Merge branch 'main' into nimishasatapathy-5767392-windowsautopilotcsp

2025-06-18 20:03:40 +00:00 · 2022-02-23 15:59:45 -07:00
parent ff84bc678a 4c5ffff985
commit fd6358eb9b
142 changed files with 1875 additions and 2466 deletions
--- a/windows/client-management/mdm/Language-pack-management-csp.md
+++ b/windows/client-management/mdm/Language-pack-management-csp.md
@ -13,41 +13,71 @@ ms.date: 06/22/2021

 # Language Pack Management CSP

+The Language Pack Management CSP allows a direct way to provision languages remotely in Windows. MDMs like Intune can use management commands remotely to devices to configure language-related settings for System and new users.

-The Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10 and Windows 10 X. A separate CSP exists to allow provisioning of "optional FODs" (Handwriting recognition, Text-to-speech, and so on) associated with a language. MDMs like Intune can use management commands remotely to devices to configure language related settings.
+1. Enumerate installed languages and features with GET command on the "InstalledLanguages" node. Below are the samples:

-1. Enumerate installed languages with GET command on the "InstalledLanguages" node
- 
    **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages**
    **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/zh-CN/Providers**
-    **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/ja-JP/Providers** 
+    **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/zh-CN/LanguageFeatures**
+    **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/ja-JP/Providers**
+    **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/ja-JP/LanguageFeatures**

-   The nodes under **InstalledLanguages** are the language tags of the installed languages. The **providers** node under language tag is the bit map representation of either "language pack (feature)" or [LXPs](https://www.microsoft.com/store/collections/localexperiencepacks?cat0=devices&rtc=1). 
-    - Indicates the language pack installed is a System Language Pack (non-LXP)
-    - Indicates that the LXP is installed.
-    - Indicates that both are installed.
+   The nodes under **InstalledLanguages** are the language tags of the installed languages. The **providers** node under language tag is an integer representation of either [language pack](/windows-hardware/manufacture/desktop/available-language-packs-for-windows?view=windows-11&preserve-view=true) or [LXPs](https://www.microsoft.com/store/collections/localexperiencepacks?cat0=devices&rtc=1).

-2. Install language pack features with the EXECUTE command on the **StartInstall** node of the language. For example, 
+    - **1**- Indicates that only the Language Pack cab is installed.
+    - **2**- Indicates that only the LXP is installed.
+    - **3**- Indicates that both are installed.

-    **ADD./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/**
-    **EXECUTE./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/StartInstallation**
+    The **LanguageFeatures** node is a bitmap representation of what [Language Features](/windows-hardware/manufacture/desktop/features-on-demand-language-fod?view=windows-11&preserve-view=true) are installed for a language on a device:

-    The installation is an asynchronous operation. You can query the **Status** node by using the following commands: 
+    - Basic Typing = 0x1
+    - Fonts = 0x2
+    - Handwriting = 0x4
+    - Speech = 0x8
+    - TextToSpeech = 0x10
+    - OCR = 0x20
+    - LocaleData = 0x40
+    - SupplementFonts = 0x80
+
+2. Install language pack and features with the EXECUTE command on the **StartInstallation** node of the language. The language installation will try to install the best matched language packs and features for the provided language.
+
+    > [!NOTE]
+    > If not previously set, installation will set the policy to block cleanup of unused language packs and features on the device to prevent unexpected deletion.
+
+    - Admins can optionally copy the language to the device’s international settings immediately after installation by using the REPLACE command on the "CopyToDeviceInternationalSettings" node of the language. false (default)- will take no action; true- will set the following international settings to reflect the newly installed language:
+        - System Preferred UI Language
+        - System Locale
+        - Default settings for new users
+             - Input Method (keyboard)
+             - Locale
+             - Speech Recognizer
+             - User Preferred Language List
+    - Admins can optionally configure whether they want to install all available language features during installation using the REPLACE command on the "EnableLanguageFeatureInstallations" node of the language. false- will install only required features; true (default)- will install all available features.
+
+    Here are the sample commands to install French language with required features and copy to the device's international settings:
+
+    1. **ADD ./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/**
+    2. **REPLACE ./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/CopyToDeviceInternationalSettings (true)**
+    3. **REPLACE ./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/EnableLanguageFeatureInstallations (false)**
+    4. **EXECUTE ./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/StartInstallation**
+
+    The installation is an asynchronous operation. You can query the **Status** or **ErrorCode** nodes by using the following commands:

    **GET./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/Status**
    **GET./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/ErrorCode**

-    Status: 0 – not started; 1 – in process; 2 – succeeded; 3 – failed. ErrorCode is a HRESULT that could help diagnosis if the installation failed.
+    Status: 0 – not started; 1 – in progress; 2 – succeeded; 3 – failed; 4 - partial success (A partial success indicates not all the provisioning operations succeeded, for example, there was an error installing the language pack or features).

-    > [!NOTE]
-    > If IT admin has NOT set the policy of blocking cleanup of unused language packs, this command will fail.  
+    ErrorCode: An HRESULT that could help diagnosis if the installation failed or partially failed.

-3. Delete installed Language with the DELETE command on the installed language tag. The delete command is a fire and forget operation. The deletion will run in background. IT admin can query the installed language later and resend the command if needed.
+3. Delete installed Language with the DELETE command on the installed language tag. The delete command is a fire and forget operation. The deletion will run in background. IT admin can query the installed language later and resend the command if needed. Below is a sample command to delete the zh-CN language.

+   **DELETE./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/zh-CN**

-   **DELETE./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/zh-CN(Delete command)**
+   > [!NOTE]
+   > The deletion will ignore the policy of block cleanup of unused language packs.

 4. Get/Set System Preferred UI Language with GET or REPLACE command on the "SystemPreferredUILanguages" Node

-
   **./Device/Vendor/MSFT/LanguagePackManagement/LanguageSettings/SystemPreferredUILanguages**
--- a/windows/client-management/mdm/bitlocker-csp.md
+++ b/windows/client-management/mdm/bitlocker-csp.md
@ -7,7 +7,7 @@ ms.prod: w10
 ms.technology: windows
 author: dansimp
 ms.localizationpriority: medium
-ms.date: 04/16/2020
+ms.date: 02/04/2022
 ms.reviewer: 
 manager: dansimp
 ms.collection: highpri
@ -21,7 +21,7 @@ The BitLocker configuration service provider (CSP) is used by the enterprise to
 > 
 > You must send all the settings together in a single SyncML to be effective.

-A Get operation on any of the settings, except for RequireDeviceEncryption and RequireStorageCardEncryption, returns
+A `Get` operation on any of the settings, except for `RequireDeviceEncryption` and `RequireStorageCardEncryption`, returns
 the setting configured by the admin.

 For RequireDeviceEncryption and RequireStorageCardEncryption, the Get operation returns the actual status of enforcement to the admin, such as if Trusted Platform Module (TPM) protection is required and if encryption is required. And if the device has BitLocker enabled but with password protector, the status reported is 0. A Get operation on RequireDeviceEncryption does not verify that a minimum PIN length is enforced (SystemDrivesMinimumPINLength).
@ -120,7 +120,7 @@ If you want to disable this policy, use the following SyncML:
 ```

 > [!NOTE]
-> Currently only used space encryption is supported when using this CSP. 
+> Currently full disk encryption is supported when using this CSP for silent encryption. For non-silent encryption, encryption type will depend on `SystemDrivesEncryptionType` and `FixedDrivesEncryptionType` configured on the device.

 <!--/Policy-->
 <!--Policy-->
--- a/windows/client-management/mdm/defender-csp.md
+++ b/windows/client-management/mdm/defender-csp.md
@ -10,7 +10,7 @@ ms.prod: w10
 ms.technology: windows
 author: dansimp
 ms.localizationpriority: medium
-ms.date: 10/04/2021
+ms.date: 02/22/2022
 ---

 # Defender CSP
@ -623,9 +623,9 @@ Valid values are:
 <a href="" id="configuration-hideexclusionsfromlocaladmins"></a>**Configuration/HideExclusionsFromLocalAdmins**<br>
 This policy setting controls whether or not exclusions are visible to Local Admins.  For end users (that are not Local Admins) exclusions are not visible, whether or not this setting is enabled.

-If you disable or do not configure this setting, Local Admins will be able to see exclusions in the Windows Security App and via PowerShell.
+If you disable or do not configure this setting, Local Admins will be able to see exclusions in the Windows Security App, in the registry, and via PowerShell.

-If you enable this setting, Local Admins will no longer be able to see the exclusion list in the Windows Security app or via PowerShell.
+If you enable this setting, Local Admins will no longer be able to see the exclusion list in the Windows Security app, in the registry, or via PowerShell.

 > [!NOTE]
 > Applying this setting will not remove exclusions, it will only prevent them from being visible to Local Admins. This is reflected in **Get-MpPreference**.
--- a/windows/client-management/mdm/policy-csp-admx-errorreporting.md
+++ b/windows/client-management/mdm/policy-csp-admx-errorreporting.md
@ -1068,7 +1068,7 @@ If this policy setting is disabled or not configured, then the consent level def

 <!--ADMXBacked-->
 ADMX Info:  
-   GP English name: *Configure Default consent*
+-   GP Friendly name: *Configure Default consent*
 -   GP name: *WerDefaultConsent_1*
 -   GP path: *Windows Components\Windows Error Reporting\Consent*
 -   GP ADMX file name: *ErrorReporting.admx*
@ -1166,7 +1166,7 @@ If you disable or do not configure this policy setting, the Turn off Windows Err

 <!--ADMXBacked-->
 ADMX Info:  
-   GP English name: *Disable Windows Error Reporting*
+-   GP Friendly name: *Disable Windows Error Reporting*
 -   GP name: *WerDisable_1*
 -   GP path: *Windows Components\Windows Error Reporting*
 -   GP ADMX file name: *ErrorReporting.admx*
--- a/windows/client-management/mdm/policy-csp-applicationmanagement.md
+++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md
@ -834,6 +834,9 @@ Value type is string.
 <!--/Description-->
 <!--SupportedValues-->

+> [!NOTE]
+> The check for recurrence is done in a case sensitive manner. For instance the value needs to be “Daily” instead of “daily”. The wrong case will cause SmartRetry to fail to execute.
+
 <!--/SupportedValues-->
 <!--Example-->
 Sample SyncML:
@ -853,7 +856,7 @@ Sample SyncML:
        </Meta> 
        <Data> 
          <ForceRestart StartDateTime="2018-03-28T22:21:52Z"  
-                        Recurrence="[none/daily/weekly/monthly]"  
+                        Recurrence="[None/Daily/Weekly/Monthly]"  
                        DayOfWeek=”1”  
                        DayOfMonth=”12”  
                        RunIfTaskIsMissed=”1”/> 
--- a/windows/client-management/mdm/policy-csp-mixedreality.md
+++ b/windows/client-management/mdm/policy-csp-mixedreality.md
@ -7,7 +7,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: dansimp
-ms.date: 10/12/2021
+ms.date: 1/31/2022
 ms.reviewer: 
 manager: dansimp
 ---
@ -99,6 +99,7 @@ The OMA-URI of new policy `./Device/Vendor/MSFT/Policy/Config/MixedReality/AutoL

 <!--SupportedValues-->
 String value
+
 - User with the same email address will have autologon enabled.

 On a device where this policy is configured, the user specified in the policy will need to log-on at least once. Subsequent reboots of the device after the first logon will have the specified user automatically logged on. Only a single autologon user is supported. Once enabled, the automatically logged on user will not be able to log out manually. To log-on as a different user, the policy must first be disabled.
@ -129,6 +130,8 @@ This policy setting controls for how many days Azure AD group membership cache i
 <!--/ADMXBacked-->

 <!--SupportedValues-->
+- Integer value
+
 Supported values are 0-60. The default value is 0 (day) and maximum value is 60 (days).

 <!--/SupportedValues-->
@ -167,6 +170,8 @@ This policy setting controls if pressing the brightness button changes the brigh
 <!--/ADMXBacked-->

 <!--SupportedValues-->
+- Boolean value
+
 The following list shows the supported values:

 - 0 - False (Default)
@ -208,7 +213,7 @@ This policy controls the behavior of moving platform feature on Hololens 2, that
 <!--/ADMXBacked-->

 <!--SupportedValues-->
-Integer
+- Integer value

 - 0 (Default) - Last set user's preference. Initial state is OFF and after that user's preference is persisted across reboots and is used to initialize the system.
 - 1 Force off - Moving platform is disabled and cannot be changed by user.
@ -250,6 +255,8 @@ This policy setting controls when and if diagnostic logs can be collected using
 <!--/ADMXBacked-->

 <!--SupportedValues-->
+- Integer value
+
 The following list shows the supported values:

 - 0 - Disabled
@ -292,6 +299,8 @@ This policy configures behavior of HUP to determine, which algorithm to use for
 <!--/ADMXBacked-->

 <!--SupportedValues-->
+- Boolean value
+
 The following list shows the supported values:

 - 0 - Feature – Default feature based / SLAM-based tracker (Default)
@ -333,6 +342,8 @@ This policy setting controls whether microphone on HoloLens 2 is disabled or not
 <!--/ADMXBacked-->

 <!--SupportedValues-->
+- Boolean value
+
 The following list shows the supported values:

 - 0 - False (Default)
@ -374,6 +385,8 @@ This policy setting controls if pressing the volume button changes the volume or
 <!--/ADMXBacked-->

 <!--SupportedValues-->
+- Boolean value
+
 The following list shows the supported values:

 - 0 - False (Default)
@ -415,6 +428,8 @@ This policy controls whether a visitor user will be automatically logged in. Vis
 <!--/ADMXBacked-->

 <!--SupportedValues-->
+- Boolean value
+
 The following list shows the supported values:

 - 0 Disabled (Default)
--- a/windows/client-management/mdm/surfacehub-csp.md
+++ b/windows/client-management/mdm/surfacehub-csp.md
@ -31,7 +31,7 @@ SurfaceHub
 --------Email
 --------CalendarSyncEnabled
 --------ErrorContext
--------PasswordRotationPeriod
+--------PasswordRotationEnabled
 ----MaintenanceHoursSimple
 --------Hours
 ------------StartTime
--- a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
+++ b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
@ -67,7 +67,7 @@ The following list shows the supported values:

 <!--ADMXMapped-->
 ADMX Info:  
- GP English name: *Configure Microsoft Defender Application Guard clipboard settings*
+- GP Friendly name: *Configure Microsoft Defender Application Guard clipboard settings*
 - GP name: *AppHVSIClipboardFileType*
 - GP path: *Windows Components/Microsoft Defender Application Guard*
 - GP ADMX file name: *AppHVSI.admx*
@ -91,7 +91,7 @@ The following list shows the supported values:

 <!--ADMXMapped-->
 ADMX Info:  
- GP English name: *Configure Microsoft Defender Application Guard clipboard settings*
+- GP Friendly name: *Configure Microsoft Defender Application Guard clipboard settings*
 - GP name: *AppHVSIClipboardSettings*
 - GP path: *Windows Components/Microsoft Defender Application Guard*
 - GP ADMX file name: *AppHVSI.admx*
@ -124,7 +124,7 @@ The following list shows the supported values:

 <!--ADMXMapped-->
 ADMX Info:  
- GP English name: *Configure Microsoft Defender Application Guard print settings*
+- GP Friendly name: *Configure Microsoft Defender Application Guard print settings*
 - GP name: *AppHVSIPrintingSettings*
 - GP path: *Windows Components/Microsoft Defender Application Guard*
 - GP ADMX file name: *AppHVSI.admx*
@ -146,7 +146,7 @@ The following list shows the supported values:

 <!--ADMXMapped-->
 ADMX Info:  
- GP English name: *Prevent enterprise websites from loading non-enterprise content in Microsoft Edge and Internet Explorer*
+- GP Friendly name: *Prevent enterprise websites from loading non-enterprise content in Microsoft Edge and Internet Explorer*
 - GP name: *BlockNonEnterpriseContent*
 - GP path: *Windows Components/Microsoft Defender Application Guard*
 - GP ADMX file name: *AppHVSI.admx*
@ -165,7 +165,7 @@ The following list shows the supported values:

 <!--ADMXMapped-->
 ADMX Info:  
- GP English name: *Allow data persistence for Microsoft Defender Application Guard*
+- GP Friendly name: *Allow data persistence for Microsoft Defender Application Guard*
 - GP name: *AllowPersistence*
 - GP path: *Windows Components/Microsoft Defender Application Guard*
 - GP ADMX file name: *AppHVSI.admx*
@ -189,7 +189,7 @@ The following list shows the supported values:

 <!--ADMXMapped-->
 ADMX Info:  
- GP English name: *Allow hardware-accelerated rendering for Microsoft Defender Application Guard*
+- GP Friendly name: *Allow hardware-accelerated rendering for Microsoft Defender Application Guard*
 - GP name: *AllowVirtualGPU*
 - GP path: *Windows Components/Microsoft Defender Application Guard*
 - GP ADMX file name: *AppHVSI.admx*
@ -208,7 +208,7 @@ The following list shows the supported values:

 <!--ADMXMapped-->
 ADMX Info:  
- GP English name: *Allow files to download and save to the host operating system from Microsoft Defender Application Guard*
+- GP Friendly name: *Allow files to download and save to the host operating system from Microsoft Defender Application Guard*
 - GP name: *SaveFilesToHost*
 - GP path: *Windows Components/Microsoft Defender Application Guard*
 - GP ADMX file name: *AppHVSI.admx*
@ -230,7 +230,7 @@ If you disable or don’t configure this setting, certificates are not shared wi

 <!--ADMXMapped-->
 ADMX Info:  
- GP English name: *Allow Microsoft Defender Application Guard to use Root Certificate Authorities from the user's device*
+- GP Friendly name: *Allow Microsoft Defender Application Guard to use Root Certificate Authorities from the user's device*
 - GP name: *CertificateThumbprints*
 - GP path: *Windows Components/Microsoft Defender Application Guard*
 - GP ADMX file name: *AppHVSI.admx*
@ -259,7 +259,7 @@ The following list shows the supported values:

 <!--ADMXMapped-->
 ADMX Info:  
- GP English name: *Allow camera and microphone access in Microsoft Defender Application Guard*
+- GP Friendly name: *Allow camera and microphone access in Microsoft Defender Application Guard*
 - GP name: *AllowCameraMicrophoneRedirection*
 - GP path: *Windows Components/Microsoft Defender Application Guard*
 - GP ADMX file name: *AppHVSI.admx*
@ -317,7 +317,7 @@ The following list shows the supported values:

 <!--ADMXMapped-->
 ADMX Info:  
- GP English name: *Allow auditing events in Microsoft Defender Application Guard*
+- GP Friendly name: *Allow auditing events in Microsoft Defender Application Guard*
 - GP name: *AuditApplicationGuard*
 - GP path: *Windows Components/Microsoft Defender Application Guard*
 - GP ADMX file name: *AppHVSI.admx*