deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-22 05:43:41 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Split into two folders

Browse Source
This commit is contained in:
Vinay Pamnani
2022-10-05 17:02:35 -04:00
parent 66abbb9842
commit fd465b38d5
204 changed files with 1074 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

99
windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md
View File

@ -1,99 +0,0 @@
---
title: Add an Azure AD tenant and Azure AD subscription
description: Here's a step-by-step guide to adding an Azure Active Directory tenant, adding an Azure AD subscription, and registering your subscription.
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: w10
ms.technology: windows
author: vinaypamnani-msft
ms.date: 06/26/2017
---
# Add an Azure AD tenant and Azure AD subscription
Here's a step-by-step guide to adding an Azure Active Directory tenant, adding an Azure AD subscription, and registering your subscription.
> **Note**  If you have paid subscriptions to Office 365, Microsoft Dynamics CRM Online, Enterprise Mobility Suite, or other Microsoft services, you have a free subscription to Azure AD. For step-by-step guide to register this free subscription, see [Register your free Azure Active Directory subscription.](#register-your-free-azure-active-directory-subscription)
1. Sign up for Azure AD tenant from [this website](https://account.windowsazure.com/organization) by creating an administrator account for your organization.
![sign up for azure ad tenant.](images/azure-ad-add-tenant1.png)
2. Enter the information for your organization. Select **check availability** to verify that domain name that you selected is available.
![sign up for azure ad.](images/azure-ad-add-tenant2.png)
3. Complete the login and country information. Enter a valid phone number, then select **Send text message** or **Call me**.
![create azure account.](images/azure-ad-add-tenant3.png)
4. Enter the code that you receive and then select **Verify code**. After the code is verified and the continue button turns green, select **continue**.
![add aad tenant.](images/azure-ad-add-tenant3-b.png)
5. After you finish creating your Azure account, you can add an Azure AD subscription.
If you don't have a paid subscription to any Microsoft service, you can purchase an Azure AD premium subscription. Go to the Office 356 portal at https://portal.office.com/, and then sign in using the admin account that you created in Step 4 (for example, user1@contosoltd.onmicrosoftcom).
![login to office 365](images/azure-ad-add-tenant4.png)
6. Select **Install software**.
![login to office 365 portal](images/azure-ad-add-tenant5.png)
7. In the Microsoft 365 admin center, select **Purchase Services** from the left navigation.
![purchase service option in admin center menu.](images/azure-ad-add-tenant6.png)
8. On the **Purchase services** page, scroll down until you see **Azure Active Directory Premium**, then select to purchase.
![azure active directory option in purchase services page.](images/azure-ad-add-tenant7.png)
9. Continue with your purchase.
![azure active directory premium payment page.](images/azure-ad-add-tenant8.png)
10. After the purchase is completed, you can log on to your Office 365 Admin Portal and you'll see the **Azure AD** option from the Admin drop-down menu along with other services (SharePoint and Exchange).
![admin center left navigation menu.](images/azure-ad-add-tenant9.png)
When you choose Azure AD, it will take you to the Azure AD portal where you can manage your Azure AD applications.
## Register your free Azure Active Directory subscription
If you have paid subscriptions to Office 365, Microsoft Dynamics CRM Online, Enterprise Mobility Suite, or other Microsoft services, you have a free subscription to Azure AD. Here's a step-by-step guide to register your free Azure AD subscription using an Office 365 Premium Business subscription.
1. Sign in to the Microsoft 365 admin center at <https://portal.office.com> using your organization's account.
![register in azuread.](images/azure-ad-add-tenant10.png)
2. On the **Home** page, select on the Admin tools icon.
![register in azure-ad.](images/azure-ad-add-tenant11.png)
3. On the **Admin center** page, hover your mouse over the Admin tools icon on the left and then click **Azure AD**. This option will take you to the Azure Active Directory sign-up page and brings up your existing Office 365 organization account information.
![register azuread](images/azure-ad-add-tenant12.png)
4. On the **Sign up** page, make sure to enter a valid phone number and then click **Sign up**.
![registration in azure-ad](images/azure-ad-add-tenant13.png)
5. It may take a few minutes to process the request.
![registration in azuread.](images/azure-ad-add-tenant14.png)
6. You'll see a welcome page when the process completes.
![register screen of azuread](images/azure-ad-add-tenant15.png)

485
windows/client-management/mdm/appv-deploy-and-config.md
View File

@ -1,485 +0,0 @@
---
title: Deploy and configure App-V apps using MDM
description: Configure, deploy, and manage Microsoft Application Virtualization (App-V) apps using Microsoft Endpoint Manager or App-V server.
ms.author: vinpa
ms.topic: article
ms.prod: w10
ms.technology: windows
author: vinaypamnani-msft
ms.date: 06/26/2017
ms.reviewer:
manager: aaroncz
---
# Deploy and configure App-V apps using MDM
## Executive summary
<p>Microsoft Application Virtualization (App-V) apps have typically been configured, deployed, and managed through on-premises group policies using Microsoft Endpoint Manager or App-V server. In Windows 10, version 1703, App-V apps can be configured, deployed, and managed using mobile device management (MDM), matching their on-premises counterparts.</p>
<p>MDM services can be used to publish App-V packages to clients running Windows 10, version 1703 (or later). All capabilities such as App-V enablement, configuration, and publishing can be completed using the EnterpriseAppVManagement CSP.</p>
### EnterpriseAppVManagement CSP node structure
[EnterpriseAppVManagement CSP reference](./enterpriseappvmanagement-csp.md)
The following example shows the EnterpriseAppVManagement configuration service provider in tree format.
```console
./Vendor/MSFT
EnterpriseAppVManagement
----AppVPackageManagement
--------EnterpriseID
------------PackageFamilyName
---------------PackageFullName
------------------Name
------------------Version
------------------Publisher
------------------InstallLocation
------------------InstallDate
------------------Users
------------------AppVPackageID
------------------AppVVersionId
------------------AppVPackageUri
----AppVPublishing
--------LastSync
------------LastError
------------LastErrorDescription
------------SyncStatusDescription
------------SyncProgress
--------Sync
------------PublishXML
----AppVDynamicPolicy
--------ConfigurationId
------------Policy
```
<p>(./User/Vendor/MSFT/EnterpriseAppVManagement) contains the following subnodes.</p>
<p><b>AppVPublishing</b> - An exec action node that contains the App-V publishing configuration for an MDM device (applied globally to all users for that device) or a specific MDM user.</p>
- EnterpriseAppVManagement
- AppVPackageManagement
- **AppVPublishing**
- LastSync
- LastError
- LastErrorDescription
- SyncStatusDescription
- SyncProgress
- Sync
- PublishXML
- AppVDynamicPolicy
<p>Sync command:</p>
[App-V Sync protocol reference]( https://msdn.microsoft.com/enus/library/mt739986.aspx)
<p><b>AppVDynamicPolicy</b> - A read/write node that contains the App-V dynamic configuration for an MDM device (applied globally to all users for that device) or a specific MDM user.</p>
- EnterpriseAppVManagement
- AppVPackageManagement
- AppVPublishing
- **AppVDynamicPolicy**
- [ConfigurationId]
- Policy
<p>Dynamic policy examples:</p>
[Dynamic configuration processing](/windows/application-management/app-v/appv-application-publishing-and-client-interaction#bkmk-dynamic-config">Dynamic configuration processing)
<p><b>AppVPackageManagement</b> - Primarily read-only App-V package inventory data for MDM servers to query current packages.</p>
- EnterpriseAppVManagement
- **AppVPackageManagement**
- [EnterpriseID]
- [PackageFamilyName]
- [PackageFullName]
- Name
- Version
- Publisher
- InstallLocation
- InstallDate
- Users
- AppVPackageID
- AppVVersionId
- AppVPackageUri
- AppVPublishing
- AppVDynamicPolicy
<p>The examples in the scenarios section demonstrate how the publishing document should be created to successfully publish packages, dynamic policies, and connection groups.</p>
## Scenarios addressed in App-V MDM functionality
<p>All App-V group policies will be reflected by having a corresponding CSP that can be set using the Policy CSP. The CSPs match all on-premises App-V configuration capabilities. In addition, new App-V package management capability has been added to closely match the App-V PowerShell functionality.</p>
<p>A complete list of App-V policies can be found here:</p>
[ADMX-backed policy reference](./policy-configuration-service-provider.md)
[EnterpriseAppVManagement CSP reference](./enterpriseappvmanagement-csp.md)
### SyncML examples
<p>The following SyncML examples address specific App-V client scenarios.</p>
#### Enable App-V client
<p>This example shows how to enable App-V on the device.</p>
```xml
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Meta>
<Format>chr</Format>
<Type>text/plain</Type>
</Meta>
<Target>
<LocURI>./Device/Vendor/MSFT/Policy/Config/AppVirtualization/AllowAppvClient</LocURI>
</Target>
<Data><enabled/></Data>
</Item>
</Replace>
```
#### Configure App-V client
<p>This example shows how to allow package scripts to run during package operations (publish, run, and unpublish). Allowing package scripts helps package deployments (add and publish of App-V apps).</p>
```xml
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Meta>
<Format>chr</Format>
<Type>text/plain</Type>
</Meta>
<Target>
<LocURI>./Device/Vendor/MSFT/Policy/Config/AppVirtualization/AllowPackageScripts</LocURI>
</Target>
<Data><enabled/></Data>
</Item>
</Replace>
```
<p>Complete list of App-V policies can be found here:</p>
[Policy CSP](./policy-configuration-service-provider.md)
#### SyncML with package published for a device (global to all users for that device)
<p>This SyncML example shows how to publish a package globally on an MDM enrolled device for all device users.</p>
```xml
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">node</Format>
</Meta>
</Item>
</Replace>
<Exec>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXM L</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">xml</Format>
<Type xmlns="syncml:metinf">text/plain</Type>
</Meta>
<Data>
<Publishing Protocol="2.0">
<Packages>
<Package PackageUrl="http://hostname/serverpackages/apppackage.appv" VersionId="fd6b51c7-959e-4d04-ac36-a8244a5693d0" PackageId="565d8479-394d-439c-824d0e09b7ee732c"/>
</Packages>
<NoGroup>
<Package PackageId="565d8479-394d-439c-824d0e09b7ee732c"/>
</NoGroup>
</Publishing>
</Data>
</Item>
</Exec>
```
<p>*PackageUrl can be a UNC or HTTP/HTTPS endpoint.</p>
#### SyncML with package (with dynamic configuration policy) published for a device (global to all users on that device)
<p>This SyncML example shows how to publish a package globally, with a policy that adds two shortcuts for the package, on an MDM enrolled device.</p>
```xml
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVDynamicPolicy/38/Policy</ LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">xml</Format>
<Type xmlns="syncml:metinf">text/plain</Type>
</Meta>
<Data>
<DeploymentConfiguration PackageId="57650ac1-1731-4b4c-899ca25548374dab" DisplayName="Skype_RS2Win10_X64" xmlns="http://schemas.microsoft.com/appv/2010/deploymentconfiguration">
<MachineConfiguration></MachineConfiguration>
<UserConfiguration>
<Subsystems>
<Shortcuts Enabled="true">
<Extensions>
<Extension Category="AppV.Shortcut">
<Shortcut>
<File>[{ThisPCDesktopFolder}]\Skype_FromMDM.lnk</File>
<Target>[{ProgramFilesX86}]\Skype\Phone\Skype.exe</Target>
<Icon>[{Windows}]\Installer\{FC965A47-4839-40CA-B61818F486F042C6}\SkypeIcon.exe.0.ico</Icon>
<Arguments/>
<WorkingDirectory>[{ProgramFilesX86}]\Skype\</WorkingDirectory>
<AppUserModelId>Skype.Desktop.Application</AppUserModelId>
<Description>Launch Skype</Description>
<ShowCommand>1</ShowCommand>
<ApplicationId>[{ProgramFilesX86}]\Skype\Phone\Skype.exe</ApplicationId>
</Shortcut>
</Extension>
<Extension Category="AppV.Shortcut">
<Shortcut>
<File>[{Common Desktop}]\Skype_FromMDMAlso.lnk</File>
<Target>[{ProgramFilesX86}]\Skype\Phone\Skype.exe</Target>
<Icon>[{Windows}]\Installer\{FC965A47-4839-40CA-B61818F486F042C6}\SkypeIcon.exe.0.ico</Icon>
<Arguments/>
<WorkingDirectory>[{ProgramFilesX86}]\Skype\</WorkingDirectory>
<AppUserModelId>Skype.Desktop.Application</AppUserModelId>
<Description>Launch Skype</Description>
<ShowCommand>1</ShowCommand>
<ApplicationId>[{ProgramFilesX86}]\Skype\Phone\Skype.exe</ApplicationId>
</Shortcut>
</Extension>
</Extensions>
</Shortcuts>
</Subsystems>
</UserConfiguration>
</DeploymentConfiguration>
</Data>
</Item>
</Replace>
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">node</Format>
</Meta>
</Item>
</Replace>
<Exec>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXM L</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">xml</Format>
<Type xmlns="syncml:metinf">text/plain</Type>
</Meta>
<Data>
<Publishing Protocol="2.0">
<Packages>
<Package PackageUrl="http://hostname/serverpackages/apppackage.appv" VersionId="05fcf098-c949-4ea4-9aee-757abd33e0e4" PackageId="57650ac11731-4b4c-899c-a25548374dab">
<DeploymentConfiguration ConfigurationId="38" Path="38" Timestamp="2012-08-27T16:14:30.87" /></Package>
</Packages>
<NoGroup>
<Package PackageId="57650ac1-1731-4b4c-899ca25548374dab"/>
</NoGroup>
</Publishing>
</Data>
</Item>
</Exec>
```
<p>*PackageUrl can be a UNC or HTTP/HTTPS endpoint.</p>
#### SyncML with package (using user config deployment) published for a specific user
<p>This SyncML example shows how to publish a package for a specific MDM user.</p>
```xml
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">node</Format>
</Meta>
</Item>
</Replace>
<Exec>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXML< /LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">xml</Format>
<Type xmlns="syncml:metinf">text/plain</Type>
</Meta>
<Data>
<Publishing Protocol="2.0">
<Packages>
<Package PackageUrl="http://hostname/serverpackages/apppackage.appv" VersionId="c68b054c-ff5f-45a6-9b41-788f2194e3c1" PackageId="e9a51aaf-5d9a48df-96e2-3372a278bca4"></Package>
</Packages>
<NoGroup>
<Package PackageId="e9a51aaf-5d9a-48df-96e23372a278bca4"/>
</NoGroup>
</Publishing>
</Data>
</Item>
</Exec>
```
#### SyncML for publishing mixed-mode connection group containing global and user-published packages
<p>This SyncML example shows how to publish a connection group, and group applications and plugins together.</p>
> [!NOTE]
> The user connection group has the user-only package as optional in this example, which implies users without the optional package can continue to launch the global package within the same connection group.
```xml
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">node</Format>
</Meta>
</Item>
</Replace>
<Exec>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXM L</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">xml</Format>
<Type xmlns="syncml:metinf">text/plain</Type>
</Meta>
<Data>
<Publishing Protocol="2.0">
<Packages>
<Package PackageUrl="http://hostname/serverpackages/apppackage.appv" VersionId="05fcf098-c949-4ea4-9aee-757abd33e0e4" PackageId="57650ac11731-4b4c-899c-a25548374dab"></Package>
</Packages>
</Publishing>
</Data>
</Item>
</Exec>
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">node</Format>
</Meta>
</Item>
</Replace>
<Exec>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXML< /LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">xml</Format>
<Type xmlns="syncml:metinf">text/plain</Type>
</Meta>
<Data>
<Publishing Protocol="2.0">
<Packages>
<Package PackageUrl="http://hostname/serverpackages/apppackage.appv" VersionId="c68b054c-ff5f-45a6-9b41-788f2194e3c1" PackageId="e9a51aaf-5d9a48df-96e2-3372a278bca4"></Package>
<Package PackageUrl="http://hostname/serverpackages/apppackage.appv" VersionId="fd6b51c7-959e-4d04-ac36-a8244a5693d0" PackageId="565d8479-394d-439c-824d0e09b7ee732c"></Package>
</Packages>
<NoGroup>
<Package PackageId="565d8479-394d-439c-824d0e09b7ee732c"/>
</NoGroup>
<Groups>
<Group GroupId="98d5cebd-165f-403b-a426-7a1f6ae9c399" VersionId="AE76602B-5613-4BAD-9EE5-1728FA55B699" Priority="46" Name="Try7">
<Package PackageId="57650ac1-1731-4b4c-899ca25548374dab" VersionId="05fcf098-c949-4ea4-9aee-757abd33e0e4" VersionOptional="false" PackageOptional="false"/>
<Package PackageId="e9a51aaf-5d9a-48df-96e23372a278bca4" VersionOptional="true" PackageOptional="true"/>
</Group>
</Groups>
</Publishing>
</Data>
</Item>
</Exec>
```
#### Unpublish example SyncML for all global packages
<p>This SyncML example shows how to unpublish all global packages on the device by sending an empty package and connection group list in the SyncML.</p>
```xml
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">node</Format>
</Meta>
</Item>
</Replace>
<Exec>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXML</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">xml</Format>
<Type xmlns="syncml:metinf">text/plain</Type>
</Meta>
<Data>
<Publishing Protocol="2.0">
<Packages></Packages>
<NoGroup></NoGroup>
</Publishing>
</Data>
</Item>
</Exec>
```
#### Query packages on a device
<p>These SyncML examples return all global, and user-published packages on the device.</p>
```xml
<Get>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement?list=StructData</LocURI>
</Target>
</Item>
</Get>
```
```xml
<Get>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement?list=StructData</LocURI>
</Target>
</Item>
</Get>
```

47
windows/client-management/mdm/assign-seats.md
View File

@ -1,47 +0,0 @@
---
title: Assign seat
description: The Assign seat operation assigns seat for a specified user in the Microsoft Store for Business.
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: w10
ms.technology: windows
author: vinaypamnani-msft
ms.date: 09/18/2017
---
# Assign seat
The **Assign seat** operation assigns seat for a specified user in the Microsoft Store for Business.
## Request
**POST:**
```http
https://bspmts.mp.microsoft.com/V1/Inventory/{productId}/{skuId}/Seats/{username}
```
### URI parameters
The following parameters may be specified in the request URI.
|Parameter|Type|Description|
|--- |--- |--- |
|productId|string|Required. Product identifier for an application that is used by the Store for Business.|
|skuId|string|Required. Product identifier that specifies a specific SKU of an application.|
|username|string|Requires UserPrincipalName (UPN). User name of the target user account.|
## Response
### Response body
The response body contains [SeatDetails](data-structures-windows-store-for-business.md#seatdetails).
|Error code|Description|Retry|Data field|Details|
|--- |--- |--- |--- |--- |
|400|Invalid parameters|No|Parameter name <br>Reason: Invalid parameter<br>Details: String|Invalid can include productId, skuId or userName|
|404|Not found||Item type: Inventory, User, Seat<br> <br>Values: ProductId/SkuId, UserName, ProductId/SkuId/UserName|ItemType: Inventory User Seat<br> <br>Values: ProductId/SkuId UserName ProductId/SkuId/UserName|
|409|Conflict||Reason: Not online||

525
windows/client-management/mdm/azure-active-directory-integration-with-mdm.md
View File

@ -1,525 +0,0 @@
---
title: Azure Active Directory integration with MDM
description: Azure Active Directory is the world largest enterprise cloud identity management service.
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: w10
ms.technology: windows
author: vinaypamnani-msft
ms.collection: highpri
---
# Azure Active Directory integration with MDM
Azure Active Directory is the world largest enterprise cloud identity management service. Its used by organizations to access Office 365 and business applications from Microsoft and third-party software as a service (SaaS) vendors. Many of the rich Windows 10 experiences for organizational users (such as store access or OS state roaming) use Azure AD as the underlying identity infrastructure. Windows integrates with Azure AD, allowing devices to be registered in Azure AD and enrolled into MDM in an integrated flow.
Once a device is enrolled in MDM, the MDM:
- Can enforce compliance with organization policies, add or remove apps, and more.
- Can report a devices compliance in Azure AD.
- Azure AD can allow access to organization resources or applications secured by Azure AD to devices that comply with policies.
To support these rich experiences with their MDM product, MDM vendors can integrate with Azure AD. This article describes the steps involved.
## Connect to Azure AD
Several ways to connect your devices:
For company-owned devices:
- Join Windows to a traditional Active Directory domain
- Join Windows to Azure AD
For personal devices (BYOD):
- Add a Microsoft work account to Windows
### Azure AD Join
Company owned devices are traditionally joined to the on-premises Active Directory domain of the organization. These devices can be managed using Group Policy or computer management software such as Microsoft Endpoint Configuration Manager. In Windows 10, its also possible to manage domain joined devices with an MDM.
Windows 10 introduces a new way to configure and deploy organization owned Windows devices. This mechanism is called Azure AD Join. Like traditional domain join, Azure AD Join allows devices to become known and managed by an organization. However, with Azure AD Join, Windows authenticates to Azure AD instead of authenticating to a domain controller.
Azure AD Join also enables company owned devices to be automatically enrolled in, and managed by an MDM. Furthermore, Azure AD Join can be performed on a store-bought PC, in the out-of-box experience (OOBE), which helps organizations streamline their device deployment. An administrator can require that users belonging to one or more groups enroll their devices for management with an MDM. If a user is configured to require automatic enrollment during Azure AD Join, this enrollment becomes a mandatory step to configure Windows. If the MDM enrollment fails, then the device won't be joined to Azure AD.
> [!IMPORTANT]
> Every user enabled for automatic MDM enrollment with Azure AD Join must be assigned a valid [Azure Active Directory Premium](/previous-versions/azure/dn499825(v=azure.100)) license.
### BYOD scenario
Windows 10 also introduces a simpler way to configure personal devices to access work apps and resources. Users can add their Microsoft work account to Windows and enjoy simpler and safer access to the apps and resources of the organization. During this process, Azure AD detects if the organization has configured an MDM. If thats the case, Windows attempts to enroll the device in MDM as part of the “add account” flow. In the BYOD case, users can reject the MDM Terms of Use. The device isn't enrolled in MDM and access to organization resources is typically restricted.
## Integrated MDM enrollment and UX
Two Azure AD MDM enrollment scenarios:
- Joining a device to Azure AD for company-owned devices
- Adding a work account to a personal device (BYOD)
In both scenarios, Azure AD authenticates the user and the device. It provides a verified unique device identifier that can be used for MDM enrollment.
In both scenarios, the enrollment flow provides an opportunity for the MDM service to render its own UI, using a web view. MDM vendors should use the UI to render the Terms of Use (TOU), which can be different for company-owned and BYOD devices. MDM vendors can also use the web view to render more UI elements, such as asking for a one-time PIN.
In the out-of-the-box scenario, the web view is 100% full screen, which gives the MDM vendor the ability to paint an edge-to-edge experience. With great power comes great responsibility! It's important that MDM vendors who integrate with Azure AD respect the Windows design guidelines. This step includes using a responsive web design and respecting the Windows accessibility guidelines. For example, include the forward and back buttons that are properly wired to the navigation logic. More details are provided later in this article.
For Azure AD enrollment to work for an Active Directory Federated Services (AD FS) backed Azure AD account, you must enable password authentication for the intranet on the ADFS service. For more information, see solution \#2 in [Configure Azure MFA as authentication provider with AD FS](/windows-server/identity/ad-fs/operations/configure-ad-fs-and-azure-mfa).
Once a user has an Azure AD account added to Windows and enrolled in MDM, the enrollment can be managed through **Settings** > **Accounts** > **Work access**. Device management of either Azure AD Join for organization scenarios or BYOD scenarios is similar.
> [!NOTE]
> Users can't remove the device enrollment through the **Work access** user interface because management is tied to the Azure AD or work account.
### MDM endpoints involved in Azure ADintegrated enrollment
Azure AD MDM enrollment is a two-step process:
1. Display the Terms of Use and gather user consent.
This consent is a passive flow where the user is redirected in a browser control (webview) to the URL of the Terms of Use of the MDM.
2. Enroll the device.
This step is an active flow where Windows OMA DM agent calls the MDM service to enroll the device.
To support Azure AD enrollment, MDM vendors must host and expose a Terms of Use endpoint and an MDM enrollment endpoint.
<a href="" id="terms-of-use-endpoint-"></a>**Terms of Use endpoint**
Use this endpoint to inform users of the ways in which their device can be controlled by their organization. The Terms of Use page is responsible for collecting users consent before the actual enrollment phase begins.
Its important to understand the Terms of Use flow is an "opaque box" to Windows and Azure AD. The whole web view is redirected to the Terms of Use URL. The user should be redirected back after approving or rejecting the Terms. This design allows the MDM vendor to customize their Terms of Use for different scenarios. For example, different levels of control are applied on BYOD vs. organization-owned devices. Or, implement user/group based targeting, like users in certain geographies may have stricter device management policies.
The Terms of Use endpoint can implement more business logic, such as collecting a one-time PIN provided by IT to control device enrollment. However, MDM vendors must not use the Terms of Use flow to collect user credentials, which can be a degraded user experience. Its not needed, since part of the MDM integration ensures that the MDM service can understand tokens issued by Azure AD.
<a href="" id="mdm-enrollment-endpoint"></a>**MDM enrollment endpoint**
After the users accepts the Terms of Use, the device is registered in Azure AD. Automatic MDM enrollment begins.
The following diagram illustrates the high-level flow involved in the actual enrollment process. The device is first registered with Azure AD. This process assigns a unique device identifier to the device and presents the device with the ability to authenticate itself with Azure AD (device authentication). Then, the device is enrolled for management with the MDM. This step calls the enrollment endpoint and requests enrollment for the user and device. At this point, the user has been authenticated and device has been registered and authenticated with Azure AD. This information is available to the MDM in the form of claims within an access token presented at the enrollment endpoint.
![azure ad enrollment flow.](images/azure-ad-enrollment-flow.png)
The MDM is expected to use this information about the device (Device ID) when reporting device compliance back to Azure AD using the [Microsoft Graph API](/azure/active-directory/develop/active-directory-graph-api). A sample for reporting device compliance is provided later in this article.
## Make the MDM a reliable party of Azure AD
To participate in the integrated enrollment flow outlined in the previous section, the MDM must consume access tokens issued by Azure AD. To report compliance with Azure AD, the MDM must authenticate itself to Azure AD and obtain authorization in the form of an access token that allows it to invoke the [Microsoft Graph API](/azure/active-directory/develop/active-directory-graph-api).
### Add a cloud-based MDM
A cloud-based MDM is a SaaS application that provides device management capabilities in the cloud. It's a multi-tenant application. This application is registered with Azure AD in the home tenant of the MDM vendor. When an IT admin decides to use this MDM solution, an instance of this application is made visible in the tenant of the customer.
The MDM vendor must first register the application in their home tenant and mark it as a multi-tenant application. Here a code sample from GitHub that explains how to add multi-tenant applications to Azure AD, [WepApp-WebAPI-MultiTenant-OpenIdConnect-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613661).
> [!NOTE]
> For the MDM provider, if you don't have an existing Azure AD tenant with an Azure AD subscription that you manage, follow the step-by-step guide in [Add an Azure AD tenant and Azure AD subscription](add-an-azure-ad-tenant-and-azure-ad-subscription.md) to set up a tenant, add a subscription, and manage it via the Azure Portal.
The MDM application uses keys to request access tokens from Azure AD. These keys are managed within the tenant of the MDM provider and not visible to individual customers. The same key is used by the multi-tenant MDM application to authenticate itself with Azure AD, whatever the customer tenant the managed device belongs.
> [!NOTE]
> All MDM apps must implement Azure AD V2 tokens before we certify that integration works. Due to changes in the Azure AD app platform, using Azure AD V2 tokens is a hard requirement. For more information, see [Microsoft identity platform access tokens](/azure/active-directory/develop/access-tokens#token-formats-and-ownership).
Use the following steps to register a cloud-based MDM application with Azure AD. At this time, you need to work with the Azure AD engineering team to expose this application through the Azure AD app gallery.
1. Log on to the Azure Management Portal using an admin account in your home tenant.
2. In the left navigation, select **Active Directory**.
3. Select the directory tenant where you want to register the application.
Ensure you're logged into your home tenant.
4. Select the **Applications** tab.
5. In the drawer, select **Add**.
6. Select **Add an application my organization is developing**.
7. Enter a friendly name for the application, such as ContosoMDM, select **Web Application and or Web API**, then select **Next**.
8. Enter the logon URL for your MDM service.
9. For the App ID, enter `https://<your_tenant_name>/ContosoMDM`, then select OK.
10. While still in the Azure portal, select the **Configure** tab of your application.
11. Mark your application as **multi-tenant**.
12. Find the client ID value and copy it.
You'll need this ID later when configuring your application. This client ID is used when obtaining access tokens and adding applications to the Azure AD app gallery.
13. Generate a key for your application and copy it.
You need this key to call the Microsoft Graph API to report device compliance. This information is covered in the next section.
For more information about how to register a sample application with Azure AD, see the steps to register the **TodoListService Web API** in [NativeClient-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613667).
### Add an on-premises MDM
An on-premises MDM application is different than a cloud MDM. It's a single-tenant application that is present uniquely within the tenant of the customer. Customers must add the application directly within their own tenant. Also, each instance of an on-premises MDM application must be registered separately and has a separate key for authentication with Azure AD.
To add an on-premises MDM application to the tenant, use the Azure AD service, specifically under **Mobility (MDM and MAM)** > **Add application**. Administrators can configure the required URLs for enrollment and Terms of Use.
Your on-premises MDM product must expose a configuration experience where administrators can provide the client ID, app ID, and the key configured in their directory for that MDM application. You can use this client ID and key to request tokens from Azure AD when reporting device compliance.
For more information about registering applications with Azure AD, see [Basics of Registering an Application in Azure AD](/previous-versions/azure/dn499820(v=azure.100)).
### Key management and security guidelines
The application keys used by your MDM service are a sensitive resource. They should be protected and rolled over periodically for greater security. Access tokens obtained by your MDM service to call the Microsoft Graph API are bearer tokens and should be protected to avoid unauthorized disclosure.
For security best practices, see [Windows Azure Security Essentials](/dotnet/api/system.identitymodel.tokens.jwt.jwtsecuritytokenhandler).
You can roll over the application keys used by a cloud-based MDM service without requiring a customer interaction. There's a single set of keys across all customer tenants that are managed by the MDM vendor in their Azure AD tenant.
For the on-premises MDM, the Azure AD authentication keys are within the customer tenant and must be rolled over by the customer's administrator. To improve security, provide guidance to customers about rolling over and protecting the keys.
## Publish your MDM app to Azure AD app gallery
IT administrators use the Azure AD app gallery to add an MDM for their organization to use. The app gallery is a rich store with over 2400 SaaS applications that are integrated with Azure AD.
The following image show how MDM applications show up in the Azure app gallery.
![azure ad add an app for mdm.](images/azure-ad-app-gallery.png)
### Add cloud-based MDM to the app gallery
> [!NOTE]
> You should work with the Azure AD engineering team if your MDM application is cloud-based and needs to be enabled as a multi-tenant MDM application
The following table shows the required information to create an entry in the Azure AD app gallery.
|Item|Description|
|--- |--- |
|**Application ID**|The client ID of your MDM app that is configured within your tenant. This ID is the unique identifier for your multi-tenant app.|
|**Publisher**|A string that identifies the publisher of the app.|
|**Application URL**|A URL to the landing page of your app where your administrators can get more information about the MDM app and contains a link to the landing page of your app. This URL isn't used for the actual enrollment.|
|**Description**|A brief description of your MDM app, which must be under 255 characters.|
|**Icons**|A set of logo icons for the MDM app. Dimensions: 45 X 45, 150 X 122, 214 X 215|
### Add on-premises MDM to the app gallery
There are no special requirements for adding on-premises MDM to the app gallery. There's a generic entry for administrator to add an app to their tenant.
However, key management is different for on-premises MDM. You must obtain the client ID (app ID) and key assigned to the MDM app within the customer's tenant. Thee ID and key obtain authorization to access the Microsoft Graph API and for reporting device compliance.
## Themes
The pages rendered by the MDM in the integrated enrollment process must use Windows templates ([Download the Windows templates and CSS files (1.1.4)](https://download.microsoft.com/download/0/7/0/0702afe3-dc1e-48f6-943e-886a4876f6ca/MDM-ISV_1.1.4.zip)). These templates are important for enrollment during the Azure AD Join experience in OOBE where all of the pages are edge-to-edge HTML pages. Don't try to copy the templates because you'll never get the button placement right.
There are three distinct scenarios:
1. MDM enrollment as part of Azure AD Join in Windows OOBE.
2. MDM enrollment as part of Azure AD Join, after Windows OOBE from **Settings**.
3. MDM enrollment as part of adding a Microsoft work account on a personal device (BYOD).
These scenarios support Windows client Pro, Enterprise, and Education.
The CSS files provided by Microsoft contain version information and we recommend that you use the latest version. There are separate CSS files for Windows client devices, OOBE, and post-OOBE experiences. [Download the Windows templates and CSS files (1.1.4)](https://download.microsoft.com/download/0/7/0/0702afe3-dc1e-48f6-943e-886a4876f6ca/MDM-ISV_1.1.4.zip).
- For Windows 10, use **oobe-desktop.css**
- For Windows 11, use **oobe-light.css**
### Using themes
An MDM page must adhere to a predefined theme depending on the scenario that is displayed. For example, if the CXH-HOSTHTTP header is FRX, which is the OOBE scenario, then the page must support a dark theme with blue background color, which uses WinJS file Ui-dark.css ver 4.0 and oobe-desktop.css ver 1.0.4.
|CXH-HOST (HTTP HEADER)|Scenario|Background Theme|WinJS|Scenario CSS|
|--- |--- |--- |--- |--- |
|FRX|OOBE|Dark theme + blue background color|Filename: Ui-dark.css|Filename: oobe-dekstop.css|
|MOSET|Settings/Post OOBE|Light theme|Filename: Ui-light.css|Filename: settings-desktop.css|
## Terms of Use protocol semantics
The Terms of Use endpoint is hosted by the MDM server. During the Azure AD Join protocol flow, Windows does a full-page redirect to this endpoint. This redirect enables the MDM to display the terms and conditions that apply. It allows the user to accept or reject the terms associated with enrollment. After the user accepts the terms, the MDM redirects back to Windows for the enrollment process to continue.
### Redirect to the Terms of Use endpoint
This redirect is a full page redirect to the Terms of User endpoint hosted by the MDM. Here's an example URL, `https://fabrikam.contosomdm.com/TermsOfUse`.
The following parameters are passed in the query string:
|Item|Description|
|--- |--- |
|redirect_uri|After the user accepts or rejects the Terms of Use, the user is redirected to this URL.|
|client-request-id|A GUID that is used to correlate logs for diagnostic and debugging purposes. Use this parameter to log or trace the state of the enrollment request to help find the root cause of failures.|
|api-version|Specifies the version of the protocol requested by the client. This value provides a mechanism to support version revisions of the protocol.|
|mode|Specifies that the device is organization owned when mode=azureadjoin. This parameter isn't present for BYOD devices.|
### Access token
Azure AD issues a bearer access token. The token is passed in the authorization header of the HTTP request. Here's a typical format:
**Authorization: Bearer** CI6MTQxmCF5xgu6yYcmV9ng6vhQfaJYw…
The following claims are expected in the access token passed by Windows to the Terms of Use endpoint:
|Item|Description|
|--- |--- |
|Object ID|Identifier of the user object corresponding to the authenticated user.|
|UPN|A claim containing the user principal name (UPN) of the authenticated user.|
|TID|A claim representing the tenant ID of the tenant. In the example above, it's Fabrikam.|
|Resource|A sanitized URL representing the MDM application. Example: `https://fabrikam.contosomdm.com` |
> [!NOTE]
> There's no device ID claim in the access token because the device may not yet be enrolled at this time.
To retrieve the list of group memberships for the user, you can use the [Microsoft Graph API](/azure/active-directory/develop/active-directory-graph-api).
Here's an example URL.
```http
https://fabrikam.contosomdm.com/TermsOfUse?redirect_uri=ms-appx-web://ContosoMdm/ToUResponse&client-request-id=34be581c-6ebd-49d6-a4e1-150eff4b7213&api-version=1.0
Authorization: Bearer eyJ0eXAiOi
```
The MDM is expected to validate the signature of the access token to ensure it was issued by Azure AD and ensure that recipient is appropriate.
### Terms of Use content
The MDM may do other more redirects as necessary before displaying the Terms of Use content to the user. The appropriate Terms of Use content should be returned to the caller (Windows) so it can be displayed to the end user in the browser control.
The Terms of Use content should contain the following buttons:
- **Accept** - the user accepts the Terms of Use and proceeds with enrollment.
- **Decline** - the user declines and stops the enrollment process.
The Terms of Use content must be consistent with the theme used for the other pages rendered during this process.
### Terms of Use endpoint processing logic
At this point, the user is on the Terms of Use page shown during the OOBE or from the Setting experiences. The user has the following options on the page:
- **User clicks on the Accept button** - The MDM must redirect to the URI specified by the redirect\_uri parameter in the incoming request. The following query string parameters are expected:
- **IsAccepted** - This Boolean value is required, and must be set to true.
- **OpaqueBlob** - Required parameter if the user accepts. The MDM may use this blob to make some information available to the enrollment endpoint. The value persisted here is made available unchanged at the enrollment endpoint. The MDM may use this parameter for correlation purposes.
- Here's an example redirect - `ms-appx-web://MyApp1/ToUResponse?OpaqueBlob=value&IsAccepted=true`
- **User clicks on the Decline button** - The MDM must redirect to the URI specified in redirect\_uri in the incoming request. The following query string parameters are expected:
- **IsAccepted** - This Boolean value is required, and must be set to false. This option also applies if the user skipped the Terms of Use.
- **OpaqueBlob** - This parameter isn't expected to be used. The enrollment is stopped with an error message shown to the user.
Users skip the Terms of Use when they're adding a Microsoft work account to their device. However, they can't skip it during the Azure AD Join process. Don't show the decline button in the Azure AD Join process. MDM enrollment can't be declined by the user if configured by the administrator for the Azure AD Join.
We recommend that you send the client-request-id parameters in the query string as part of this redirect response.
### Terms Of Use Error handling
If an error occurs during the terms of use processing, the MDM can return two parameters an error and error\_description parameter in its redirect request back to Windows. The URL should be encoded, and the contents of the error\_description should be in English plain text. This text isn't visible to the end-user. So, localization of the error description text isn't a concern.
Here's the URL format:
```console
HTTP/1.1 302
Location:
<redirect_uri>?error=access_denied&error_description=Access%20is%20denied%2E
Example:
HTTP/1.1 302
Location: ms-appx-web://App1/ToUResponse?error=access_denied&error_description=Access%20is%20denied%2E
```
The following table shows the error codes.
|Cause|HTTP status|Error|Description|
|--- |--- |--- |--- |
|api-version|302|invalid_request|unsupported version|
|Tenant or user data are missing or other required prerequisites for device enrollment aren't met|302|unauthorized_client|unauthorized user or tenant|
|Azure AD token validation failed|302|unauthorized_client|unauthorized_client|
|internal service error|302|server_error|internal service error|
## Enrollment protocol with Azure AD
With Azure integrated MDM enrollment, there's no discovery phase and the discovery URL is directly passed down to the system from Azure. The following table shows the comparison between the traditional and Azure enrollments.
|Detail|Traditional MDM enrollment|Azure AD Join (organization-owned device)|Azure AD adds a work account (user-owned device)|
|--- |--- |--- |--- |
|MDM auto-discovery using email address to retrieve MDM discovery URL|Enrollment|Not applicable<br>Discovery URL provisioned in Azure||
|Uses MDM discovery URL|Enrollment<br>Enrollment renewal<br>ROBO|Enrollment<br>Enrollment renewal<br>ROBO|Enrollment<br>Enrollment renewal<br>ROBO|
|Is MDM enrollment required?|Yes|Yes|No<br>User can decline.|
|Authentication type|OnPremise<br>Federated<br>Certificate|Federated|Federated|
|EnrollmentPolicyServiceURL|Optional (all auth)|Optional (all auth)|Optional (all auth)|
|EnrollmentServiceURL|Required (all auth)|Used (all auth)|Used (all auth)|
|EnrollmentServiceURL includes OS Version, OS Platform, and other attributes provided by MDM discovery URL|Highly recommended|Highly recommended|Highly recommended|
|AuthenticationServiceURL used|Used (Federated auth)|Skipped|Skipped|
|BinarySecurityToken|Custom per MDM|Azure AD issued token|Azure AD issued token|
|EnrollmentType|Full|Device|Full|
|Enrolled certificate type|User certificate|Device certificate|User certificate|
|Enrolled certificate store|My/User|My/System|My/User|
|CSR subject name|User Principal Name|Device ID|User Principal Name|
|EnrollmentData Terms of Use binary blob as AdditionalContext for EnrollmentServiceURL|Not supported|Supported|Supported|
|CSPs accessible during enrollment|Windows 10 support: <br/>- DMClient <br/>- CertificateStore <br/>- RootCATrustedCertificates <br/> - ClientCertificateInstall <br/>- EnterpriseModernAppManagement <br/> - PassportForWork <br/> - Policy <br/> - w7 APPLICATION|||
## Management protocol with Azure AD
There are two different MDM enrollment types that integrate with Azure AD, and use Azure AD user and device identities. Depending on the enrollment type, the MDM service may need to manage a single user or multiple users.
<a href="" id="multiple-user-management-for-azure-ad-joined-devices"></a>**Multiple user management for Azure AD-joined devices**
In this scenario the MDM enrollment applies to every Azure AD user who signs in to the Azure AD joined device - call this enrollment type a device enrollment or a multi-user enrollment. The management server can determine the user identity, determine what policies are targeted for this user, and send corresponding policies to the device. To allow management server to identify current user that is logged on to the device, the OMA DM client uses the Azure AD user tokens. Each management session contains an extra HTTP header that contains an Azure AD user token. This information is provided in the DM package sent to the management server. However, in some circumstances Azure AD user token isn't sent over to the management server. One such scenario happens immediately after MDM enrollments completes during Azure AD join process. Until Azure AD join process is finished and Azure AD user signs on to the machine, Azure AD user token isn't available to OMA-DM process. Typically, MDM enrollment completes before Azure AD user sign in to machine and the initial management session doesn't contain an Azure AD user token. The management server should check if the token is missing and only send device policies in such case. Another possible reason for a missing Azure AD token in the OMA-DM payload is when a guest user is logged on to the device.
<a href="" id="adding-a-work-account-and-mdm-enrollment-to-a-device"></a>**Adding a work account and MDM enrollment to a device**
In this scenario, the MDM enrollment applies to a single user who initially added their work account and enrolled the device. In this enrollment type, the management server can ignore Azure AD tokens that may be sent over during management session. Whether Azure AD token is present or missing, the management server sends both user and device policies to the device.
<a href="" id="evaluating-azure-ad-user-tokens"></a>**Evaluating Azure AD user tokens**
The Azure AD token is in the HTTP Authorization header in the following format:
```console
Authorization:Bearer <Azure AD User Token Inserted here>
```
More claims may be present in the Azure AD token, such as:
- User - user currently logged in
- Device compliance - value set the MDM service into Azure
- Device ID - identifies the device that is checking in
- Tenant ID
Access tokens issued by Azure AD are JSON web tokens (JWTs). A valid JWT token is presented by Windows at the MDM enrollment endpoint to start the enrollment process. There are a couple of options to evaluate the tokens:
- Use the JWT Token Handler extension for WIF to validate the contents of the access token and extract claims required for use. For more information, see [JwtSecurityTokenHandler Class](/dotnet/api/system.identitymodel.tokens.jwt.jwtsecuritytokenhandler).
- Refer to the Azure AD authentication code samples to get a sample for working with access tokens. For an example, see [NativeClient-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613667).
## Device Alert 1224 for Azure AD user token
An alert is sent when the DM session starts and there's an Azure AD user logged in. The alert is sent in OMA DM pkg\#1. Here's an example:
```xml
Alert Type: com.microsoft/MDM/AADUserToken
Alert sample:
<SyncBody>
<Alert>
<CmdID>1</CmdID>
<Data>1224</Data>
<Item>
<Meta>
<Type xmlns=”syncml:metinf”>com.microsoft/MDM/AADUserToken</Type>
</Meta>
<Data>UserToken inserted here</Data>
</Item>
</Alert>
… other XML tags …
</SyncBody>
```
## Determine when a user is logged in through polling
An alert is sent to the MDM server in DM package\#1.
- Alert type - com.microsoft/MDM/LoginStatus
- Alert format - chr
- Alert data - provide sign-in status information for the current active logged in user.
- Signed-in user who has an Azure AD account - predefined text: user.
- Signed-in user without an Azure AD account- predefined text: others.
- No active user - predefined text:none
Here's an example.
```xml
<SyncBody>
<Alert>
<CmdID>1</CmdID>
<Data>1224</Data>
<Item>
<Meta>
<Type xmlns=”syncml:metinf”>com.microsoft/MDM/LoginStatus</Type>
</Meta>
<Data>user</Data>
</Item>
</Alert>
… other XML tags …
</SyncBody>
```
## Report device compliance to Azure AD
Once a device is enrolled with the MDM for management, organization policies configured by the IT administrator are enforced on the device. The device compliance with configured policies is evaluated by the MDM and then reported to Azure AD. This section covers the Graph API call you can use to report a device compliance status to Azure AD.
For a sample that illustrates how an MDM can obtain an access token using OAuth 2.0 client\_credentials grant type, see [Daemon\_CertificateCredential-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613822).
- **Cloud-based MDM** - If your product is a cloud-based multi-tenant MDM service, you have a single key configured for your service within your tenant. To obtain authorization, use this key to authenticate the MDM service with Azure AD.
- **On-premises MDM** - If your product is an on-premises MDM, customers must configure your product with the key used to authenticate with Azure AD. This key configuration is because each on-premises instance of your MDM product has a different tenant-specific key. So, you may need to expose a configuration experience in your MDM product that enables administrators to specify the key to be used to authenticate with Azure AD.
### Use Microsoft Graph API
The following sample REST API call illustrates how an MDM can use the Microsoft Graph API to report compliance status of a device being managed by it.
> [!NOTE]
> This API is only applicable for approved MDM apps on Windows 10 devices.
```console
Sample Graph API Request:
PATCH https://graph.windows.net/contoso.com/devices/db7ab579-3759-4492-a03f-655ca7f52ae1?api-version=beta HTTP/1.1
Authorization: Bearer eyJ0eXAiO………
Accept: application/json
Content-Type: application/json
{ "isManaged":true,
"isCompliant":true
}
```
Where:
- **contoso.com** This value is the name of the Azure AD tenant to whose directory the device has been joined.
- **db7ab579-3759-4492-a03f-655ca7f52ae1** This value is the device identifier for the device whose compliance information is being reported to Azure AD.
- **eyJ0eXAiO**……… This value is the bearer access token issued by Azure AD to the MDM that authorizes the MDM to call the Microsoft Graph API. The access token is placed in the HTTP authorization header of the request.
- **isManaged** and **isCompliant** - These Boolean attributes indicates compliance status.
- **api-version** - Use this parameter to specify which version of the graph API is being requested.
Response:
- Success - HTTP 204 with No Content.
- Failure/Error - HTTP 404 Not Found. This error may be returned if the specified device or tenant can't be found.
## Data loss during unenrollment from Azure Active Directory Join
When a user is enrolled into MDM through Azure Active Directory Join and then disconnects the enrollment, there's no warning that the user will lose Windows Information Protection (WIP) data. The disconnection message doesn't indicate the loss of WIP data.
![aadj unenrollment.](images/azure-ad-unenrollment.png)
## Error codes
|Code|ID|Error message|
|--- |--- |--- |
|0x80180001|"idErrorServerConnectivity", // MENROLL_E_DEVICE_MESSAGE_FORMAT_ERROR|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}|
|0x80180002|"idErrorAuthenticationFailure", // MENROLL_E_DEVICE_AUTHENTICATION_ERROR|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.|
|0x80180003|"idErrorAuthorizationFailure", // MENROLL_E_DEVICE_AUTHORIZATION_ERROR|This user isn't authorized to enroll. You can try to do this again or contact your system administrator with the error code {0}.|
|0x80180004|"idErrorMDMCertificateError", // MENROLL_E_DEVICE_CERTIFCATEREQUEST_ERROR|There was a certificate error. You can try to do this again or contact your system administrator with the error code {0}.|
|0x80180005|"idErrorServerConnectivity", // MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}|
|0x80180006|"idErrorServerConnectivity", // MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}|
|0x80180007|"idErrorAuthenticationFailure", // MENROLL_E_DEVICE_INVALIDSECURITY_ERROR|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.|
|0x80180008|"idErrorServerConnectivity", // MENROLL_E_DEVICE_UNKNOWN_ERROR|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}|
|0x80180009|"idErrorAlreadyInProgress", // MENROLL_E_ENROLLMENT_IN_PROGRESS|Another enrollment is in progress. You can try to do this again or contact your system administrator with the error code {0}.|
|0x8018000A|"idErrorMDMAlreadyEnrolled", // MENROLL_E_DEVICE_ALREADY_ENROLLED|This device is already enrolled. You can contact your system administrator with the error code {0}.|
|0x8018000D|"idErrorMDMCertificateError", // MENROLL_E_DISCOVERY_SEC_CERT_DATE_INVALID|There was a certificate error. You can try to do this again or contact your system administrator with the error code {0}.|
|0x8018000E|"idErrorAuthenticationFailure", // MENROLL_E_PASSWORD_NEEDED|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.|
|0x8018000F|"idErrorAuthenticationFailure", // MENROLL_E_WAB_ERROR|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.|
|0x80180010|"idErrorServerConnectivity", // MENROLL_E_CONNECTIVITY|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}|
|0x80180012|"idErrorMDMCertificateError", // MENROLL_E_INVALIDSSLCERT|There was a certificate error. You can try to do this again or contact your system administrator with the error code {0}.|
|0x80180013|"idErrorDeviceLimit", // MENROLL_E_DEVICECAPREACHED|Looks like there are too many devices or users for this account. Contact your system administrator with the error code {0}.|
|0x80180014|"idErrorMDMNotSupported", // MENROLL_E_DEVICENOTSUPPORTED|This feature isn't supported. Contact your system administrator with the error code {0}.|
|0x80180015|"idErrorMDMNotSupported", // MENROLL_E_NOTSUPPORTED|This feature isn't supported. Contact your system administrator with the error code {0}.|
|0x80180016|"idErrorMDMRenewalRejected", // MENROLL_E_NOTELIGIBLETORENEW|The server did not accept the request. You can try to do this again or contact your system administrator with the error code {0}.|
|0x80180017|"idErrorMDMAccountMaintenance", // MENROLL_E_INMAINTENANCE|The service is in maintenance. You can try to do this again later or contact your system administrator with the error code {0}.|
|0x80180018|"idErrorMDMLicenseError", // MENROLL_E_USERLICENSE|There was an error with your license. You can try to do this again or contact your system administrator with the error code {0}.|
|0x80180019|"idErrorInvalidServerConfig", // MENROLL_E_ENROLLMENTDATAINVALID|Looks like the server isn't correctly configured. You can try to do this again or contact your system administrator with the error code {0}.|
|"rejectedTermsOfUse"|"idErrorRejectedTermsOfUse"|Your organization requires that you agree to the Terms of Use. Please try again or ask your support person for more information.|
|0x801c0001|"idErrorServerConnectivity", // DSREG_E_DEVICE_MESSAGE_FORMAT_ERROR|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}|
|0x801c0002|"idErrorAuthenticationFailure", // DSREG_E_DEVICE_AUTHENTICATION_ERROR|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.|
|0x801c0003|"idErrorAuthorizationFailure", // DSREG_E_DEVICE_AUTHORIZATION_ERROR|This user isn't authorized to enroll. You can try to do this again or contact your system administrator with the error code {0}.|
|0x801c0006|"idErrorServerConnectivity", // DSREG_E_DEVICE_INTERNALSERVICE_ERROR|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}|
|0x801c000B|"idErrorUntrustedServer", // DSREG_E_DISCOVERY_REDIRECTION_NOT_TRUSTED|The server being contacted isn't trusted. Contact your system administrator with the error code {0}.|
|0x801c000C|"idErrorServerConnectivity", // DSREG_E_DISCOVERY_FAILED|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}|
|0x801c000E|"idErrorDeviceLimit", // DSREG_E_DEVICE_REGISTRATION_QUOTA_EXCCEEDED|Looks like there are too many devices or users for this account. Contact your system administrator with the error code {0}.|
|0x801c000F|"idErrorDeviceRequiresReboot", // DSREG_E_DEVICE_REQUIRES_REBOOT|A reboot is required to complete device registration.|
|0x801c0010|"idErrorInvalidCertificate", // DSREG_E_DEVICE_AIK_VALIDATION_ERROR|Looks like you have an invalid certificate. Contact your system administrator with the error code {0}.|
|0x801c0011|"idErrorAuthenticationFailure", // DSREG_E_DEVICE_ATTESTATION_ERROR|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.|
|0x801c0012|"idErrorServerConnectivity", // DSREG_E_DISCOVERY_BAD_MESSAGE_ERROR|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}|
|0x801c0013|"idErrorAuthenticationFailure", // DSREG_E_TENANTID_NOT_FOUND|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.|
|0x801c0014|"idErrorAuthenticationFailure", // DSREG_E_USERSID_NOT_FOUND|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.|

29
windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md
View File

@ -1,29 +0,0 @@
---
title: Azure AD and Microsoft Intune - Automatic MDM enrollment in the new Portal
description: Azure AD and Microsoft Intune - Automatic MDM enrollment in the new portal
ms.author: vinpa
ms.topic: article
ms.prod: w10
ms.technology: windows
author: vinaypamnani-msft
ms.date: 12/18/2020
ms.reviewer:
manager: aaroncz
---
# Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal
> [!NOTE]
> Microsoft Intune portal can be accessed at the following link: [https://endpoint.microsoft.com](https://endpoint.microsoft.com).
1. Go to your Azure AD Blade.
2. Select **Mobility (MDM and MAM)**, and find the Microsoft Intune app.
3. Select **Microsoft Intune** and configure the blade.
![How to get to the Blade.](images/azure-mdm-intune.png)
Configure the blade
![Configure the Blade.](images/azure-intune-configure-scope.png)
You can specify settings to allow all users to enroll a device and make it Intune ready, or choose to allow some users (and then add a group of users).

48
windows/client-management/mdm/bulk-assign-and-reclaim-seats-from-user.md
View File

@ -1,48 +0,0 @@
---
title: Bulk assign and reclaim seats from users
description: The Bulk assign and reclaim seats from users operation returns reclaimed or assigned seats in the Microsoft Store for Business.
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: w10
ms.technology: windows
author: vinaypamnani-msft
ms.date: 09/18/2017
---
# Bulk assign and reclaim seats from users
The **Bulk assign and reclaim seats from users** operation returns reclaimed or assigned seats in the Microsoft Store for Business.
## Request
**POST**:
```http
https:<span></span>//bspmts.mp.microsoft.com/V1/Inventory/{productId}/{skuId}/Seats
```
### URI parameters
The following parameters may be specified in the request URI.
|Parameter|Type|Description|
|--- |--- |--- |
|productId|string|Required. Product identifier for an application that is used by the Store for Business.|
|skuId|string|Required. Product identifier that specifies a specific SKU of an application.|
|username|string|Requires UserPrincipalName (UPN). User name of the target user account.|
|seatAction|[SeatAction](data-structures-windows-store-for-business.md#seataction) ||
## Response
### Response body
The response body contains [BulkSeatOperationResultSet](data-structures-windows-store-for-business.md#bulkseatoperationresultset).
|Error code|Description|Retry|Data field|
|--- |--- |--- |--- |
|404|Not found||Item type: Inventory<br> Values: ProductId/SkuId|

164
windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md
View File

@ -1,164 +0,0 @@
---
title: Bulk enrollment
description: Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to reimage the devices. In Windows 10 and Windows 11.
MS-HAID:
- 'p\_phdevicemgmt.bulk\_enrollment'
- 'p\_phDeviceMgmt.bulk\_enrollment\_using\_Windows\_provisioning\_tool'
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: w10
ms.technology: windows
author: vinaypamnani-msft
ms.date: 06/26/2017
---
# Bulk enrollment
Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to reimage the devices. In Windows 10 and 11 desktop devices, you can use the [Provisioning CSP](provisioning-csp.md) for bulk enrollment, except for the Azure Active Directory Join (Cloud Domain Join) enrollment scenario.
## Typical use cases
- Set up devices in bulk for large organizations to be managed by MDM.
- Set up kiosks, such as ATMs or point-of-sale (POS) terminals.
- Set up school computers.
- Set up industrial machinery.
- Set handheld POS devices.
On the desktop, you can create an Active Directory account, such as "enrollment@contoso.com" and give it only the ability to join the domain. Once the desktop is joined with that admin account, then standard users in the domain can sign in to use it. This account is especially useful in getting a large number of desktop ready to use within a domain.
On the desktop and mobile devices, you can use an enrollment certificate or enrollment username and password, such as "enroll@contoso.com" and "enrollmentpassword." These credentials are used in the provisioning package, which you can use to enroll multiple devices to the MDM service. Once the devices are joined, many users can use them.
> [!NOTE]
> - Bulk-join is not supported in Azure Active Directory Join.
> - Bulk enrollment does not work in Intune standalone environment.
> - Bulk enrollment works in Microsoft Endpoint Manager where the ppkg is generated from the Configuration Manager console.
> - To change bulk enrollment settings, login to **AAD**, then **Devices**, and then click **Device Settings**. Change the number under **Maximum number of devices per user**.
> - Bulk Token creation is not supported with federated accounts.
## What you need
- Windows 10 devices.
- Windows Configuration Designer (WCD) tool.
To get the WCD tool, download from the [Microsoft Store](https://www.microsoft.com/store/productId/9NBLGGH4TX22). For more information about the WCD tool, see [Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd) and [Getting started with Windows WCD](/windows/configuration/provisioning-packages/provisioning-install-icd).
- Enrollment credentials (domain account for enrollment, generic enrollment credentials for MDM, enrollment certificate for MDM.).
- Wi-Fi credentials, computer name scheme, and anything else required by your organization.
Some organizations require custom APNs to be provisioned before talking to the enrollment endpoint or custom VPN to join a domain.
## Create and apply a provisioning package for on-premises authentication
Using the WCD, create a provisioning package using the enrollment information required by your organization. Ensure that you have all the configuration settings.
1. Open the WCD tool.
2. Click **Advanced Provisioning**.
![icd start page.](images/bulk-enrollment7.png)
3. Enter a project name and click **Next**.
4. Select **All Windows editions**, since Provisioning CSP is common to all Windows editions, then click **Next**.
5. Skip **Import a provisioning package (optional)** and click **Finish**.
6. Expand **Runtime settings** &gt; **Workplace**.
7. Click **Enrollments**, enter a value in **UPN**, and then click **Add**.
The UPN is a unique identifier for the enrollment. For bulk enrollment, this UPN must be a service account that is allowed to enroll multiple users, such as "enrollment@contoso.com".
8. On the left navigation pane, expand the **UPN** and then enter the information for the rest of the settings for enrollment process.
Here's the list of available settings:
- **AuthPolicy** - Select **OnPremise**.
- **DiscoveryServiceFullUrl** - specify the full URL for the discovery service.
- **EnrollmentServiceFullUrl** - Optional and in most cases, it should be left blank.
- **PolicyServiceFullUrl** - Optional and in most cases, it should be left blank.
- **Secret** - Password
For detailed descriptions of these settings, see [Provisioning CSP](provisioning-csp.md).
Here's the screenshot of the WCD at this point.
![bulk enrollment screenshot.](images/bulk-enrollment.png)
9. Configure the other settings, such as the Wi-Fi connections so that the device can join a network before joining MDM (for example, **Runtime settings** &gt; **ConnectivityProfiles** &gt; **WLANSetting**).
10. When you're done adding all the settings, on the **File** menu, click **Save**.
11. On the main menu, click **Export** &gt; **Provisioning package**.
![icd menu for export.](images/bulk-enrollment2.png)
12. Enter the values for your package and specify the package output location.
![enter package information.](images/bulk-enrollment3.png)
![enter additional information for package information.](images/bulk-enrollment4.png)
![specify file location.](images/bulk-enrollment6.png)
13. Click **Build**.
![icb build window.](images/bulk-enrollment5.png)
14. Apply the package to some test devices and verify that they work. For more information, see [Apply a provisioning package](#apply-a-provisioning-package).
15. Apply the package to your devices.
## Create and apply a provisioning package for certificate authentication
Using the WCD, create a provisioning package using the enrollment information required by your organization. Ensure that you have all the configuration settings.
1. Open the WCD tool.
2. Click **Advanced Provisioning**.
3. Enter a project name and click **Next**.
4. Select **Common to all Windows editions**, since Provisioning CSP is common to all Windows editions.
5. Skip **Import a provisioning package (optional)** and click **Finish**.
6. Specify the certificate.
1. Go to **Runtime settings** &gt; **Certificates** &gt; **ClientCertificates**.
2. Enter a **CertificateName** and then click **Add**.
3. Enter the **CertificatePasword**.
4. For **CertificatePath**, browse and select the certificate to be used.
5. Set **ExportCertificate** to False.
6. For **KeyLocation**, select **Software only**.
![icd certificates section.](images/bulk-enrollment8.png)
7. Specify the workplace settings.
1. Got to **Workplace** &gt; **Enrollments**.
2. Enter the **UPN** for the enrollment and then click **Add**.
The UPN is a unique identifier for the enrollment. For bulk enrollment, this UPN must be a service account that is allowed to enroll multiple users, such as "enrollment@contoso.com".
3. On the left column, expand the **UPN** and then enter the information for the rest of the settings for enrollment process.
Here's the list of available settings:
- **AuthPolicy** - Select **Certificate**.
- **DiscoveryServiceFullUrl** - specify the full URL for the discovery service.
- **EnrollmentServiceFullUrl** - Optional and in most cases, it should be left blank.
- **PolicyServiceFullUrl** - Optional and in most cases, it should be left blank.
- **Secret** - the certificate thumbprint.
For detailed descriptions of these settings, see [Provisioning CSP](provisioning-csp.md).
8. Configure the other settings, such as the Wi-Fi connection so that the device can join a network before joining MDM (for example, **Runtime settings** &gt; **ConnectivityProfiles** &gt; **WLANSetting**).
9. When you're done adding all the settings, on the **File** menu, click **Save**.
10. Export and build the package (steps 10-13 in the procedure above).
11. Apply the package to some test devices and verify that they work. For more information, see [Apply a provisioning package](#apply-a-provisioning-package).
12. Apply the package to your devices.
## Apply a provisioning package
Here's the list of topics about applying a provisioning package:
- [Apply a package on the first-run setup screen (out-of-the-box experience)](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment#apply-package) - topic in Technet.
- [Apply a package to a Windows desktop edition image](/windows/configuration/provisioning-packages/provisioning-create-package#to_apply_a_provisioning_package_to_a_desktop_image) - topic in MSDN
- [Apply a package from the Settings menu](#apply-a-package-from-the-settings-menu) - topic below
## Apply a package from the Settings menu
1. Go to **Settings** &gt; **Accounts** &gt; **Access work or school**.
2. Click **Add or remove a provisioning package**.
3. Click **Add a package**.
## <a href="" id="validate-that-the-provisioning-package-was-applied-"></a>Validate that the provisioning package was applied
1. Go to **Settings** &gt; **Accounts** &gt; **Access work or school**.
2. Click **Add or remove a provisioning package**.
You should see your package listed.
## Retry logic in case of a failure
If the provisioning engine receives a failure from a CSP, it will retry to provision three times in a row.
If all immediate attempts fail, a delayed task is launched to try provisioning again later. It will retry four times at a decaying rate of 15 minutes -&gt; 1 hr -&gt; 4 hr -&gt; "Next System Start". These attempts will be run from a SYSTEM context.
It will also retry to apply the provisioning each time it's launched, if started from somewhere else as well.
In addition, provisioning will be restarted in a SYSTEM context after a sign in and the system has been idle ([details on idle conditions](/windows/win32/taskschd/task-idle-conditions)).
## Other provisioning topics
Here are links to step-by-step provisioning topics in Technet.
- [Provision PCs with apps and certificates for initial deployment](/windows/configuration/provisioning-packages/provision-pcs-with-apps)
- [Provision PCs with common settings for initial deployment](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment)

501
windows/client-management/mdm/certificate-authentication-device-enrollment.md
View File

@ -1,501 +0,0 @@
---
title: Certificate authentication device enrollment
description: This section provides an example of the mobile device enrollment protocol using certificate authentication policy.
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: w10
ms.technology: windows
author: vinaypamnani-msft
ms.date: 06/26/2017
---
# Certificate authentication device enrollment
This section provides an example of the mobile device enrollment protocol using certificate authentication policy. For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://go.microsoft.com/fwlink/p/?LinkId=619347).
> [!Note]
> To set up devices to use certificate authentication for enrollment, you should create a provisioning package. For more information about provisioning packages, see [Build and apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package).
## In this topic
- [Discovery service](#discovery-service)
- [Enrollment policy web service](#enrollment-policy-web-service)
- [Enrollment web service](#enrollment-web-service)
For the list of enrollment scenarios not supported in Windows 10, see [Enrollment scenarios not supported](mobile-device-enrollment.md#enrollment-scenarios-not-supported).
## Discovery Service
The following example shows the discovery service request.
```xml
POST /EnrollmentServer/Discovery.svc HTTP/1.1
Content-Type: application/soap+xml; charset=utf-8
User-Agent: Windows Enrollment Client
Host: EnterpriseEnrollment.Contoso.com
Content-Length: xxx
Cache-Control: no-cache
<?xml version="1.0"?>
<s:Envelope xmlns:a="http://www.w3.org/2005/08/addressing"
xmlns:s="http://www.w3.org/2003/05/soap-envelope">
<s:Header>
<a:Action s:mustUnderstand="1">
http://schemas.microsoft.com/windows/management/2012/01/enrollment/IDiscoveryService/Discover
</a:Action>
<a:MessageID>urn:uuid: 748132ec-a575-4329-b01b-6171a9cf8478</a:MessageID>
<a:ReplyTo>
<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo>
<a:To s:mustUnderstand="1">
https://ENROLLTEST.CONTOSO.COM/EnrollmentServer/Discovery.svc
</a:To>
</s:Header>
<s:Body>
<Discover xmlns="http://schemas.microsoft.com/windows/management/2012/01/enrollment/">
<request xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
<EmailAddress>user@contoso.com</EmailAddress>
<OSEdition>101</OSEdition> <!--New in Windows 10-->
<OSVersion>10.0.0.0</OSVersion> <!--New in Windows 10-->
<RequestVersion>3.0</RequestVersion> <!--Updated in Windows 10-->
<ApplicationVersion>10.0.0.0</ApplicationVersion>
<AuthPolicies>Certificate</AuthPolicies> <!--New in Windows 10-->
</request>
</Discover>
</s:Body>
</s:Envelope>
```
The following example shows the discovery service response.
```xml
HTTP/1.1 200 OK
Content-Length: 865
Content-Type: application/soap+xml; charset=utf-8
Server: EnterpriseEnrollment.Contoso.com
Date: Tue, 02 Aug 2012 00:32:56 GMT
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
xmlns:a="http://www.w3.org/2005/08/addressing">
<s:Header>
<a:Action s:mustUnderstand="1">
http://schemas.microsoft.com/windows/management/2012/01/enrollment/IDiscoveryService/DiscoverResponse
</a:Action>
<ActivityId>
d9eb2fdd-e38a-46ee-bd93-aea9dc86a3b8
</ActivityId>
<a:RelatesTo>urn:uuid: 748132ec-a575-4329-b01b-6171a9cf8478</a:RelatesTo>
</s:Header>
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<DiscoverResponse
xmlns="http://schemas.microsoft.com/windows/management/2012/01/enrollment">
<DiscoverResult>
<AuthPolicy>Certificate</AuthPolicy>
<EnrollmentVersion>3.0</EnrollmentVersion>
<EnrollmentPolicyServiceUrl>
https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC
</EnrollmentPolicyServiceUrl>
<EnrollmentServiceUrl>
https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC
</EnrollmentServiceUrl>
</DiscoverResult>
</DiscoverResponse>
</s:Body>
</s:Envelope>
```
## Enrollment policy web service
The following example shows the policy web service request.
```xml
POST /ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC HTTP/1.1
Content-Type: application/soap+xml; charset=utf-8
User-Agent: Windows Enrollment Client
Host: enrolltest.contoso.com
Content-Length: xxxx
Cache-Control: no-cache
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
xmlns:a="http://www.w3.org/2005/08/addressing"
xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
xmlns:ac="http://schemas.xmlsoap.org/ws/2006/12/authorization">
<s:Header>
<a:Action s:mustUnderstand="1">
http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy/IPolicy/GetPolicies
</a:Action>
<a:MessageID>urn:uuid:72048B64-0F19-448F-8C2E-B4C661860AA0</a:MessageID>
<a:ReplyTo>
<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo>
<a:To s:mustUnderstand="1">
https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC
</a:To>
<wsse:Security s:mustUnderstand="1">
<wsse:BinarySecurityToken wsse:ValueType="X509v3” wsse:Id="mytoken” wsse:EncodingType=
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary"
xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
B64EncodedSampleBinarySecurityToken
</wsse:BinarySecurityToken>
</wsse:Security>
</s:Header>
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<GetPolicies
xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy">
<client>
<lastUpdate xsi:nil="true"/>
<preferredLanguage xsi:nil="true"/>
</client>
<requestFilter xsi:nil="true"/>
</GetPolicies>
<ac:AdditionalContext xmlns="http://schemas.xmlsoap.org/ws/2006/12/authorization">
<ac:ContextItem Name="OSPlatform">
<ac:Value>WindowsMobile</ac:Value>
<ac:ContextItem Name="OSEdition">
<ac:Value>Core</ac:Value>
<ac:ContextItem Name="OSVersion">
<ac:Value>9.0.9999.0</ac:Value>
<ac:ContextItem Name="DeviceName">
<ac:Value>MY_WINDOWS_DEVICE</ac:Value>
<ac:ContextItem Name="MACAddress">
<ac:Value>FF:FF:FF:FF:FF:FF</ac:Value>
<ac:ContextItem Name="IMEI">
<ac:Value>49015420323756</ac:Value>
<ac:ContextItem Name="EnrollmentType">
<ac:Value>Lite</ac:Value>
<ac:ContextItem Name="DeviceType">
<ac:Value>WindowsPhone</ac:Value>
</ac:ContextItem>
<ac:ContextItem Name="ApplicationVersion">
<ac:Value>10.0.0.0</ac:Value>
</ac:ContextItem>
<ac:ContextItem Name="DeviceID">
<ac:Value>7BA748C8-703E-4DF2-A74A-92984117346A</ac:Value>
</ac:AdditionalContext>
</s:Body>
</s:Envelope>
```
The following snippet shows the policy web service response.
```xml
HTTP/1.1 200 OK
Date: Fri, 03 Aug 2012 20:00:00 GMT
Server: <server name here>
Content-Type: application/soap+xml
Content-Length: xxxx
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<s:Envelope
xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:s="http://www.w3.org/2003/05/soap-envelope"
xmlns:a="http://www.w3.org/2005/08/addressing">
<s:Header>
<a:Action s:mustUnderstand="1">
http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy/IPolicy/GetPoliciesResponse
</a:Action>
<ActivityId CorrelationId="08d2997e-e8ac-4c97-a4ce-d263e62186ab"
xmlns="http://schemas.microsoft.com/2004/09/ServiceModel/Diagnostics">
d4335d7c-e192-402d-b0e7-f5d550467e3c</ActivityId>
<a:RelatesTo>urn:uuid: 69960163-adad-4a72-82d2-bb0e5cff5598</a:RelatesTo>
</s:Header>
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<GetPoliciesResponse
xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy">
<response>
<policyFriendlyName xsi:nil="true"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
<nextUpdateHours xsi:nil="true"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
<policiesNotChanged xsi:nil="true"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
<policies>
<policy>
<policyOIDReference>0</policyOIDReference>
<cAs xsi:nil="true" />
<attributes>
<policySchema>3</policySchema>
<privateKeyAttributes>
<minimalKeyLength>2048</minimalKeyLength>
<keySpec xsi:nil="true" />
<keyUsageProperty xsi:nil="true" />
<permissions xsi:nil="true" />
<algorithmOIDReference xsi:nil="true" />
<cryptoProviders xsi:nil="true" />
</privateKeyAttributes>
<supersededPolicies xsi:nil="true" />
<privateKeyFlags xsi:nil="true" />
<subjectNameFlags xsi:nil="true" />
<enrollmentFlags xsi:nil="true" />
<generalFlags xsi:nil="true" />
<hashAlgorithmOIDReference>0</hashAlgorithmOIDReference>
<rARequirements xsi:nil="true" />
<keyArchivalAttributes xsi:nil="true" />
<extensions xsi:nil="true" />
</attributes>
</policy>
</policies>
</response>
<cAs xsi:nil="true" />
<oIDs>
<oID>
<value>1.3.14.3.2.29</value>
<group>1</group>
<oIDReferenceID>0</oIDReferenceID>
<defaultName>szOID_OIWSEC_sha1RSASign</defaultName>
</oID>
</oIDs>
</GetPoliciesResponse>
</s:Body>
</s:Envelope>
```
## Enrollment web service
The following example shows the enrollment web service request.
```xml
POST /EnrollmentServer/DeviceEnrollmentWebService.svc HTTP/1.1
Content-Type: application/soap+xml; charset=utf-8
User-Agent: Windows Enrollment Client
Host: enrolltest.contoso.com
Content-Length: 3242
Cache-Control: no-cache
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
xmlns:a="http://www.w3.org/2005/08/addressing"
xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
xmlns:ac="http://schemas.xmlsoap.org/ws/2006/12/authorization">
<s:Header>
<a:Action s:mustUnderstand="1">
http://schemas.microsoft.com/windows/pki/2009/01/enrollment/RST/wstep
</a:Action>
<a:MessageID>urn:uuid:0d5a1441-5891-453b-becf-a2e5f6ea3749</a:MessageID>
<a:ReplyTo>
<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo>
<a:To s:mustUnderstand="1">
https://enrolltest.contoso.com:443/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC
</a:To>
<wsse:Security s:mustUnderstand="1">
<wsu:Timestamp>
<wsu:Created>2014-10-16T17:55:13Z</wsu:Created> <!-- Start time in UTC -->
<wsu:Expires>2014-10-16T17:57:13Z </wsu:Expires> <!-- Expiration time in UTC -->
</wsu:Timestamp>
<wsse:BinarySecurityToken wsse:ValueType=
http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentUserToken
wsse:EncodingType=
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary"
xmlns=
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
wsu:Id=”29801C2F-F26B-46AD-984B-AFAEFB545FF8”>
B64EncodedSampleBinarySecurityToken
</wsse:BinarySecurityToken> <!—X509v3 Exported Public Cert, B64 Encoded, includes ID reference value to reference -->
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-
1.0.xsd”>
<ds:SignatureMethodAlgorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1/>
<ds:Reference URI="#envelop">
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha256"/>
<ds:DigestValue>MessageDigestValue</ds:DigestValue>
<!-- Digest value of message using digest method -->
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>SignedMessageBlob/ds:SignatureValue>
<!-- Digest value of message signed with the users private key using RSA-SHA256 -->
<ds:KeyInfo>
<wsse:SecurityTokenReference>
<wsse:Reference URI="29801C2F-F26B-46AD-984B-AFAEFB545FF8"
ValueType="http://docs.oasis-open.org/wss/2004/01/
oasis-200401-wss-x509-token-profile-1.0#X509"/>
<!-— References BinarySecurityToken that contains public key to verify signature -->
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</s:Header>
<s:Body>
<wst:RequestSecurityToken>
<wst:TokenType>
http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken
</wst:TokenType>
<wst:RequestType>
http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
<wsse:BinarySecurityToken
ValueType="http://schemas.microsoft.com/windows/pki/2009/01/enrollment#PKCS10"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary">
DER format PKCS#10 certificate request in Base64 encoding Insterted Here
</wsse:BinarySecurityToken>
<ac:AdditionalContext xmlns="http://schemas.xmlsoap.org/ws/2006/12/authorization">
<ac:ContextItem Name="OSEdition"> <!--New in Windows 10-->
<ac:Value></ac:Value>
<ac:ContextItem Name="OSVersion"> <!--New in Windows 10-->
<ac:Value>10.0.0.0</ac:Value>
<ac:ContextItem Name="DeviceName"> <!--New in Windows 10-->
<ac:Value>MY_WINDOWS_DEVICE</ac:Value>
<ac:ContextItem Name="MAC"> <!--New in Windows 10 -->
<ac:Value>FF:FF:FF:FF:FF:FF</ac:Value>
<ac:ContextItem Name="MAC"> <!--New in Windows 10 -->
<ac:Value>CC:CC:CC:CC:CC:CC</ac:Value>
<ac:ContextItem Name="IMEI"> <!--New in Windows 10-->
<ac:Value>49015420323756</ac:Value>
<ac:ContextItem Name="EnrollmentType"> <!--New in Windows 10-->
<ac:Value>Full</ac:Value>
</ac:ContextItem>
</ac:ContextItem>
<ac:ContextItem Name="DeviceID"> <!--From Handheld 8.1 -->
<ac:Value>7BA748C8-703E-4DF2-A74A-92984117346A</ac:Value>
<ac:ContextItem Name="EnrollmentData">
<ac:Value>3J4KLJ9SDJFAL93JLAKHJSDFJHAO83HAKSHFLAHSKFNHNPA2934342</ac:Value>
<ac:ContextItem Name="TargetedUserLoggedIn">
<ac:Value>True</ac:Value>
</ac:AdditionalContext>
</wst:RequestSecurityToken>
</s:Body>
</s:Envelope>
```
The following example shows the enrollment web service response.
```xml
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10231
Content-Type: application/soap+xml; charset=utf-8
Server: Microsoft-IIS/7.0
Date: Fri, 03 Aug 2012 00:32:59 GMT
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:a="http://www.w3.org/2005/08/addressing"
xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<Action s:mustUnderstand="1" >
http://schemas.microsoft.com/windows/pki/2009/01/enrollment/RSTRC/wstep
</Action>
<a:RelatesTo>urn:uuid:81a5419a-496b-474f-a627-5cdd33eed8ab</a:RelatesTo>
<o:Security s:mustUnderstand="1" xmlns:o=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<u:Timestamp u:Id="_0">
<u:Created>2012-08-02T00:32:59.420Z</u:Created>
<u:Expires>2012-08-02T00:37:59.420Z</u:Expires>
</u:Timestamp>
</o:Security>
</s:Header>
<s:Body>
<RequestSecurityTokenResponseCollection
xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
<RequestSecurityTokenResponse>
<TokenType>
http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken
</TokenType>
<RequestedSecurityToken>
<BinarySecurityToken
ValueType=
"http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentProvisionDoc"
EncodingType=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary"
xmlns=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
B64EncodedSampleBinarySecurityToken
</BinarySecurityToken>
</RequestedSecurityToken>
<RequestID xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollment">0
</RequestID>
</RequestSecurityTokenResponse>
</RequestSecurityTokenResponseCollection>
</s:Body>
</s:Envelope>
```
The following example shows the encoded provisioning XML.
```xml
<wap-provisioningdoc version="1.1">
<characteristic type="CertificateStore">
<characteristic type="Root">
<characteristic type="System">
<characteristic type="031336C933CC7E228B88880D78824FB2909A0A2F">
<parm name="EncodedCertificate" value="B64 encoded cert insert here" />
</characteristic>
</characteristic>
</characteristic>
</characteristic>
<characteristic type="CertificateStore">
<characteristic type="My" >
<characteristic type="User">
<characteristic type="F9A4F20FC50D990FDD0E3DB9AFCBF401818D5462">
<parm name="EncodedCertificate" value="B64EncodedCertInsertedHere" />
</characteristic>
<characteristic type="PrivateKeyContainer"/>
<!-- This tag must be present for XML syntax correctness. -->
</characteristic>
<characteristic type="WSTEP">
<characteristic type="Renew">
<!—If the datatype for ROBOSupport, RenewPeriod, and RetryInterval tags exist, they must be set explicitly. -->
<parm name="ROBOSupport" value="true" datatype="boolean"/>
<parm name="RenewPeriod" value="60" datatype="integer"/>
<parm name="RetryInterval" value="4" datatype="integer"/>
</characteristic>
</characteristic>
</characteristic>
</characteristic>
<characteristic type="APPLICATION">
<parm name="APPID" value="w7"/>
<parm name="PROVIDER-ID" value="TestMDMServer"/>
<parm name="NAME" value="Microsoft"/>
<parm name="ADDR" value="https://DM.contoso.com:443/omadm/Windows.ashx"/>
<parm name="CONNRETRYFREQ" value="6" />
<parm name="INITIALBACKOFFTIME" value="30000" />
<parm name="MAXBACKOFFTIME" value="120000" />
<parm name="BACKCOMPATRETRYDISABLED" />
<parm name="DEFAULTENCODING" value="application/vnd.syncml.dm+wbxml" />
<parm name="SSLCLIENTCERTSEARCHCRITERIA" value=
"Subject=DC%3dcom%2cDC%3dmicrosoft%2cCN%3dUsers%2cCN%3dAdministrator&amp;amp;Stores=My%5CUser"/>
<characteristic type="APPAUTH">
<parm name="AAUTHLEVEL" value="CLIENT"/>
<parm name="AAUTHTYPE" value="DIGEST"/>
<parm name="AAUTHSECRET" value="password1"/>
<parm name="AAUTHDATA" value="B64encodedBinaryNonceInsertedHere"/>
</characteristic>
<characteristic type="APPAUTH">
<parm name="AAUTHLEVEL" value="APPSRV"/>
<parm name="AAUTHTYPE" value="BASIC"/>
<parm name="AAUTHNAME" value="testclient"/>
<parm name="AAUTHSECRET" value="password2"/>
</characteristic>
</characteristic>
<characteristic type="DMClient"> <!-- In Windows 10, an enrollment server should use DMClient CSP XML to configure DM polling schedules. -->
<characteristic type="Provider">
<!-- ProviderID in DMClient CSP must match to PROVIDER-ID in w7 APPLICATION characteristics -->
<characteristic type="TestMDMServer">
<parm name="UPN" value="UserPrincipalName" datatype="string" />
<characteristic type="Poll">
<parm name="NumberOfFirstRetries" value="8" datatype="integer" />
<parm name="IntervalForFirstSetOfRetries" value="15" datatype="integer" />
<parm name="NumberOfSecondRetries" value="5" datatype="integer" />
<parm name="IntervalForSecondSetOfRetries" value="3" datatype="integer" />
<parm name="NumberOfRemainingScheduledRetries" value="0" datatype="integer" />
<!-- Windows 10 supports MDM push for real-time communication. The DM client long term polling schedules retry waiting interval should be more than 24 hours (1440) to reduce the impact to data consumption and battery life. Refer to the DMClient Configuration Service Provider section for information about polling schedule parameters.-->
<parm name="IntervalForRemainingScheduledRetries" value="1560" datatype="integer" />
<parm name="PollOnLogin" value="true" datatype="boolean" />
</characteristic>
<parm name="EntDeviceName" value="Administrator_Windows" datatype="string" />
</characteristic>
</characteristic>
</characteristic>
<!-- For Windows 10, we have removed EnterpriseAppManagement from the enrollment
protocol. This configuration service provider is being deprecated for Windows 10. -->
</wap-provisioningdoc>
```

158
windows/client-management/mdm/certificate-renewal-windows-mdm.md
View File

@ -1,158 +0,0 @@
---
title: Certificate Renewal
description: Learn how to find all the resources that you need to provide continuous access to client certificates.
MS-HAID:
- 'p\_phdevicemgmt.certificate\_renewal'
- 'p\_phDeviceMgmt.certificate\_renewal\_windows\_mdm'
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: w10
ms.technology: windows
author: vinaypamnani-msft
ms.date: 06/26/2017
---
# Certificate Renewal
The enrolled client certificate expires after a period of use. The expiration date of the certificate is specified by the server. To ensure continuous access to enterprise applications, Windows supports a user-triggered certificate renewal process. The user is prompted to provide the current password for the corporate account. The enrollment client gets a new client certificate from the enrollment server, and deletes the old certificate. The client generates a new private/public key pair, generates a PKCS\#7 request, and signs the PKCS\#7 request with the existing certificate. In Windows, automatic MDM client certificate renewal is also supported.
> [!Note]
> Make sure that the EntDMID in the DMClient configuration service provider is set before the certificate renewal request is triggered.
## Automatic certificate renewal request
Windows supports automatic certificate renewal, also known as Renew On Behalf Of (ROBO), that doesn't require any user interaction. For auto renewal, the enrollment client uses the existing MDM client certificate to do client Transport Layer Security (TLS). The user security token isn't needed in the SOAP header. As a result, the MDM certificate enrollment server is required to support client TLS for certificate-based client authentication for automatic certificate renewal.
> [!Note]
> Certificate renewal of the enrollment certificate through ROBO is only supported with Microsoft PKI.
Auto certificate renewal is the only supported MDM client certificate renewal method for the device that's enrolled using WAB authentication. Meaning, the AuthPolicy is set to Federated. It also means if the server supports WAB authentication, then the MDM certificate enrollment server MUST also support client TLS to renew the MDM client certificate.
For Windows devices, during the MDM client certificate enrollment phase or during MDM management section, the enrollment server or MDM server could configure the device to support automatic MDM client certificate renewal using [CertificateStore CSPs](certificatestore-csp.md) ROBOSupport node under CertificateStore/My/WSTEP/Renew URL.
With automatic renewal, the PKCS\#7 message content isnt b64 encoded separately. With manual certificate renewal, there's an additional b64 encoding for PKCS\#7 message content.
During the automatic certificate renewal process, if the root certificate isnt trusted by the device, the authentication will fail. Use one of device pre-installed root certificates, or configure the root cert over a DM session using the [CertificateStore CSP](certificatestore-csp.md).
During the automatic certificate renew process, the device will deny HTTP redirect request from the server. It won't deny the request if the same redirect URL that the user accepted during the initial MDM enrollment process is used.
The following example shows the details of an automatic renewal request.
```xml
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<a:Action s:mustUnderstand="1">
http://schemas.microsoft.com/windows/pki/2009/01/enrollment/RST/wstep</a:Action>
<a:MessageID>urn:uuid:61a17f2c-42e9-4a45-9c85-f15c1c8baee8</a:MessageID>
<a:ReplyTo>
<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo>
<a:To s:mustUnderstand="1">
https://dm.contoso.com/EnrollmentService/DeviceEnrollmentService.svc</a:To>
<o:Security s:mustUnderstand="1" xmlns:o=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<u:Timestamp u:Id="_0">
<u:Created>2011-07-11T19:49:08.579Z</u:Created>
<u:Expires>2011-07-11T19:54:08.579Z</u:Expires>
</u:Timestamp>
<o:UsernameToken u:Id="uuid-2a734df6-b227-4e60-82a8-ed53c574b718-5">
<o:Username>user@contoso.com</o:Username>
<o:Password o:Type=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">
</o:Password>
</o:UsernameToken>
</o:Security>
</s:Header>
<s:Body>
<RequestSecurityToken xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
<TokenType>
http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken
</TokenType>
<RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Renew</RequestType>
<BinarySecurityToken
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#PKCS7"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary"
xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
BinarySecurityTokenInsertedHere
</BinarySecurityToken>
<AdditionalContext xmlns="http://schemas.xmlsoap.org/ws/2006/12/authorization">
<ContextItem Name="DeviceType">
<Value>WindowsPhone</Value>
</ContextItem>
<ContextItem Name="ApplicationVersion">
<Value>5.0.7616.0</Value>
</ContextItem>
</AdditionalContext>
</RequestSecurityToken>
</s:Body>
</s:Envelope>
```
## Certificate renewal schedule configuration
In Windows, the renewal period can only be set during the MDM enrollment phase. Windows supports a certificate renewal period and renewal failure retry. They're configurable by both MDM enrollment server and later by the MDM management server using CertificateStore CSPs RenewPeriod and RenewInterval nodes. The device could retry automatic certificate renewal multiple times until the certificate expires. For manual certificate renewal, the Windows device reminds the user with a dialog at every renewal retry time until the certificate is expired.
For more information about the parameters, see the CertificateStore configuration service provider.
Unlike manual certificate renewal, the device will not do an automatic MDM client certificate renewal if the certificate is already expired. To make sure the device has enough time to automatically renew, we recommend you set a renewal period a couple months (40-60 days) before the certificate expires. And, set the renewal retry interval to every few days, like every 4-5 days instead every 7 days (weekly). This change increases the chance that the device will try to connect at different days of the week.
> [!Note]
> For PCs that were previously enrolled in MDM in Windows 8.1 and then upgraded to Windows 10, renewal will be triggered for the enrollment certificate. Thereafter, renewal will happen at the configured ROBO interval.
## Certificate renewal response
When RequestType is set to Renew, the web service verifies the following (in additional to initial enrollment):
- The signature of the PKCS\#7 BinarySecurityToken is correct
- The clients certificate is in the renewal period
- The certificate was issued by the enrollment service
- The requester is the same as the requester for initial enrollment
- For standard clients request, the client hasnt been blocked
After validation is completed, the web service retrieves the PKCS\#10 content from the PKCS\#7 BinarySecurityToken. The rest is the same as initial enrollment, except that the Provisioning XML only needs to have the new certificate issued by the CA.
> [!Note]
> The HTTP server response must not be chunked; it must be sent as one message.
The following example shows the details of a certificate renewal response.
```xml
<wap-provisioningdoc version="1.1">
<characteristic type="CertificateStore">
<!-- Root certificate provision is only needed here if it is not in the device already --> <characteristic type="Root">
<characteristic type="System">
<characteristic type="EncodedRootCertHashInsertedHere ">
<parm name="EncodedCertificate" value="EncodedCertInsertedHere" />
</characteristic>
</characteristic>
</characteristic>
<characteristic type="My" >
<characteristic type="User">
<characteristic type="EncodedClientCertHashInsertedHere">
<parm name="EncodedCertificate" value="EncodedCertInsertedHere" />
<characteristic type="PrivateKeyContainer"/>
</characteristic>
</characteristic>
</characteristic>
</characteristic>
<characteristic type="APPLICATION">
<parm name="PROVIDER-ID" value="TestMDMServer"/>
</characteristic>
</wap-provisioningdoc>
```
> [!Note]
> The client receives a new certificate, instead of renewing the initial certificate. The administrator controls which certificate template the client should use. The templates may be different at renewal time than the initial enrollment time.
## Configuration service providers supported during MDM enrollment and certificate renewal
The following configuration service providers are supported during MDM enrollment and certificate renewal process. See Configuration service provider reference for detailed descriptions of each configuration service provider.
- CertificateStore
- w7 APPLICATION
- DMClient
- EnterpriseAppManagement

317
windows/client-management/mdm/change-history-for-mdm-documentation.md
View File

@ -1,317 +0,0 @@
---
title: Change history for MDM documentation
description: This article lists new and updated articles for Mobile Device Management.
author: vinaypamnani-msft
ms.author: vinpa
ms.reviewer:
manager: aaroncz
ms.topic: article
ms.prod: w10
ms.technology: windows
ms.localizationpriority: medium
ms.date: 10/19/2020
---
# Change history for Mobile Device Management documentation
This article lists new and updated articles for the Mobile Device Management (MDM) documentation. Updated articles are those articles that had content addition, removal, or corrections—minor fixes, such as correction of typos, style, or formatting issues aren't listed.
## November 2020
|New or updated article | Description|
|--- | ---|
| [Policy CSP](policy-configuration-service-provider.md) | Added the following new policy:<br>- [Multitasking/BrowserAltTabBlowout](policy-csp-multitasking.md#multitasking-browseralttabblowout) |
| [SurfaceHub CSP](surfacehub-csp.md) | Added the following new node:<br>-Properties/SleepMode |
## October 2020
|New or updated article | Description|
|--- | ---|
| [Policy CSP](policy-configuration-service-provider.md) | Added the following new policies<br>- [Experience/DisableCloudOptimizedContent](policy-csp-experience.md#experience-disablecloudoptimizedcontent)<br>- [LocalUsersAndGroups/Configure](policy-csp-localusersandgroups.md#localusersandgroups-configure)<br>- [MixedReality/AADGroupMembershipCacheValidityInDays](policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays)<br>- [MixedReality/BrightnessButtonDisabled](policy-csp-mixedreality.md#mixedreality-brightnessbuttondisabled)<br>- [MixedReality/FallbackDiagnostics](policy-csp-mixedreality.md#mixedreality-fallbackdiagnostics)<br>- [MixedReality/MicrophoneDisabled](policy-csp-mixedreality.md#mixedreality-microphonedisabled)<br>- [MixedReality/VolumeButtonDisabled](policy-csp-mixedreality.md#mixedreality-volumebuttondisabled)<br>- [Update/DisableWUfBSafeguards](policy-csp-update.md#update-disablewufbsafeguards)<br>- [WindowsSandbox/AllowAudioInput](policy-csp-windowssandbox.md#windowssandbox-allowaudioinput)<br>- [WindowsSandbox/AllowClipboardRedirection](policy-csp-windowssandbox.md#windowssandbox-allowclipboardredirection)<br>- [WindowsSandbox/AllowNetworking](policy-csp-windowssandbox.md#windowssandbox-allownetworking)<br>- [WindowsSandbox/AllowPrinterRedirection](policy-csp-windowssandbox.md#windowssandbox-allowprinterredirection)<br>- [WindowsSandbox/AllowVGPU](policy-csp-windowssandbox.md#windowssandbox-allowvgpu)<br>- [WindowsSandbox/AllowVideoInput](policy-csp-windowssandbox.md#windowssandbox-allowvideoinput) |
## September 2020
|New or updated article | Description|
|--- | ---|
|[NetworkQoSPolicy CSP](networkqospolicy-csp.md)|Updated support information of the NetworkQoSPolicy CSP.|
|[Policy CSP - LocalPoliciesSecurityOptions](policy-csp-localpoliciessecurityoptions.md)|Removed the following unsupported LocalPoliciesSecurityOptions policy settings from the documentation:<br>- RecoveryConsole_AllowAutomaticAdministrativeLogon <br>- DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways<br>- DomainMember_DigitallyEncryptSecureChannelDataWhenPossible<br>- DomainMember_DisableMachineAccountPasswordChanges<br>- SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems<br>|
## August 2020
|New or updated article | Description|
|--- | ---|
|[Policy CSP - System](policy-csp-system.md)|Removed the following policy settings:<br> - System/AllowDesktopAnalyticsProcessing <br>- System/AllowMicrosoftManagedDesktopProcessing <br> - System/AllowUpdateComplianceProcessing<br> - System/AllowWUfBCloudProcessing <br>|
## July 2020
|New or updated article | Description|
|--- | ---|
|[Policy CSP - System](policy-csp-system.md)|Added the following new policy settings:<br> - System/AllowDesktopAnalyticsProcessing <br>- System/AllowMicrosoftManagedDesktopProcessing <br> - System/AllowUpdateComplianceProcessing<br> - System/AllowWUfBCloudProcessing <br> <br><br>Updated the following policy setting:<br>- <a href="./policy-csp-system.md#system-allowcommercialdatapipeline" id="system-allowcommercialdatapipeline">System/AllowCommercialDataPipeline</a> <br>|
## June 2020
|New or updated article | Description|
|--- | ---|
|[BitLocker CSP](bitlocker-csp.md)|Added SKU support table for **AllowStandardUserEncryption**.|
|[Policy CSP - NetworkIsolation](policy-csp-networkisolation.md)|Updated the description from Boolean to Integer for the following policy settings:<br>EnterpriseIPRangesAreAuthoritative, EnterpriseProxyServersAreAuthoritative.|
## May 2020
|New or updated article | Description|
|--- | ---|
|[BitLocker CSP](bitlocker-csp.md)|Added the bitmask table for the Status/DeviceEncryptionStatus node.|
|[Policy CSP - RestrictedGroups](policy-csp-restrictedgroups.md)| Updated the topic with more details. Added policy timeline table.
## February 2020
|New or updated article | Description|
|--- | ---|
|[CertificateStore CSP](certificatestore-csp.md)<br>[ClientCertificateInstall CSP](clientcertificateinstall-csp.md)|Added details about SubjectName value.|
## January 2020
|New or updated article | Description|
|--- | ---|
|[Policy CSP - Defender](policy-csp-defender.md)|Added descriptions for supported actions for Defender/ThreatSeverityDefaultAction.|
## November 2019
|New or updated article | Description|
|--- | ---|
|[Policy CSP - DeliveryOptimization](policy-csp-deliveryoptimization.md)|Added option 5 in the supported values list for DeliveryOptimization/DOGroupIdSource.|
|[DiagnosticLog CSP](diagnosticlog-csp.md)|Added substantial updates to this CSP doc.|
## October 2019
|New or updated article | Description|
|--- | ---|
|[BitLocker CSP](bitlocker-csp.md)|Added the following new nodes:<br>ConfigureRecoveryPasswordRotation, RotateRecoveryPasswords, RotateRecoveryPasswordsStatus, RotateRecoveryPasswordsRequestID.|
|[Defender CSP](defender-csp.md)|Added the following new nodes:<br>Health/TamperProtectionEnabled, Health/IsVirtualMachine, Configuration, Configuration/TamperProtection, Configuration/EnableFileHashComputation.|
## September 2019
|New or updated article | Description|
|--- | ---|
|[EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md)|Added the following new node:<br>IsStub.|
|[Policy CSP - Defender](policy-csp-defender.md)|Updated the supported value list for Defender/ScheduleScanDay policy.|
|[Policy CSP - DeviceInstallation](policy-csp-deviceinstallation.md)|Added the following new policies: <br>DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs, DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs.|
## August 2019
|New or updated article | Description|
|--- | ---|
|[DiagnosticLog CSP](diagnosticlog-csp.md)<br>[DiagnosticLog DDF](diagnosticlog-ddf.md)|Added version 1.4 of the CSP in Windows 10, version 1903. Added the new 1.4 version of the DDF. Added the following new nodes:<br>Policy, Policy/Channels, Policy/Channels/ChannelName, Policy/Channels/ChannelName/MaximumFileSize, Policy/Channels/ChannelName/SDDL, Policy/Channels/ChannelName/ActionWhenFull, Policy/Channels/ChannelName/Enabled, DiagnosticArchive, DiagnosticArchive/ArchiveDefinition, DiagnosticArchive/ArchiveResults.|
|[Enroll a Windows 10 device automatically using Group Policy](enroll-a-windows-10-device-automatically-using-group-policy.md)|Enhanced the article to include more reference links and the following two topics:<br>Verify auto-enrollment requirements and settings, Troubleshoot auto-enrollment of devices.|
## July 2019
|New or updated article | Description|
|--- | ---|
|[Policy CSP](policy-configuration-service-provider.md)|Added the following list:<br>Policies supported by HoloLens 2|
|[ApplicationControl CSP](applicationcontrol-csp.md)|Added new CSP in Windows 10, version 1903.|
|[PassportForWork CSP](passportforwork-csp.md)|Added the following new nodes in Windows 10, version 1903:<br>SecurityKey, SecurityKey/UseSecurityKeyForSignin|
|[Policy CSP - Privacy](policy-csp-privacy.md)|Added the following new policies:<br>LetAppsActivateWithVoice, LetAppsActivateWithVoiceAboveLock|
|Create a custom configuration service provider|Deleted the following documents from the CSP reference because extensibility via CSPs isn't currently supported:<br>Create a custom configuration service provider<br>Design a custom configuration service provider<br>IConfigServiceProvider2<br>IConfigServiceProvider2::ConfigManagerNotification<br>IConfigServiceProvider2::GetNode<br>ICSPNode<br>ICSPNode::Add<br>ICSPNode::Clear<br>ICSPNode::Copy<br>ICSPNode::DeleteChild<br>ICSPNode::DeleteProperty<br>ICSPNode::Execute<br>ICSPNode::GetChildNodeNames<br>ICSPNode::GetProperty<br>ICSPNode::GetPropertyIdentifiers<br>ICSPNode::GetValue<br>ICSPNode::Move<br>ICSPNode::SetProperty<br>ICSPNode::SetValue<br>ICSPNodeTransactioning<br>ICSPValidate<br>Samples for writing a custom configuration service provider.|
## June 2019
|New or updated article | Description|
|--- | ---|
|[Policy CSP - DeviceHealthMonitoring](policy-csp-devicehealthmonitoring.md)|Added the following new policies:<br>AllowDeviceHealthMonitoring, ConfigDeviceHealthMonitoringScope, ConfigDeviceHealthMonitoringUploadDestination.|
|[Policy CSP - TimeLanguageSettings](policy-csp-timelanguagesettings.md)|Added the following new policy:<br>ConfigureTimeZone.|
## May 2019
|New or updated article | Description|
|--- | ---|
|[DeviceStatus CSP](devicestatus-csp.md)|Updated description of the following nodes:<br>DeviceStatus/Antivirus/SignatureStatus, DeviceStatus/Antispyware/SignatureStatus.|
|[EnrollmentStatusTracking CSP](enrollmentstatustracking-csp.md)|Added new CSP in Windows 10, version 1903.|
|[Policy CSP - DeliveryOptimization](policy-csp-deliveryoptimization.md)|Added the following new policies:<br> DODelayCacheServerFallbackBackground, DODelayCacheServerFallbackForeground.<br><br>Updated description of the following policies:<br>DOMinRAMAllowedToPeer, DOMinFileSizeToCache, DOMinDiskSizeAllowedToPeer.|
|[Policy CSP - Experience](policy-csp-experience.md)|Added the following new policy:<br>ShowLockOnUserTile.|
|[Policy CSP - InternetExplorer](policy-csp-internetexplorer.md)|Added the following new policies:<br>AllowEnhancedSuggestionsInAddressBar, DisableActiveXVersionListAutoDownload, DisableCompatView, DisableFeedsBackgroundSync, DisableGeolocation, DisableWebAddressAutoComplete, NewTabDefaultPage.|
|[Policy CSP - Power](policy-csp-power.md)|Added the following new policies:<br>EnergySaverBatteryThresholdOnBattery, EnergySaverBatteryThresholdPluggedIn, SelectLidCloseActionOnBattery, SelectLidCloseActionPluggedIn, SelectPowerButtonActionOnBattery, SelectPowerButtonActionPluggedIn, SelectSleepButtonActionOnBattery, SelectSleepButtonActionPluggedIn, TurnOffHybridSleepOnBattery, TurnOffHybridSleepPluggedIn, UnattendedSleepTimeoutOnBattery, UnattendedSleepTimeoutPluggedIn.|
|[Policy CSP - Search](policy-csp-search.md)|Added the following new policy:<br>AllowFindMyFiles.|
|[Policy CSP - ServiceControlManager](policy-csp-servicecontrolmanager.md)|Added the following new policy:<br>SvchostProcessMitigation.|
|[Policy CSP - System](policy-csp-system.md)|Added the following new policies:<br>AllowCommercialDataPipeline, TurnOffFileHistory.|
|[Policy CSP - Troubleshooting](policy-csp-troubleshooting.md)|Added the following new policy:<br>AllowRecommendations.|
|[Policy CSP - Update](policy-csp-update.md)|Added the following new policies:<br>AutomaticMaintenanceWakeUp, ConfigureDeadlineForFeatureUpdates, ConfigureDeadlineForQualityUpdates, ConfigureDeadlineGracePeriod, ConfigureDeadlineNoAutoReboot.|
|[Policy CSP - WindowsLogon](policy-csp-windowslogon.md)|Added the following new policies:<br>AllowAutomaticRestartSignOn, ConfigAutomaticRestartSignOn, EnableFirstLogonAnimation.<br><br>Removed the following policy:<br>SignInLastInteractiveUserAutomaticallyAfterASystemInitiatedRestart. This policy is replaced by AllowAutomaticRestartSignOn.|
## April 2019
| New or updated article | Description |
|-------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| [Win32 and Desktop Bridge app policy configuration](win32-and-centennial-app-policy-configuration.md) | Added the following warning at the end of the Overview section:<br>Some operating system components have built in functionality to check devices for domain membership. MDM enforces the configured policy values only if the devices are domain joined, otherwise it doesn't. However, you can still import ADMX files and set ADMX-backed policies regardless of whether the device is domain joined or non-domain joined. |
| [Policy CSP - UserRights](policy-csp-userrights.md) | Added a note stating if you use Intune custom profiles to assign UserRights policies, you must use the CDATA tag (<![CDATA[...]]>) to wrap the data fields. |
## March 2019
|New or updated article | Description|
|--- | ---|
|[Policy CSP - Storage](policy-csp-storage.md)|Updated ADMX Info of the following policies:<br>AllowStorageSenseGlobal, AllowStorageSenseTemporaryFilesCleanup, ConfigStorageSenseCloudContentDehydrationThreshold, ConfigStorageSenseDownloadsCleanupThreshold, ConfigStorageSenseGlobalCadence, ConfigStorageSenseRecycleBinCleanupThreshold. <br><br>Updated description of ConfigStorageSenseDownloadsCleanupThreshold.|
## February 2019
|New or updated article | Description|
|--- | ---|
|[Policy CSP](policy-configuration-service-provider.md)|Updated supported policies for Holographic.|
## January 2019
|New or updated article | Description|
|--- | ---|
|[Policy CSP - Storage](policy-csp-storage.md)|Added the following new policies: AllowStorageSenseGlobal, ConfigStorageSenseGlobalCadence, AllowStorageSenseTemporaryFilesCleanup, ConfigStorageSenseRecycleBinCleanupThreshold, ConfigStorageSenseDownloadsCleanupThreshold, and ConfigStorageSenseCloudContentCleanupThreshold.|
|[SharedPC CSP](sharedpc-csp.md)|Updated values and supported operations.|
|[Mobile device management](index.yml)|Updated information about MDM Security Baseline.|
## December 2018
|New or updated article | Description|
|--- | ---|
|[BitLocker CSP](bitlocker-csp.md)|Updated AllowWarningForOtherDiskEncryption policy description to describe silent and non-silent encryption scenarios, as well as where and how the recovery key is backed up for each scenario.|
## September 2018
|New or updated article | Description|
|--- | ---|
|[Policy CSP - DeviceGuard](policy-csp-deviceguard.md) | Updated ConfigureSystemGuardLaunch policy and replaced EnableSystemGuard with it.|
## August 2018
|New or updated article|Description|
|--- |--- |
|[BitLocker CSP](bitlocker-csp.md)|Added support for Windows 10 Pro starting in the version 1809.|
|[Office CSP](office-csp.md)|Added FinalStatus setting in Windows 10, version 1809.|
|[RemoteWipe CSP](remotewipe-csp.md)|Added new settings in Windows 10, version 1809.|
|[TenantLockdown CSP](tenantlockdown-csp.md)|Added new CSP in Windows 10, version 1809.|
|[WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md)|Added new settings in Windows 10, version 1809.|
|[Policy DDF file](policy-ddf-file.md)|Posted an updated version of the Policy DDF for Windows 10, version 1809.|
|[Policy CSP](policy-configuration-service-provider.md)|Added the following new policies in Windows 10, version 1809:<li>Browser/AllowFullScreenMode<li>Browser/AllowPrelaunch<li>Browser/AllowPrinting<li>Browser/AllowSavingHistory<li>Browser/AllowSideloadingOfExtensions<li>Browser/AllowTabPreloading<li>Browser/AllowWebContentOnNewTabPage<li>Browser/ConfigureFavoritesBar<li>Browser/ConfigureHomeButton<li>Browser/ConfigureKioskMode<li>Browser/ConfigureKioskResetAfterIdleTimeout<li>Browser/ConfigureOpenMicrosoftEdgeWith<li>Browser/ConfigureTelemetryForMicrosoft365Analytics<li>Browser/PreventCertErrorOverrides<li>Browser/SetHomeButtonURL<li>Browser/SetNewTabPageURL<li>Browser/UnlockHomeButton<li>Experience/DoNotSyncBrowserSettings<li>Experience/PreventUsersFromTurningOnBrowserSyncing<li>Kerberos/UPNNameHints<li>Privacy/AllowCrossDeviceClipboard<li>Privacy<li>DisablePrivacyExperience<li>Privacy/UploadUserActivities<li>System/AllowDeviceNameInDiagnosticData<li>System/ConfigureMicrosoft365UploadEndpoint<li>System/DisableDeviceDelete<li>System/DisableDiagnosticDataViewer<li>Storage/RemovableDiskDenyWriteAccess<li>Update/UpdateNotificationLevel<br/><br/>Start/DisableContextMenus - added in Windows 10, version 1803.<br/><br/>RestrictedGroups/ConfigureGroupMembership - added new schema to apply and retrieve the policy.|
## July 2018
|New or updated article|Description|
|--- |--- |
|[AssignedAccess CSP](assignedaccess-csp.md)|Added the following note:<br/><br/>You can only assign one single app kiosk profile to an individual user account on a device. The single app profile doesn't support domain groups.|
|[PassportForWork CSP](passportforwork-csp.md)|Added new settings in Windows 10, version 1809.|
|[EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md)|Added NonRemovable setting under AppManagement node in Windows 10, version 1809.|
|[Win32CompatibilityAppraiser CSP](win32compatibilityappraiser-csp.md)|Added new configuration service provider in Windows 10, version 1809.|
|[WindowsLicensing CSP](windowslicensing-csp.md)|Added S mode settings and SyncML examples in Windows 10, version 1809.|
|[SUPL CSP](supl-csp.md)|Added three new certificate nodes in Windows 10, version 1809.|
|[Defender CSP](defender-csp.md)|Added a new node Health/ProductStatus in Windows 10, version 1809.|
|[BitLocker CSP](bitlocker-csp.md)|Added a new node AllowStandardUserEncryption in Windows 10, version 1809.|
|[DevDetail CSP](devdetail-csp.md)|Added a new node SMBIOSSerialNumber in Windows 10, version 1809.|
|[Policy CSP](policy-configuration-service-provider.md)|Added the following new policies in Windows 10, version 1809:<li>ApplicationManagement/LaunchAppAfterLogOn<li>ApplicationManagement/ScheduleForceRestartForUpdateFailures <li>Authentication/EnableFastFirstSignIn (Preview mode only)<li>Authentication/EnableWebSignIn (Preview mode only)<li>Authentication/PreferredAadTenantDomainName<li>Defender/CheckForSignaturesBeforeRunningScan<li>Defender/DisableCatchupFullScan <li>Defender/DisableCatchupQuickScan <li>Defender/EnableLowCPUPriority<li>Defender/SignatureUpdateFallbackOrder<li>Defender/SignatureUpdateFileSharesSources<li>DeviceGuard/ConfigureSystemGuardLaunch<li>DeviceInstallation/AllowInstallationOfMatchingDeviceIDs<li>DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses<li>DeviceInstallation/PreventDeviceMetadataFromNetwork<li>DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings<li>DmaGuard/DeviceEnumerationPolicy<li>Experience/AllowClipboardHistory<li>Security/RecoveryEnvironmentAuthentication<li>TaskManager/AllowEndTask<li>WindowsDefenderSecurityCenter/DisableClearTpmButton<li>WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning<li>WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl<li>WindowsLogon/DontDisplayNetworkSelectionUI<br/><br/>Recent changes:<li>DataUsage/SetCost3G - deprecated in Windows 10, version 1809.|
## June 2018
|New or updated article|Description|
|--- |--- |
|[Wifi CSP](wifi-csp.md)|Added a new node WifiCost in Windows 10, version 1809.|
|[Diagnose MDM failures in Windows 10](diagnose-mdm-failures-in-windows-10.md)|Recent changes:<li>Added procedure for collecting logs remotely from Windows 10 Holographic.<li>Added procedure for downloading the MDM Diagnostic Information log.|
|[BitLocker CSP](bitlocker-csp.md)|Added new node AllowStandardUserEncryption in Windows 10, version 1809.|
|[Policy CSP](policy-configuration-service-provider.md)|Recent changes:<li>AccountPoliciesAccountLockoutPolicy<li>AccountLockoutDuration - removed from docs. Not supported.<li>AccountPoliciesAccountLockoutPolicy/AccountLockoutThreshold - removed from docs. Not supported.<li>AccountPoliciesAccountLockoutPolicy/ResetAccountLockoutCounterAfter - removed from docs. Not supported.<li>LocalPoliciesSecurityOptions/NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers - removed from docs. Not supported.<li>System/AllowFontProviders isn't supported in HoloLens (first gen) Commercial Suite.<li>Security/RequireDeviceEncryption is supported in the Home SKU.<li>Start/StartLayout - added a table of SKU support information.<li>Start/ImportEdgeAssets - added a table of SKU support information.<br/><br/>Added the following new policies in Windows 10, version 1809:<li>Update/EngagedRestartDeadlineForFeatureUpdates<li>Update/EngagedRestartSnoozeScheduleForFeatureUpdates<li>Update/EngagedRestartTransitionScheduleForFeatureUpdates<li>Update/SetDisablePauseUXAccess<li>Update/SetDisableUXWUAccess|
|[WiredNetwork CSP](wirednetwork-csp.md)|New CSP added in Windows 10, version 1809.|
## May 2018
|New or updated article|Description|
|--- |--- |
|[Policy DDF file](policy-ddf-file.md)|Updated the DDF files in the Windows 10 version 1703 and 1709.<li>[Download the Policy DDF file for Windows 10, version 1709](https://download.microsoft.com/download/8/C/4/8C43C116-62CB-470B-9B69-76A3E2BC32A8/PolicyDDF_all.xml)<li>[Download the Policy DDF file for Windows 10, version 1703](https://download.microsoft.com/download/7/2/C/72C36C37-20F9-41BF-8E23-721F6FFC253E/PolicyDDF_all.xml)|
## April 2018
|New or updated article|Description|
|--- |--- |
|[WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md)|Added the following node in Windows 10, version 1803:<li>Settings/AllowVirtualGPU<li>Settings/SaveFilesToHost|
|[NetworkProxy CSP](networkproxy-csp.md)|Added the following node in Windows 10, version 1803:<li>ProxySettingsPerUser|
|[Accounts CSP](accounts-csp.md)|Added a new CSP in Windows 10, version 1803.|
|[CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download)|Added the DDF download of Windows 10, version 1803 configuration service providers.|
|[Policy CSP](policy-configuration-service-provider.md)|Added the following new policies for Windows 10, version 1803:<li>Bluetooth/AllowPromptedProximalConnections<li>KioskBrowser/EnableEndSessionButton<li>LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication<li>LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic<li>LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic<li>LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers|
## March 2018
|New or updated article|Description|
|--- |--- |
|[eUICCs CSP](euiccs-csp.md)|Added the following node in Windows 10, version 1803:<li>IsEnabled|
|[DeviceStatus CSP](devicestatus-csp.md)|Added the following node in Windows 10, version 1803:<li>OS/Mode|
|[Understanding ADMX-backed policies](understanding-admx-backed-policies.md)|Added the following videos:<li>[How to create a custom xml to enable an ADMX-backed policy and deploy the XML in Intune](https://www.microsoft.com/showcase/video.aspx?uuid=bdc9b54b-11b0-4bdb-a022-c339d16e7121)<li>[How to import a custom ADMX file to a device using Intune](https://www.microsoft.com/showcase/video.aspx?uuid=a59888b1-429f-4a49-8570-c39a143d9a73)|
|[AccountManagement CSP](accountmanagement-csp.md)|Added a new CSP in Windows 10, version 1803.|
|[RootCATrustedCertificates CSP](rootcacertificates-csp.md)|Added the following node in Windows 10, version 1803:<li>UntrustedCertificates|
|[Policy CSP](policy-configuration-service-provider.md)|Added the following new policies for Windows 10, version 1803:<li>ApplicationDefaults/EnableAppUriHandlers<li>ApplicationManagement/MSIAllowUserControlOverInstall<li>ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges<li>Connectivity/AllowPhonePCLinking<li>Notifications/DisallowCloudNotification<li>Notifications/DisallowTileNotification<li>RestrictedGroups/ConfigureGroupMembership<br/><br/>The following existing policies were updated:<li>Browser/AllowCookies - updated the supported values. There are three values - 0, 1, 2.<li>InternetExplorer/AllowSiteToZoneAssignmentList - updated the description and added an example SyncML<li>TextInput/AllowIMENetworkAccess - introduced new suggestion services in Japanese IME in addition to cloud suggestion.<br/><br/>Added a new section:<li>[[Policies in Policy CSP supported by Group Policy](/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy) - list of policies in Policy CSP that has corresponding Group Policy. The policy description contains the GP information, such as GP policy name and variable name.|
|[Policy CSP - Bluetooth](policy-csp-bluetooth.md)|Added new section [ServicesAllowedList usage guide](policy-csp-bluetooth.md#servicesallowedlist-usage-guide).|
|[MultiSIM CSP](multisim-csp.md)|Added SyncML examples and updated the settings descriptions.|
|[RemoteWipe CSP](remotewipe-csp.md)|Reverted back to Windows 10, version 1709. Removed previous draft documentation for version 1803.|
## February 2018
|New or updated article|Description|
|--- |--- |
|[Policy CSP](policy-configuration-service-provider.md)|Added the following new policies for Windows 10, version 1803:<li>Display/DisablePerProcessDpiForApps<li>Display/EnablePerProcessDpi<li>Display/EnablePerProcessDpiForApps<li>Experience/AllowWindowsSpotlightOnSettings<li>TextInput/ForceTouchKeyboardDockedState<li>TextInput/TouchKeyboardDictationButtonAvailability<li>TextInput/TouchKeyboardEmojiButtonAvailability<li>TextInput/TouchKeyboardFullModeAvailability<li>TextInput/TouchKeyboardHandwritingModeAvailability<li>TextInput/TouchKeyboardNarrowModeAvailability<li>TextInput/TouchKeyboardSplitModeAvailability<li>TextInput/TouchKeyboardWideModeAvailability|
|[VPNv2 ProfileXML XSD](vpnv2-profile-xsd.md)|Updated the XSD and Plug-in profile example for VPNv2 CSP.|
|[AssignedAccess CSP](assignedaccess-csp.md)|Added the following nodes in Windows 10, version 1803:<li>Status<li>ShellLauncher<li>StatusConfiguration<br/><br/>Updated the AssigneAccessConfiguration schema. Starting in Windows 10, version 1803 AssignedAccess CSP is supported in HoloLens (first gen) Commercial Suite. Added example for HoloLens (first gen) Commercial Suite.|
|[MultiSIM CSP](multisim-csp.md)|Added a new CSP in Windows 10, version 1803.|
|[EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md)|Added the following node in Windows 10, version 1803:<li>MaintainProcessorArchitectureOnUpdate|
## January 2018
|New or updated article|Description|
|--- |--- |
|[Policy CSP](policy-configuration-service-provider.md)|Added the following new policies for Windows 10, version 1803:<li>Browser/AllowConfigurationUpdateForBooksLibrary<li>Browser/AlwaysEnableBooksLibrary<li>Browser/EnableExtendedBooksTelemetry<li>Browser/UseSharedFolderForBooks<li>DeliveryOptimization/DODelayBackgroundDownloadFromHttp<li>DeliveryOptimization/DODelayForegroundDownloadFromHttp<li>DeliveryOptimization/DOGroupIdSource<li>DeliveryOptimization/DOPercentageMaxBackDownloadBandwidth<li>DeliveryOptimization/DOPercentageMaxForeDownloadBandwidth<li>DeliveryOptimization/DORestrictPeerSelectionBy<li>DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth<li>DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth<li>KioskBrowser/BlockedUrlExceptions<li>KioskBrowser/BlockedUrls<li>KioskBrowser/DefaultURL<li>KioskBrowser/EnableHomeButton<li>KioskBrowser/EnableNavigationButtons<li>KioskBrowser/RestartOnIdleTime<li>LocalPoliciesSecurityOptions/Devices_AllowUndockWithoutHavingToLogon<li>LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia<li>LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters<li>LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly<li>LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior<li>LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees<li>LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers<li>LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways<li>LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees<li>LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts<li>LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares<li>LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares<li>LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM<li>LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange<li>LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel<li>LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients<li>LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers<li>LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile<li>LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation<li>LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode<li>RestrictedGroups/ConfigureGroupMembership<li>Search/AllowCortanaInAAD<li>Search/DoNotUseWebResults<li>Security/ConfigureWindowsPasswords<li>System/FeedbackHubAlwaysSaveDiagnosticsLocally<li>SystemServices/ConfigureHomeGroupListenerServiceStartupMode<li>SystemServices/ConfigureHomeGroupProviderServiceStartupMode<li>SystemServices/ConfigureXboxAccessoryManagementServiceStartupMode<li>SystemServices/ConfigureXboxLiveAuthManagerServiceStartupMode<li>SystemServices/ConfigureXboxLiveGameSaveServiceStartupMode<li>SystemServices/ConfigureXboxLiveNetworkingServiceStartupMode<li>TaskScheduler/EnableXboxGameSaveTask<li>TextInput/EnableTouchKeyboardAutoInvokeInDesktopMode<li>Update/ConfigureFeatureUpdateUninstallPeriod<li>UserRights/AccessCredentialManagerAsTrustedCaller<li>UserRights/AccessFromNetwork<li>UserRights/ActAsPartOfTheOperatingSystem<li>UserRights/AllowLocalLogOn<li>UserRights/BackupFilesAndDirectories<li>UserRights/ChangeSystemTime<li>UserRights/CreateGlobalObjects<li>UserRights/CreatePageFile<li>UserRights/CreatePermanentSharedObjects<li>UserRights/CreateSymbolicLinks<li>UserRights/CreateToken<li>UserRights/DebugPrograms<li>UserRights/DenyAccessFromNetwork<li>UserRights/DenyLocalLogOn<li>UserRights/DenyRemoteDesktopServicesLogOn<li>UserRights/EnableDelegation<li>UserRights/GenerateSecurityAudits<li>UserRights/ImpersonateClient<li>UserRights/IncreaseSchedulingPriority<li>UserRights/LoadUnloadDeviceDrivers<li>UserRights/LockMemory<li>UserRights/ManageAuditingAndSecurityLog<li>UserRights/ManageVolume<li>UserRights/ModifyFirmwareEnvironment<li>UserRights/ModifyObjectLabel<li>UserRights/ProfileSingleProcess<li>UserRights/RemoteShutdown<li>UserRights/RestoreFilesAndDirectories<li>UserRights/TakeOwnership<li>WindowsDefenderSecurityCenter/DisableAccountProtectionUI<li>WindowsDefenderSecurityCenter/DisableDeviceSecurityUI<li>WindowsDefenderSecurityCenter/HideRansomwareDataRecovery<li>WindowsDefenderSecurityCenter/HideSecureBoot<li>WindowsDefenderSecurityCenter/HideTPMTroubleshooting<br/><br/>Added the following policies in Windows 10, version 1709<li>DeviceLock/MinimumPasswordAge<li>Settings/AllowOnlineTips<li>System/DisableEnterpriseAuthProxy<br/><br/>Security/RequireDeviceEncryption - updated to show it's supported in desktop.|
|[BitLocker CSP](bitlocker-csp.md)|Updated the description for AllowWarningForOtherDiskEncryption to describe changes added in Windows 10, version 1803.|
|[EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md)|Added new node MaintainProcessorArchitectureOnUpdate in Windows 10, next major update.|
|[DMClient CSP](dmclient-csp.md)|Added ./User/Vendor/MSFT/DMClient/Provider/[ProviderID]/FirstSyncStatus node. Also added the following nodes in Windows 10, version 1803:<li>AADSendDeviceToken<li>BlockInStatusPage<li>AllowCollectLogsButton<li>CustomErrorText<li>SkipDeviceStatusPage<li>SkipUserStatusPage|
|[Defender CSP](defender-csp.md)|Added new node (OfflineScan) in Windows 10, version 1803.|
|[UEFI CSP](uefi-csp.md)|Added a new CSP in Windows 10, version 1803.|
|[Update CSP](update-csp.md)|Added the following nodes in Windows 10, version 1803:<li>Rollback<li>Rollback/FeatureUpdate<li>Rollback/QualityUpdateStatus<li>Rollback/FeatureUpdateStatus|
## December 2017
|New or updated article|Description|
|--- |--- |
|[Configuration service provider reference](configuration-service-provider-reference.md)|Added new section [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download)|
## November 2017
|New or updated article|Description|
|--- |--- |
|[Policy CSP](policy-configuration-service-provider.md)|Added the following policies for Windows 10, version 1709:<li>Authentication/AllowFidoDeviceSignon<li>Cellular/LetAppsAccessCellularData<li>Cellular/LetAppsAccessCellularData_ForceAllowTheseApps<li>Cellular/LetAppsAccessCellularData_ForceDenyTheseApps<li>Cellular/LetAppsAccessCellularData_UserInControlOfTheseApps<li>Start/HidePeopleBar<li>Storage/EnhancedStorageDevices<li>Update/ManagePreviewBuilds<li>WirelessDisplay/AllowMdnsAdvertisement<li>WirelessDisplay/AllowMdnsDiscovery<br/><br/>Added missing policies from previous releases:<li>Connectivity/DisallowNetworkConnectivityActiveTest<li>Search/AllowWindowsIndexer|
## October 2017
| New or updated article | Description |
| --- | --- |
| [Policy DDF file](policy-ddf-file.md) | Updated the DDF content for Windows 10 version 1709. Added a link to the download of Policy DDF for Windows 10, version 1709. |
| [Policy CSP](policy-configuration-service-provider.md) | Updated the following policies:<br/><br/>- Defender/ControlledFolderAccessAllowedApplications - string separator is `|` <br/>- Defender/ControlledFolderAccessProtectedFolders - string separator is `|` |
| [eUICCs CSP](euiccs-csp.md) | Added new CSP in Windows 10, version 1709. |
| [AssignedAccess CSP](assignedaccess-csp.md) | Added SyncML examples for the new Configuration node. |
| [DMClient CSP](dmclient-csp.md) | Added new nodes to the DMClient CSP in Windows 10, version 1709. Updated the CSP and DDF topics. |
## September 2017
|New or updated article|Description|
|--- |--- |
|[Policy CSP](policy-configuration-service-provider.md)|Added the following new policies for Windows 10, version 1709:<li>Authentication/AllowAadPasswordReset<li>Handwriting/PanelDefaultModeDocked<li>Search/AllowCloudSearch<li>System/LimitEnhancedDiagnosticDataWindowsAnalytics<br/><br/>Added new settings to Update/BranchReadinessLevel policy in Windows 10 version 1709.|
|[AssignedAccess CSP](assignedaccess-csp.md)|Starting in Windows 10, version 1709, AssignedAccess CSP is also supported in Windows 10 Pro.|
|Microsoft Store for Business and Microsoft Store|Windows Store for Business name changed to Microsoft Store for Business. Windows Store name changed to Microsoft Store.|
|The [[MS-MDE2]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692)|The Windows 10 enrollment protocol was updated. The following elements were added to the RequestSecurityToken message:<li>UXInitiated - boolean value that indicates whether the enrollment is user initiated from the Settings page.<li>ExternalMgmtAgentHint - a string the agent uses to give hints the enrollment server may need.<li>DomainName - fully qualified domain name if the device is domain-joined.<br/><br/>For examples, see section 4.3.1 RequestSecurityToken of the MS-MDE2 protocol documentation.|
|[EnterpriseAPN CSP](enterpriseapn-csp.md)|Added a SyncML example.|
|[VPNv2 CSP](vpnv2-csp.md)|Added RegisterDNS setting in Windows 10, version 1709.|
|[Enroll a Windows 10 device automatically using Group Policy](enroll-a-windows-10-device-automatically-using-group-policy.md)|Added new topic to introduce a new Group Policy for automatic MDM enrollment.|
|[MDM enrollment of Windows-based devices](mdm-enrollment-of-windows-devices.md)|New features in the Settings app:<li>User sees installation progress of critical policies during MDM enrollment.<li>User knows what policies, profiles, apps MDM has configured<li>IT helpdesk can get detailed MDM diagnostic information using client tools<br/><br/>For details, see [Managing connections](mdm-enrollment-of-windows-devices.md#manage-connections) and [Collecting diagnostic logs](mdm-enrollment-of-windows-devices.md#collecting-diagnostic-logs)|
## August 2017
|New or updated article|Description|
|--- |--- |
|[Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md)|Added new step-by-step guide to enable ADMX-backed policies.|
|[Mobile device enrollment](mobile-device-enrollment.md)|Added the following statement:<br/><br/>Devices that are joined to an on-premises Active Directory can enroll into MDM via the Work access page in Settings. However, the enrollment can only target the user enrolled with user-specific policies. Device targeted policies will continue to impact all users of the device.|
|[CM_CellularEntries CSP](cm-cellularentries-csp.md)|Updated the description of the PuposeGroups node to add the GUID for applications. This node is required instead of optional.|
|[EnterpriseDataProtection CSP](enterprisedataprotection-csp.md)|Updated the Settings/EDPEnforcementLevel values to the following values:<li> 0 (default) Off / No protection (decrypts previously protected data).<li> 1 Silent mode (encrypt and audit only).<li> 2 Allow override mode (encrypt, prompt and allow overrides, and audit).<li> 3 Hides overrides (encrypt, prompt but hide overrides, and audit).|
|[AppLocker CSP](applocker-csp.md)|Added two new SyncML examples (to disable the calendar app and to block usage of the map app) in [Allowlist examples](applocker-csp.md#allow-list-examples).|
|[DeviceManageability CSP](devicemanageability-csp.md)|Added the following settings in Windows 10, version 1709:<li>Provider/ProviderID/ConfigInfo<li> Provider/ProviderID/EnrollmentInfo|
|[Office CSP](office-csp.md)|Added the following setting in Windows 10, version 1709:<li>Installation/CurrentStatus|
|[BitLocker CSP](bitlocker-csp.md)|Added information to the ADMX-backed policies. Changed the minimum personal identification number (PIN) length to four digits in SystemDrivesRequireStartupAuthentication and SystemDrivesMinimumPINLength in Windows 10, version 1709.|
|[Firewall CSP](firewall-csp.md)|Updated the CSP and DDF topics. Here are the changes:<li>Removed the two settings - FirewallRules/FirewallRuleName/FriendlyName and FirewallRules/FirewallRuleName/IcmpTypesAndCodes.<li>Changed some data types from integer to bool.<li>Updated the list of supported operations for some settings.<li>Added default values.|
|[Policy DDF file](policy-ddf-file.md)|Added another Policy DDF file [download](https://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607_8C.xml) for the 8C release of Windows 10, version 1607, which added the following policies:<li>Browser/AllowMicrosoftCompatibilityList<li>Update/DisableDualScan<li>Update/FillEmptyContentUrls|
|[Policy CSP](policy-configuration-service-provider.md)|Added the following new policies for Windows 10, version 1709:<li>Browser/ProvisionFavorites<li>Browser/LockdownFavorites<li>ExploitGuard/ExploitProtectionSettings<li>Games/AllowAdvancedGamingServices<li>LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts<li>LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly<li>LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount<li>LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount<li>LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked<li>LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayLastSignedIn<li>LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayUsernameAtSignIn<li>LocalPoliciesSecurityOptions/Interactivelogon_DoNotRequireCTRLALTDEL<li>LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit<li>LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn<li>LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn<li>LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests<li>LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn<li>LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation<li>LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators<li>LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers<li>LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated<li>LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations<li>LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode<li>LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation<li>LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations<li>Privacy/EnableActivityFeed<li>Privacy/PublishUserActivities<li>Update/DisableDualScan<li>Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork<br/><br/>Changed the name of new policy to CredentialProviders/DisableAutomaticReDeploymentCredentials from CredentialProviders/EnableWindowsAutopilotResetCredentials.<br/><br/>Changed the names of the following policies:<li>Defender/GuardedFoldersAllowedApplications to Defender/ControlledFolderAccessAllowedApplications<li>Defender/GuardedFoldersList to Defender/ControlledFolderAccessProtectedFolders<li>Defender/EnableGuardMyFolders to Defender/EnableControlledFolderAccess<br/><br/>Added links to the extra [ADMX-backed BitLocker policies](policy-csp-bitlocker.md).<br/><br/>There were issues reported with the previous release of the following policies. These issues were fixed in Windows 10, version 1709:<li>Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts<li>Start/HideAppList|

130
windows/client-management/mdm/config-lock.md
View File

@ -1,130 +0,0 @@
---
title: Secured-core configuration lock
description: A secured-core PC (SCPC) feature that prevents configuration drift from secured-core PC features caused by unintentional misconfiguration.
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: w11
ms.technology: windows
author: vinaypamnani-msft
ms.date: 05/24/2022
---
# Secured-core PC configuration lock
**Applies to**
- Windows 11
In an enterprise organization, IT administrators enforce policies on their corporate devices to keep the devices in a compliant state and protect the OS by preventing users from changing configurations and creating config drift. Config drift occurs when users with local admin rights change settings and put the device out of sync with security policies. Devices in a non-compliant state can be vulnerable until the next sync and configuration reset with the MDM. Windows 11 with config lock enables IT administrators to prevent config drift and keep the OS configuration in the desired state. With config lock, the OS monitors the registry keys that configure each feature and when it detects a drift, reverts to the IT-desired state in seconds.
Secured-core configuration lock (config lock) is a new [secured-core PC (SCPC)](/windows-hardware/design/device-experiences/oem-highly-secure) feature that prevents configuration drift from secured-core PC features caused by unintentional misconfiguration. In short, it ensures a device intended to be a secured-core PC remains a secured-core PC.
To summarize, config lock:
- Enables IT to "lock" secured-core PC features when managed through MDM
- Detects drift remediates within seconds
- Doesn't prevent malicious attacks
## Configuration Flow
After a secured-core PC reaches the desktop, config lock will prevent configuration drift by detecting if the device is a secured-core PC or not. When the device isn't a secured-core PC, the lock won't apply. If the device is a secured-core PC, config lock will lock the policies listed under [List of locked policies](#list-of-locked-policies).
## System Requirements
Config lock will be available for all Windows Professional and Enterprise Editions running on [secured-core PCs](/windows-hardware/design/device-experiences/oem-highly-secure).
## Enabling config lock using Microsoft Intune
Config lock isn't enabled by default, or turned on by the OS during boot. Rather, you need to turn it on.
The steps to turn on config lock using Microsoft Endpoint Manager (Microsoft Intune) are as follows:
1. Ensure that the device to turn on config lock is enrolled in Microsoft Intune.
1. From the Microsoft Intune portal main page, select **Devices** > **Configuration Profiles** > **Create a profile**.
1. Select the following and press **Create**:
- **Platform**: Windows 10 and later
- **Profile type**: Templates
- **Template name**: Custom
:::image type="content" source="images/configlock-mem-createprofile.png" alt-text="In Configuration profiles, the Create a profile page is showing, with the Platform set to Windows 10 and later, and a Profile Type of Templates.":::
1. Name your profile.
1. When you reach the Configuration Settings step, select "Add" and add the following information:
- **OMA-URI**: ./Vendor/MSFT/DMClient/Provider/MS%20DM%20Server/ConfigLock/Lock
- **Data type**: Integer
- **Value**: 1 </br>
To turn off config lock, change the value to 0.
:::image type="content" source="images/configlock-mem-editrow.png" alt-text="In the Configuration settings step, the Edit Row page is shown with a Name of config lock, a Description of Turn on config lock and the OMA-URI set as above, along with a Data type of Integer set to a Value of 1.":::
1. Select the devices to turn on config lock. If you're using a test tenant, you can select "+ Add all devices".
1. You'll not need to set any applicability rules for test purposes.
1. Review the Configuration and select "Create" if everything is correct.
1. After the device syncs with the Microsoft Intune server, you can confirm if the config lock was successfully enabled.
:::image type="content" source="images/configlock-mem-dev.png" alt-text="The Profile assignment status dashboard when viewing the config lock device configuration profile, showing one device has succeeded in having this profile applied.":::
:::image type="content" source="images/configlock-mem-devstatus.png" alt-text="The Device Status for the config lock Device Configuration Profile, showing one device with a Deployment Status as Succeeded and two with Pending.":::
## Configuring secured-core PC features
Config lock is designed to ensure that a secured-core PC isn't unintentionally misconfigured. You keep the ability to enable or disable SCPC features, for example, firmware protection. You can make these changes with group policies or MDM services like Microsoft Intune.
:::image type="content" source="images/configlock-mem-firmwareprotect.png" alt-text="The Defender Firmware protection setting, with a description of Windows Defender System Guard protects your device from compromised firmware. The setting is set to Off.":::
## FAQ
- Can I disable config lock? Yes. You can use MDM to turn off config lock completely or put it in temporary unlock mode for helpdesk activities.
### List of locked policies
|**CSPs** |
|-----|
|[BitLocker](bitlocker-csp.md) |
|[PassportForWork](passportforwork-csp.md) |
|[WindowsDefenderApplicationGuard](windowsdefenderapplicationguard-csp.md) |
|[ApplicationControl](applicationcontrol-csp.md)
|**MDM policies** | **Supported by Group Policy** |
|-----|-----|
|[DataProtection/AllowDirectMemoryAccess](policy-csp-dataprotection.md) | No |
|[DataProtection/LegacySelectiveWipeID](policy-csp-dataprotection.md) | No |
|[DeviceGuard/ConfigureSystemGuardLaunch](policy-csp-deviceguard.md) | Yes |
|[DeviceGuard/EnableVirtualizationBasedSecurity](policy-csp-deviceguard.md) | Yes |
|[DeviceGuard/LsaCfgFlags](policy-csp-deviceguard.md) | Yes |
|[DeviceGuard/RequirePlatformSecurityFeatures](policy-csp-deviceguard.md) | Yes |
|[DeviceInstallation/AllowInstallationOfMatchingDeviceIDs](policy-csp-deviceinstallation.md) | Yes |
|[DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs](policy-csp-deviceinstallation.md) | Yes |
|[DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses](policy-csp-deviceinstallation.md) | Yes |
|[DeviceInstallation/PreventDeviceMetadataFromNetwork](policy-csp-deviceinstallation.md) | Yes |
|[DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings](policy-csp-deviceinstallation.md) | Yes |
|[DeviceInstallation/PreventInstallationOfMatchingDeviceIDs](policy-csp-deviceinstallation.md) | Yes |
|[DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs](policy-csp-deviceinstallation.md) | Yes |
|[DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses](policy-csp-deviceinstallation.md) | Yes |
|[DmaGuard/DeviceEnumerationPolicy](policy-csp-dmaguard.md) | Yes |
|[WindowsDefenderSecurityCenter/CompanyName](policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/DisableAccountProtectionUI](policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/DisableAppBrowserUI](policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/DisableClearTpmButton](policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/DisableDeviceSecurityUI](policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/DisableEnhancedNotifications](policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/DisableFamilyUI](policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/DisableHealthUI](policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/DisableNetworkUI](policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/DisableNotifications](policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning](policy-csp-windowsdefendersecuritycenter.md)| Yes |
|[WindowsDefenderSecurityCenter/DisableVirusUI](policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride](policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/Email](policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/EnableCustomizedToasts](policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/EnableInAppCustomization](policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/HideRansomwareDataRecovery](policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/HideSecureBoot](policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/HideTPMTroubleshooting](policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl](policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/Phone](policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/URL](policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[SmartScreen/EnableAppInstallControl](policy-csp-smartscreen.md)| Yes |
|[SmartScreen/EnableSmartScreenInShell](policy-csp-smartscreen.md) | Yes |
|[SmartScreen/PreventOverrideForFilesInShell](policy-csp-smartscreen.md) | Yes |

1121
windows/client-management/mdm/configuration-service-provider-reference.md
View File

File diff suppressed because it is too large Load Diff

312
windows/client-management/mdm/data-structures-windows-store-for-business.md
View File

@ -1,312 +0,0 @@
---
title: Data structures for Microsoft Store for Business
description: Learn about the various data structures for Microsoft Store for Business.
MS-HAID:
- 'p\_phdevicemgmt.business\_store\_data\_structures'
- 'p\_phDeviceMgmt.data\_structures\_windows\_store\_for\_business'
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: w10
ms.technology: windows
author: vinaypamnani-msft
ms.date: 09/18/2017
---
# Data structures for Microsoft Store for Business
Here's the list of data structures used in the Microsoft Store for Business REST APIs:
- [AlternateIdentifier](#alternateidentifier)
- [BulkSeatOperationResultSet](#bulkseatoperationresultset)
- [FailedSeatRequest](#failedseatrequest)
- [FrameworkPackageDetails](#frameworkpackagedetails)
- [InventoryDistributionPolicy](#inventorydistributionpolicy)
- [InventoryEntryDetails](#inventoryentrydetails)
- [InventoryResultSet](#inventoryresultset)
- [InventoryStatus](#inventorystatus)
- [LicenseType](#licensetype)
- [LocalizedProductDetail](#localizedproductdetail)
- [OfflineLicense](#offlinelicense)
- [PackageContentInfo](#packagecontentinfo)
- [PackageLocation](#packagelocation)
- [ProductArchitectures](#productarchitectures)
- [ProductDetails](#productdetails)
- [ProductImage](#productimage)
- [ProductKey](#productkey)
- [ProductPackageDetails](#productpackagedetails)
- [ProductPackageFormat](#productpackageformat)
- [ProductPackageSet](#productpackageset)
- [ProductPlatform](#productplatform)
- [PublisherDetails](#publisherdetails)
- [SeatAction](#seataction)
- [SeatDetails](#seatdetails)
- [SeatDetailsResultSet](#seatdetailsresultset)
- [SeatState](#seatstate)
- [SupportedProductPlatform](#supportedproductplatform)
- [VersionInfo](#versioninfo)
## AlternateIdentifier
Specifies the properties of the alternate identifier.
|Name|Type|Description|
|--- |--- |--- |
|Type|String|LegacyWindowStoreProductId, LegacyWindowsPhoneProductId, RedirectToThresholdProductId|
|Value|String||
## BulkSeatOperationResultSet
|Name|Type|
|--- |--- |
|seatDetails|Collection of [SeatDetails](#seatdetails)|
|failedSeatOperations|Collection of [FailedSeatRequest](#failedseatrequest)|
## FailedSeatRequest
|Name|Type|
|--- |--- |
|failureReason|String|
|productKey|[ProductKey](#productkey)|
|userName|String|
## FrameworkPackageDetails
|Name|Type|Description|
|--- |--- |--- |
|packageId|String||
|contentId|String|Identifies a specific application.|
|Location|[PackageLocation](#packagelocation)||
|packageFullName|String||
|packageIdentityName|String||
|Architectures|Collection of [ProductArchitectures](#productarchitectures)||
|packageFormat|[ProductPackageFormat](#productpackageformat)||
|Platforms|Collection of [ProductPlatform](#productplatform)||
|fileSize|integer-64|Size of the file.|
|packageRank|integer-32|Optional|
## InventoryDistributionPolicy
|Name|Description|
|--- |--- |
|Open|Open distribution policy - licenses/seats can be assigned/consumed without limit|
|Restricted|Restricted distribution policy - licenses/seats must be assigned/consumed according to the available count|
## InventoryEntryDetails
|Name|Type|Description|
|--- |--- |--- |
|productKey|[ProductKey](#productkey)|Identifier used on subsequent requests to get more content including product descriptions, offline license, and download URLs.|
|seatCapacity|integer-64|Total number of seats that have been purchased for an application.|
|availableSeats|integer-64|Number of available seats remaining for an application.|
|lastModified|dateTime|Specifies the last modified date for an application. Modifications for an application include updated product details, updates to an application, and updates to the quantity of an application.|
|licenseType|[LicenseType](#licensetype)|Indicates whether the set of seats for a given application supports online or offline licensing.|
|distributionPolicy|[InventoryDistributionPolicy](#inventorydistributionpolicy)||
|status|[InventoryStatus](#inventorystatus)||
## InventoryResultSet
|Name|Type|Description|
|--- |--- |--- |
|continuationToken|String|Only available if there is a next page.|
|inventoryEntries|Collection of [InventoryEntryDetails](#inventoryentrydetails)||
## InventoryStatus
|Name|Description|
|--- |--- |
|Active|Entry is available in the organizations inventory.|
|Removed|Entry has been removed from the organizations inventory.|
## LicenseType
|Name|Description|
|--- |--- |
|Online|Online license application.|
|Offline|Offline license application.|
## LocalizedProductDetail
Specifies the properties of the localized product.
|Name|Type|Description|
|--- |--- |--- |
|Language|String|Language or fallback language if the specified language is not available.|
|displayName|String|Display name of the application.|
|Description|String|App description provided by developer can be up to 10,000 characters.|
|Images|Collection of [ProductImage](#productimage)|Artwork and icon associated with the application.|
|Publisher|[PublisherDetails](#publisherdetails)|Publisher of the application.|
## OfflineLicense
|Name|Type|Description|
|--- |--- |--- |
|productKey|[ProductKey](#productkey)|Identifies a set of seats associated with an application.|
|licenseBlob|String|Base-64 encoded offline license that can be installed via a CSP.|
|licenseInstanceId|String|Version of the license.|
|requestorId|String|Organization requesting the license.|
|contentId|String|Identifies the specific license required by an application.|
## PackageContentInfo
|Name|Type|
|--- |--- |
|productPlatforms|Collection of ProductPlatform|
|packageFormat|String|
## PackageLocation
|Name|Type|Description|
|--- |--- |--- |
|Url|URI|CDN location of the packages. URL expiration is based on the estimated time to download the package.|
## ProductArchitectures
|Name|
|--- |
|Neutral|
|Arm|
|x86|
|x64|
## ProductDetails
|Name|Type|Description|
|--- |--- |--- |
|productKey|[ProductKey](#productkey)|Identifier used on subsequent requests to get more content including product descriptions, offline license, and download URLs.|
|productType|String|Type of product.|
|supportedLanguages|Collection of string|The set of localized languages for an application.|
|publisherId|String|Publisher identifier.|
|Category|String|Application category.|
|alternateIds|Collection of [AlternateIdentifier](#alternateidentifier)|The identifiers that can be used to instantiate the installation of on online application.|
|packageFamilyName|String||
|supportedPlatforms|Collection of [ProductPlatform](#productplatform)||
## ProductImage
Specifies the properties of the product image.
|Name|Type|Description|
|--- |--- |--- |
|location|URI|Location of the download image.|
|purpose|string|Tag for the image, for example "screenshot" or "logo".|
|height|string|Height of the image in pixels.|
|width|string|Width of the image in pixels.|
|caption|string|Unlimited length.|
|backgroundColor|string|Format "#RRGGBB"|
|foregroundColor|string|Format "#RRGGBB"|
|fileSize|integer-64|Size of the file.|
## ProductKey
Specifies the properties of the product key.
|Name|Type|Description|
|--- |--- |--- |
|productId|String|Product identifier for an application that is used by the Store for Business.|
|skuId|String|Product identifier that specifies a specific SKU of an application.|
## ProductPackageDetails
|Name|Type|Description|
|--- |--- |--- |
|frameworkDependencyPackages|Collection of [FrameworkPackageDetails](#frameworkpackagedetails)||
|packageId|String||
|contentId|String|Identifies a specific application.|
|Location|[PackageLocation](#packagelocation)||
|packageFullName|String|Example, Microsoft.BingTranslator_1.1.10917.2059_x86__8wekyb3d8bbwe|
|packageIdentityName|String|Example, Microsoft.BingTranslator|
|Architectures|Collection of [ProductArchitectures](#productarchitectures)|Values {x86, x64, arm, neutral}|
|packageFormat|[ProductPackageFormat](#productpackageformat)|Extension of the package file.|
|Platforms|Collection of [ProductPlatform](#productplatform)||
|fileSize|integer-64|Size of the file.|
|packageRank|integer-32|Optional|
## ProductPackageFormat
|Name|
|--- |
|Appx|
|appxBundle|
|Xap|
## ProductPackageSet
|Name|Type|Description|
|--- |--- |--- |
|packageSetId|String|An identifier for the particular combination of application packages.|
|productPackages|Collection of [ProductPackageDetails](#productpackagedetails)|A collection of application packages.|
## ProductPlatform
|Name|Type|
|--- |--- |
|platformName|String|
|minVersion|[VersionInfo](#versioninfo)|
|maxTestedVersion|[VersionInfo](#versioninfo)|
## PublisherDetails
Specifies the properties of the publisher details.
|Name|Type|Description|
|--- |--- |--- |
|publisherName|String|Name of the publisher.|
|publisherWebsite|String|Website of the publisher.|
## SeatAction
|Name|
|--- |
|Assign|
|Reclaim|
## SeatDetails
|Name|Type|Description|
|--- |--- |--- |
|assignedTo|String|Format = UPN (user@domain)|
|dateAssigned|Datetime||
|State|[SeatState](#seatstate)||
|productKey|[ProductKey](#productkey)||
## SeatDetailsResultSet
|Name|Type|
|--- |--- |
|Seats|Collection of [SeatDetails](#seatdetails)|
|continuationToken|String|
## SeatState
|Name|
|--- |
|Active|
|Revoked|
## SupportedProductPlatform
|Name|Type|
|--- |--- |
|platformName|String|
|minVersion|[VersionInfo](#versioninfo)|
|maxTestedVersion|[VersionInfo](#versioninfo)|
|Architectures|Collection of [ProductArchitectures](#productarchitectures)|
## VersionInfo
|Name|Type|
|--- |--- |
|Major|integer-32|
|Minor|integer-32|
|Build|integer-32|
|Revision|integer-32|

942
windows/client-management/mdm/device-update-management.md
View File

@ -1,942 +0,0 @@
---
title: Mobile device management MDM for device updates
description: Windows 10 provides several APIs to help mobile device management (MDM) solutions manage updates. Learn how to use these APIs to implement update management.
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: w10
ms.technology: windows
author: vinaypamnani-msft
ms.date: 11/15/2017
ms.collection: highpri
---
# Mobile device management (MDM) for device updates
>[!TIP]
>If you're not a developer or administrator, you'll find more helpful information in the [Windows Update: Frequently Asked Questions](https://support.microsoft.com/help/12373/windows-update-faq).
With PCs, tablets, phones, and IoT devices, Mobile Device Management (MDM) solutions are becoming prevalent as a lightweight device management technology. In Windows 10, we're investing heavily in extending the management capabilities available to MDMs. One key feature we're adding is the ability for MDMs to keep devices up to date with the latest Microsoft updates.
In particular, Windows 10 provides APIs to enable MDMs to:
- Ensure machines stay up to date by configuring Automatic Update policies.
- Test updates on a smaller set of machines by configuring which updates are approved for a given device. Then, do an enterprise-wide rollout.
- Get compliance status of managed devices. IT can understand which machines still need a security patch, or how current is a particular machine.
This article provides independent software vendors (ISV) with the information they need to implement update management in Windows 10.
In Windows 10, the MDM protocol has been extended to better enable IT admins to manage updates. In particular, Windows has added configuration service providers (CSPs) that expose policies and actions for MDMs to:
- Configure automatic update policies to ensure devices stay up to date.
- Get device compliance information (the list of updates that are needed but not yet installed).
- Enter a per-device update approval list. The list makes sure devices only install updates that are approved and tested.
- Approve end-user license agreements (EULAs) for the end user so update deployment can be automated even for updates with EULAs.
The OMA DM APIs for specifying update approvals and getting compliance status refer to updates by using an Update ID. The Update ID is a GUID that identifies a particular update. The MDM will want to show IT-friendly information about the update, instead of a raw GUID, including the updates title, description, KB, update type, like a security update or service pack. For more information, see [\[MS-WSUSSS\]: Windows Update Services: Server-Server Protocol](/openspecs/windows_protocols/ms-wsusss/f49f0c3e-a426-4b4b-b401-9aeb2892815c).
For more information about the CSPs, see [Update CSP](update-csp.md) and the update policy area of the [Policy CSP](policy-configuration-service-provider.md).
The following diagram provides a conceptual overview of how this works:
![mobile device update management.](images/mdm-update-sync.png)
The diagram can be roughly divided into three areas:
- The Device Management service syncs update information (title, description, applicability) from Microsoft Update using the Server-Server sync protocol (top of the diagram).
- The Device Management service sets automatic update policies, obtains update compliance information, and sets approvals via OMA DM (left portion of the diagram).
- The device gets updates from Microsoft Update using client/server protocol. It only downloads and installs updates that apply to the device and are approved by IT (right portion of the diagram).
## <a href="" id="gettingupdatemetadata"></a>Getting update metadata using the Server-Server sync protocol
The Microsoft Update Catalog contains many updates that aren't needed by MDM-managed devices. It includes updates for legacy software, like updates to servers, down-level desktop operating systems, & legacy apps, and a large number of drivers. We recommend MDMs use the Server-Server sync protocol to get update metadata for updates reported from the client.
This section describes this setup. The following diagram shows the server-server sync protocol process.
:::image type="content" alt-text="mdm server-server sync." source="images/deviceupdateprocess2.png" lightbox="images/deviceupdateprocess2.png":::
MSDN provides much information about the Server-Server sync protocol. In particular:
- It's a SOAP-based protocol, and you can get the WSDL in [Server Sync Web Service](/openspecs/windows_protocols/ms-wsusss/8a3b2470-928a-4bd1-bdcc-8c2bf6b8e863). The WSDL can be used to generate calling proxies for many programming environments, which will simplify your development.
- You can find code samples in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a). The sample code shows raw SOAP commands, which can be used. Although its even simpler to make the call from a programming language like .NET (calling the WSDL-generated proxies). The stub generated by the Server Sync WSDL from the MSDN link above generates an incorrect binding URL. The binding URL should be set to `https://fe2.update.microsoft.com/v6/ServerSyncWebService/serversyncwebservice.asmx`.
Some important highlights:
- The protocol has an authorization phase (calling GetAuthConfig, GetAuthorizationCookie, and GetCookie). In [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a), the **Sample 1: Authorization** code shows how authorization is done. Even though it's called the authorization phase, the protocol is completely open (no credentials are needed to run this phase of the protocol). This sequence of calls needs to be done to obtain a cookie for the main part of the sync protocol. As an optimization, you can cache the cookie and only call this sequence again if your cookie has expired.
- The protocol allows the MDM to sync update metadata for a particular update by calling GetUpdateData. For more information, see [GetUpdateData](/openspecs/windows_protocols/ms-wsusss/c28ad30c-fa3f-4bc6-a747-788391d2d964) in MSDN. The LocURI to get the applicable updates with their revision numbers is `<LocURI>./Vendor/MSFT/Update/InstallableUpdates?list=StructData</LocURI>`. Because not all updates are available via S2S sync, make sure you handle SOAP errors.
- For mobile devices, you can sync metadata for a particular update by calling GetUpdateData. Or, for a local on-premises solution, you can use Windows Server Update Services (WSUS) and manually import the mobile updates from the Microsoft Update Catalog site. For more information, see [Process flow diagram and screenshots of server sync process](#process-flow-diagram-and-screenshots-of-server-sync-process).
> [!NOTE]
> On Microsoft Update, metadata for a given update gets modified over time (updating descriptive information, fixing bugs in applicability rules, localization changes, and so on). Each time such a change is made that doesnt affect the update itself, a new update revision is created. The identity of an update revision is a compound key containing both an UpdateID (GUID) and a RevisionNumber (int). The MDM should not expose the notion of an update revision to IT. Instead, for each UpdateID (GUID) the MDM should just keep the metadata for the later revision of that update (the one with the highest revision number).
## <a href="" id="examplesofupdatestructure"></a>Examples of update metadata XML structure and element descriptions
The response of the GetUpdateData call returns an array of ServerSyncUpdateData that contains the update metadata in the XmlUpdateBlob element. The schema of the update xml is available at [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a). Some of the key elements are described below:
- **UpdateID** The unique identifier for an update
- **RevisionNumber** Revision number for the update in case the update was modified.
- **CreationDate** the date on which this update was created.
- **UpdateType** The type of update, which could include the following:
- **Detectoid** if this update identity represents a compatibility logic
- **Category** This element could represent either of the following:
- A Product category the update belongs to. For example, Windows, MS office, and so on.
- The classification the update belongs to. For example, drivers, security, and so on.
- **Software** If the update is a software update.
- **Driver** if the update is a driver update.
- **LocalizedProperties** represents the language the update is available in, title and description of the update. It has the following fields:
- **Language** The language code identifier (LCID). For example, en or es.
- **Title** Title of the update. For example, “Windows SharePoint Services 3.0 Service Pack 3 x64 Edition (KB2526305)”
- **Description** Description of the update. For example, “Windows SharePoint Services 3.0 Service Pack 3 (KB2526305) provides the latest updates to Windows SharePoint Services 3.0. After you install this item, you may have to restart your computer. After you've installed this item, it can't be removed.”
- **KBArticleID** The KB article number for this update that has details about the particular update. For example, `https://support.microsoft.com/kb/2902892`.
## <a href="" id="recommendedflow"></a>Recommended Flow for Using the Server-Server Sync Protocol
This section describes a possible algorithm for using the server-server sync protocol to pull in update metadata to the MDM.
First some background:
- If you have a multi-tenant MDM, the update metadata can be kept in a shared partition, since it's common to all tenants.
- A metadata sync service can then be implemented. The service periodically calls server-server sync to pull in metadata for the updates IT cares about.
- The MDM component that uses OMA DM to control devices (described in the next section) should send the metadata sync service the list of needed updates it gets from each client, if those updates aren't already known to the device.
The following procedure describes a basic algorithm for a metadata sync service:
- Initialization uses the following steps:
a. Create an empty list of “needed update IDs to fault in”. This list will get updated by the MDM service component that uses OMA DM. We recommend not adding definition updates to this list, since they're temporary. For example, Defender can release new definition updates many times per day, each of which is cumulative.
- Sync periodically (we recommend once every 2 hours - no more than once/hour).
1. Implement the authorization phase of the protocol to get a cookie if you dont already have a non-expired cookie. See **Sample 1: Authorization** in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a).
2. Implement the metadata portion of the protocol (see **Sample 2: Metadata and Deployments Synchronization** in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a)), and:
- Call GetUpdateData for all updates in the "needed update IDs to fault in" list if the update metadata hasn't already been pulled into the DB.
- If the update is a newer revision of an existing update (same UpdateID, higher revision number), replace the previous update metadata with the new one.
- Remove updates from the "needed update IDs to fault in" list once they've been brought in.
These steps get information about the set of Microsoft Updates that IT needs to manage, so the information can be used in various update management scenarios. For example, at update approval time, you can get information so IT can see what updates they're approving. Or, for compliance reports to see what updates are needed but not yet installed.
## <a href="" id="managingupdates"></a>Managing updates using OMA DM
An MDM can manage updates via OMA DM. The details of how to use and integrate an MDM with the Windows OMA DM protocol, and how to enroll devices for MDM management, is documented in [Mobile device management](mobile-device-enrollment.md). This section focuses on how to extend that integration to support update management. The key aspects of update management include the following information:
- Configure automatic update policies to ensure devices stay up to date.
- Get device compliance information (the list of updates that are needed but not yet installed)
- Specify a per-device update approval list. The list makes sure devices only install updates that are approved and tested.
- Approve EULAs for the end user so update deployment can be automated, even for updates with EULAs
The following list describes a suggested model for applying updates.
1. Have a "Test Group" and an "All Group".
2. In the Test group, just let all updates flow.
3. In the All Group, set up Quality Update deferral for seven days. Then, Quality Updates will be auto approved after the seven days. Definition Updates are excluded from Quality Update deferrals, and will be auto approved when they're available. This schedule can be done by setting Update/DeferQualityUpdatesPeriodInDays to seven, and just letting updates flow after seven days or pushing Pause if any issues.
Updates are configured using a combination of the [Update CSP](update-csp.md), and the update portion of the [Policy CSP](policy-configuration-service-provider.md).
### Update policies
The enterprise IT can configure auto-update policies via OMA DM using the [Policy CSP](policy-configuration-service-provider.md) (this functionality isn't supported in Windows 10 Home). Here's the CSP diagram for the Update node in Policy CSP.
The following information shows the Update policies in a tree format.
```console
./Vendor/MSFT
Policy
----Config
--------Update
-----------ActiveHoursEnd
-----------ActiveHoursMaxRange
-----------ActiveHoursStart
-----------AllowAutoUpdate
-----------AllowMUUpdateService
-----------AllowNonMicrosoftSignedUpdate
-----------AllowUpdateService
-----------AutoRestartNotificationSchedule
-----------AutoRestartRequiredNotificationDismissal
-----------BranchReadinessLevel
-----------DeferFeatureUpdatesPeriodInDays
-----------DeferQualityUpdatesPeriodInDays
-----------DeferUpdatePeriod
-----------DeferUpgradePeriod
-----------EngagedRestartDeadline
-----------EngagedRestartSnoozeSchedule
-----------EngagedRestartTransitionSchedule
-----------ExcludeWUDriversInQualityUpdate
-----------IgnoreMOAppDownloadLimit
-----------IgnoreMOUpdateDownloadLimit
-----------PauseDeferrals
-----------PauseFeatureUpdates
-----------PauseQualityUpdates
-----------RequireDeferUpgrade
-----------RequireUpdateApproval
-----------ScheduleImminentRestartWarning
-----------ScheduledInstallDay
-----------ScheduledInstallTime
-----------ScheduleRestartWarning
-----------SetAutoRestartNotificationDisable
-----------UpdateServiceUrl
-----------UpdateServiceUrlAlternate
```
<a href="" id="update-activehoursend"></a>**Update/ActiveHoursEnd**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
Added in Windows 10, version 1607. When used with **Update/ActiveHoursStart**, it allows the IT admin to manage a range of active hours where update reboots aren't scheduled. This value sets the end time. There's a 12-hour maximum from start time.
> [!NOTE]
> The default maximum difference from start time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. For more information, see **Update/ActiveHoursMaxRange** in this article.
Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, and so on.
The default is 17 (5 PM).
<a href="" id="update-activehoursmaxrange"></a>**Update/ActiveHoursMaxRange**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.
Added in Windows 10, version 1703. Allows the IT admin to specify the max active hours range. This value sets max number of active hours from start time.
Supported values are 8-18.
The default value is 18 (hours).
<a href="" id="update-activehoursstart"></a>**Update/ActiveHoursStart**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.
Added in Windows 10, version 1607. When used with **Update/ActiveHoursEnd**, it allows the IT admin to manage a range of hours where update reboots aren't scheduled. This value sets the start time. There's a 12-hour maximum from end time.
> [!NOTE]
> The default maximum difference from end time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. For more information, see **Update/ActiveHoursMaxRange** in this article.
Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, and so on.
The default value is 8 (8 AM).
<a href="" id="update-allowautoupdate"></a>**Update/AllowAutoUpdate**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.
Enables the IT admin to manage automatic update behavior to scan, download, and install updates.
Supported operations are Get and Replace.
The following list shows the supported values:
- 0 Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end users to manage data usage. With this option, users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel.
- 1 Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks. They're installed during "Automatic Maintenance" when the device isn't in use, and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end user is prompted to schedule the restart time. The end user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end user to control the start time reduces the risk of accidental data loss caused by applications that don't shutdown properly on restart.
- 2 (default) Auto install and restart. Updates are downloaded automatically on non-metered networks. They're installed during "Automatic Maintenance" when the device isn't in use, and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. This behavior is the default behavior for unmanaged devices. Devices are updated quickly. But, it increases the risk of accidental data loss caused by an application that doesn't shutdown properly on restart.
- 3 Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart.
- 4 Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks. They're installed during "Automatic Maintenance" when the device isn't in use, and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. This setting option also sets the end-user control panel to read-only.
- 5 Turn off automatic updates.
> [!IMPORTANT]
> This option should be used only for systems under regulatory compliance, as you will not get security updates as well.
If the policy isn't configured, end users get the default behavior (Auto install and restart).
<a href="" id="update-allowmuupdateservice"></a>**Update/AllowMUUpdateService**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
Added in Windows 10, version 1607. Allows the IT admin to manage whether to scan for app updates from Microsoft Update.
The following list shows the supported values:
- 0 Not allowed or not configured.
- 1 Allowed. Accepts updates received through Microsoft Update.
<a href="" id="update-allownonmicrosoftsignedupdate"></a>**Update/AllowNonMicrosoftSignedUpdate**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise and Windows 10 Education.
Allows the IT admin to manage if Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for third-party software and patch distribution.
Supported operations are Get and Replace.
The following list shows the supported values:
- 0 Not allowed or not configured. Updates from an intranet Microsoft update service location must be signed by Microsoft.
- 1 Allowed. Accepts updates received through an intranet Microsoft update service location, if they're signed by a certificate in the "Trusted Publishers" certificate store of the local computer.
This policy is specific to desktop and local publishing using WSUS for third-party updates (binaries and updates not hosted on Microsoft Update). It allows IT to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location.
<a href="" id="update-allowupdateservice"></a>**Update/AllowUpdateService**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft.
Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update.
Enabling this policy will disable that functionality, and may cause connection to public services such as the Microsoft to stop working.
The following list shows the supported values:
- 0 Update service isn't allowed.
- 1 (default) Update service is allowed.
> [!NOTE]
> This policy applies only when the desktop or device is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy.
<a href="" id="update-autorestartnotificationschedule"></a>**Update/AutoRestartNotificationSchedule**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart reminder notifications.
Supported values are 15, 30, 60, 120, and 240 (minutes).
The default value is 15 (minutes).
<a href="" id="update-autorestartrequirednotificationdismissal"></a>**Update/AutoRestartRequiredNotificationDismissal**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
Added in Windows 10, version 1703. Allows the IT Admin to specify the method by which the auto restart required notification is dismissed.
The following list shows the supported values:
- 1 (default) Auto Dismissal.
- 2 User Dismissal.
<a href="" id="update-branchreadinesslevel"></a>**Update/BranchReadinessLevel**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
Added in Windows 10, version 1607. Allows the IT admin to set which branch a device receives their updates from.
The following list shows the supported values:
- 16 (default) User gets all applicable upgrades from Current Branch (CB).
- 32 User gets upgrades from Current Branch for Business (CBB).
<a href="" id="update-deferfeatureupdatesperiodindays"></a>**Update/DeferFeatureUpdatesPeriodInDays**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
Added in Windows 10, version 1607. Defers Feature Updates for the specified number of days.
Supported values are 0-180.
<a href="" id="update-deferqualityupdatesperiodindays"></a>**Update/DeferQualityUpdatesPeriodInDays**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
Added in Windows 10, version 1607. Defers Quality Updates for the specified number of days.
Supported values are 0-30.
<a href="" id="update-deferupdateperiod"></a>**Update/DeferUpdatePeriod**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
>
> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices.
Allows IT Admins to specify update delays for up to four weeks.
Supported values are 0-4, which refers to the number of weeks to defer updates.
If the **Specify intranet Microsoft update service location** policy is enabled, then the **Defer upgrades by**, **Defer updates by**; and **Pause Updates and Upgrades** settings have no effect.
If the **Allow Telemetry** policy is enabled and the Options value is set to 0, then the **Defer upgrades by**, **Defer updates by** and **Pause Updates and Upgrades** settings have no effect.
- **Update category**: OS upgrade
- **Maximum deferral**: 8 months
- **Deferral increment**: 1 month
- **Update type/notes**: Upgrade - 3689BDC8-B205-4AF4-8D4A-A63924C5E9D5
- **Update category**: Update
- **Maximum deferral**: 1 month
- **Deferral increment**: 1 week
- **Update type/notes**: If a machine has Microsoft Update enabled, any Microsoft Updates in these categories will also observe Defer / Pause logic.
- Security Update - 0FA1201D-4330-4FA8-8AE9-B877473B6441
- Critical Update - E6CF1350-C01B-414D-A61F-263D14D133B4
- Update Rollup - 28BC880E-0592-4CBF-8F95-C79B17911D5F
- Service Pack - 68C5B0A3-D1A6-4553-AE49-01D3A7827828
- Tools - B4832BD8-E735-4761-8DAF-37F882276DAB
- Feature Pack - B54E7D24-7ADD-428F-8B75-90A396FA584F
- Update - CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83
- Driver - EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0
- **Update category**: Other/cannot defer
- **Maximum deferral**: No deferral
- **Deferral increment**: No deferral
- **Update type/notes**: Any update category not enumerated above falls into this category.
- Definition Update - E0789628-CE08-4437-BE74-2495B842F43B
<a href="" id="update-deferupgradeperiod"></a>**Update/DeferUpgradePeriod**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
>
> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices.
Allows IT Admins to enter more upgrade delays for up to eight months.
Supported values are 0-8, which refers to the number of months to defer upgrades.
If the **Specify intranet Microsoft update service location** policy is enabled, then the **Defer upgrades by**, **Defer updates by** and **Pause Updates and Upgrades** settings have no effect.
If the **Allow Telemetry** policy is enabled and the Options value is set to 0, then the **Defer upgrades by**, **Defer updates by** and **Pause Updates and Upgrades** settings have no effect.
<a href="" id="update-engagedrestartdeadline"></a>**Update/EngagedRestartDeadline**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
Added in Windows 10, version 1703. Allows the IT Admin to specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed within the specified period. If no deadline is specified or deadline is set to 0, then the restart won't be automatically executed. It will remain Engaged restart (pending user scheduling).
Supported values are 2-30 days.
The default value is 0 days (not specified).
<a href="" id="update-engagedrestartsnoozeschedule"></a>**Update/EngagedRestartSnoozeSchedule**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
Added in Windows 10, version 1703. Allows the IT Admin to control the number of days a user can snooze Engaged restart reminder notifications.
Supported values are 1-3 days.
The default value is three days.
<a href="" id="update-engagedrestarttransitionschedule"></a>**Update/EngagedRestartTransitionSchedule**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
Added in Windows 10, version 1703. Allows the IT Admin to control the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending.
Supported values are 2-30 days.
The default value is seven days.
<a href="" id="update-excludewudriversinqualityupdate"></a>**Update/ExcludeWUDriversInQualityUpdate**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
Added in Windows 10, version 1607. Allows IT Admins to exclude Windows Update (WU) drivers during updates.
The following list shows the supported values:
- 0 (default) Allow Windows Update drivers.
- 1 Exclude Windows Update drivers.
<a href="" id="update-ignoremoappdownloadlimit"></a>**Update/IgnoreMOAppDownloadLimit**
Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for apps and their updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies.
> [!WARNING]
> Setting this policy might cause devices to incur costs from MO operators.
The following list shows the supported values:
- 0 (default) Don't ignore MO download limit for apps and their updates.
- 1 Ignore MO download limit (allow unlimited downloading) for apps and their updates.
To validate this policy:
1. Enable the policy ensure the device is on a cellular network.
2. Run the scheduled task on your device to check for app updates in the background. For example, on a mobile device, run the following commands in TShell:
- `regd delete HKEY_USERS\S-1-5-21-2702878673-795188819-444038987-2781\software\microsoft\windows\currentversion\windowsupdate /v LastAutoAppUpdateSearchSuccessTime /f`
- `exec-device schtasks.exe -arguments ""/run /tn """"\Microsoft\Windows\WindowsUpdate\Automatic App Update"""" /I""`
3. Verify that any downloads that are above the download size limit will complete without being paused.
<a href="" id="update-ignoremoupdatedownloadlimit"></a>**Update/IgnoreMOUpdateDownloadLimit**
Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for OS updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies.
> [!WARNING]
> Setting this policy might cause devices to incur costs from MO operators.
The following list shows the supported values:
- 0 (default) Don't ignore MO download limit for OS updates.
- 1 Ignore MO download limit (allow unlimited downloading) for OS updates.
To validate this policy:
1. Enable the policy and ensure the device is on a cellular network.
2. Run the scheduled task on the devices to check for OS updates in the background. For example, on a mobile device, run the following commands in TShell:
- `exec-device schtasks.exe -arguments ""/run /tn """"\Microsoft\Windows\WindowsUpdate\AUScheduledInstall"""" /I""`
3. Verify that any downloads that are above the download size limit will complete without being paused.
<a href="" id="update-pausedeferrals"></a>**Update/PauseDeferrals**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
>
> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use PauseDeferrals for Windows 10, version 1511 devices.
Allows IT Admins to pause updates and upgrades for up to five weeks. Paused deferrals will be reset after five weeks.
The following list shows the supported values:
- 0 (default) Deferrals aren't paused.
- 1 Deferrals are paused.
If the **Specify intranet Microsoft update service location** policy is enabled, then the **Defer upgrades by**, **Defer updates by** and **Pause Updates and Upgrades** settings have no effect.
If the **Allow Telemetry** policy is enabled and the Options value is set to 0, then the **Defer upgrades by**, **Defer updates by** and **Pause Updates and Upgrades** settings have no effect.
<a href="" id="update-pausefeatureupdates"></a>**Update/PauseFeatureUpdates**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
Added in Windows 10, version 1607. Allows IT Admins to pause Feature Updates for up to 60 days.
The following list shows the supported values:
- 0 (default) Feature Updates aren't paused.
- 1 Feature Updates are paused for 60 days or until value set to back to 0, whichever is sooner.
<a href="" id="update-pausequalityupdates"></a>**Update/PauseQualityUpdates**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
Added in Windows 10, version 1607. Allows IT Admins to pause Quality Updates.
The following list shows the supported values:
- 0 (default) Quality Updates aren't paused.
- 1 Quality Updates are paused for 35 days or until value set back to 0, whichever is sooner.
<a href="" id="update-requiredeferupgrade"></a>**Update/RequireDeferUpgrade**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
>
> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices.
Allows the IT admin to set a device to CBB train.
The following list shows the supported values:
- 0 (default) User gets upgrades from Current Branch.
- 1 User gets upgrades from Current Branch for Business.
<a href="" id="update-requireupdateapproval"></a>**Update/RequireUpdateApproval**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
<br>
> [!NOTE]
> If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead.
Allows the IT admin to restrict the updates that are installed on a device to only the updates on an update approval list. It enables IT to accept the End User License Agreement (EULA) associated with the approved update for the end user. EULAs are approved once an update is approved.
Supported operations are Get and Replace.
The following list shows the supported values:
- 0 Not configured. The device installs all applicable updates.
- 1 The device only installs updates that are both applicable and on the Approved Updates list. Set this policy to 1 if IT wants to control the deployment of updates on devices, such as when testing is required before deployment.
<a href="" id="update-scheduleimminentrestartwarning"></a>**Update/ScheduleImminentRestartWarning**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart imminent warning notifications.
Supported values are 15, 30, or 60 (minutes).
The default value is 15 (minutes).
<a href="" id="update-scheduledinstallday"></a>**Update/ScheduledInstallDay**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
Enables the IT admin to schedule the day of the update installation.
The data type is a string.
Supported operations are Add, Delete, Get, and Replace.
The following list shows the supported values:
- 0 (default) Every day
- 1 Sunday
- 2 Monday
- 3 Tuesday
- 4 Wednesday
- 5 Thursday
- 6 Friday
- 7 Saturday
<a href="" id="update-scheduledinstalltime"></a>**Update/ScheduledInstallTime**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
Enables the IT admin to schedule the time of the update installation.
The data type is a string.
Supported operations are Add, Delete, Get, and Replace.
Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM.
The default value is 3.
<a href="" id="update-schedulerestartwarning"></a>**Update/ScheduleRestartWarning**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto restart warning reminder notifications.
Supported values are 2, 4, 8, 12, or 24 (hours).
The default value is 4 (hours).
<a href="" id="update-setautorestartnotificationdisable"></a>**Update/SetAutoRestartNotificationDisable**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
Added in Windows 10, version 1703. Allows the IT Admin to disable auto restart notifications for update installations.
The following list shows the supported values:
- 0 (default) Enabled
- 1 Disabled
<a href="" id="update-updateserviceurl"></a>**Update/UpdateServiceUrl**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
> [!Important]
> Starting in Windows 10, version 1703 this policy isn't supported in IoT Enterprise.
Allows the device to check for updates from a WSUS server instead of Microsoft Update. Using WSUS is useful for on-premises MDMs that need to update devices that can't connect to the Internet.
Supported operations are Get and Replace.
The following list shows the supported values:
- Not configured. The device checks for updates from Microsoft Update.
- Set to a URL, such as `http://abcd-srv:8530`. The device checks for updates from the WSUS server at the specified URL.
Example
```xml
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Meta>
<Format>chr</Format>
<Type>text/plain</Type>
</Meta>
<Target>
<LocURI>./Vendor/MSFT/Policy/Config/Update/UpdateServiceUrl</LocURI>
</Target>
<Data>http://abcd-srv:8530</Data>
</Item>
</Replace>
```
<a href="" id="update-updateserviceurlalternate"></a>**Update/UpdateServiceUrlAlternate**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.
Added in the January service release of Windows 10, version 1607. Specifies an alternate intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network.
This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network.
To use this setting, you must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update agent, and download updates from an alternate download server instead of WSUS Server.
Value type is string and the default value is an empty string. If the setting isn't configured, and if Automatic Updates isn't disabled by policy or user preference, then the Automatic Updates client connects directly to the Windows Update site on the Internet.
> [!Note]
> If the "Configure Automatic Updates" Group Policy is disabled, then this policy has no effect.
> If the "Alternate Download Server" Group Policy isn't set, it will use the WSUS server by default to download updates.
> This policy isn't supported on Windows RT. Setting this policy will not have any effect on Windows RT PCs.
### Update management
The enterprise IT can configure the set of approved updates and get compliance status via OMA DM using the [Update CSP](update-csp.md). The following information shows the Update CSP in tree format.
```console
./Vendor/MSFT
Update
----ApprovedUpdates
--------Approved Update Guid
------------ApprovedTime
----FailedUpdates
--------Failed Update Guid
------------HResult
------------Status
------------RevisionNumber
----InstalledUpdates
--------Installed Update Guid
------------RevisionNumber
----InstallableUpdates
--------Installable Update Guid
------------Type
------------RevisionNumber
----PendingRebootUpdates
--------Pending Reboot Update Guid
------------InstalledTime
------------RevisionNumber
----LastSuccessfulScanTime
----DeferUpgrade
----Rollback
--------QualityUpdate
--------FeatureUpdate
--------QualityUpdateStatus
--------FeatureUpdateStatus
```
<a href="" id="update"></a>**Update**
The root node.
Supported operation is Get.
<a href="" id="approvedupdates"></a>**ApprovedUpdates**
Node for update approvals and EULA acceptance for the end user.
> [!NOTE]
> When the RequireUpdateApproval policy is set, the MDM uses the ApprovedUpdates list to pass the approved GUIDs. These GUIDs should be a subset of the InstallableUpdates list.
The MDM must first present the EULA to IT and have them accept it before the update is approved. Failure to present the EULA is a breach of legal or contractual obligations. The EULAs can be obtained from the update metadata and have their own EULA ID. It's possible for multiple updates to share the same EULA. It's only necessary to approve the EULA once per EULA ID, not one per update.
The update approval list enables IT to approve individual updates and update classifications. Auto-approval by update classifications allows IT to automatically approve Definition Updates (updates to the virus and spyware definitions on devices) and Security Updates (product-specific updates for security-related vulnerability). The update approval list doesn't support the uninstall of updates by revoking approval of already installed updates. Updates are approved based on UpdateID, and an UpdateID only needs to be approved once. An update UpdateID and RevisionNumber are part of the UpdateIdentity type. An UpdateID can be associated to several UpdateIdentity GUIDs because of changes to the RevisionNumber setting. MDM services must synchronize the UpdateIdentity of an UpdateID based on the latest RevisionNumber to get the latest metadata for an update. However, update approval is based on UpdateID.
> [!NOTE]
> For the Windows 10 build, the client may need to reboot after additional updates are added.
Supported operations are Get and Add.
<a href="" id="approvedupdates-approved-update-guid"></a>**ApprovedUpdates/**<strong>*Approved Update Guid*</strong>
Specifies the update GUID.
To auto-approve a class of updates, you can specify the [Update Classifications](/previous-versions/windows/desktop/ff357803(v=vs.85)) GUIDs. We strongly recommend to always specify the DefinitionsUpdates classification (E0789628-CE08-4437-BE74-2495B842F43B), which are used for anti-malware signatures. There are released periodically (several times a day). Some businesses may also want to auto-approve security updates to get them deployed quickly.
Supported operations are Get and Add.
Sample syncml:
```
<LocURI>./Vendor/MSFT/Update/ApprovedUpdates/%7ba317dafe-baf4-453f-b232-a7075efae36e%7d</LocURI>
```
<a href="" id="approvedupdates-approved-update-guid-approvedtime"></a>**ApprovedUpdates/*Approved Update Guid*/ApprovedTime**
Specifies the time the update gets approved.
Supported operations are Get and Add.
<a href="" id="failedupdates"></a>**FailedUpdates**
Specifies the approved updates that failed to install on a device.
Supported operation is Get.
<a href="" id="failedupdates-failed-update-guid"></a>**FailedUpdates/**<strong>*Failed Update Guid*</strong>
Update identifier field of the UpdateIdentity GUID that represents an update that failed to download or install.
Supported operation is Get.
<a href="" id="failedupdates-failed-update-guid-hresult"></a>**FailedUpdates/*Failed Update Guid*/HResult**
The update failure error code.
Supported operation is Get.
<a href="" id="failedupdates-failed-update-guid-status"></a>**FailedUpdates/*Failed Update Guid*/Status**
Specifies the failed update status (for example, download, install).
Supported operation is Get.
<a href="" id="installedupdates"></a>**InstalledUpdates**
The updates that are installed on the device.
Supported operation is Get.
<a href="" id="installedupdates-installed-update-guid"></a>**InstalledUpdates/**<strong>*Installed Update Guid*</strong>
UpdateIDs that represent the updates installed on a device.
Supported operation is Get.
<a href="" id="installableupdates"></a>**InstallableUpdates**
The updates that are applicable and not yet installed on the device. This information includes updates that aren't yet approved.
Supported operation is Get.
<a href="" id="installableupdates-installable-update-guid"></a>**InstallableUpdates/**<strong>*Installable Update Guid*</strong>
Update identifiers that represent the updates applicable and not installed on a device.
Supported operation is Get.
<a href="" id="installableupdates-installable-update-guid-type"></a>**InstallableUpdates/*Installable Update Guid*/Type**
The UpdateClassification value of the update. Valid values are:
- 0 - None
- 1 - Security
- 2 = Critical
Supported operation is Get.
<a href="" id="installableupdates-installable-update-guid-revisionnumber"></a>**InstallableUpdates/*Installable Update Guid*/RevisionNumber**
The revision number for the update that must be passed in server to server sync to get the metadata for the update.
Supported operation is Get.
<a href="" id="pendingrebootupdates"></a>**PendingRebootUpdates**
The updates that require a reboot to complete the update session.
Supported operation is Get.
<a href="" id="pendingrebootupdates-pending-reboot-update-guid"></a>**PendingRebootUpdates/**<strong>*Pending Reboot Update Guid*</strong>
Update identifiers for the pending reboot state.
Supported operation is Get.
<a href="" id="pendingrebootupdates-pending-reboot-update-guid-installedtime"></a>**PendingRebootUpdates/*Pending Reboot Update Guid*/InstalledTime**
The time the update is installed.
Supported operation is Get.
<a href="" id="lastsuccessfulscantime"></a>**LastSuccessfulScanTime**
The last successful scan time.
Supported operation is Get.
<a href="" id="deferupgrade"></a>**DeferUpgrade**
Upgrades deferred until the next period.
Supported operation is Get.
## <a href="" id="windows10version1607forupdatemanagement"></a> Windows 10, version 1607 for update management
Here are the new policies added in Windows 10, version 1607 in [Policy CSP](policy-configuration-service-provider.md). Use these policies for the Windows 10, version 1607 devices.
- Update/ActiveHoursEnd
- Update/ActiveHoursStart
- Update/AllowMUUpdateService
- Update/BranchReadinessLevel
- Update/DeferFeatureUpdatePeriodInDays
- Update/DeferQualityUpdatePeriodInDays
- Update/ExcludeWUDriversInQualityUpdate
- Update/PauseFeatureUpdates
- Update/PauseQualityUpdates
Here's the list of corresponding Group Policy settings in HKLM\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate.
|GPO key|Type|Value|
|--- |--- |--- |
|BranchReadinessLevel|REG_DWORD|16: systems take Feature Updates on the Current Branch (CB) train<br><br>32: systems take Feature Updates on the Current Branch for Business<br><br>Other value or absent: receive all applicable updates (CB)|
|DeferQualityUpdates|REG_DWORD|1: defer quality updates<br><br>Other value or absent: dont defer quality updates|
|DeferQualityUpdatesPeriodInDays|REG_DWORD|0-30: days to defer quality updates|
|PauseQualityUpdates|REG_DWORD|1: pause quality updates<br><br>Other value or absent: dont pause quality updates|
|DeferFeatureUpdates|REG_DWORD|1: defer feature updates<br><br>Other value or absent: dont defer feature updates|
|DeferFeatureUpdatesPeriodInDays|REG_DWORD|0-180: days to defer feature updates|
|PauseFeatureUpdates|REG_DWORD|1: pause feature updates<br><br>Other value or absent: dont pause feature updates|
|ExcludeWUDriversInQualityUpdate|REG_DWORD|1: exclude Windows Update drivers<br><br>Other value or absent: offer Windows Update drivers|
Here's the list of older policies that are still supported for backward compatibility. You can use these older policies for Windows 10, version 1511 devices.
- Update/RequireDeferUpgrade
- Update/DeferUpgradePeriod
- Update/DeferUpdatePeriod
- Update/PauseDeferrals
## <a href="" id="userexperiencescreenshot"></a>Update management user experience screenshot
The following screenshots of the administrator console show the list of update titles, approval status, and additional metadata fields.
![mdm update management screenshot.](images/deviceupdatescreenshot1.png)
![mdm update management metadata screenshot.](images/deviceupdatescreenshot2.png)
## <a href="" id="syncmlexample"></a>SyncML example
Set auto update to notify and defer.
```xml
<SyncML xmlns="SYNCML:SYNCML1.1">
<SyncBody>
<Replace xmlns="">
<CmdID>1</CmdID>
<Item>
<Meta>
<Format>int</Format>
<Type>text/plain</Type>
</Meta>
<Target>
<LocURI>./Vendor/MSFT/Policy/Config/Update/AllowUpdateService</LocURI>
</Target>
<Data>0</Data>
</Item>
<CmdID>2</CmdID>
<Item>
<Meta>
<Format>int</Format>
<Type>text/plain</Type>
</Meta>
<Target>
<LocURI>./Vendor/MSFT/Policy/Config/Update/RequireDeferUpgrade </LocURI>
</Target>
<Data>0</Data>
</Item>
<CmdID>3</CmdID>
<Item>
<Meta>
<Format>int</Format>
<Type>text/plain</Type>
</Meta>
<Target>
<LocURI>./Vendor/MSFT/Policy/Config/Update/RequireUpdateApproval </LocURI>
</Target>
<Data>0</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
```
## Process flow diagram and screenshots of server sync process
The following diagram and screenshots show the process flow of the device update process using Windows Server Update Services and Microsoft Update Catalog.
![mdm device update management screenshot3.](images/deviceupdatescreenshot3.png)
![mdm device update management screenshot4](images/deviceupdatescreenshot4.png)
![mdm device update management screenshot5](images/deviceupdatescreenshot5.png)
![mdm device update management screenshot6](images/deviceupdatescreenshot6.png)
![mdm device update management screenshot7](images/deviceupdatescreenshot7.png)
![mdm device update management screenshot8](images/deviceupdatescreenshot8.png)
![mdm device update management screenshot9](images/deviceupdatescreenshot9.png)

287
windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md
View File

@ -1,287 +0,0 @@
---
title: Diagnose MDM failures in Windows 10
description: Learn how to collect MDM logs. Examining these logs can help diagnose enrollment or device management issues in Windows 10 devices managed by an MDM server.
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: w10
ms.technology: windows
author: vinaypamnani-msft
ms.date: 06/25/2018
ms.collection: highpri
---
# Diagnose MDM failures in Windows 10
To help diagnose enrollment or device management issues in Windows 10 devices managed by an MDM server, you can examine the MDM logs collected from the desktop. The following sections describe the procedures for collecting MDM logs.
## Download the MDM Diagnostic Information log from Windows 10 PCs
1. On your managed device, go to **Settings** > **Accounts** > **Access work or school**.
1. Click your work or school account, then click **Info.**
![Access work or school page in Settings.](images/diagnose-mdm-failures15.png)
1. At the bottom of the **Settings** page, click **Create report**.
![Access work or school page and then Create report.](images/diagnose-mdm-failures16.png)
1. A window opens that shows the path to the log files. Click **Export**.
![Access work or school log files.](images/diagnose-mdm-failures17.png)
1. In File Explorer, navigate to c:\Users\Public\Documents\MDMDiagnostics to see the report.
## Use command to collect logs directly from Windows 10 PCs
You can also collect the MDM Diagnostic Information logs using the following command:
```xml
mdmdiagnosticstool.exe -area "DeviceEnrollment;DeviceProvisioning;Autopilot" -zip "c:\users\public\documents\MDMDiagReport.zip"
```
- In File Explorer, navigate to c:\Users\Public\Documents\MDMDiagnostics to see the report.
### Understanding zip structure
The zip file will have logs according to the areas that were used in the command. This explanation is based on DeviceEnrollment, DeviceProvisioning and Autopilot areas. It applies to the zip files collected via command line or Feedback Hub
- DiagnosticLogCSP_Collector_Autopilot_*: Autopilot etls
- DiagnosticLogCSP_Collector_DeviceProvisioning_*: Provisioning etls (Microsoft-Windows-Provisioning-Diagnostics-Provider)
- MDMDiagHtmlReport.html: Summary snapshot of MDM space configurations and policies. Includes, management url, MDM server device ID, certificates, policies.
- MdmDiagLogMetadata, json: mdmdiagnosticstool metadata file, contains command-line arguments used to run the tool
- MDMDiagReport.xml: contains a more detail view into the MDM space configurations, e.g enrollment variables
- MdmDiagReport_RegistryDump.reg: contains dumps from common MDM registry locations
- MdmLogCollectorFootPrint.txt: mdmdiagnosticslog tool logs from running the command
- *.evtx: Common event viewer logs microsoft-windows-devicemanagement-enterprise-diagnostics-provider-admin.evtx main one that contains MDM events.
## Collect logs directly from Windows 10 PCs
Starting with the Windows 10, version 1511, MDM logs are captured in the Event Viewer in the following location:
- Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostic-Provider
Here's a screenshot:
![mdm event viewer.](images/diagnose-mdm-failures1.png)
In this location, the **Admin** channel logs events by default. However, if you need more details logs you can enable **Debug** logs by choosing **Show Analytic and Debug** logs option in **View** menu in Event Viewer.
### Collect admin logs
1. Right click on the **Admin** node.
2. Select **Save all events as**.
3. Choose a location and enter a filename.
4. Click **Save**.
5. Choose **Display information for these languages** and then select **English**.
6. Click **Ok**.
For more detailed logging, you can enable **Debug** logs. Right click on the **Debug** node and then click **Enable Log**.
### Collect debug logs
1. Right click on the **Debug** node.
2. Select **Save all events as**.
3. Choose a location and enter a filename.
4. Click **Save**.
5. Choose **Display information for these languages** and then select **English**.
6. Click **Ok**.
You can open the log files (.evtx files) in the Event Viewer on a Windows 10 PC running the November 2015 update.
## Collect logs remotely from Windows 10 PCs
When the PC is already enrolled in MDM, you can remotely collect logs from the PC through the MDM channel if your MDM server supports this facility. The [DiagnosticLog CSP](diagnosticlog-csp.md) can be used to enable an event viewer channel by full name. Here are the Event Viewer names for the Admin and Debug channels:
- Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%2FAdmin
- Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%2FDebug
Example: Enable the Debug channel logging
```xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%2FDebug/State</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">bool</Format>
</Meta>
<Data>true</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
```
Example: Export the Debug logs
```xml
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Exec>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%2FDebug/Export</LocURI>
</Target>
</Item>
</Exec>
<Final/>
</SyncBody>
</SyncML>
```
## Collect logs remotely from Windows 10 Holographic
For holographic already enrolled in MDM, you can remotely collect MDM logs through the MDM channel using the [DiagnosticLog CSP](diagnosticlog-csp.md).
You can use the DiagnosticLog CSP to enable the ETW provider. The provider ID is 3DA494E4-0FE2-415C-B895-FB5265C5C83B. The following examples show how to enable the ETW provider:
Add a collector node
```xml
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Add>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/MDM</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">node</Format>
</Meta>
</Item>
</Add>
<Final/>
</SyncBody>
</SyncML>
```
Add the ETW provider to the trace
```xml
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Add>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/MDM/Providers/3DA494E4-0FE2-415C-B895-FB5265C5C83B</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">node</Format>
</Meta>
</Item>
</Add>
<Final/>
</SyncBody>
</SyncML>
```
Start collector trace logging
```xml
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Exec>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/MDM/TraceControl</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>START</Data>
</Item>
</Exec>
<Final/>
</SyncBody>
</SyncML>
```
Stop collector trace logging
```xml
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Exec>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/MDM/TraceControl</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>STOP</Data>
</Item>
</Exec>
<Final/>
</SyncBody>
</SyncML>
```
After the logs are collected on the device, you can retrieve the files through the MDM channel using the FileDownload portion of the DiagnosticLog CSP. For details, see [DiagnosticLog CSP](diagnosticlog-csp.md).
## View logs
For best results, ensure that the PC or VM on which you're viewing logs matches the build of the OS from which the logs were collected.
1. Open eventvwr.msc.
2. Right-click on **Event Viewer(Local)** and select **Open Saved Log**.
![event viewer screenshot.](images/diagnose-mdm-failures9.png)
3. Navigate to the etl file that you got from the device and then open the file.
4. Click **Yes** when prompted to save it to the new log format.
![event viewer prompt.](images/diagnose-mdm-failures10.png)
![diagnose mdm failures.](images/diagnose-mdm-failures11.png)
5. The new view contains traces from the channel. Click on **Filter Current Log** from the **Actions** menu.
![event viewer actions.](images/diagnose-mdm-failures12.png)
6. Add a filter to Event sources by selecting **DeviceManagement-EnterpriseDiagnostics-Provider** and click **OK**.
![event filter for Device Management.](images/diagnose-mdm-failures13.png)
7. Now you're ready to start reviewing the logs.
![event viewer review logs.](images/diagnose-mdm-failures14.png)
## Collect device state data
Here's an example of how to collect current MDM device state data using the [DiagnosticLog CSP](diagnosticlog-csp.md), version 1.3, which was added in Windows 10, version 1607. You can collect the file from the device using the same FileDownload node in the CSP as you do for the etl files.
```xml
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Exec>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/DiagnosticLog/DeviceStateData/MdmConfiguration</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>SNAP</Data>
</Item>
</Exec>
<Final/>
</SyncBody>
</SyncML>
```

159
windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md
View File

@ -1,159 +0,0 @@
---
title: Disconnecting from the management infrastructure (unenrollment)
description: Disconnecting is initiated either locally by the user using a phone or remotely by the IT admin using management server.
MS-HAID:
- 'p\_phdevicemgmt.disconnecting\_from\_the\_management\_infrastructure\_\_unenrollment\_'
- 'p\_phDeviceMgmt.disconnecting\_from\_mdm\_unenrollment'
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: w10
ms.technology: windows
author: vinaypamnani-msft
ms.date: 06/26/2017
---
# Disconnecting from the management infrastructure (unenrollment)
The Disconnecting process is done either locally by the user who uses a phone or remotely by the IT administrator using management server. The user-initiated disconnection process is similar to the initial connection, wherein its initiation is from the same location in the Setting Control Panel as creating the workplace account.
The users choose to disconnect for any number of reasons, such as the ones described below: leaving the company or getting a new device or not needing access to their LOB apps on the old device, anymore. When an IT administrator initiates a disconnection, the enrollment client performs the disconnection during the next regular maintenance session. Administrators choose to disconnect users' device after theyve left the company or because the device is regularly failing to comply with the organizations security settings policy.
During disconnection, the client executes the following tasks:
- Removes the enterprise application token that allowed installing and running LOB apps. Any business applications associated with this enterprise token are removed as well.
- Removes certificates that are configured by MDM server.
- Ceases enforcement of the settings policies applied by the management infrastructure.
- Removes the device management client configuration and other setting configuration added by MDM server, including the scheduled maintenance task. The client remains dormant unless the user reconnects it to the management infrastructure.
- Reports successfully initiated disassociation to the management infrastructure if the admin initiated the process. In Windows, a user-initiated disassociation is reported to the server as a best effort.
## In this topic
- [User-initiated disconnection](#user-initiated-disconnection)
- [Server-initiated disconnection](#server-initiated-disconnection)
- [Unenrollment from Work Access settings page](#unenrollment-from-work-access-settings-page)
- [IT adminrequested disconnection](#it-admin-requested-disconnection)
- [Unenrollment from Azure Active Directory Join](#dataloss)
## User-initiated disconnection
In Windows, after the user confirms the account deletion command and before the account is deleted, the MDM client will notify to the MDM server that the account will be removed. This notification is a best-effort action as no retry is built-in to ensure the notification is successfully sent to the device.
This action utilizes the OMA DM generic alert 1226 function to send a user an MDM unenrollment user alert to the MDM server after the device accepts the user unenrollment request, but before it deletes any enterprise data. The server should set the expectation that unenrollment may succeed or fail, and the server can check whether the device is unenrolled by either checking whether the device calls back at scheduled time or by sending a push notification to the device to see whether it responds back. If the server plans to send a push notification, it should allow for some delay to give the device the time to complete the unenrollment work.
> [!NOTE]
> The user unenrollment is an OMA DM standard. For more information about the 1226 generic alert, see the OMA Device Management Protocol specification (OMA-TS-DM\_Protocol-V1\_2\_1-20080617-A), available from the [OMA website](https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/).
 
The vendor uses the Type attribute to specify what type of generic alert it is. For device initiated MDM unenrollment, the alert type is **com.microsoft:mdm.unenrollment.userrequest**.
After the user elects to unenroll, any active MDM OMA DM sessions are terminated. After that, the DM client starts a DM session, including a user unenroll generic alert in the first package that it sends to the server.
The following sample shows an OMA DM first package that contains a generic alert message. For more information on WP OMA DM support, see the [OMA DM protocol support](oma-dm-protocol-support.md) topic.
```
<SyncML xmlns=&#39;SYNCML:SYNCML1.2&#39;>
<SyncHdr>
<VerDTD>1.2</VerDTD>
<VerProto>DM/1.2</VerProto>
<SessionID>1</SessionID>
<MsgID>1</MsgID>
<Target>
<LocURI>{unique device ID}</LocURI>
</Target>
<Source>
<LocURI>https://www.thephone-company.com/mgmt-server</LocURI>
</Source>
</SyncHdr>
<SyncBody>
<Alert>
<CmdID>2</CmdID>
<Data>1226</Data> <!-- generic alert -->
<Item>
<Meta>
<Type xmlns="syncml:metinfo"> com.microsoft:mdm.unenrollment.userrequest</Type>
<Format xmlns= "syncml:metinfo">int</Format>
</Meta>
<Data>1</Data>
</Item>
</Alert>
<!-- other device information -->
<Replace>
<CmdID>2</CmdID>
<Item>
<Source>
<LocURI>./DevInfo/DevID</LocURI>
</Source>
<Data>{unique device ID}</Data>
</Item>
<Item>
...
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
```
After the previous package is sent, the unenrollment process begins.
## Server-initiated disconnection
When the server initiates disconnection, all undergoing sessions for the enrollment ID are aborted immediately to avoid deadlocks. The server will not get a response for the unenrollment, instead a generic alert notification is sent with messageid=1.
```xml
<Alert>
<CmdID>4</CmdID>
<Data>1226</Data>
<Item>
<Meta>
<Type xmlns="syncml:metinf">com.microsoft:mdm.unenrollment.userrequest</Type>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>1</Data>
</Item>
</Alert>
```
<a href="" id="work-access"></a>
## Unenrollment from Work Access settings page
If the user is enrolled into MDM using an Azure Active Directory (AAD Join or by adding a Microsoft work account), the MDM account will show up under the Work Access page. However, the **Disconnect** button is greyed out and not accessible. Users can remove that MDM account by removing the Azure AD association to the device.
You can only use the Work Access page to unenroll under the following conditions:
- Enrollment was done using bulk enrollment.
- Enrollment was created using the Work Access page.
<a href="" id="dataloss"></a>
## Unenrollment from Azure Active Directory Join
When a user is enrolled into MDM through Azure Active Directory Join and later, the enrollment disconnects, there is no warning that the user will lose Windows Information Protection (WIP) data. The disconnection message does not indicate the loss of WIP data.
![aadj unenerollment.](images/azure-ad-unenrollment.png)
During the process in which a device is enrolled into MDM through Azure Active Directory Join and then remotely unenrolled, the device may get into a state where it must be reimaged. When devices are remotely unenrolled from MDM, the Azure Active Directory association is also removed. This safeguard is in place to avoid leaving the corporated devices in unmanaged state.
Before remotely unenrolling corporate devices, you must ensure that there is at least one admin user on the device that is not part of the Azure tenant, otherwise the device will not have any admin user after the operation.
In mobile devices, remote unenrollment for Azure Active Directory Joined devices will fail. To remove corporate content from these devices, we recommend you remotely wipe the device.
<a href="" id="it-admin-requested-disconnection"></a>
## IT adminrequested disconnection
The server requests an enterprise management disconnection by issuing an Exec OMA DM SyncML XML command to the device, using the DMClient configuration service providers Unenroll node during the next client-initiated DM session. The Data tag inside the Exec command should be the value of the provisioned DM server ProviderID. For more information, see the Enterprise-specific DMClient configuration topic.
When the disconnection is completed, the user is notified that the device has been disconnected from enterprise management.
 

166
windows/client-management/mdm/dmprocessconfigxmlfiltered.md
View File

@ -1,166 +0,0 @@
---
title: DMProcessConfigXMLFiltered function
description: Learn how the DMProcessConfigXMLFiltered function configures phone settings by using OMA Client Provisioning XML.
Search.Refinement.TopicID: 184
ms.reviewer:
manager: aaroncz
topic_type:
- apiref
api_name:
- DMProcessConfigXMLFiltered
api_location:
- dmprocessxmlfiltered.dll
api_type:
- DllExport
ms.author: vinpa
ms.topic: article
ms.prod: w10
ms.technology: windows
author: vinaypamnani-msft
ms.date: 06/26/2017
---
# DMProcessConfigXMLFiltered function
> [!Important]
> The use of this function for automatic data configuration (ADC) is deprecated in Windows Phone 8.1. For more information about the new process for provisioning connectivity configuration, see [Connectivity configuration](/previous-versions//dn757424(v=vs.85)). However, this function is still supported for other OEM uses.
Configures phone settings by using OMA Client Provisioning XML. Use of this function is strictly limited to the following scenarios.
- Adding dynamic credentials for OMA Client Provisioning.
- Manufacturing test applications. These applications and the supporting drivers must be removed from the phones before they're sold.
Microsoft recommends that this function isn't used to configure the following types of settings:
- Security settings that are configured using CertificateStore, SecurityPolicy, and RemoteWipe, unless they're related to OMA DM or OMA Client Provisioning security policies
- Non-cellular data connection settings (such as Hotspot settings).
- File system files and registry settings, unless they're used for OMA DM account management, mobile operator data connection settings, or manufacturing tests
- Email settings
> [!Note]
> The **DMProcessConfigXMLFiltered** function has full functionality in Windows Phone 8.1, but it has a read-only functionality in Windows 10.
## Syntax
```C++
HRESULT STDAPICALLTYPE DMProcessConfigXMLFiltered(
LPCWSTR pszXmlIn,
const WCHAR **rgszAllowedCspNode,
const DWORD dwNumAllowedCspNodes,
BSTR *pbstrXmlOut
);
```
## Parameters
*pszXmlIn*
- [in] The nullterminated input XML buffer containing the configuration data. The parameter holds the XML that will be used to configure the phone. **DMProcessConfigXMLFiltered** accepts only OMA Client Provisioning XML (also known as WAP provisioning). It doesn't accept OMA DM SyncML XML (also known as SyncML).
*rgszAllowedCspNode*
- [in] Array of `WCHAR` that specify which configuration service provider nodes can be invoked.
*dwNumAllowedCspNodes*
- [in] Number of elements passed in <em>rgszAllowedCspNode</em>.
*pbstrXmlOut*
- [out] The resulting nullterminated XML from configuration. The caller of **DMProcessConfigXMLFiltered** is responsible for cleanup of the output buffer that the <em>pbstrXmlOut</em> parameter references. Use <a href="/windows/win32/api/oleauto/nf-oleauto-sysfreestring" data-raw-source="[**SysFreeString**](/windows/win32/api/oleauto/nf-oleauto-sysfreestring)">**SysFreeString**</a> to free the memory.
If **DMProcessConfigXMLFiltered** retrieves a document, the *pbstrXmlOut* holds the XML output (in string form) of the provisioning operations. If **DMProcessConfigXMLFiltered** returns a failure, the XML output often contains "error nodes" that indicate which elements of the original XML failed. If the input document doesn't contain queries and is successfully processed, the output document should resemble the input document. In some error cases, no output is returned.
## Return value
Returns the standard **HRESULT** value **S\_OK** to indicate success. The following table shows more error codes that can be returned:
|Return code|Description|
|--- |--- |
|**CONFIG_E_OBJECTBUSY**|Another instance of the configuration management service is currently running.|
|**CONFIG_E_ENTRYNOTFOUND**|No metabase entry was found.|
|**CONFIG_E_CSPEXCEPTION**|An exception occurred in one of the configuration service providers.|
|**CONFIG_E_TRANSACTIONINGFAILURE**|A configuration service provider failed to roll back properly. The affected settings might be in an unknown state.|
|**CONFIG_E_BAD_XML**|The XML input is invalid or malformed.|
## Remarks
The processing of the XML is transactional. Either the entire document gets processed successfully, or none of the settings are processed. So, the **DMProcessConfigXMLFiltered** function processes only one XML configuration request at a time.
The usage of **DMProcessConfigXMLFiltered** depends on the configuration service providers that are used. For example, if the input `.provxml` contains the following two settings:
``` XML
<wap-provisioningdoc>
<characteristic type="NAPDEF">
<characteristic type="Internet" mwid="1">
<parm name="NAME" value="Contoso Internet APN"/>
<parm name="BEARER" value="GSM-GPRS"/>
<parm name="NAP-ADDRESS" value="wap.contoso"/>
<parm name="NAP-ADDRTYPE" value="APN"/>
<parm name="INTERNET" value="1"/>
</characteristic>
</characteristic>
<characteristic type="BrowserFavorite">
<characteristic type="Contoso">
<parm name="URL" value="http://www.contoso.com"/>
</characteristic>
</characteristic>
</wap-provisioningdoc>
```
Then, the second parameter in the call to **DMProcessConfigXMLFiltered** would have to have the following definition.
``` C++
LPCWSTR rgszAllowedCspNodes[] =
{
L"NAPDEF",
L"BrowserFavorite"
};
```
This array of configuration service provider names indicates which `.provxml` contents should be present. If the provxml contains "EMAIL2" provisioning but *rgszAllowedCspNodes* doesn't contain EMAIL2, then **DMProcessConfigXMLFiltered** fails with an **E\_ACCESSDENIED** error code.
The following code sample shows how this array would be passed in. The *szProvxmlContent* doesn't show the full XML contents for brevity. In actual usage, the "…" would contain the full XML string shown above.
``` C++
WCHAR szProvxmlContent[] = L"<wap-provisioningdoc>...</wap-provisioningdoc>";
BSTR bstr = NULL;
HRESULT hr = DMProcessConfigXMLFiltered(
szProvxmlContent,
rgszAllowedCspNodes,
_countof(rgszAllowedCspNodes),
&bstr
);
/* check error */
if ( bstr != NULL )
{
SysFreeString( bstr );
bstr = NULL;
}
```
## Requirements
|Requirement|Support|
|--- |--- |
|Minimum supported client|None supported|
|Minimum supported server|None supported|
|Minimum supported phone|Windows Phone 8.1|
|Header|Dmprocessxmlfiltered.h|
|Library|Dmprocessxmlfiltered.lib|
|DLL|Dmprocessxmlfiltered.dll|
## See also
[**SysFreeString**](/windows/win32/api/oleauto/nf-oleauto-sysfreestring)

289
windows/client-management/mdm/eap-configuration.md
View File

@ -1,289 +0,0 @@
---
title: EAP configuration
description: Learn how to create an Extensible Authentication Protocol (EAP) configuration XML for a VPN profile, including details about EAP certificate filtering in Windows 10.
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: w10
ms.technology: windows
author: vinaypamnani-msft
ms.date: 06/26/2017
---
# EAP configuration
This article provides a step-by-step guide for creating an Extensible Authentication Protocol (EAP) configuration XML for a VPN profile, including information about EAP certificate filtering in Windows 10.
## Create an EAP configuration XML for a VPN profile
To get the EAP configuration from your desktop using the rasphone tool that is shipped in the box:
1. Run rasphone.exe.
![vpnv2 rasphone.](images/vpnv2-csp-rasphone.png)
1. If you don't currently have a VPN connection and you see the following message, select **OK**.
![vpnv2 csp network connections.](images/vpnv2-csp-networkconnections.png)
1. In the wizard, select **Workplace network**.
![vpnv2 csp set up connection.](images/vpnv2-csp-setupnewconnection.png)
1. Enter an Internet address and connection name. These details can be fake since it doesn't impact the authentication parameters.
![vpnv2 csp set up connection 2.](images/vpnv2-csp-setupnewconnection2.png)
1. Create a fake VPN connection. In the UI shown here, select **Properties**.
![vpnv2 csp choose nw connection.](images/vpnv2-csp-choosenetworkconnection.png)
1. In the **Test Properties** dialog, select the **Security** tab.
![vpnv2 csp test props.](images/vpnv2-csp-testproperties.png)
1. On the **Security** tab, select **Use Extensible Authentication Protocol (EAP)**.
![vpnv2 csp test props2.](images/vpnv2-csp-testproperties2.png)
1. From the drop-down menu, select the EAP method that you want to configure, and then select **Properties** to configure as needed.
![vpnv2 csp test props3.](images/vpnv2-csp-testproperties3.png)![vpnv2 csp test props4](images/vpnv2-csp-testproperties4.png)
1. Switch over to PowerShell and use the following cmdlets to retrieve the EAP configuration XML.
```powershell
Get-VpnConnection -Name Test
```
<a href="" id="pow"></a>Here's an example output.
``` syntax
Name : Test
ServerAddress : 1.1.1.1
AllUserConnection : False
Guid : {EC87F6C9-8823-416C-B92B-517D592E250F}
TunnelType : Automatic
AuthenticationMethod : {Eap}
EncryptionLevel : Optional
L2tpIPsecAuth : Certificate
UseWinlogonCredential : False
EapConfigXmlStream : #document
ConnectionStatus : Disconnected
RememberCredential : True
SplitTunneling : False
DnsSuffix :
IdleDisconnectSeconds : 0
```
```powershell
$a = Get-VpnConnection -Name Test
```
```powershell
$a.EapConfigXmlStream.InnerXml
```
Here's an example output.
```xml
<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><EapMethod><Type xmlns="http://www.microsoft.co
m/provisioning/EapCommon">13</Type><VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId><VendorTy
pe xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType><AuthorId xmlns="http://www.microsoft.com/provisi
oning/EapCommon">0</AuthorId></EapMethod><Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Eap xmlns="h
ttp://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>13</Type><EapType xmlns="http://www.microsoft.co
m/provisioning/EapTlsConnectionPropertiesV1"><CredentialsSource><CertificateStore><SimpleCertSelection>true</SimpleCertSel
ection></CertificateStore></CredentialsSource><ServerValidation><DisableUserPromptForServerValidation>false</DisableUserPr
omptForServerValidation><ServerNames></ServerNames></ServerValidation><DifferentUsername>false</DifferentUsername><Perform
ServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">true</PerformServerValidation>
<AcceptServerName xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">true</AcceptServerName><TLSEx
tensions xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2"><FilteringInfo xmlns="http://www.micro
soft.com/provisioning/EapTlsConnectionPropertiesV3"><ClientAuthEKUList Enabled="true" /><AnyPurposeEKUList Enabled="true"
/></FilteringInfo></TLSExtensions></EapType></Eap></Config></EapHostConfig>
```
> [!NOTE]
> You should check with Mobile Device Management (MDM) vendor, if you need to pass this XML in escaped format. The XSDs for all EAP methods are shipped in the box and can be found at the following locations:
> - C:\\Windows\\schemas\\EAPHost
> - C:\\Windows\\schemas\\EAPMethods
## EAP certificate filtering
In your deployment, if you have multiple certificates provisioned on the device and the Wi-Fi profile provisioned doesn't have a strict filtering criteria, you might see connection failures when connecting to Wi-Fi. The solution is to ensure that the Wi-Fi profile provisioned has strict filtering criteria so that it matches only one certificate.
Enterprises deploying certificate-based EAP authentication for VPN and Wi-Fi can encounter a situation where there are multiple certificates that meet the default criteria for authentication. This situation can lead to issues such as:
- The user might be prompted to select the certificate.
- The wrong certificate might be auto-selected and cause an authentication failure.
A production ready deployment must have appropriate certificate details as part of the profile being deployed. The following information explains how to create or update an EAP configuration XML such that the extraneous certificates are filtered out and appropriate certificate can be used for the authentication.
EAP XML must be updated with relevant information for your environment. This task can be done manually by editing the following XML sample or by using the step-by-step UI guide. After the EAP XML is updated, refer to instructions from your MDM to deploy the updated configuration as follows:
- For Wi-Fi, look for the `<EAPConfig>` section of your current WLAN Profile XML. (This section is what you specify for the WLanXml node in the Wi-Fi CSP.) Within these tags, you'll find the complete EAP configuration. Replace the section under `<EAPConfig>` with your updated XML and update your Wi-Fi profile. You can refer to your MDMs guidance on how to deploy a new Wi-Fi profile.
- For VPN, EAP configuration is a separate field in the MDM configuration. Work with your MDM provider to identify and update the appropriate field.
For information about EAP settings, see <https://technet.microsoft.com/library/hh945104.aspx#BKMK_Cfg_cert_Selct>.
For information about generating an EAP XML, see the EAP configuration article.
For more information about extended key usage (EKU), see <https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.12>.
For information about adding EKU to a certificate, see <https://technet.microsoft.com/library/cc731792.aspx>.
The following list describes the prerequisites for a certificate to be used with EAP:
- The certificate must have at least one of the following EKU properties:
- Client Authentication: As defined by RFC 5280, this property is a well-defined OID with value 1.3.6.1.5.5.7.3.2.
- Any Purpose: This property is an EKU-defined one and is published by Microsoft. It is a well-defined OID with value 1.3.6.1.4.1.311.10.12.1. The inclusion of this OID implies that the certificate can be used for any purpose. The advantage of this EKU over the All Purpose EKU is that other non-critical or custom EKUs can still be added to the certificate for effective filtering.
- All Purpose: As defined by RFC 5280, if a CA includes EKUs to satisfy some application needs, but doesn't want to restrict usage of the key, the CA can add an EKU value of 0. A certificate with such an EKU can be used for all purposes.
- The user or the computer certificate on the client must chain to a trusted root CA.
- The user or the computer certificate doesn't fail any one of the checks that are performed by the CryptoAPI certificate store, and the certificate passes requirements in the remote access policy.
- The user or the computer certificate doesn't fail any one of the certificate object identifier checks that are specified in the Internet Authentication Service (IAS)/Radius Server.
- The Subject Alternative Name (SubjectAltName) extension in the certificate contains the user principal name (UPN) of the user.
The following XML sample explains the properties for the EAP TLS XML, including certificate filtering.
> [!NOTE]
> For PEAP or TTLS profiles, the EAP TLS XML is embedded within some PEAP-specific or TTLS-specific elements.
 
```xml
<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
<EapMethod>
<Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type>
<!--The above property defines the Method type for EAP, 13 means EAP TLS -->
<VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
<VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
<AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
<!--The 3 properties above define the method publishers, this is seen primarily in 3rd party Vendor methods.-->
<!-- For Microsoft EAP TLS the value of the above fields will always be 0 -->
</EapMethod>
<!-- Now that the EAP Method is Defined we will go into the Configuration -->
<Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
<Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
<Type>13</Type>
<EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
<CredentialsSource>
<!-- Credential Source can be either CertificateStore or SmartCard -->
<CertificateStore>
<SimpleCertSelection>true</SimpleCertSelection>
<!--SimpleCertSelection automatically selects a cert if there are mutiple identical (Same UPN, Issuer, etc.) certs.-->
<!--It uses a combination of rules to select the right cert-->
</CertificateStore>
</CredentialsSource>
<ServerValidation>
<!-- ServerValidation fields allow for checks on whether the server being connected to and the server cert being used are trusted -->
<DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
<ServerNames/>
</ServerValidation>
<DifferentUsername>false</DifferentUsername>
<PerformServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</PerformServerValidation>
<AcceptServerName xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</AcceptServerName>
<TLSExtensions xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">
<!-- For filtering the relevant information is below -->
<FilteringInfo xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV3">
<CAHashList Enabled="true">
<!-- The above implies that you want to filter by Issuer Hash -->
<IssuerHash>ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
<!-- Issuing certs thumbprint goes here-->
</IssuerHash>
<!-- You can add multiple entries and it will find the list of certs that have at least one of these certs in its chain-->
</CAHashList>
<EKUMapping>
<!-- This section defines Custom EKUs that you may be adding-->
<!-- You do not need this section if you do not have custom EKUs -->
<!-- You can have multiple EKUs defined here and then referenced below as shown -->
<EKUMap>
<EKUName>
<!--Add a friendly Name for an EKU here for example -->ContostoITEKU</EKUName>
<EKUOID>
<!--Add the OID Value your CA adds to the certificate here, for example -->1.3.6.1.4.1.311.42.1.15</EKUOID>
</EKUMap>
<!-- All the EKU Names referenced in the example below must first be defined here
<EKUMap>
<EKUName>Example1</EKUName>
<EKUOID>2.23.133.8.3</EKUOID>
</EKUMap>
<EKUMap>
<EKUName>Example2</EKUName>
<EKUOID>1.3.6.1.4.1.311.20.2.1</EKUOID>
</EKUMap>
-->
</EKUMapping>
<ClientAuthEKUList Enabled="true">
<!-- The above implies that you want certs with Client Authentication EKU to be used for authentication -->
<EKUMapInList>
<!-- This section implies that the certificate should have the following custom EKUs in addition to the Client Authentication EKU -->
<EKUName>
<!--Use the name from the EKUMap Field above-->ContostoITEKU</EKUName>
</EKUMapInList>
<!-- You can have multiple Custom EKUs mapped here, Each additional EKU will be processed with an AND operand -->
<!-- For example, Client Auth EKU AND ContosoITEKU AND Example1 etc. -->
<EKUMapInList>
<EKUName>Example1</EKUName>
</EKUMapInList>
</ClientAuthEKUList>
<AllPurposeEnabled>true</AllPurposeEnabled>
<!-- Implies that a certificate with the EKU field = 0 will be selected -->
<AnyPurposeEKUList Enabled="true"/>
<!-- Implies that a certificate with the EKU oid Value of 1.3.6.1.4.1.311.10.12.1 will be selected -->
<!-- Like for Client Auth you can also add Custom EKU properties with AnyPurposeEKUList (but not with AllPurposeEnabled) -->
<!-- So here is what the above policy implies.
The certificate selected will have
Issuer Thumbprint = ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
AND
((Client Authentication EKU AND ContosoITEKU) OR (AnyPurposeEKU) OR AllPurpose Certificate)
Any certificate(s) that match these criteria will be utilised for authentication
-->
</FilteringInfo>
</TLSExtensions>
</EapType>
</Eap>
</Config>
</EapHostConfig>
```
> [!NOTE]
> The EAP TLS XSD is located at %systemdrive%\\Windows\\schemas\\EAPMethods\\eaptlsconnectionpropertiesv3.xsd.
 
Alternatively, you can use the following procedure to create an EAP configuration XML:
1. Follow steps 1 through 7 in the EAP configuration article.
1. In the **Microsoft VPN SelfHost Properties** dialog box, select **Microsoft: Smart Card or other Certificate** from the drop-down menu (this value selects EAP TLS).
![vpn self host properties window.](images/certfiltering1.png)
> [!NOTE]
> For PEAP or TTLS, select the appropriate method and continue following this procedure.
 
1. Select the **Properties** button underneath the drop-down menu.
1. On the **Smart Card or other Certificate Properties** menu, select the **Advanced** button.
![smart card or other certificate properties window.](images/certfiltering2.png)
1. On the **Configure Certificate Selection** menu, adjust the filters as needed.
![configure certificate window.](images/certfiltering3.png)
1. Select **OK** to close the windows and get back to the main rasphone.exe dialog box.
1. Close the rasphone dialog box.
1. Continue following the procedure in the EAP configuration article from step 9 to get an EAP TLS profile with appropriate filtering.
> [!NOTE]
> You can also set all the other applicable EAP Properties through this UI as well. A guide for what these properties mean can be found in the [Extensible Authentication Protocol (EAP) Settings for Network Access](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh945104(v=ws.11)) article.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)

311
windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md
View File

@ -1,311 +0,0 @@
---
title: Enable ADMX policies in MDM
description: Use this step-by-step guide to configure a selected set of Group Policy administrative templates (ADMX policies) in Mobile Device Management (MDM).
ms.author: vinpa
ms.topic: article
ms.prod: w10
ms.technology: windows
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 11/01/2017
ms.reviewer:
manager: aaroncz
---
# Enable ADMX policies in MDM
Here's how to configure Group Policy administrative templates (ADMX policies) in Mobile Device Management (MDM).
Starting in Windows 10 version 1703, Mobile Device Management (MDM) policy configuration support was expanded to allow access of [selected set of Group Policy administrative templates (ADMX policies)](./policies-in-policy-csp-admx-backed.md) for Windows PCs via the [Policy configuration service provider (CSP)](policy-configuration-service-provider.md). Configuring ADMX policies in Policy CSP is different from the typical way you configure a traditional MDM policy.
Summary of steps to enable a policy:
- Find the policy from the list ADMX policies.
- Find the Group Policy related information from the MDM policy description.
- Use the Group Policy Editor to determine whether there are parameters necessary to enable the policy.
- Create the data payload for the SyncML.
See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Ingesting-Office-ADMX-Backed-policies-using/ba-p/354824) and [Deploying ADMX policies using Microsoft Intune](/archive/blogs/senthilkumar/intune-deploying-admx-backed-policies-using-microsoft-intune) for a walk-through using Intune.
<!-- >[!TIP] -->
<!-- >Intune has added a number of ADMX administrative templates in public preview. Check if the policy settings you need are available in a template before using the SyncML method described below. [Learn more about Intune's administrative templates.](/intune/administrative-templates-windows) -->
## Enable a policy
> [!NOTE]
> See [Understanding ADMX policies in Policy CSP](./understanding-admx-backed-policies.md).
1. Find the policy from the list [ADMX policies](./policies-in-policy-csp-admx-backed.md). You need the following information listed in the policy description.
- GP Friendly name
- GP name
- GP ADMX file name
- GP path
2. Use the Group Policy Editor to determine whether you need additional information to enable the policy. Run GPEdit.msc
1. Click **Start**, then in the text box type **gpedit**.
2. Under **Best match**, click **Edit group policy** to launch it.
![GPEdit search.](images/admx-gpedit-search.png)
3. In **Local Computer Policy** navigate to the policy you want to configure.
In this example, navigate to **Administrative Templates > System > App-V**.
![App-V policies.](images/admx-appv.png)
4. Double-click **Enable App-V Client**.
The **Options** section is empty, which means there are no parameters necessary to enable the policy. If the **Options** section isn't empty, follow the procedure in [Enable a policy that requires parameters](#enable-a-policy-that-requires-parameters)
![Enable App-V client.](images/admx-appv-enableapp-vclient.png)
3. Create the SyncML to enable the policy that doesn't require any parameter.
In this example, you configure **Enable App-V Client** to **Enabled**.
> [!NOTE]
> The \<Data> payload must be XML encoded. To avoid encoding, you can use CData if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). If you are using Intune, select String as the data type.
```xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>2</CmdID>
<Item>
<Meta>
<Format>chr</Format>
<Type>text/plain</Type>
</Meta>
<Target>
<LocURI>./Device/Vendor/MSFT/Policy/Config/AppVirtualization/AllowAppVClient </LocURI>
</Target>
<Data><Enabled/></Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
```
## Enable a policy that requires parameters
1. Create the SyncML to enable the policy that requires parameters.
In this example, the policy is in **Administrative Templates > System > App-V > Publishing**.
1. Double-click **Publishing Server 2 Settings** to see the parameters you need to configure when you enable this policy.
![Enable publishing server 2 policy.](images/admx-appv-publishingserver2.png)
![Enable publishing server 2 settings.](images/admx-app-v-enablepublishingserver2settings.png)
2. Find the variable names of the parameters in the ADMX file.
You can find the ADMX file name in the policy description in Policy CSP. In this example, the filename appv.admx is listed in [AppVirtualization/PublishingAllowServer2](policy-configuration-service-provider.md#appvirtualization-publishingallowserver2).
![Publishing server 2 policy description.](images/admx-appv-policy-description.png)
3. Navigate to **C:\Windows\PolicyDefinitions** (default location of the ADMX files) and open appv.admx.
4. Search for GP name **Publishing_Server2_policy**.
5. Under **policy name="Publishing_Server2_Policy"** you can see the \<elements> listed. The *text id* and *enum id* represent the *data id* you need to include in the SyncML data payload. They correspond to the fields you see in the Group Policy Editor.
Here's the snippet from appv.admx:
```xml
<!-- Publishing Server 2 -->
<policy name="Publishing_Server2_Policy" class="Machine" displayName="$(string.PublishingServer2)"
explainText="$(string.Publishing_Server_Help)" presentation="$(presentation.Publishing_Server2)"
key="SOFTWARE\Policies\Microsoft\AppV\Client\Publishing\Servers\2">
<parentCategory ref="CAT_Publishing" />
<supportedOn ref="windows:SUPPORTED_Windows7" />
<elements>
<text id="Publishing_Server2_Name_Prompt" valueName="Name" required="true"/>
<text id="Publishing_Server_URL_Prompt" valueName="URL" required="true"/>
<enum id="Global_Publishing_Refresh_Options" valueName="GlobalEnabled">
<item displayName="$(string.False)">
<value>
<decimal value="0"/>
</value>
</item>
<item displayName="$(string.True)">
<value>
<decimal value="1"/>
</value>
</item>
</enum>
<enum id="Global_Refresh_OnLogon_Options" valueName="GlobalLogonRefresh">
<item displayName="$(string.False)">
<value>
<decimal value="0"/>
</value>
</item>
<item displayName="$(string.True)">
<value>
<decimal value="1"/>
</value>
</item>
</enum>
<decimal id="Global_Refresh_Interval_Prompt" valueName="GlobalPeriodicRefreshInterval" minValue="0" maxValue="31"/>
<enum id="Global_Refresh_Unit_Options" valueName="GlobalPeriodicRefreshIntervalUnit">
<item displayName="$(string.Hour)">
<value>
<decimal value="0"/>
</value>
</item>
<item displayName="$(string.Day)">
<value>
<decimal value="1"/>
</value>
</item>
</enum>
<enum id="User_Publishing_Refresh_Options" valueName="UserEnabled">
<item displayName="$(string.False)">
<value>
<decimal value="0"/>
</value>
</item>
<item displayName="$(string.True)">
<value>
<decimal value="1"/>
</value>
</item>
</enum>
<enum id="User_Refresh_OnLogon_Options" valueName="UserLogonRefresh">
<item displayName="$(string.False)">
<value>
<decimal value="0"/>
</value>
</item>
<item displayName="$(string.True)">
<value>
<decimal value="1"/>
</value>
</item>
</enum>
<decimal id="User_Refresh_Interval_Prompt" valueName="UserPeriodicRefreshInterval" minValue="0" maxValue="31"/>
<enum id="User_Refresh_Unit_Options" valueName="UserPeriodicRefreshIntervalUnit">
<item displayName="$(string.Hour)">
<value>
<decimal value="0"/>
</value>
</item>
<item displayName="$(string.Day)">
<value>
<decimal value="1"/>
</value>
</item>
</enum>
</elements>
</policy>
```
6. From the **\<elements>** tag, copy all of the *text id* and *enum id* and create an XML with *data id* and *value* fields. The *value* field contains the configuration settings that you would enter in the Group Policy Editor.
Here's the example XML for Publishing_Server2_Policy:
```xml
<data id="Publishing_Server2_Name_Prompt" value="Name"/>
<data id="Publishing_Server_URL_Prompt" value="http://someuri"/>
<data id="Global_Publishing_Refresh_Options" value="1"/>
<data id="Global_Refresh_OnLogon_Options" value="0"/>
<data id="Global_Refresh_Interval_Prompt" value="15"/>
<data id="Global_Refresh_Unit_Options" value="0"/>
<data id="User_Publishing_Refresh_Options" value="0"/>
<data id="User_Refresh_OnLogon_Options" value="0"/>
<data id="User_Refresh_Interval_Prompt" value="15"/>
<data id="User_Refresh_Unit_Options" value="1"/>
```
7. Create the SyncML to enable the policy. Payload contains \<enabled/> and name/value pairs.
Here's the example for **AppVirtualization/PublishingAllowServer2**:
> [!NOTE]
> The \<Data> payload must be XML encoded. To avoid encoding, you can use CData if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). If you are using Intune, select String as the data type.
```xml
<?xml version="1.0" encoding="utf-8"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>2</CmdID>
<Item>
<Meta>
<Format>chr</Format>
<Type>text/plain</Type>
</Meta>
<Target>
<LocURI>./Device/Vendor/MSFT/Policy/Config/AppVirtualization/PublishingAllowServer2</LocURI>
</Target>
<Data>
<![CDATA[<enabled/><data id="Publishing_Server2_Name_Prompt" value="name prompt"/><data
id="Publishing_Server_URL_Prompt" value="URL prompt"/><data
id="Global_Publishing_Refresh_Options" value="1"/><data
id="Global_Refresh_OnLogon_Options" value="0"/><data
id="Global_Refresh_Interval_Prompt" value="15"/><data
id="Global_Refresh_Unit_Options" value="0"/><data
id="User_Publishing_Refresh_Options" value="0"/><data
id="User_Refresh_OnLogon_Options" value="0"/><data
id="User_Refresh_Interval_Prompt" value="15"/><data
id="User_Refresh_Unit_Options" value="1"/>]]>
</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
```
## Disable a policy
The \<Data> payload is \<disabled/>. Here is an example to disable AppVirtualization/PublishingAllowServer2.
```xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>2</CmdID>
<Item>
<Meta>
<Format>chr</Format>
<Type>text/plain</Type>
</Meta>
<Target>
<LocURI>./Device/Vendor/MSFT/Policy/Config/AppVirtualization/PublishingAllowServer2</LocURI>
</Target>
<Data><disabled/></Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
```
## Setting a policy to not configured
The \<Data> payload is empty. Here an example to set AppVirtualization/PublishingAllowServer2 to "Not Configured."
```xml
<?xml version="1.0" encoding="utf-8"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Delete>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/Policy/Config/AppVirtualization/PublishingAllowServer2</LocURI>
</Target>
</Item>
</Delete>
<Final/>
</SyncBody>
</SyncML>
```

312
windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
View File

@ -1,312 +0,0 @@
---
title: Enroll a Windows 10 device automatically using Group Policy
description: Learn how to use a Group Policy to trigger auto-enrollment to MDM for Active Directory (AD) domain-joined devices.
ms.author: vinpa
ms.topic: article
ms.prod: w10
ms.technology: windows
author: vinaypamnani-msft
ms.date: 04/30/2022
ms.reviewer:
manager: aaroncz
ms.collection: highpri
---
# Enroll a Windows 10 device automatically using Group Policy
**Applies to:**
- Windows 10
Starting in Windows 10, version 1709, you can use a Group Policy to trigger auto-enrollment to Mobile Device Management (MDM) for Active Directory (AD) domain-joined devices.
The enrollment into Intune is triggered by a group policy created on your local AD and happens without any user interaction. This cause-and-effect mechanism means you can automatically mass-enroll a large number of domain-joined corporate devices into Microsoft Intune. The enrollment process starts in the background once you sign in to the device with your Azure AD account.
Requirements:
- Active Directory-joined PC running Windows 10, version 1709 or later
- The enterprise has configured a mobile device management (MDM) service
- The on-premises Active Directory must be [integrated with Azure AD (via Azure AD Connect)](/azure/architecture/reference-architectures/identity/azure-ad)
- The device shouldn't already be enrolled in Intune using the classic agents (devices managed using agents will fail enrollment with `error 0x80180026`)
- The minimum Windows Server version requirement is based on the Hybrid Azure AD join requirement. For more information, see [How to plan your hybrid Azure Active Directory join implementation](/azure/active-directory/devices/hybrid-azuread-join-plan).
> [!TIP]
> For more information, see the following topics:
> - [How to configure automatic registration of Windows domain-joined devices with Azure Active Directory](/azure/active-directory/active-directory-conditional-access-automatic-device-registration-setup)
> - [How to plan your hybrid Azure Active Directory join implementation](/azure/active-directory/devices/hybrid-azuread-join-plan)
> - [Azure Active Directory integration with MDM](./azure-active-directory-integration-with-mdm.md)
The auto-enrollment relies on the presence of an MDM service and the Azure Active Directory registration for the PC. Starting in Windows 10, version 1607, once the enterprise has registered its AD with Azure AD, a Windows PC that is domain joined is automatically Azure ADregistered.
> [!NOTE]
> In Windows 10, version 1709, the enrollment protocol was updated to check whether the device is domain-joined. For details, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692). For examples, see section 4.3.1 RequestSecurityToken of the MS-MDE2 protocol documentation.
When the auto-enrollment Group Policy is enabled, a task is created in the background that initiates the MDM enrollment. The task will use the existing MDM service configuration from the Azure Active Directory information of the user. If multi-factor authentication is required, the user will get a prompt to complete the authentication. Once the enrollment is configured, the user can check the status in the Settings page.
In Windows 10, version 1709 or later, when the same policy is configured in Group Policy and MDM, Group Policy policy takes precedence over MDM. Since Windows 10, version 1803, a new setting allows you to change precedence to MDM. For more information, see [Windows 10 Group Policy vs. Intune MDM Policy who wins?](/archive/blogs/cbernier/windows-10-group-policy-vs-intune-mdm-policy-who-wins).
For this policy to work, you must verify that the MDM service provider allows Group Policy initiated MDM enrollment for domain-joined devices.
## Verify auto-enrollment requirements and settings
To ensure that the auto-enrollment feature is working as expected, you must verify that various requirements and settings are configured correctly.
The following steps demonstrate required settings using the Intune service:
1. Verify that the user who is going to enroll the device has a valid [Intune license](/mem/intune/fundamentals/licenses).
:::image type="content" alt-text="Intune license verification." source="images/auto-enrollment-intune-license-verification.png" lightbox="images/auto-enrollment-intune-license-verification.png":::
2. Verify that auto-enrollment is activated for those users who are going to enroll the devices into Mobile Device Management (MDM) with Intune. For more information, see [Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal](./azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md).
![Auto-enrollment activation verification.](images/auto-enrollment-activation-verification.png)
> [!IMPORTANT]
> For bring-your-own devices (BYOD devices), the Mobile Application Management (MAM) user scope takes precedence if both MAM user scope and MDM user scope (automatic MDM enrollment) are enabled for all users (or the same groups of users). The device will use Windows Information Protection (WIP) Policies (if you configured them) rather than being MDM enrolled.
>
> For corporate-owned devices, the MDM user scope takes precedence if both scopes are enabled. The devices get MDM enrolled.
3. Verify that the device OS version is Windows 10, version 1709 or later.
4. Auto-enrollment into Intune via Group Policy is valid only for devices that are hybrid Azure AD joined. This condition means that the device must be joined into both local Active Directory and Azure Active Directory. To verify that the device is hybrid Azure AD joined, run `dsregcmd /status` from the command line.
You can confirm that the device is properly hybrid-joined if both **AzureAdJoined** and **DomainJoined** are set to **YES**.
![Auto-enrollment device status result.](images/auto-enrollment-device-status-result.png)
Additionally, verify that the SSO State section displays **AzureAdPrt** as **YES**.
![Auto-enrollment Azure AD prt verification.](images/auto-enrollment-azureadprt-verification.png)
This information can also be found on the Azure AD device list.
![Azure AD device list.](images/azure-ad-device-list.png)
5. Verify that the MDM discovery URL during auto-enrollment is https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc
![MDM discovery URL.](images/auto-enrollment-mdm-discovery-url.png)
6. Some tenants might have both **Microsoft Intune** and **Microsoft Intune Enrollment** under **Mobility**. Make sure that your auto-enrollment settings are configured under **Microsoft Intune** instead of **Microsoft Intune Enrollment**.
:::image type="content" alt-text="Mobility setting MDM intune." source="images/auto-enrollment-microsoft-intune-setting.png" lightbox="images/auto-enrollment-microsoft-intune-setting.png":::
7. Verify that the *Enable Automatic MDM enrollment using default Azure AD credentials* group policy (**Local Group Policy Editor > Computer Configuration > Policies > Administrative Templates > Windows Components > MDM**) is properly deployed to all devices that should be enrolled into Intune.
You may contact your domain administrators to verify if the group policy has been deployed successfully.
8. Verify that the device isn't enrolled with the old Intune client used on the Intune Silverlight Portal (the Intune portal used before the Azure portal).
9. Verify that Microsoft Intune should allow enrollment of Windows devices.
:::image type="content" alt-text="Enrollment of Windows devices." source="images/auto-enrollment-enrollment-of-windows-devices.png" lightbox="images/auto-enrollment-enrollment-of-windows-devices.png":::
## Configure the auto-enrollment Group Policy for a single PC
This procedure is only for illustration purposes to show how the new auto-enrollment policy works. It's not recommended for the production environment in the enterprise. For bulk deployment, you should use the [Group Policy Management Console process](#configure-the-auto-enrollment-for-a-group-of-devices).
Requirements:
- AD-joined PC running Windows 10, version 1709 or later
- Enterprise has MDM service already configured
- Enterprise AD must be registered with Azure AD
1. Run `GPEdit.msc`. Choose **Start**, then in the text box type `gpedit`.
![GPEdit desktop app search result.](images/autoenrollment-gpedit.png)
2. Under **Best match**, select **Edit group policy** to launch it.
3. In **Local Computer Policy**, select **Administrative Templates** > **Windows Components** > **MDM**.
:::image type="content" alt-text="MDM policies." source="images/autoenrollment-mdm-policies.png" lightbox="images/autoenrollment-mdm-policies.png":::
4. Double-click **Enable automatic MDM enrollment using default Azure AD credentials** (previously called **Auto MDM Enrollment with AAD Token** in Windows 10, version 1709). For ADMX files in Windows 10, version 1903 and later, select **User Credential** as the **Selected Credential Type to use**.
:::image type="content" alt-text="MDM autoenrollment policy." source="images/autoenrollment-policy.png" lightbox="images/autoenrollment-policy.png":::
5. Select **Enable**, select **User Credential** from the dropdown **Select Credential Type to Use**, then select **OK**.
> [!NOTE]
> In Windows 10, version 1903, the MDM.admx file was updated to include an option to select which credential is used to enroll the device. **Device Credential** is a new option that will only have an effect on clients that have installed Windows 10, version 1903 or later. The default behavior for older releases is to revert to **User Credential**.
> **Device Credential** is only supported for Microsoft Intune enrollment in scenarios with Co-management or Azure Virtual Desktop because the Intune subscription is user centric.
When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called "Schedule created by enrollment client for automatically enrolling in MDM from Azure Active Directory."
To see the scheduled task, launch the [Task Scheduler app](#task-scheduler-app).
If two-factor authentication is required, you'll be prompted to complete the process. Here's an example screenshot.
![Two-factor authentication notification.](images/autoenrollment-2-factor-auth.png)
> [!Tip]
> You can avoid this behavior by using Conditional Access Policies in Azure AD.
Learn more by reading [What is Conditional Access?](/azure/active-directory/conditional-access/overview).
6. To verify successful enrollment to MDM, go to **Start** > **Settings** > **Accounts** > **Access work or school**, then select your domain account.
7. Select **Info** to see the MDM enrollment information.
![Work School Settings.](images/autoenrollment-settings-work-school.png)
If you don't see the **Info** button or the enrollment information, enrollment might have failed. Check the status in [Task Scheduler app](#task-scheduler-app).
### Task Scheduler app
1. Select **Start**, then in the text box type `task scheduler`.
![Task Scheduler search result.](images/autoenrollment-task-schedulerapp.png)
2. Under **Best match**, select **Task Scheduler** to launch it.
3. In **Task Scheduler Library**, open **Microsoft > Windows** , then select **EnterpriseMgmt**.
:::image type="content" alt-text="Auto-enrollment scheduled task." source="images/autoenrollment-scheduled-task.png" lightbox="images/autoenrollment-scheduled-task.png":::
To see the result of the task, move the scroll bar to the right to see the **Last Run Result**. The message **0x80180026** is a failure message (`MENROLL_E_DEVICE_MANAGEMENT_BLOCKED`). You can see the logs in the **History** tab.
If the device enrollment is blocked, your IT admin might have enabled the **Disable MDM Enrollment** policy.
> [!NOTE]
> The GPEdit console doesn't reflect the status of policies set by your IT admin on your device. It's only used by the user to set policies.
## Configure the auto-enrollment for a group of devices
Requirements:
- AD-joined PC running Windows 10, version 1709 or later
- Enterprise has MDM service already configured (with Intune or a third-party service provider)
- Enterprise AD must be integrated with Azure AD.
- Ensure that PCs belong to same computer group.
> [!IMPORTANT]
> If you don't see the policy, it may be because you don't have the ADMX for Windows 10, version 1803, version 1809, or version 1903 installed. To fix the issue, use the following procedures. Note that the latest MDM.admx is backwards compatible.
1. Download:
- 1803 --> [Administrative Templates (.admx) for Windows 10 April 2018 Update (1803)](https://www.microsoft.com/download/details.aspx?id=56880)
- 1809 --> [Administrative Templates (.admx) for Windows 10 October 2018 Update (1809)](https://www.microsoft.com/download/details.aspx?id=57576)
- 1903 --> [Administrative Templates (.admx) for Windows 10 May 2019 Update (1903)](https://www.microsoft.com/download/details.aspx?id=58495)
- 1909 --> [Administrative Templates (.admx) for Windows 10 November 2019 Update (1909)](https://www.microsoft.com/download/confirmation.aspx?id=100591)
- 2004 --> [Administrative Templates (.admx) for Windows 10 May 2020 Update (2004)](https://www.microsoft.com/download/confirmation.aspx?id=101445)
- 20H2 --> [Administrative Templates (.admx) for Windows 10 October 2020 Update (20H2)](https://www.microsoft.com/download/details.aspx?id=102157)
- 21H1 --> [Administrative Templates (.admx) for Windows 10 May 2021 Update (21H1)](https://www.microsoft.com/download/details.aspx?id=103124)
- 21H2 --> [Administrative Templates (.admx) for Windows 10 November 2021 Update (21H2)](https://www.microsoft.com/download/103667)
2. Install the package on the Domain Controller.
3. Navigate, depending on the version to the folder:
- 1803 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 April 2018 Update (1803) v2**
- 1809 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2018 Update (1809) v2**
- 1903 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2019 Update (1903) v3**
- 1909 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 November 2019 Update (1909)**
- 2004 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2020 Update (2004)**
- 20H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2020 Update (20H2)**
- 21H1 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2021 Update (21H1)**
- 21H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 November 2021 Update (21H2)**
4. Rename the extracted Policy Definitions folder to `PolicyDefinitions`.
5. Copy the PolicyDefinitions folder to `\\contoso.com\SYSVOL\contoso.com\policies\PolicyDefinitions`.
If this folder doesn't exist, then you'll be switching to a [central policy store](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) for your entire domain.
6. Wait for the SYSVOL DFSR replication to be completed for the policy to be available.
This procedure will work for any future version as well.
1. Create a Group Policy Object (GPO) and enable the Group Policy **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **MDM** > **Enable automatic MDM enrollment using default Azure AD credentials**.
2. Create a Security Group for the PCs.
3. Link the GPO.
4. Filter using Security Groups.
## Troubleshoot auto-enrollment of devices
Investigate the log file if you have issues even after performing all the mandatory verification steps. The first log file to investigate is the event log on the target Windows 10 device.
To collect Event Viewer logs:
1. Open Event Viewer.
2. Navigate to **Applications and Services Logs** > **Microsoft** > **Windows** > **DeviceManagement-Enterprise-Diagnostic-Provider** > **Admin**.
> [!Tip]
> For guidance on how to collect event logs for Intune, see [Collect MDM Event Viewer Log YouTube video](https://www.youtube.com/watch?v=U_oCe2RmQEc).
3. Search for event ID 75, which represents a successful auto-enrollment. Here's an example screenshot that shows the auto-enrollment completed successfully:
:::image type="content" alt-text="Event ID 75." source="images/auto-enrollment-troubleshooting-event-id-75.png" lightbox="images/auto-enrollment-troubleshooting-event-id-75.png":::
If you can't find event ID 75 in the logs, it indicates that the auto-enrollment failed. This failure can happen because of the following reasons:
- The enrollment failed with error. In this case, search for event ID 76, which represents failed auto-enrollment. Here's an example screenshot that shows that the auto-enrollment failed:
:::image type="content" alt-text="Event ID 76." source="images/auto-enrollment-troubleshooting-event-id-76.png" lightbox="images/auto-enrollment-troubleshooting-event-id-76.png":::
To troubleshoot, check the error code that appears in the event. For more information, see [Troubleshooting Windows device enrollment problems in Microsoft Intune](/troubleshoot/mem/intune/troubleshoot-windows-enrollment-errors).
- The auto-enrollment didn't trigger at all. In this case, you'll not find either event ID 75 or event ID 76. To know the reason, you must understand the internal mechanisms happening on the device as described in the following section.
The auto-enrollment process is triggered by a task (**Microsoft** > **Windows** > **EnterpriseMgmt**) within the task-scheduler. This task appears if the *Enable automatic MDM enrollment using default Azure AD credentials* group policy (**Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **MDM**) is successfully deployed to the target machine as shown in the following screenshot:
:::image type="content" alt-text="Task scheduler." source="images/auto-enrollment-task-scheduler.png" lightbox="images/auto-enrollment-task-scheduler.png":::
> [!Note]
> This task isn't visible to standard users, run Scheduled Tasks with administrative credentials to find the task.
This task runs every 5 minutes for the duration of one day. To confirm if the task succeeded, check the task scheduler event logs:
**Applications and Services Logs > Microsoft > Windows > Task Scheduler > Operational**. Look for an entry where the task scheduler created by enrollment client for automatically enrolling in MDM from Azure Active Directory is triggered by event ID 107.
:::image type="content" alt-text="Event ID 107." source="images/auto-enrollment-event-id-107.png" lightbox="images/auto-enrollment-event-id-107.png":::
When the task is completed, a new event ID 102 is logged.
:::image type="content" alt-text="Event ID 102." source="images/auto-enrollment-event-id-102.png" lightbox="images/auto-enrollment-event-id-102.png":::
The task scheduler log displays event ID 102 (task completed) regardless of the auto-enrollment success or failure. This status-display means that the task scheduler log is only useful to confirm if the auto-enrollment task is triggered or not. It doesn't indicate the success or failure of auto-enrollment.
If you can't see from the log that task Schedule created by enrollment client for automatically enrolling in MDM from Azure AD is initiated, there's possibly an issue with the group policy. Immediately run the command `gpupdate /force` in a command prompt to get the group policy object applied. If this step still doesn't help, further troubleshooting on Active Directory is required.
One frequently seen error is related to some outdated enrollment entries in the registry on the target client device (**HKLM > Software > Microsoft > Enrollments**). If a device has been enrolled (can be any MDM solution and not only Intune), some enrollment information added into the registry is seen:
:::image type="content" alt-text="Outdated enrollment entries." source="images/auto-enrollment-outdated-enrollment-entries.png" lightbox="images/auto-enrollment-outdated-enrollment-entries.png":::
By default, these entries are removed when the device is un-enrolled, but occasionally the registry key remains even after un-enrollment. In this case, `gpupdate /force` fails to initiate the auto-enrollment task and error code 2149056522 is displayed in the **Applications and Services Logs** > **Microsoft** > **Windows** > **Task Scheduler** > **Operational** event log file under event ID 7016.
A resolution to this issue is to remove the registry key manually. If you don't know which registry key to remove, go for the key that displays most entries as the screenshot above. All other keys will display fewer entries as shown in the following screenshot:
:::image type="content" alt-text="Manually deleted entries." source="images/auto-enrollment-activation-verification-less-entries.png" lightbox="images/auto-enrollment-activation-verification-less-entries.png":::
### Related topics
- [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11))
- [Create and Edit a Group Policy Object](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754740(v=ws.11))
- [Link a Group Policy Object](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732979(v=ws.11))
- [Filter Using Security Groups](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc752992(v=ws.11))
- [Enforce a Group Policy Object Link](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753909(v=ws.11))
- [Group Policy Central Store](/troubleshoot/windows-client/group-policy/create-and-manage-central-store)
- [Getting started with Cloud Native Windows Endpoints](/mem/cloud-native-windows-endpoints)
- [A Framework for Windows endpoint management transformation](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/a-framework-for-windows-endpoint-management-transformation/ba-p/2460684)
- [Success with remote Windows Autopilot and Hybrid Azure Active Director join](https://techcommunity.microsoft.com/t5/intune-customer-success/success-with-remote-windows-autopilot-and-hybrid-azure-active/ba-p/2749353)
### Useful Links
- [Windows 10 Administrative Templates for Windows 10 November 2021 Update 21H2](https://www.microsoft.com/download/103667)
- [Windows 10 Administrative Templates for Windows 10 May 2021 Update 21H1](https://www.microsoft.com/download/details.aspx?id=103124)
- [Windows 10 Administrative Templates for Windows 10 November 2019 Update 1909](https://www.microsoft.com/download/details.aspx?id=100591)
- [Windows 10 Administrative Templates for Windows 10 May 2019 Update 1903](https://www.microsoft.com/download/details.aspx?id=58495)
- [Windows 10 Administrative Templates for Windows 10 October 2018 Update 1809](https://www.microsoft.com/download/details.aspx?id=57576)

924
windows/client-management/mdm/enterprise-app-management.md
View File

@ -1,924 +0,0 @@
---
title: Enterprise app management
description: This article covers one of the key mobile device management (MDM) features in Windows 10 for managing the lifecycle of apps across all of Windows.
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: w10
ms.technology: windows
author: vinaypamnani-msft
ms.date: 10/04/2021
---
# Enterprise app management
This article covers one of the key mobile device management (MDM) features in Windows 10. It manages the lifecycle of apps across all of Windows. It's the ability to manage both Store and non-Store apps as part of the native MDM capabilities. New in Windows 10 is the ability to take inventory of all your apps.
## Application management goals
Windows 10 offers the ability for management servers to:
- Install apps directly from the Microsoft Store for Business
- Deploy offline Store apps and licenses
- Deploy line-of-business (LOB) apps (non-Store apps)
- Inventory all apps for a user (Store and non-Store apps)
- Inventory all apps for a device (Store and non-Store apps)
- Uninstall all apps for a user (Store and non-Store apps)
- Provision apps so they're installed for all users of a device running Windows 10 for desktop editions (Home, Pro, Enterprise, and Education)
- Remove the provisioned app on the device running Windows 10 for desktop editions
## Inventory your apps
Windows 10 lets you inventory all apps deployed to a user, and inventory all apps for all users of a device on Windows 10 for desktop editions. The [EnterpriseModernAppManagement](enterprisemodernappmanagement-csp.md) configuration service provider (CSP) inventories packaged apps and doesn't include traditional Win32 apps installed via MSI or executables. When the apps are inventoried, they're separated based on the following app classifications:
- Store - Apps that are from the Microsoft Store. Apps can be directly installed from the Store or delivered with the enterprise from the Store for Business
- nonStore - Apps that weren't acquired from the Microsoft Store.
- System - Apps that are part of the OS. You can't uninstall these apps. This classification is read-only and can only be inventoried.
These classifications are represented as nodes in the EnterpriseModernAppManagement CSP.
The following information shows the EnterpriseModernAppManagement CSP in a tree format:
```console
./Device/Vendor/MSFT
or
./User/Vendor/MSFT
EnterpriseAppManagement
----AppManagement
--------UpdateScan
--------LastScanError
--------AppInventoryResults
--------AppInventoryQuery
--------RemovePackage
--------AppStore
----------PackageFamilyName
------------PackageFullName
--------------Name
--------------Version
--------------Publisher
--------------Architecture
--------------InstallLocation
--------------IsFramework
--------------IsBundle
--------------InstallDate
--------------ResourceID
--------------RequiresReinstall
--------------PackageStatus
--------------Users
--------------IsProvisioned
--------------IsStub
------------DoNotUpdate
------------AppSettingPolicy
--------------SettingValue
------------MaintainProcessorArchitectureOnUpdate
------------NonRemovable
----------ReleaseManagement
------------ReleaseManagementKey
--------------ChannelId
--------------ReleaseId
--------------EffectiveRelease
-----------------ChannelId
-----------------ReleaseId
--------nonStore
----------PackageFamilyName
------------PackageFullName
--------------Name
--------------Version
--------------Publisher
--------------Architecture
--------------InstallLocation
--------------IsFramework
--------------IsBundle
--------------InstallDate
--------------ResourceID
--------------RequiresReinstall
--------------PackageStatus
--------------Users
--------------IsProvisioned
--------------IsStub
------------DoNotUpdate
------------AppSettingPolicy
--------------SettingValue
------------MaintainProcessorArchitectureOnUpdate
------------NonRemoveable
--------System
----------PackageFamilyName
------------PackageFullName
--------------Name
--------------Version
--------------Publisher
--------------Architecture
--------------InstallLocation
--------------IsFramework
--------------IsBundle
--------------InstallDate
--------------ResourceID
--------------RequiresReinstall
--------------PackageStatus
--------------Users
--------------IsProvisioned
--------------IsStub
------------DoNotUpdate
------------AppSettingPolicy
--------------SettingValue
------------MaintainProcessorArchitectureOnUpdate
------------NonRemoveable
----AppInstallation
--------PackageFamilyName
----------StoreInstall
----------HostedInstall
----------LastError
----------LastErrorDesc
----------Status
----------ProgressStatus
----AppLicenses
--------StoreLicenses
----------LicenseID
------------LicenseCategory
------------LicenseUsage
------------RequesterID
------------AddLicense
------------GetLicenseFromStore
```
Each app displays one package family name and 1-n package full names for installed apps. The apps are categorized based on their origin (Store, nonStore, System).
Inventory can run recursively at any level from the AppManagement node through the package full name. Inventory can also run only for a specific inventory attribute.
Inventory is specific to the package full name and lists bundled packs and resources packs as applicable under the package family name.
Here are the nodes for each package full name:
- Name
- Version
- Publisher
- Architecture
- InstallLocation
- IsFramework
- IsBundle
- InstallDate
- ResourceID
- RequiresReinstall
- PackageStatus
- Users
- IsProvisioned
For detailed descriptions of each node, see [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md).
### App inventory
You can use the EnterpriseModernAppManagement CSP to query for all apps installed for a user or device. The query returns all apps, even if they were installed using MDM or other methods. Inventory can run at the user or device level. Inventory at the device level will return information for all users on the device.
Doing a full inventory of a device can be resource-intensive based on the hardware and number of apps that are installed. The data returned can also be large. You may want to chunk these requests to reduce the impact to clients and network traffic.
Here's an example of a query for all apps on the device.
```xml
<!-- Get all apps under AppManagement -->
<Get>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement?list=StructData</LocURI>
</Target>
</Item>
</Get>
```
Here's an example of a query for a specific app for a user.
```xml
<!-- Get all information of a specific app for a user -->
<Get>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}?list=StructData</LocURI>
</Target>
</Item>
</Get>
```
### Store license inventory
You can use the EnterpriseModernAppManagement CSP to query for all app licenses installed for a user or device. The query returns all app licenses, event if they were installed via MDM or other methods. Inventory can run at the user or device level. Inventory at the device level will return information for all users on the device.
Here are the nodes for each license ID:
- LicenseCategory
- LicenseUsage
- RequestedID
For detailed descriptions of each node, see [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md).
> [!NOTE]
> The LicenseID in the CSP is the content ID for the license.
Here's an example of a query for all app licenses on a device.
```xml
<!-- Get all app licenses for the device -->
<Get>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppLicenses/StoreLicenses?list=StructData</LocURI>
</Target>
</Item>
</Get>
```
Here's an example of a query for all app licenses for a user.
```xml
<!-- Get a specific app license for a user -->
<Get>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/EnterpriseModernAppManagement/AppLicenses/StoreLicenses/{license id}?list=StructData</LocURI>
</Target>
</Item>
</Get>
```
## Enable the device to install non-Store apps
There are two basic types of apps you can deploy: Store apps and enterprise signed apps. To deploy enterprise signed apps, you must enable a setting on the device to allow trusted apps. The apps can be signed by a Microsoft approved root (such as Symantec), an enterprise deployed root, or apps that are self-signed. This section covers the steps to configure the device for non-store app deployment.
### Unlock the device for non-Store apps
To deploy apps that aren't from the Microsoft Store, you must configure the ApplicationManagement/AllowAllTrustedApps policy. This policy allows the installation of non-Store apps on the device if there's a chain to a certificate on the device. The app can be signed with a root certificate on the device (such as Symantec Enterprise), an enterprise owned root certificate, or a peer trust certificate deployed on the device. For more information about deploying user license, see [Deploy an offline license to a user](#deploy-an-offline-license-to-a-user).
The AllowAllTrustedApps policy enables the installation apps that are trusted by a certificate in the Trusted People on the device, or a root certificate in the Trusted Root of the device. The policy isn't configured by default, which means only apps from the Microsoft Store can be installed. If the management server implicitly sets the value to off, the setting is disabled in the settings panel on the device.
For more information about the AllowAllTrustedApps policy, see [Policy CSP](policy-configuration-service-provider.md).
Here are some examples.
```xml
<!-- Get policy (Default)-->
<Get>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/Policy/Result/ApplicationManagement/AllowAllTrustedApps?list=StructData</LocURI>
</Target>
</Item>
</Get>
<!-- Update policy -->
<Replace>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/Policy/Config/ApplicationManagement/AllowAllTrustedApps</LocURI>
</Target>
<Meta>
<Format>int</Format>
<Type>text/plain</Type>
</Meta>
<Data>1</Data>
</Item>
</Replace>
```
### Unlock the device for developer mode
Development of apps on Windows 10 no longer requires a special license. You can enable debugging and deployment of non-packaged apps using ApplicationManagement/AllowDeveloperUnlock policy in Policy CSP.
AllowDeveloperUnlock policy enables the development mode on the device. The AllowDeveloperUnlock isn't configured by default, which means only Microsoft Store apps can be installed. If the management server explicitly sets the value to off, the setting is disabled in the settings panel on the device.
Deployment of apps to Windows 10 for desktop editions requires that there's a chain to a certificate on the device. The app can be signed with a root certificate on the device (such as Symantec Enterprise), an enterprise owned root certificate, or a peer trust certificate deployed on the device.
For more information about the AllowDeveloperUnlock policy, see [Policy CSP](policy-configuration-service-provider.md).
Here's an example.
```xml
<!-- Get policy (Default)-->
<Get>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/Policy/Result/ApplicationManagement/AllowDeveloperUnlock?list=StructData</LocURI>
</Target>
</Item>
</Get>
<!-- Update policy -->
<Replace>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/Policy/Config/ApplicationManagement/AllowDeveloperUnlock</LocURI>
</Target>
<Meta>
<Format>int</Format>
<Type>text/plain</Type>
</Meta>
<Data>1</Data>
</Item>
</Replace>
```
## Install your apps
You can install apps to a specific user or to all users of a device. Apps are installed directly from the Microsoft Store. Or, they're installed from a host location, such as a local disk, UNC path, or HTTPS location. Use the AppInstallation node of the [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) to install apps.
### Deploy apps to user from the Store
To deploy an app to a user directly from the Microsoft Store, the management server runs an Add and Exec command on the AppInstallation node of the EnterpriseModernAppManagement CSP. This feature is only supported in the user context, and not supported in the device context.
If you purchased an app from the Store for Business and the app is specified for an online license, then the app and license must be acquired directly from the Microsoft Store.
Here are the requirements for this scenario:
- The app is assigned to a user Azure Active Directory (Azure AD) identity in the Store for Business. You can assign directly in the Store for Business or through a management server.
- The device requires connectivity to the Microsoft Store.
- Microsoft Store services must be enabled on the device. The UI for the Microsoft Store can be disabled by the enterprise admin.
- The user must be signed in with their Azure AD identity.
Here are some examples.
```xml
<Exec>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/StoreInstall</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">xml</Format>
</Meta>
<Data><Application id="{ProductID}" flags="0" skuid=" "/></Data>
</Item>
</Exec>
```
Here are the changes from the previous release:
1. The "{CatID}" reference should be updated to "{ProductID}". This value is acquired as a part of the Store for Business management tool.
2. The value for flags can be "0" or "1"
When using "0", the management tool calls back to the Store for Business sync to assign a user a seat of an application. When using "1", the management tool doesn't call back in to the Store for Business sync to assign a user a seat of an application. The CSP will claim a seat if one is available.
3. The `skuid` is a new parameter that is required. This value is acquired as a part of the Store for Business to management tool sync.
### Deploy an offline license to a user
If you purchased an app from the Store for Business, the app license must be deployed to the device.
The app license only needs to be deployed as part of the initial installation of the app. During an update, only the app is deployed to the user.
In the SyncML, you need to specify the following information in the Exec command:
- License ID - This ID is specified in the LocURI. The License ID for the offline license is referred to as the "Content ID" in the license file. You can retrieve this information from the Base64 encoded license download from the Store for Business.
- License Content - This content is specified in the data section. The License Content is the Base64 encoded blob of the license.
Here's an example of an offline license installation.
```xml
<Exec>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/EnterpriseModernAppManagement/AppLicenses/StoreLicenses/{LicenseID}/AddLicense</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">xml</Format>
</Meta>
<Data><License Content="{LicenseBlob}"></Data>
</Item>
</Exec>
```
<a href="" id="deploy-from-hosted-loc"></a>
### Deploy apps to a user from a hosted location
If you purchased an app from the Store for Business and the app is specified for an offline license or the app is a non-Store app, the app must be deployed from a hosted location.
Here are the requirements for this scenario:
- The location of the app can be a local files system (C:\\StagedApps\\app1.appx), a UNC path (\\\\server\\share\\app1.apx), or an HTTPS location (`https://contoso.com/app1.appx`).
- The user must have permission to access the content location. For HTTPs, you can use server authentication or certificate authentication using a certificate associated with the enrollment. HTTP locations are supported, but not recommended because of lack of authentication requirements.
- The device doesn't need to have connectivity to the Microsoft Store, store services, or have the Microsoft Store UI be enabled.
- The user must be logged in, but association with Azure AD identity isn't required.
> [!NOTE]
> You must unlock the device to deploy nonStore apps or you must deploy the app license before deploying the offline apps. For details, see [Deploy an offline license to a user](#deploy-an-offline-license-to-a-user).
The Add command for the package family name is required to ensure proper removal of the app at unenrollment.
Here's an example of a line-of-business app installation.
```xml
<!-- Add PackageFamilyName -->
<Add>
<CmdID>0</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}</LocURI>
</Target>
</Item>
</Add>
<!-- Install appx -->
<Exec>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/HostedInstall</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">xml</Format>
</Meta>
<Data><Application PackageUri="\\server\share\HelloWorld10.appx" /></Data>
</Item>
</Exec>
```
Here's an example of an app installation with dependencies.
```xml
<!-- Add PackageFamilyName -->
<Add>
<CmdID>0</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName</LocURI>
</Target>
</Item>
</Add>
<!-- Install appx with deployment options and framework dependencies-->
<Exec>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/HostedInstall</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">xml</Format>
</Meta>
<Data>
<Application PackageUri="\\server\share\HelloWorld10.appx" DeploymentOptions="0" >
<Dependencies>
<Dependency PackageUri=”\\server\share\HelloWorldFramework.appx” />
<Dependency PackageUri=”\\server2\share\HelloMarsFramework.appx” />
</Dependencies>
</Application>
</Data>
</Item>
</Exec>
```
Here's an example of an app installation with dependencies and optional packages.
```xml
<!-- Add PackageFamilyName -->
<Add>
<CmdID>0</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName</LocURI>
</Target>
</Item>
</Add>
<!-- Install appx with deployment options and framework dependencies-->
<Exec>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/HostedInstall</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">xml</Format>
</Meta>
<Data>
<Application PackageUri="\\server\share\HelloWorld10.appx" DeploymentOptions="0" >
<Dependencies>
<Dependency PackageUri=”\\server\share\HelloWorldFramework.appx” />
<Dependency PackageUri=”\\server2\share\HelloMarsFramework.appx” />
</Dependencies>
<OptionalPackages>
<Package PackageUri=”\\server\share\OptionalPackage1.appx”
PackageFamilyName="/{PackageFamilyName}" />
<Package PackageUri=”\\server2\share\OptionalPackage2.appx”
PackageFamilyName="/{PackageFamilyName}" />
</OptionalPackages>
</Application>
</Data>
</Item>
</Exec>
```
### Provision apps for all users of a device
Provisioning allows you to stage the app to the device and all users of the device can have the app registered on their next login. This feature is only supported for app purchased from the Store for Business, and the app is specified for an offline license or the app is a non-Store app. The app must be offered from a hosted location. The app is installed as a local system. To install to a local file share, the 'local system' of the device must have access to the share.
Here are the requirements for this scenario:
- The location of the app can be the local files system (C:\\StagedApps\\app1.appx), a UNC path (\\\\server\\share\\app1.apx), or an HTTPS location (`https://contoso.com/app1.appx\`)
- The user must have permission to access the content location. For HTTPs, you can use server authentication or certificate authentication using a certificate associated with the enrollment. HTTP locations are supported, but not recommended because of lack of authentication requirements.
- The device doesn't need to have connectivity to the Microsoft Store, or store services enabled.
- The device doesn't need any Azure AD identity or domain membership.
- For nonStore app, your device must be unlocked.
- For Store offline apps, the required licenses must be deployed before deploying the apps.
To provision app for all users of a device from a hosted location, the management server runs an Add and Exec command on the AppInstallation node in the device context. The Add command for the package family name is required to ensure proper removal of the app at unenrollment.
> [!NOTE]
> When you remove the provisioned app, it will not remove it from the users that already installed the app.
Here's an example of app installation.
> [!NOTE]
> This is only supported in Windows 10 for desktop editions.
```xml
<!-- Add PackageFamilyName -->
<Add>
<CmdID>0</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName</LocURI>
</Target>
</Item>
</Add>
<!-- Provision appx to device -->
<Exec>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/HostedInstall</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">xml</Format>
</Meta>
<Data><Application PackageUri="\\server\share\HelloWorld10.appx" /></Data>
</Item>
</Exec>
```
The HostedInstall Exec command contains a Data node that requires an embedded XML. Here are the requirements for the data XML:
- Application node has a required parameter, PackageURI, which can be a local file location, UNC, or HTTPS location.
- Dependencies can be specified if required to be installed with the package. This is optional.
The DeploymentOptions parameter is only available in the user context.
Here's an example of app installation with dependencies.
> [!NOTE]
> This is only supported in Windows 10 for desktop editions.
```xml
<!-- Add PackageFamilyName -->
<Add>
<CmdID>0</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName</LocURI>
</Target>
</Item>
</Add>
<!-- Provision appx with framework dependencies-->
<Exec>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/HostedInstall</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">xml</Format>
</Meta>
<Data>
<Application PackageUri="\\server\share\HelloWorld10.appx" />
<Dependencies>
<Dependency PackageUri=”\\server\share\HelloWorldFramework.appx” />
<Dependency PackageUri="\\server2\share\HelloMarsFramework.appx"/>
</Dependencies>
</Application>
</Data>
</Item>
</Exec>
```
### Get status of app installations
When an app installation is completed, a Windows notification is sent. You can also query the status of using the AppInstallation node. Here's the list of information you can get back in the query:
- Status - indicates the status of app installation.
- NOT\_INSTALLED (0) - The node was added, but the execution wasn't completed.
- INSTALLING (1) - Execution has started, but the deployment hasn't completed. If the deployment completes regardless of success, then this value is updated.
- FAILED (2) - Installation failed. The details of the error can be found under LastError and LastErrorDescription.
- INSTALLED (3) - Once an install is successful this node is cleaned up. If the clean up action hasn't completed, then this state may briefly appear.
- LastError - The last error reported by the app deployment server.
- LastErrorDescription - Describes the last error reported by the app deployment server.
- Status - An integer that indicates the progress of the app installation. In cases of an HTTPS location, this status shows the estimated download progress.
Status isn't available for provisioning and only used for user-based installations. For provisioning, the value is always 0.
When an app is installed successfully, the node is cleaned up and no longer present. The status of the app can be reported under the AppManagement node.
Here's an example of a query for a specific app installation.
```xml
<!-- Get all app status under AppInstallation for a specific app-->
<Get>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}?list=StructData</LocURI>
</Target>
</Item>
</Get>
```
Here's an example of a query for all app installations.
```xml
<!-- Get all app status under AppInstallation-->
<Get>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation?list=StructData</LocURI>
</Target>
</Item>
</Get>
```
### Alert for installation completion
Application installations can take some time to complete. So, they're done asynchronously. When the Exec command is completed, the client sends a notification to the management server with a status, whether it's a failure or success.
Here's an example of an alert.
```xml
<Alert>
<CmdID>4</CmdID>
<Data>1226</Data>
<Item>
<Source>
<LocURI>./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/HostedInstall</LocURI>
</Source>
<Meta>
<Type xmlns="syncml:metinf">Reversed-Domain-Name:com.microsoft.mdm.EnterpriseHostedAppInstall.result</Type>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>0</Data>
</Item>
</Alert>
```
For user-based installation, use the ./User path and for provisioning of apps, use the ./Device path.
The Data field value of 0 (zero) indicates success. Otherwise it's an error code. If there's a failure, you can get more details from the AppInstallation node.
> [!NOTE]
> At this time, the alert for Store app installation isn't yet available.
## Uninstall your apps
You can uninstall apps from users from Windows 10 devices. To uninstall an app, you delete it from the AppManagement node of the CSP. Within the AppManagement node, packages are organized based on their origin according to the following nodes:
- AppStore - These apps are for the Microsoft Store. Apps can be directly installed from the store or delivered to the enterprise from the Store for Business.
- nonStore - These apps that weren't acquired from the Microsoft Store.
- System - These apps are part of the OS. You can't uninstall these apps.
To uninstall an app, you delete it under the origin node, package family name, and package full name. To uninstall a XAP, use the product ID in place of the package family name and package full name.
Here's an example for uninstalling all versions of an app for a user.
```xml
<!-- Uninstall App for a Package Family-->
<Delete>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}</LocURI>
</Target>
</Item>
</Delete>
```
Here's an example for uninstalling a specific version of the app for a user.
```xml
<!-- Uninstall App for a specific package full name-->
<Delete>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}</LocURI>
</Target>
</Item>
</Delete>
```
### Removed provisioned apps from a device
You can remove provisioned apps from a device for a specific version, or for all versions of a package family. When a provisioned app is removed, it isn't available to future users for the device. Logged in users who have the app registered to them will continue to have access to the app. If you want to remove the app for those users, you must explicitly uninstall the app for those users.
> [!NOTE]
> You can only remove an app that has an inventory value IsProvisioned = 1.
Removing provisioned app occurs in the device context.
Here's an example for removing a provisioned app from a device.
```xml
<!— Remove Provisioned App for a Package Family-->
<Delete>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}</LocURI>
</Target>
</Item>
</Delete>
```
Here's an example for removing a specific version of a provisioned app from a device:
```xml
<!-- Remove Provisioned App for a specific package full name-->
<Delete>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}</LocURI>
</Target>
</Item>
</Delete>
```
### Remove a store app license
You can remove app licenses from a device per app based on the content ID.
Here's an example for removing an app license for a user.
```xml
<!-- Remove App License for a User-->
<Delete>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/EnterpriseModernAppManagement/AppLicenses/StoreLicenses/{license id}</LocURI>
</Target>
</Item>
</Delete>
```
Here's an example for removing an app license for a provisioned package (device context).
```xml
<!-- Remove App License for a provisioned package (device) -->
<Delete>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppLicenses/StoreLicenses/{license id}</LocURI>
</Target>
</Item>
</Delete>
```
### Alert for app uninstallation
Uninstallation of an app can take some time complete. So, the uninstall is run asynchronously. When the Exec command is completed, the client sends a notification to the management server with a status, whether it's a failure or success.
For user-based uninstallation, use ./User in the LocURI, and for provisioning, use ./Device in the LocURI.
Here's an example. There's only one uninstall for hosted and store apps.
```xml
<Alert>
<Data>1226</Data>
<Item>
<Source>
<LocURI>./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/{PackageFamilyName}</LocURI>
</Source>
<Meta>
<Type xmlns="syncml:metinf">Reversed-Domain-Name:com.microsoft.mdm.EnterpriseAppUninstall.result</Type>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>0</Data>
</Item>
</Alert>
```
## Update your apps
Apps installed on a device can be updated using the management server. Apps can be updated directly from the store or installed from a hosted location.
### Update apps directly from the store
To update an app from Microsoft Store, the device requires contact with the store services.
Here's an example of an update scan.
```xml
<!— Initiate a update scan for a user-->
<Exec>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/UpdateScan</LocURI>
</Target>
</Item>
</Exec>
```
Here's an example of a status check.
```xml
<!— Get last error related to the update scan-->
<Get>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/LastScanError</LocURI>
</Target>
</Item>
</Get>
```
### Update apps from a hosted location
Updating an existing app follows the same process as an initial installation. For more information, see [Deploy apps to a user from a hosted location](#deploy-apps-to-a-user-from-a-hosted-location).
### Update provisioned apps
A provisioned app automatically updates when an app update is sent to the user. You can also update a provisioned app using the same process as an initial provisioning. For more information about initial provisioning, see [Provision apps for all users of a device](#provision-apps-for-all-users-of-a-device).
### Prevent app from automatic updates
You can prevent specific apps from being automatically updated. This feature allows you to turn on auto-updates for apps, with specific apps excluded as defined by the IT admin.
Turning off updates only applies to updates from the Microsoft Store at the device level. This feature isn't available at a user level. You can still update an app if the offline packages are pushed from hosted install location.
Here's an example.
```xml
<!— Prevent app from being automatically updated-->
<Replace>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/DoNotUpdate</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
<Type xmlns="syncml:metinf">text/plain</Type>
</Meta>
<Data>1</Data></Item>
</Replace>
```
## More app management scenarios
The following subsections provide information about more settings configurations.
### Enable shared user app data
The Universal Windows app can share application data between the users of the device. The ability to share data can be set at a package family level or per device.
> [!NOTE]
> This is only applicable to multi-user devices.
The AllowSharedUserAppData policy in [Policy CSP](policy-configuration-service-provider.md) enables or disables app packages to share data between app packages when there are multiple users. If you enable this policy, applications can share data between packages in their package family. Data can be shared through ShareLocal folder for that package family and local machine. This folder is available through the Windows.Storage API.
If you disable this policy, applications can't share user application data among multiple users. However, pre-written shared data will persist. The clean pre-written shared data, use DISM ((/Get-ProvisionedAppxPackage to detect if there's any shared data, and /Remove-SharedAppxData to remove it).
The valid values are 0 (off, default value) and 1 (on).
Here's an example.
```xml
<!-- Get policy (Default)-->
<Get>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/Policy/Result/ApplicationManagement/AllowSharedUserAppData?list=StructData</LocURI>
</Target>
</Item>
</Get>
<!-- Update policy -->
<Replace>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/Policy/Config/ApplicationManagement/AllowSharedUserAppData</LocURI>
</Target>
<Meta>
<Format>int</Format>
<Type>text/plain</Type>
</Meta>
<Data>1</Data>
</Item>
</Replace>
```

25
windows/client-management/mdm/esim-enterprise-management.md
View File

@ -1,25 +0,0 @@
---
title: eSIM Enterprise Management
description: Learn how Mobile Device Management (MDM) Providers support the eSIM Profile Management Solution on Windows.
ms.prod: w10
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.author: vinpa
ms.topic: conceptual
---
# How Mobile Device Management Providers support eSIM Management on Windows
The eSIM Profile Management Solution places the Mobile Device Management (MDM) Provider in the front and center. The whole idea is to use an already-existing solution that customers are familiar with and use to manage devices. The expectations from an MDM are that it will use the same sync mechanism that it uses for device policies to push any policy to the eSIM profile, and be able to use Groups and Users the same way. This way, the eSIM profile download and the installation happen in the background without impacting the end user. Similarly, the IT admin would use the same method of managing the eSIM profiles (Assignment/de-assignment, etc.) the same way as they currently do device management.
If you are a Mobile Device Management (MDM) Provider and want to support eSIM Management on Windows, perform the following steps:
- Onboard to Azure Active Directory
- Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. However, Windows does not limit how ecosystem partners might want to offer this to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Windows OMA-DM. This makes it possible to remotely manage the eSIM profiles according to the company policies. Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. However, Windows does not limit how ecosystem partners might want to offer this capability to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Windows OMA-DM. This characteristic makes it possible to remotely manage the eSIM profiles according to the company policies. As an MDM provider, if you are looking to integrate/onboard to a mobile operator on a 1:1 basis, contact them and learn more about their onboarding. If you would like to integrate and work with only one MDM provider, contact that provider directly. If you would like to offer eSIM management to customers using different MDM providers, contact an orchestrator provider. Orchestrator providers act as proxy handling MDM onboarding and as a mobile operator onboarding. Their role is to make the process as painless and scalable as possible for all parties. Potential orchestrator providers you could contact include:
- [HPE Device Entitlement Gateway](https://www.hpe.com/emea_europe/en/solutions/digital-communications-services.html)
- [IDEMIA The Smart Connect - Hub](https://www.idemia.com/smart-connect-hub)
- Assess solution type that you would like to provide your customers
- Batch/offline solution
- IT Admin can manually import a flat file containing list of eSIM activation codes, and provision eSIM on LTE enabled devices.
- Operator doesn't have visibility over status of the eSIM profiles and device eSIM has been downloaded and installed to
- Real-time solution
- MDM automatically syncs with the Operator backend system for subscription pool and eSIM management, via sim vendor solution component. IT Admin can view subscription pool and provision eSIM in real time.
- Operator is notified of the status of each eSIM profile and has visibility on which devices are being used
**Note:** End users don't notice the solution type. The choice between the two is made between the MDM and the Mobile Operator.

628
windows/client-management/mdm/federated-authentication-device-enrollment.md
View File

@ -1,628 +0,0 @@
---
title: Federated authentication device enrollment
description: This section provides an example of the mobile device enrollment protocol using federated authentication policy.
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: w10
ms.technology: windows
author: vinaypamnani-msft
ms.date: 07/28/2017
---
# Federated authentication device enrollment
This section provides an example of the mobile device enrollment protocol using federated authentication policy. When the authentication policy is set to Federated, the web authentication broker is used by the enrollment client to get a security token. The enrollment client calls the web authentication broker API within the response message to start the process. The server should build the web authentication broker pages to fit the device screen and should be consistent with the existing enrollment UI. The opaque security token that is returned from the broker as an end page is used by the enrollment client as the device security secret during the client certificate request call.
The `<AuthenticationServiceURL>` element the discovery response message specifies web authentication broker page start URL.
For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692).
## In this topic
[Discovery service](#discovery-service)
[Enrollment policy web service](#enrollment-policy-web-service)
[Enrollment web service](#enrollment-web-service)
For the list of enrollment scenarios not supported in Windows 10, see [Enrollment scenarios not supported](mobile-device-enrollment.md#enrollment-scenarios-not-supported).
## Discovery service
The discovery web service provides the configuration information necessary for a user to enroll a phone with a management service. The service is a restful web service over HTTPS (server authentication only).
> [!NOTE]
> The administrator of the discovery service must create a host with the address enterpriseenrollment.*domain\_name*.com.
The automatic discovery flow of the device uses the domain name of the email address that was submitted to the Workplace settings screen during sign in. The automatic discovery system constructs a URI that uses this hostname by appending the subdomain “enterpriseenrollment” to the domain of the email address, and by appending the path “/EnrollmentServer/Discovery.svc”. For example, if the email address is “sample@contoso.com”, the resulting URI for first Get request would be: `http://enterpriseenrollment.contoso.com/EnrollmentServer/Discovery.svc`.
The first request is a standard HTTP GET request.
The following example shows a request via HTTP GET to the discovery server given user@contoso.com as the email address.
```http
Request Full Url: http://EnterpriseEnrollment.contoso.com/EnrollmentServer/Discovery.svc
Content Type: unknown
Header Byte Count: 153
Body Byte Count: 0
```
```http
GET /EnrollmentServer/Discovery.svc HTTP/1.1
User-Agent: Windows Phone 8 Enrollment Client
Host: EnterpriseEnrollment.contoso.com
Pragma: no-cache
```
```http
Request Full Url: http://EnterpriseEnrollment.contoso.com/EnrollmentServer/Discovery.svc
Content Type: text/html
Header Byte Count: 248
Body Byte Count: 0
```
```http
HTTP/1.1 200 OK
Connection: Keep-Alive
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 0
```
After the device gets a response from the server, the device sends a POST request to enterpriseenrollment.*domain\_name*/EnrollmentServer/Discovery.svc. After it gets another response from the server (which should tell the device where the enrollment server is), the next message sent from the device is to enterpriseenrollment.*domain\_name* to the enrollment server.
The following logic is applied:
1. The device first tries HTTPS. If the server cert isn't trusted by the device, the HTTPS fails.
2. If that fails, the device tries HTTP to see whether it's redirected:
- If the device isn't redirected, it prompts the user for the server address.
- If the device is redirected, it prompts the user to allow the redirect.
The following example shows a request via an HTTP POST command to the discovery web service given user@contoso.com as the email address
```http
https://EnterpriseEnrollment.Contoso.com/EnrollmentServer/Discovery.svc
```
The following example shows the discovery service request.
```xml
<?xml version="1.0"?>
<s:Envelope xmlns:a="http://www.w3.org/2005/08/addressing"
xmlns:s="http://www.w3.org/2003/05/soap-envelope">
<s:Header>
<a:Action s:mustUnderstand="1">
http://schemas.microsoft.com/windows/management/2012/01/enrollment/IDiscoveryService/Discover
</a:Action>
<a:MessageID>urn:uuid: 748132ec-a575-4329-b01b-6171a9cf8478</a:MessageID>
<a:ReplyTo>
<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo>
<a:To s:mustUnderstand="1">
https://ENROLLTEST.CONTOSO.COM/EnrollmentServer/Discovery.svc
</a:To>
</s:Header>
<s:Body>
<Discover xmlns="http://schemas.microsoft.com/windows/management/2012/01/enrollment/">
<request xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
<EmailAddress>user@contoso.com</EmailAddress>
<OSEdition>3</OSEdition> <!--New -->
<RequestVersion>3.0</RequestVersion> <!-- Updated -->
<DeviceType>WindowsPhone</DeviceType> <!--Updated -->
<ApplicationVersion>10.0.0.0</ApplicationVersion>
<AuthPolicies>
<AuthPolicy>OnPremise</AuthPolicy>
<AuthPolicy>Federated</AuthPolicy>
</AuthPolicies>
</request>
</Discover>
</s:Body>
</s:Envelope>
```
The discovery response is in the XML format and includes the following fields:
- Enrollment service URL (EnrollmentServiceUrl) Specifies the URL of the enrollment endpoint that is exposed by the management service. The device should call this URL after the user has been authenticated. This field is mandatory.
- Authentication policy (AuthPolicy) Indicates what type of authentication is required. For the MDM server, OnPremise is the supported value, which means that the user will be authenticated when calling the management service URL. This field is mandatory.
- In Windows, Federated is added as another supported value. This addition allows the server to use the Web Authentication Broker to perform customized user authentication, and term of usage acceptance.
> [!Note]
> The HTTP server response must not set Transfer-Encoding to Chunked; it must be sent as one message.
When authentication policy is set to be Federated, Web Authentication Broker (WAB) will be used by the enrollment client to get a security token. The WAB start page URL is provided by the discovery service in the response message. The enrollment client will call the WAB API within the response message to start the WAB process. WAB pages are server hosted web pages. The server should build those pages to fit the device screen nicely and be as consistent as possible to other builds in the MDM enrollment UI. The opaque security token that is returned from WAB as an endpage will be used by the enrollment client as the device security secret during the client certificate enrollment request call.
> [!Note]
> Instead of relying on the user agent string that is passed during authentication to get information, such as the OS version, use the following guidance:
> - Parse the OS version from the data sent up during the discovery request.
> - Append the OS version as a parameter in the AuthenticationServiceURL.
> - Parse out the OS version from the AuthenticiationServiceURL when the OS sends the response for authentication.
A new XML tag, AuthenticationServiceUrl, is introduced in the DiscoveryResponse XML to allow the server to specify the WAB page start URL. For Federated authentication, this XML tag must exist.
> [!Note]
> The enrollment client is agnostic with regards to the protocol flows for authenticating and returning the security token. While the server might prompt for user credentials directly or enter into a federation protocol with another server and directory service, the enrollment client is agnostic to all of this. To remain agnostic, all protocol flows pertaining to authentication that involve the enrollment client are passive, that is, browser-implemented.
The following are the explicit requirements for the server.
- The `<DiscoveryResponse>``<AuthenticationServiceUrl>` element must support HTTPS.
- The authentication server must use a device trusted root certificate. Otherwise, the WAP call will fail.
- WP doesnt support Windows Integrated Authentication (WIA) for ADFS during WAB authentication. ADFS 2012 R2 if used needs to be configured to not attempt WIA for Windows device.
The enrollment client issues an HTTPS request as follows:
```http
AuthenticationServiceUrl?appru=<appid>&amp;login_hint=<User Principal Name>
```
- `<appid>` is of the form ms-app://string
- `<User Principal Name>` is the name of the enrolling user, for example, user@constoso.com as input by the user in an enrollment sign-in page. The value of this attribute serves as a hint that can be used by the authentication server as part of the authentication.
After authentication is complete, the auth server should return an HTML form document with a POST method action of appid identified in the query string parameter.
> [!NOTE]
> To make an application compatible with strict Content Security Policy, it's usually necessary to make some changes to HTML templates and client-side code, add the policy header, and test that everything works properly once the policy is deployed.
```html
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 556
<!DOCTYPE>
<html>
<head>
<title>Working...</title>
<script>
function formSubmit() {
document.forms[0].submit();
}
window.onload=formSubmit;
</script>
</head>
<body>
<!-- appid below in post command must be same as appid in previous client https request. -->
<form method="post" action="ms-app://appid">
<p><input type="hidden" name="wresult" value="token value"/></p>
<input type="submit"/>
</form>
</body>
</html>
```
The server has to send a POST to a redirect URL of the form ms-app://string (the URL scheme is ms-app) as indicated in the POST method action. The security token value is the base64-encoded string `http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\#base64binary` contained in the `<wsse:BinarySecurityToken>` EncodingType attribute. Windows does the binary encode when it sends it back to enrollment server, in the form it's just HTML encoded. This string is opaque to the enrollment client; the client doesn't interpret the string.
The following example shows a response received from the discovery web service that requires authentication via WAB.
```xml
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
xmlns:a="http://www.w3.org/2005/08/addressing">
<s:Header>
<a:Action s:mustUnderstand="1">
http://schemas.microsoft.com/windows/management/2012/01/enrollment/IDiscoveryService/DiscoverResponse
</a:Action>
<ActivityId>
d9eb2fdd-e38a-46ee-bd93-aea9dc86a3b8
</ActivityId>
<a:RelatesTo>urn:uuid: 748132ec-a575-4329-b01b-6171a9cf8478</a:RelatesTo>
</s:Header>
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<DiscoverResponse
xmlns="http://schemas.microsoft.com/windows/management/2012/01/enrollment">
<DiscoverResult>
<AuthPolicy>Federated</AuthPolicy>
<EnrollmentVersion>3.0</EnrollmentVersion>
<EnrollmentPolicyServiceUrl>
https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC
</EnrollmentPolicyServiceUrl>
<EnrollmentServiceUrl>
https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC
</EnrollmentServiceUrl>
<AuthenticationServiceUrl>
https://portal.manage.contoso.com/LoginRedirect.aspx
</AuthenticationServiceUrl>
</DiscoverResult>
</DiscoverResponse>
</s:Body>
</s:Envelope>
```
## Enrollment policy web service
Policy service is optional. By default, if no policies are specified, the minimum key length is 2k and the hash algorithm is SHA-1.
This web service implements the X.509 Certificate Enrollment Policy Protocol (MS-XCEP) specification that allows customizing certificate enrollment to match different security needs of enterprises at different times (cryptographic agility). The service processes the GetPolicies message from the client, authenticates the client, and returns matching enrollment policies in the GetPoliciesResponse message.
For Federated authentication policy, the security token credential is provided in a request message using the `<wsse:BinarySecurityToken>` element \[WSS\]. The security token is retrieved as described in the discovery response section. The authentication information is as follows:
- wsse:Security: The enrollment client implements the `<wsse:Security>` element defined in \[WSS\] section 5. The `<wsse:Security>` element must be a child of the `<s:Header>` element.
- wsse:BinarySecurityToken: The enrollment client implements the `<wsse:BinarySecurityToken>` element defined in \[WSS\] section 6.3. The `<wsse:BinarySecurityToken>` element must be included as a child of the `<wsse:Security>` element in the SOAP header.
As was described in the discovery response section, the inclusion of the `<wsse:BinarySecurityToken>` element is opaque to the enrollment client, and the client doesn't interpret the string, and the inclusion of the element is agreed upon by the security token authentication server (as identified in the `<AuthenticationServiceUrl>` element of `<DiscoveryResponse>` and the enterprise server.
The `<wsse:BinarySecurityToken>` element contains a base64-encoded string. The enrollment client uses the security token received from the authentication server and base64-encodes the token to populate the `<wsse:BinarySecurityToken>` element.
- wsse:BinarySecurityToken/attributes/ValueType: The `<wsse:BinarySecurityToken>` ValueType attribute must be `http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentUserToken`.
- wsse:BinarySecurityToken/attributes/EncodingType: The `<wsse:BinarySecurityToken>` EncodingType attribute must be `http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\#base64binary`.
The following example is an enrollment policy request with a received security token as client credential.
```xml
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
xmlns:a="http://www.w3.org/2005/08/addressing"
xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
xmlns:ac="http://schemas.xmlsoap.org/ws/2006/12/authorization">
<s:Header>
<a:Action s:mustUnderstand="1">
http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy/IPolicy/GetPolicies
</a:Action>
<a:MessageID>urn:uuid:72048B64-0F19-448F-8C2E-B4C661860AA0</a:MessageID>
<a:ReplyTo>
<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo>
<a:To s:mustUnderstand="1">
https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC
</a:To>
<wsse:Security s:mustUnderstand="1">
<wsse:BinarySecurityToken
ValueType="http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentUserToken"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary"
xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
B64EncodedSampleBinarySecurityToken
</wsse:BinarySecurityToken>
</wsse:Security>
</s:Header>
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<GetPolicies
xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy">
<client>
<lastUpdate xsi:nil="true"/>
<preferredLanguage xsi:nil="true"/>
</client>
<requestFilter xsi:nil="true"/>
</GetPolicies>
</s:Body>
</s:Envelope>
```
After the user is authenticated, the web service retrieves the certificate template that the user should enroll with and creates enrollment policies based on the certificate template properties. A sample of the response can be found on MSDN.
MS-XCEP supports flexible enrollment policies using various Complex Types and Attributes. For Windows device, we'll first support the minimalKeyLength, the hashAlgorithmOIDReference policies, and the CryptoProviders. The hashAlgorithmOIDReference has related OID and OIDReferenceID and policySchema in the GetPolicesResponse. The policySchema refers to the certificate template version. Version 3 of MS-XCEP supports hashing algorithms.
> [!NOTE]
> The HTTP server response must not set Transfer-Encoding to Chunked; it must be sent as one message.
The following snippet shows the policy web service response.
```xml
<s:Envelope
xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:s="http://www.w3.org/2003/05/soap-envelope"
xmlns:a="http://www.w3.org/2005/08/addressing">
<s:Header>
<a:Action s:mustUnderstand="1">
http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy/IPolicy/GetPoliciesResponse
</a:Action>
<a:RelatesTo>urn:uuid: 69960163-adad-4a72-82d2-bb0e5cff5598</a:RelatesTo>
</s:Header>
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<GetPoliciesResponse
xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy">
<response>
<policyID />
<policyFriendlyName xsi:nil="true"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
<nextUpdateHours xsi:nil="true"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
<policiesNotChanged xsi:nil="true"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
<policies>
<policy>
<policyOIDReference>0</policyOIDReference>
<cAs xsi:nil="true" />
<attributes>
<commonName>CEPUnitTest</commonName>
<policySchema>3</policySchema>
<certificateValidity>
<validityPeriodSeconds>1209600</validityPeriodSeconds>
<renewalPeriodSeconds>172800</renewalPeriodSeconds>
</certificateValidity>
<permission>
<enroll>true</enroll>
<autoEnroll>false</autoEnroll>
</permission>
<privateKeyAttributes>
<minimalKeyLength>2048</minimalKeyLength>
<keySpec xsi:nil="true" />
<keyUsageProperty xsi:nil="true" />
<permissions xsi:nil="true" />
<algorithmOIDReference xsi:nil="true" />
<cryptoProviders xsi:nil="true" />
</privateKeyAttributes>
<revision>
<majorRevision>101</majorRevision>
<minorRevision>0</minorRevision>
</revision>
<supersededPolicies xsi:nil="true" />
<privateKeyFlags xsi:nil="true" />
<subjectNameFlags xsi:nil="true" />
<enrollmentFlags xsi:nil="true" />
<generalFlags xsi:nil="true" />
<hashAlgorithmOIDReference>0</hashAlgorithmOIDReference>
<rARequirements xsi:nil="true" />
<keyArchivalAttributes xsi:nil="true" />
<extensions xsi:nil="true" />
</attributes>
</policy>
</policies>
</response>
<cAs xsi:nil="true" />
<oIDs>
<oID>
<value>1.3.14.3.2.29</value>
<group>1</group>
<oIDReferenceID>0</oIDReferenceID>
<defaultName>szOID_OIWSEC_sha1RSASign</defaultName>
</oID>
</oIDs>
</GetPoliciesResponse>
</s:Body>
</s:Envelope>
```
## Enrollment web service
This web service implements the MS-WSTEP protocol. It processes the RequestSecurityToken (RST) message from the client, authenticates the client, requests the certificate from the CA, and returns it in the RequestSecurityTokenResponse (RSTR) to the client. Besides the issued certificate, the response also contains configurations needed to provision the DM client.
The RequestSecurityToken (RST) must have the user credential and a certificate request. The user credential in an RST SOAP envelope is the same as in GetPolicies, and can vary depending on whether the authentication policy is OnPremise or Federated. The BinarySecurityToken in an RST SOAP body contains a Base64-encoded PKCS\#10 certificate request, which is generated by the client based on the enrollment policy. The client could have requested an enrollment policy by using MS-XCEP before requesting a certificate using MS-WSTEP. If the PKCS\#10 certificate request is accepted by the certification authority (CA) (the key length, hashing algorithm, and so on, match the certificate template), the client can enroll successfully.
The RequestSecurityToken will use a custom TokenType (`http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken`), because our enrollment token is more than an X.509 v3 certificate. For more information, see the Response section.
The RST may also specify many AdditionalContext items, such as DeviceType and Version. Based on these values, for example, the web service can return device-specific and version-specific DM configuration.
> [!Note]
> The policy service and the enrollment service must be on the same server; that is, they must have the same host name.
The following example shows the enrollment web service request for federated authentication.
```xml
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
xmlns:a="http://www.w3.org/2005/08/addressing"
xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
xmlns:ac="http://schemas.xmlsoap.org/ws/2006/12/authorization">
<s:Header>
<a:Action s:mustUnderstand="1">
http://schemas.microsoft.com/windows/pki/2009/01/enrollment/RST/wstep
</a:Action>
<a:MessageID>urn:uuid:0d5a1441-5891-453b-becf-a2e5f6ea3749</a:MessageID>
<a:ReplyTo>
<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo>
<a:To s:mustUnderstand="1">
https://enrolltest.contoso.com:443/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC
</a:To>
<wsse:Security s:mustUnderstand="1">
<wsse:BinarySecurityToken
wsse:ValueType="http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentUserToken"
wsse:EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary">
B64EncodedSampleBinarySecurityToken
</wsse:BinarySecurityToken>
</wsse:Security>
</s:Header>
<s:Body>
<wst:RequestSecurityToken>
<wst:TokenType>
http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken
</wst:TokenType>
<wst:RequestType>
http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue
</wst:RequestType>
<wsse:BinarySecurityToken
ValueType="http://schemas.microsoft.com/windows/pki/2009/01/enrollment#PKCS10"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary">
DER format PKCS#10 certificate request in Base64 encoding Insterted Here
</wsse:BinarySecurityToken>
<ac:AdditionalContext xmlns="http://schemas.xmlsoap.org/ws/2006/12/authorization">
<ac:ContextItem Name="OSEdition">
<ac:Value> 4</ac:Value>
</ac:ContextItem>
<ac:ContextItem Name="OSVersion">
<ac:Value>10.0.9999.0</ac:Value>
</ac:ContextItem>
<ac:ContextItem Name="DeviceName">
<ac:Value>MY_WINDOWS_DEVICE</ac:Value>
</ac:ContextItem>
<ac:ContextItem Name="MAC">
<ac:Value>FF:FF:FF:FF:FF:FF</ac:Value>
</ac:ContextItem>
<ac:ContextItem Name="MAC">
<ac:Value>CC:CC:CC:CC:CC:CC</ac:Value>
<ac:ContextItem Name="IMEI">
<ac:Value>49015420323756</ac:Value>
</ac:ContextItem>
<ac:ContextItem Name="IMEI">
<ac:Value>30215420323756</ac:Value>
</ac:ContextItem>
<ac:ContextItem Name="EnrollmentType">
<ac:Value>Full</ac:Value>
</ac:ContextItem>
<ac:ContextItem Name="DeviceType">
<ac:Value>CIMClient_Windows</ac:Value>
</ac:ContextItem>
<ac:ContextItem Name="ApplicationVersion">
<ac:Value>10.0.9999.0</ac:Value>
</ac:ContextItem>
<ac:ContextItem Name="DeviceID">
<ac:Value>7BA748C8-703E-4DF2-A74A-92984117346A</ac:Value>
</ac:ContextItem>
<ac:ContextItem Name="TargetedUserLoggedIn">
<ac:Value>True</ac:Value>
</ac:ContextItem>
</ac:AdditionalContext>
</wst:RequestSecurityToken>
</s:Body>
</s:Envelope>
```
After validating the request, the web service looks up the assigned certificate template for the client, update it if needed, sends the PKCS\#10 requests to the CA, processes the response from the CA, constructs an OMA Client Provisioning XML format, and returns it in the RequestSecurityTokenResponse (RSTR).
> [!Note]
> The HTTP server response must not set Transfer-Encoding to Chunked; it must be sent as one message.
Similar to the TokenType in the RST, the RSTR will use a custom ValueType in the BinarySecurityToken (`http://schemas.microsoft.com/ConfigurationManager/Enrollment/DeviceEnrollmentProvisionDoc`), because the token is more than an X.509 v3 certificate.
The provisioning XML contains:
- The requested certificates (required)
- The DM client configuration (required)
The client will install the client certificate, the enterprise root certificate, and intermediate CA certificate if there's one. The DM configuration includes the name and address of the DM server, which client certificate to use, and schedules when the DM client calls back to the server.
Enrollment provisioning XML should contain a maximum of one root certificate and one intermediate CA certificate that is needed to chain up the MDM client certificate. More root and intermediate CA certificates could be provisioned during an OMA DM session.
When root and intermediate CA certificates are being provisioned, the supported CSP node path is: CertificateStore/Root/System for root certificate provisioning, CertificateStore/My/User for intermediate CA certificate provisioning.
Here's a sample RSTR message and a sample of OMA client provisioning XML within RSTR. For more information about the configuration service providers (CSPs) used in provisioning XML, see the Enterprise settings, policies and app management section.
The following example shows the enrollment web service response.
```xml
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:a="http://www.w3.org/2005/08/addressing"
xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<a:Action s:mustUnderstand="1" >
http://schemas.microsoft.com/windows/pki/2009/01/enrollment/RSTRC/wstep
</a:Action>
<a:RelatesTo>urn:uuid:81a5419a-496b-474f-a627-5cdd33eed8ab</a:RelatesTo>
<o:Security s:mustUnderstand="1" xmlns:o=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<u:Timestamp u:Id="_0">
<u:Created>2012-08-02T00:32:59.420Z</u:Created>
<u:Expires>2012-08-02T00:37:59.420Z</u:Expires>
</u:Timestamp>
</o:Security>
</s:Header>
<s:Body>
<RequestSecurityTokenResponseCollection
xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
<RequestSecurityTokenResponse>
<TokenType>
http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken
</TokenType>
<DispositionMessage xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollment"/>
<RequestedSecurityToken>
<BinarySecurityToken
ValueType="http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentProvisionDoc"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary"
xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
B64EncodedSampleBinarySecurityToken
</BinarySecurityToken>
</RequestedSecurityToken>
<RequestID xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollment">0</RequestID>
</RequestSecurityTokenResponse>
</RequestSecurityTokenResponseCollection>
</s:Body>
</s:Envelope>
```
The following code shows sample provisioning XML (presented in the preceding package as a security token):
```xml
<wap-provisioningdoc version="1.1">
<characteristic type="CertificateStore">
<characteristic type="Root">
<characteristic type="System">
<characteristic type="Encoded Root Cert Hash Inserted Here">
<parm name="EncodedCertificate" value="B64 encoded cert insert here" />
</characteristic>
</characteristic>
</characteristic>
</characteristic>
<characteristic type="CertificateStore">
<characteristic type="My" >
<characteristic type="User">
<characteristic type="Encoded Root Cert Hash Inserted Here">
<parm name="EncodedCertificate" value="B64EncodedCertInsertedHere" />
</characteristic>
<characteristic type="PrivateKeyContainer"/>
<!-- This tag must be present for XML syntax correctness. -->
</characteristic>
<characteristic type="WSTEP">
<characteristic type="Renew">
<!—If the datatype for ROBOSupport, RenewPeriod, and RetryInterval tags exist, they must be set explicitly. -->
<parm name="ROBOSupport" value="true" datatype="boolean"/>
<parm name="RenewPeriod" value="60" datatype="integer"/>
<parm name="RetryInterval" value="4" datatype="integer"/>
</characteristic>
</characteristic>
</characteristic>
</characteristic>
<characteristic type="APPLICATION">
<parm name="APPID" value="w7"/>
<parm name="PROVIDER-ID" value="TestMDMServer"/>
<parm name="NAME" value="Microsoft"/>
<parm name="ADDR" value="https://DM.contoso.com:443/omadm/Windows.ashx"/>
<parm name="CONNRETRYFREQ" value="6" />
<parm name="INITIALBACKOFFTIME" value="30000" />
<parm name="MAXBACKOFFTIME" value="120000" />
<parm name="BACKCOMPATRETRYDISABLED" />
<parm name="DEFAULTENCODING" value="application/vnd.syncml.dm+wbxml" />
<parm name="SSLCLIENTCERTSEARCHCRITERIA" value="Subject=DC%3dcom%2cDC%3dmicrosoft%2cCN%3dUsers%2cCN%3dAdministrator&amp;amp;Stores=My%5CUser"/>
<characteristic type="APPAUTH">
<parm name="AAUTHLEVEL" value="CLIENT"/>
<parm name="AAUTHTYPE" value="DIGEST"/>
<parm name="AAUTHSECRET" value="password1"/>
<parm name="AAUTHDATA" value="B64encodedBinaryNonceInsertedHere"/>
</characteristic>
<characteristic type="APPAUTH">
<parm name="AAUTHLEVEL" value="APPSRV"/>
<parm name="AAUTHTYPE" value="BASIC"/>
<parm name="AAUTHNAME" value="testclient"/>
<parm name="AAUTHSECRET" value="password2"/>
</characteristic>
</characteristic>
<characteristic type="DMClient"> <!-- In Windows 10, an enrollment server should use DMClient CSP XML to configure DM polling schedules. -->
<characteristic type="Provider">
<!-- ProviderID in DMClient CSP must match to PROVIDER-ID in w7 APPLICATION characteristics -->
<characteristic type="TestMDMServer">
<parm name="UPN" value="UserPrincipalName@contoso.com" datatype="string" />
<parm name="EntDeviceName" value="Administrator_Windows" datatype="string" />
<characteristic type="Poll">
<parm name="NumberOfFirstRetries" value="8" datatype="integer" />
<parm name="IntervalForFirstSetOfRetries" value="15" datatype="integer" />
<parm name="NumberOfSecondRetries" value="5" datatype="integer" />
<parm name="IntervalForSecondSetOfRetries" value="3" datatype="integer" />
<parm name="NumberOfRemainingScheduledRetries" value="0" datatype="integer" />
<!-- Windows 10 supports MDM push for real-time communication. The DM client long term polling schedules retry waiting interval should be more than 24 hours (1440) to reduce the impact to data consumption and battery life. Refer to the DMClient Configuration Service Provider section for information about polling schedule parameters.-->
<parm name="IntervalForRemainingScheduledRetries" value="1560" datatype="integer" />
<parm name="PollOnLogin" value="true" datatype="boolean" />
</characteristic>
</characteristic>
</characteristic>
</characteristic>
<!-- For Windows 10, we removed EnterpriseAppManagement from the enrollment protocol. -->
</wap-provisioningdoc>
```
> [!NOTE]
>
> - `<Parm name>` and `<characteristic type=>` elements in the w7 APPLICATION CSP XML are case sensitive and must be all uppercase.
>
> - In w7 APPLICATION characteristic, both CLIENT and APPSRV credentials should be provided in XML.
>
> - Detailed descriptions of these settings are located in the [Enterprise settings, policies and app management](windows-mdm-enterprise-settings.md) section of this document.
>
> - The **PrivateKeyContainer** characteristic is required and must be present in the Enrollment provisioning XML by the enrollment. Other important settings are the **PROVIDER-ID**, **NAME**, and **ADDR** parameter elements, which need to contain the unique ID and NAME of your DM provider and the address where the device can connect for configuration provisioning. The ID and NAME can be arbitrary values, but they must be unique.
>
> - Also important is SSLCLIENTCERTSEARCHCRITERIA, which is used for selecting the certificate to be used for client authentication. The search is based on the subject attribute of the signed user certificate.
>
> - CertificateStore/WSTEP enables certificate renewal. If the server does not support it, do not set it.

64
windows/client-management/mdm/get-inventory.md
View File

@ -1,64 +0,0 @@
---
title: Get Inventory
description: The Get Inventory operation retrieves information from the Microsoft Store for Business to determine if new or updated applications are available.
MS-HAID:
- 'p\_phdevicemgmt.get\_seatblock'
- 'p\_phDeviceMgmt.get\_inventory'
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: w10
ms.technology: windows
author: vinaypamnani-msft
ms.date: 09/18/2017
---
# Get Inventory
The **Get Inventory** operation retrieves information from the Microsoft Store for Business to determine if new or updated applications are available.
## Request
**GET:**
```http
https://bspmts.mp.microsoft.com/V1/Inventory?continuationToken={ContinuationToken}&amp;modifiedSince={ModifiedSince}&amp;licenseTypes={LicenseType}&amp;maxResults={MaxResults}
```
### URI parameters
The following parameters may be specified in the request URI.
|Parameter|Type|Default value|Description|
|--- |--- |--- |--- |
|continuationToken|string|Null||
|modifiedSince|datetime|Null|Optional. Used to determine changes since a specific date.|
|licenseTypes|collection of [LicenseType](data-structures-windows-store-for-business.md#licensetype)|{online,offline}|Optional. A collection of license types|
|maxResults|integer-32|25|Optional. Specifies the maximum number of applications returned in a single query.|
Here are some examples.
|Query type|Example query|
|--- |--- |
|Online and offline|[https://bspmts.mp.microsoft.com/V1/Inventory?licenseTypes=online&licenseTypes=offline&maxResults=25](https://bspmts.mp.microsoft.com/V1/Inventory?licenseTypes=online&licenseTypes=offline&maxResults=25)|
|Online only|[https://bspmts.mp.microsoft.com/V1/Inventory?licenseTypes=online&maxResults=25](https://bspmts.mp.microsoft.com/V1/Inventory?licenseTypes=online&maxResults=25)|
|Offline only|[https://bspmts.mp.microsoft.com/V1/Inventory?licenseTypes=offline&maxResults=25](https://bspmts.mp.microsoft.com/V1/Inventory?licenseTypes=offline&maxResults=25)|
|Both license types and a time filter|[https://bspmts.mp.microsoft.com/V1/Inventory?modifiedSince=2015-07-13T14%3a02%3a25.6863382-07%3a00&licenseTypes=online&licenseTypes=offline&maxResults=25](https://bspmts.mp.microsoft.com/V1/Inventory?modifiedSince=2015-07-13T14%3a02%3a25.6863382-07%3a00&licenseTypes=online&licenseTypes=offline&maxResults=25)|
|Error code|Description|Retry|Data field|
|--- |--- |--- |--- |
|400|Invalid parameters|No|Parameter name<br><br>Invalid modified date, license, or continuationToken<br><br>Details: String|
## Response
### Response body
The response contains [InventoryResultSet](data-structures-windows-store-for-business.md#inventoryresultset).

52
windows/client-management/mdm/get-localized-product-details.md
View File

@ -1,52 +0,0 @@
---
title: Get localized product details
description: The Get localized product details operation retrieves the localization information of a product from the Microsoft Store for Business.
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: w10
ms.technology: windows
author: vinaypamnani-msft
ms.date: 12/07/2020
---
# Get localized product details
The **Get localized product details** operation retrieves the localization information of a product from the Microsoft Store for Business.
## Request
**GET:**
```http
https://bspmts.mp.microsoft.com/V1/Products/{ProductId}/{SkuId}/LocalizedDetails/{language}
```
### URI parameters
The following parameters may be specified in the request URI.
|Parameter|Type|Description|
|--- |--- |--- |
|productId|string|Required. Product identifier for an application that is used by the Store for Business.|
|skuId|string|Required. Product identifier that specifies a specific SKU of an application.|
|language|string|Required. Language in ISO format, such as en-us, en-ca.|
|Error code|Description|Retry|Data field|
|--- |--- |--- |--- |
|400|Invalid parameters|No|Parameter name<br>Reason: Missing parameter or invalid parameter<br>Details: String|
|404|Not found||Item type: productId, skuId, language|
## Response
The response contains [LocalizedProductDetail](data-structures-windows-store-for-business.md#localizedproductdetail).
 

54
windows/client-management/mdm/get-offline-license.md
View File

@ -1,54 +0,0 @@
---
title: Get offline license
description: The Get offline license operation retrieves the offline license information of a product from the Microsoft Store for Business.
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: w10
ms.technology: windows
author: vinaypamnani-msft
ms.date: 09/18/2017
---
# Get offline license
The **Get offline license** operation retrieves the offline license information of a product from the Microsoft Store for Business.
## Request
**POST:**
```http
https://bspmts.mp.microsoft.com/V1/Products/{productId}/{skuId}/OfflineLicense/{contentId}
```
### URI parameters
The following parameters may be specified in the request URI.
|Parameter|Type|Description|
|--- |--- |--- |
|productId|string|Required. Identifies a specific product that has been acquired.|
|skuId|string|Required. The SKU identifier.|
|contentId|string|Required. Identifies a specific application.|
|Error code|Description|Retry|Data field|
|--- |--- |--- |--- |
|400|Invalid parameters|No|Parameter name<br>Reason: Missing parameter or invalid parameter<br>Details: String|
|404|Not found|||
|409|Conflict||Reason: Not owned, Not offline|
## Response
### Response body
The response contains [OfflineLicense](data-structures-windows-store-for-business.md#offlinelicense).
 

52
windows/client-management/mdm/get-product-details.md
View File

@ -1,52 +0,0 @@
---
title: Get product details
description: The Get product details operation retrieves the product information from the Microsoft Store for Business for a specific application.
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: w10
ms.technology: windows
author: vinaypamnani-msft
ms.date: 09/18/2017
---
# Get product details
The **Get product details** operation retrieves the product information from the Microsoft Store for Business for a specific application.
## Request
**GET:**
```http
https://bspmts.mp.microsoft.com/V1/Products/{productId}/{skuId}
```
### URI parameters
The following parameters may be specified in the request URI.
|Parameter|Type|Description|
|--- |--- |--- |
|productId|string|Required. Product identifier for an application that is used by the Store for Business.|
|skuId|string|Required. Product identifier that specifies a specific SKU of an application.|
|Error code|Description|Retry|Data field|
|--- |--- |--- |--- |
|400|Invalid parameters|No|Parameter name<br>Reason: Missing parameter or invalid parameter<br>Details: String|
|404|Not found|||
## Response
### Response body
The response contains [ProductDetails](data-structures-windows-store-for-business.md#productdetails).
 

54
windows/client-management/mdm/get-product-package.md
View File

@ -1,54 +0,0 @@
---
title: Get product package
description: The Get product package operation retrieves the information about a specific application in the Microsoft Store for Business.
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: w10
ms.technology: windows
author: vinaypamnani-msft
ms.date: 09/18/2017
---
# Get product package
The **Get product package** operation retrieves the information about a specific application in the Microsoft Store for Business.
## Request
**GET:**
```http
https://bspmts.mp.microsoft.com/V1/Products/{productId}/{skuId}/Packages/{packageId}
```
### URI parameters
The following parameters may be specified in the request URI.
|Parameter|Type|Description|
|--- |--- |--- |
|productId|string|Required. Product identifier for an application that is used by the Store for Business.|
|skuId|string|Required. Product identifier that specifies a specific SKU of an application.|
|packageId|string|Required.|
|Error code|Description|Retry|Data field|Details|
|--- |--- |--- |--- |--- |
|400|Invalid parameters|No|Parameter name <br/> <br/>Reason: Invalid parameter <br/> <br/>Details: String|Can be productId, skuId, or packageId|
|404|Not found|||Item type: Product/SKU|
|409|Conflict||Reason: Not owned||
## Response
### Response body
The response body contains [ProductPackageDetails](data-structures-windows-store-for-business.md#productpackagedetails).
 

53
windows/client-management/mdm/get-product-packages.md
View File

@ -1,53 +0,0 @@
---
title: Get product packages
description: The Get product packages operation retrieves the information about applications in the Microsoft Store for Business.
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: w10
ms.technology: windows
author: vinaypamnani-msft
ms.date: 09/18/2017
---
# Get product packages
The **Get product packages** operation retrieves the information about applications in the Microsoft Store for Business.
## Request
**GET:**
```http
https://bspmts.mp.microsoft.com/V1/Products/{productId}/{skuId}/Packages
```
 
### URI parameters
The following parameters may be specified in the request URI.
|Parameter|Type|Description|
|--- |--- |--- |
|productId|string|Required. Product identifier for an application that is used by the Store for Business.|
|skuId|string|Required. Product identifier that specifies a specific SKU of an application.|
|Error code|Description|Retry|Data field|
|--- |--- |--- |--- |
|400|Invalid parameters|No|Parameter name <br/> <br/>Reason: Missing parameter or invalid parameter <br/> <br/>Details: String|
|404|Not found|||
|409|Conflict||Reason: Not owned|
## Response
### Response body
The response body contains [ProductPackageSet](data-structures-windows-store-for-business.md#productpackageset).
 

47
windows/client-management/mdm/get-seat.md
View File

@ -1,47 +0,0 @@
---
title: Get seat
description: The Get seat operation retrieves the information about an active seat for a specified user in the Microsoft Store for Business.
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: w10
ms.technology: windows
author: vinaypamnani-msft
ms.date: 09/18/2017
---
# Get seat
The **Get seat** operation retrieves the information about an active seat for a specified user in the Microsoft Store for Business.
## Request
**GET:**
```http
https://bspmts.mp.microsoft.com/V1/Inventory/{productId}/{skuId}/Seats/{username}
```
### URI parameters
The following parameters may be specified in the request URI.
|Parameter|Type|Description|
|--- |--- |--- |
|productId|string|Required. Product identifier for an application that is used by the Store for Business.|
|skuId|string|Required. Product identifier that specifies a specific SKU of an application.|
|username|string|Requires UserPrincipalName (UPN). User name of the target user account.|
 
## Response
### Response body
The response body contains [SeatDetails](data-structures-windows-store-for-business.md#seatdetails).
|Error code|Description|Retry|Data field|Details|
|--- |--- |--- |--- |--- |
|400|Invalid parameters|No|Parameter name <br/><br/>Reason: Missing parameter or invalid parameter<br/><br/>Details: String|Invalid can include productId, skuId or username|
|404|Not found|||ItemType: Inventory, User, Seat<br/><br/>Values: ProductId/SkuId, UserName, ProductId/SkuId/Username|
|409|Conflict||Reason: Not online||

55
windows/client-management/mdm/get-seats-assigned-to-a-user.md
View File

@ -1,55 +0,0 @@
---
title: Get seats assigned to a user
description: The Get seats assigned to a user operation retrieves information about assigned seats in the Microsoft Store for Business.
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: w10
ms.technology: windows
author: vinaypamnani-msft
ms.date: 09/18/2017
---
# Get seats assigned to a user
The **Get seats assigned to a user** operation retrieves information about assigned seats in the Microsoft Store for Business.
## Request
**GET:**
```http
https:<span></span>//bspmts.mp.microsoft.com/V1/Users/{username}/Seats?continuationToken={ContinuationToken}&amp;maxResults={MaxResults}
```
### URI parameters
The following parameters may be specified in the request URI.
|Parameter|Type|Description|
|--- |--- |--- |
|useName|string|Requires UserPrincipalName (UPN). User name of the target user account.|
|continuationToken|string|Optional.|
|maxResults|inteter-32|Optional. Default = 25, Maximum = 100|
 
## Response
### Response body
The response body contains [SeatDetailsResultSet](data-structures-windows-store-for-business.md#seatdetailsresultset).
|Error code|Description|Retry|Data field|
|--- |--- |--- |--- |
|400|Invalid parameters|No|Parameter name<br><br>Reason: Invalid parameter<br><br>Details: String|
|404|Not found||Item type: User<br><br>Values: UserName|
 
 

50
windows/client-management/mdm/get-seats.md
View File

@ -1,50 +0,0 @@
---
title: Get seats
description: The Get seats operation retrieves the information about active seats in the Microsoft Store for Business.
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: w10
ms.technology: windows
author: vinaypamnani-msft
ms.date: 09/18/2017
---
# Get seats
The **Get seats** operation retrieves the information about active seats in the Microsoft Store for Business.
## Request
**GET:**
```http
https://bspmts.mp.microsoft.com/V1/Inventory/{productId}/{skuId}/Seats?continuationToken={ContinuationToken}&amp;maxResults={MaxResults}
```
### URI parameters
The following parameters may be specified in the request URI.
|Parameter|Type|Description|
|--- |--- |--- |
|productId|string|Required. Product identifier for an application that is used by the Store for Business.|
|skuId|string|Required. Product identifier that specifies a specific SKU of an application.|
|continuationToken|string|Optional.|
|maxResults|int32|Optional. Default = 25, Maximum = 100|
## Response
### Response body
The response body contains [SeatDetailsResultSet](data-structures-windows-store-for-business.md#seatdetailsresultset).
|Error code|Description|Retry|Data field|
|--- |--- |--- |--- |
|400|Invalid parameters|No|Parameter name <br> Reason: Missing parameter or invalid parameter <br> Details: String|
|404|Not found|||
|409|Conflict||Reason: Not online|

BIN
windows/client-management/mdm/images/admx-app-v-enablepublishingserver2settings.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 45 KiB

BIN
windows/client-management/mdm/images/admx-appv-enableapp-vclient.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 24 KiB

BIN
windows/client-management/mdm/images/admx-appv-policy-description.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 85 KiB

BIN
windows/client-management/mdm/images/admx-appv-publishingserver2.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 62 KiB

BIN
windows/client-management/mdm/images/admx-appv.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 50 KiB

BIN
windows/client-management/mdm/images/admx-gpedit-search.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 30 KiB

BIN
windows/client-management/mdm/images/auto-enrollment-activation-verification-less-entries.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 34 KiB

BIN
windows/client-management/mdm/images/auto-enrollment-activation-verification.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 30 KiB

BIN
windows/client-management/mdm/images/auto-enrollment-azureadprt-verification.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 18 KiB

BIN
windows/client-management/mdm/images/auto-enrollment-device-status-result.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 25 KiB

BIN
windows/client-management/mdm/images/auto-enrollment-enrollment-of-windows-devices.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 44 KiB

BIN
windows/client-management/mdm/images/auto-enrollment-event-id-102.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 31 KiB

BIN
windows/client-management/mdm/images/auto-enrollment-event-id-107.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 26 KiB

BIN
windows/client-management/mdm/images/auto-enrollment-intune-license-verification.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 43 KiB

BIN
windows/client-management/mdm/images/auto-enrollment-mdm-discovery-url.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 30 KiB

BIN
windows/client-management/mdm/images/auto-enrollment-microsoft-intune-setting.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 129 KiB

BIN
windows/client-management/mdm/images/auto-enrollment-outdated-enrollment-entries.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 91 KiB

BIN
windows/client-management/mdm/images/auto-enrollment-task-scheduler.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 112 KiB

BIN
windows/client-management/mdm/images/auto-enrollment-troubleshooting-event-id-75.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 24 KiB

BIN
windows/client-management/mdm/images/auto-enrollment-troubleshooting-event-id-76.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 29 KiB

BIN
windows/client-management/mdm/images/autoenrollment-2-factor-auth.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 183 KiB

BIN
windows/client-management/mdm/images/autoenrollment-gpedit.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 30 KiB

BIN
windows/client-management/mdm/images/autoenrollment-mdm-policies.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 102 KiB

BIN
windows/client-management/mdm/images/autoenrollment-policy.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 220 KiB

BIN
windows/client-management/mdm/images/autoenrollment-scheduled-task.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 44 KiB

BIN
windows/client-management/mdm/images/autoenrollment-settings-work-school.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 72 KiB

BIN
windows/client-management/mdm/images/autoenrollment-task-schedulerapp.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 40 KiB

BIN
windows/client-management/mdm/images/azure-ad-add-tenant1.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 20 KiB

BIN
windows/client-management/mdm/images/azure-ad-add-tenant10.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 170 KiB

BIN
windows/client-management/mdm/images/azure-ad-add-tenant11.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 116 KiB

BIN
windows/client-management/mdm/images/azure-ad-add-tenant12.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 36 KiB

BIN
windows/client-management/mdm/images/azure-ad-add-tenant13.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 35 KiB

BIN
windows/client-management/mdm/images/azure-ad-add-tenant14.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 49 KiB

BIN
windows/client-management/mdm/images/azure-ad-add-tenant15.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 46 KiB

BIN
windows/client-management/mdm/images/azure-ad-add-tenant2.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 26 KiB

BIN
windows/client-management/mdm/images/azure-ad-add-tenant3-b.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 52 KiB

BIN
windows/client-management/mdm/images/azure-ad-add-tenant3.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 50 KiB

BIN
windows/client-management/mdm/images/azure-ad-add-tenant4.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 179 KiB

BIN
windows/client-management/mdm/images/azure-ad-add-tenant5.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 25 KiB

BIN
windows/client-management/mdm/images/azure-ad-add-tenant6.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 7.7 KiB

BIN
windows/client-management/mdm/images/azure-ad-add-tenant7.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 37 KiB

BIN
windows/client-management/mdm/images/azure-ad-add-tenant8.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 24 KiB

BIN
windows/client-management/mdm/images/azure-ad-add-tenant9.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 42 KiB

BIN
windows/client-management/mdm/images/azure-ad-app-gallery.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 95 KiB

BIN
windows/client-management/mdm/images/azure-ad-device-list.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 83 KiB

BIN
windows/client-management/mdm/images/azure-ad-enrollment-flow.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 36 KiB

BIN
windows/client-management/mdm/images/azure-ad-unenrollment.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 21 KiB

BIN
windows/client-management/mdm/images/azure-intune-configure-scope.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 24 KiB

BIN
windows/client-management/mdm/images/azure-mdm-intune.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 47 KiB

BIN
windows/client-management/mdm/images/bulk-enrollment.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 59 KiB

BIN
windows/client-management/mdm/images/bulk-enrollment2.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 36 KiB

BIN
windows/client-management/mdm/images/bulk-enrollment3.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 13 KiB

BIN
windows/client-management/mdm/images/bulk-enrollment4.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 12 KiB

BIN
windows/client-management/mdm/images/bulk-enrollment5.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 13 KiB

BIN
windows/client-management/mdm/images/bulk-enrollment6.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 7.6 KiB

BIN
windows/client-management/mdm/images/bulk-enrollment7.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 11 KiB

BIN
windows/client-management/mdm/images/bulk-enrollment8.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 65 KiB

BIN
windows/client-management/mdm/images/businessstoreportalservices2.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 48 KiB

BIN
windows/client-management/mdm/images/businessstoreportalservices3.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 46 KiB

BIN
windows/client-management/mdm/images/businessstoreportalservicesflow.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 30 KiB

BIN
windows/client-management/mdm/images/certfiltering1.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 16 KiB

BIN
windows/client-management/mdm/images/certfiltering2.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 14 KiB

BIN
windows/client-management/mdm/images/certfiltering3.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 13 KiB

BIN
windows/client-management/mdm/images/configlock-mem-createprofile.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 91 KiB

BIN
windows/client-management/mdm/images/configlock-mem-dev.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 53 KiB

BIN
windows/client-management/mdm/images/configlock-mem-devstatus.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 47 KiB

BIN
windows/client-management/mdm/images/configlock-mem-editrow.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 42 KiB

BIN
windows/client-management/mdm/images/configlock-mem-firmwareprotect.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 20 KiB

Some files were not shown because too many files have changed in this diff Show More