format. +- **Adding and removing computers**: You can use VAMT to discover computers in the local environment. VAMT can discover computers by querying AD DS, workgroups, by individual computer name or IP address, or via a general LDAP query. -## Related topics +- **Discovering products**: You can use VAMT to discover Windows, Windows Server, Office, and select other products installed on the client computers. -- [VAMT Step-by-Step Scenarios](vamt-step-by-step.md) +- **Monitoring activation status**: You can collect activation information about each product, including the last five characters of the product key being used, the current license state (such as Licensed, Grace, Unlicensed), and the product edition information. + +- **Managing product keys**: You can store multiple product keys and use VAMT to install these keys to remote client products. You can also determine the number of activations remaining for MAKs. + +- **Managing activation data**: VAMT stores activation data in a SQL database. VAMT can export this data to other VAMT hosts or to an archive in XML format. + +## Next steps + +[VAMT step-by-step scenarios](vamt-step-by-step.md)