What's new in MDM enrollment and management

This topic provides information about what's new and breaking changes in Windows 10 mobile device management (MDM) enrollment and management experience across all Windows 10 devices.

For details about the Microsoft mobile device management protocols for Windows 10, see [MS-MDM]: Mobile Device Management Protocol and [MS-MDE2]: Mobile Device Enrollment Protocol Version 2.

In this section

What's new in Windows 10, version 1511


New configuration service providers added in Windows 10, version 1511

New and updated policies in Policy CSP

The following policies have been added to the Policy CSP:

  • Accounts/DomainNamesForEmailSync
  • ApplicationManagement/AllowWindowsBridgeForAndroidAppsExecution
  • Bluetooth/ServicesAllowedList
  • DataProtection/AllowAzureRMSForEDP
  • DataProtection/RevokeOnUnenroll
  • DeviceLock/DevicePasswordExpiration
  • DeviceLock/DevicePasswordHistory
  • TextInput/AllowInputPanel
  • Update/PauseDeferrals
  • Update/RequireDeferUpdate
  • Update/RequireUpdateApproval

The following policies have been updated in the Policy CSP:

  • System/AllowLocation
  • Update/RequireDeferUpgrade

The following policies have been deprecated in the Policy CSP:

  • TextInput/AllowKoreanExtendedHanja
  • WiFi/AllowWiFiHotSpotReporting

Management tool for the Microsoft Store for Business

New topics. The Store for Business has a new web service designed for the enterprise to acquire, manage, and distribute applications in bulk. It enables several capabilities that are required for the enterprise to manage the lifecycle of applications from acquisition to updates.

Custom header for generic alert

The MDM-GenericAlert is a new custom header that carries one or more alert types in the HTTP messages sent by the device to the server during an OMA DM session. The generic alert is sent if the session is triggered by the device because of one or more critical or fatal alerts. Here is the alert format:

MDM-GenericAlert: <AlertType1><AlertType2>

If present, the MDM-GenericAlert header is included in every outgoing MDM message in the same OMA DM session. For more information about generic alerts, see section 8.7 in the OMA Device Management Protocol, Approved Version 1.2.1, on the OMA website.

Alert message for slow client response

When the MDM server sends a configuration request, sometimes it takes the client longer than the HTTP timeout to get all information together and then the session ends unexpectedly due to timeout. By default, the MDM client does not send an alert that a DM request is pending.

To work around the timeout, you can use the EnableOmaDmKeepAliveMessage setting to keep the session alive by sending a heartbeat message back to the server. This is achieved by sending a SyncML message with a specific device alert element in the body until the client is able to respond to the server with the requested information. For details, see the EnableOmaDmKeepAliveMessage node in the DMClient CSP.

New node in DMClient CSP

Added a new node EnableOmaDmKeepAliveMessage to the DMClient CSP and updated the ManagementServerAddress to indicate that it can contain a list of URLs.

New nodes in EnterpriseModernAppManagement CSP

Added the following nodes to the EnterpriseModernAppManagement CSP:

  • AppManagement/GetInventoryQuery
  • AppManagement/GetInventoryResults
  • .../PackageFamilyName/AppSettingPolicy/SettingValue
  • AppLicenses/StoreLicenses/LicenseID/LicenseCategory
  • AppLicenses/StoreLicenses/LicenseID/LicenseUsage
  • AppLicenses/StoreLicenses/LicenseID/RequesterID
  • AppLicenses/StoreLicenses/LicenseID/GetLicenseFromStore

New nodes in EnterpriseExt CSP

Added the following nodes to the EnterpriseExt CSP:

  • DeviceCustomData (CustomID, CustomString)
  • Brightness (Default, MaxAuto)
  • LedAlertNotification (State, Intensity, Period, DutyCycle, Cyclecount)

New node in EnterpriseExtFileSystem CSP

Added OemProfile node to EnterpriseExtFileSystem CSP.

New nodes in PassportForWork CSP

Added the following nodes to PassportForWork CSP:

  • TenantId/Policies/PINComplexity/History
  • TenantId/Policies/PINComplexity/Expiration
  • TenantId/Policies/Remote/UseRemotePassport (only for ./Device/Vendor/MSFT)
  • Biometrics/UseBiometrics (only for ./Device/Vendor/MSFT)
  • Biometrics/FacialFeaturesUseEnhancedAntiSpoofing (only for ./Device/Vendor/MSFT)

Updated EnterpriseAssignedAccess CSP

Here are the changes to the EnterpriseAssignedAccess CSP:

  • In AssignedAccessXML node, added new page settings and quick action settings.
  • In AssignedAccessXML node, added an example about how to pin applications in multiple app packages using the AUMID.
  • Updated the EnterpriseAssignedAccess XSD topic.

New nodes in the DevDetail CSP

Here are the changes to the DevDetail CSP:

  • Added TotalStore and TotalRAM settings.
  • Added support for Replace command for the DeviceName setting.

Handling large objects

Added support for the client to handle uploading of large objects to the server.

What's new in Windows 10, version 1607


Sideloading of apps

Starting in Windows 10, version 1607, sideloading of apps is only allowed through EnterpriseModernAppManagement CSP. Product keys (5x5) will no longer be supported to enable sideloading on Windows 10, version 1607 devices.

New value for NodeCache CSP

In NodeCache CSP, the value of NodeCache root node starting in Windows 10, version 1607 is com.microsoft/1.0/MDM/NodeCache.

EnterpriseDataProtection CSP

New CSP.

Policy CSP

Removed the following policies:

  • DataProtection/AllowAzureRMSForEDP - moved this policy to EnterpriseDataProtection CSP
  • DataProtection/AllowUserDecryption - moved this policy to EnterpriseDataProtection CSP
  • DataProtection/EDPEnforcementLevel - moved this policy to EnterpriseDataProtection CSP
  • DataProtection/RequireProtectionUnderLockConfig - moved this policy to EnterpriseDataProtection CSP
  • DataProtection/RevokeOnUnenroll - moved this policy to EnterpriseDataProtection CSP
  • DataProtection/EnterpriseCloudResources - moved this policy to NetworkIsolation policy
  • DataProtection/EnterpriseInternalProxyServers - moved this policy to NetworkIsolation policy
  • DataProtection/EnterpriseIPRange - moved this policy to NetworkIsolation policy
  • DataProtection/EnterpriseNetworkDomainNames - moved this policy to NetworkIsolation policy
  • DataProtection/EnterpriseProxyServers - moved this policy to NetworkIsolation policy
  • Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices - this policy has been deprecated.

Added the WiFi/AllowManualWiFiConfiguration and WiFi/AllowWiFi policies for the following editions of Windows 10, version 1607:

  • Windows 10 Pro
  • Windows 10 Enterprise
  • Windows 10 Education

Added the following new policies:

  • AboveLock/AllowCortanaAboveLock
  • ApplicationManagement/DisableStoreOriginatedApps
  • Authentication/AllowSecondaryAuthenticationDevice
  • Bluetooth/AllowPrepairing
  • Browser/AllowExtensions
  • Browser/PreventAccessToAboutFlagsInMicrosoftEdge
  • Browser/ShowMessageWhenOpeningSitesInInternetExplorer
  • DeliveryOptimization/DOAbsoluteMaxCacheSize
  • DeliveryOptimization/DOMaxDownloadBandwidth
  • DeliveryOptimization/DOMinBackgroundQoS
  • DeliveryOptimization/DOModifyCacheDrive
  • DeliveryOptimization/DOMonthlyUploadDataCap
  • DeliveryOptimization/DOPercentageMaxDownloadBandwidth
  • DeviceLock/EnforceLockScreenAndLogonImage
  • DeviceLock/EnforceLockScreenProvider
  • Defender/PUAProtection
  • Experience/AllowThirdPartySuggestionsInWindowsSpotlight
  • Experience/AllowWindowsSpotlight
  • Experience/ConfigureWindowsSpotlightOnLockScreen
  • Experience/DoNotShowFeedbackNotifications
  • Licensing/AllowWindowsEntitlementActivation
  • Licensing/DisallowKMSClientOnlineAVSValidation
  • LockDown/AllowEdgeSwipe
  • Maps/EnableOfflineMapsAutoUpdate
  • Maps/AllowOfflineMapsDownloadOverMeteredConnection
  • Messaging/AllowMessageSync
  • NetworkIsolation/EnterpriseCloudResources
  • NetworkIsolation/EnterpriseInternalProxyServers
  • NetworkIsolation/EnterpriseIPRange
  • NetworkIsolation/EnterpriseIPRangesAreAuthoritative
  • NetworkIsolation/EnterpriseNetworkDomainNames
  • NetworkIsolation/EnterpriseProxyServers
  • NetworkIsolation/EnterpriseProxyServersAreAuthoritative
  • NetworkIsolation/NeutralResources
  • Notifications/DisallowNotificationMirroring
  • Privacy/DisableAdvertisingId
  • Privacy/LetAppsAccessAccountInfo
  • Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps
  • Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps
  • Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps
  • Privacy/LetAppsAccessCalendar
  • Privacy/LetAppsAccessCalendar_ForceAllowTheseApps
  • Privacy/LetAppsAccessCalendar_ForceDenyTheseApps
  • Privacy/LetAppsAccessCalendar_UserInControlOfTheseApps
  • Privacy/LetAppsAccessCallHistory
  • Privacy/LetAppsAccessCallHistory_ForceAllowTheseApps
  • Privacy/LetAppsAccessCallHistory_ForceDenyTheseApps
  • Privacy/LetAppsAccessCallHistory_UserInControlOfTheseApps
  • Privacy/LetAppsAccessCamera
  • Privacy/LetAppsAccessCamera_ForceAllowTheseApps
  • Privacy/LetAppsAccessCamera_ForceDenyTheseApps
  • Privacy/LetAppsAccessCamera_UserInControlOfTheseApps
  • Privacy/LetAppsAccessContacts
  • Privacy/LetAppsAccessContacts_ForceAllowTheseApps
  • Privacy/LetAppsAccessContacts_ForceDenyTheseApps
  • Privacy/LetAppsAccessContacts_UserInControlOfTheseApps
  • Privacy/LetAppsAccessEmail
  • Privacy/LetAppsAccessEmail_ForceAllowTheseApps
  • Privacy/LetAppsAccessEmail_ForceDenyTheseApps
  • Privacy/LetAppsAccessEmail_UserInControlOfTheseApps
  • Privacy/LetAppsAccessLocation
  • Privacy/LetAppsAccessLocation_ForceAllowTheseApps
  • Privacy/LetAppsAccessLocation_ForceDenyTheseApps
  • Privacy/LetAppsAccessLocation_UserInControlOfTheseApps
  • Privacy/LetAppsAccessMessaging
  • Privacy/LetAppsAccessMessaging_ForceAllowTheseApps
  • Privacy/LetAppsAccessMessaging_ForceDenyTheseApps
  • Privacy/LetAppsAccessMessaging_UserInControlOfTheseApps
  • Privacy/LetAppsAccessMicrophone
  • Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps
  • Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps
  • Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps
  • Privacy/LetAppsAccessMotion
  • Privacy/LetAppsAccessMotion_ForceAllowTheseApps
  • Privacy/LetAppsAccessMotion_ForceDenyTheseApps
  • Privacy/LetAppsAccessMotion_UserInControlOfTheseApps
  • Privacy/LetAppsAccessNotifications
  • Privacy/LetAppsAccessNotifications_ForceAllowTheseApps
  • Privacy/LetAppsAccessNotifications_ForceDenyTheseApps
  • Privacy/LetAppsAccessNotifications_UserInControlOfTheseApps
  • Privacy/LetAppsAccessPhone
  • Privacy/LetAppsAccessPhone_ForceAllowTheseApps
  • Privacy/LetAppsAccessPhone_ForceDenyTheseApps
  • Privacy/LetAppsAccessPhone_UserInControlOfTheseApps
  • Privacy/LetAppsAccessRadios
  • Privacy/LetAppsAccessRadios_ForceAllowTheseApps
  • Privacy/LetAppsAccessRadios_ForceDenyTheseApps
  • Privacy/LetAppsAccessRadios_UserInControlOfTheseApps
  • Privacy/LetAppsAccessTrustedDevices
  • Privacy/LetAppsAccessTrustedDevices_ForceAllowTheseApps
  • Privacy/LetAppsAccessTrustedDevices_ForceDenyTheseApps
  • Privacy/LetAppsAccessTrustedDevices_UserInControlOfTheseApps
  • Privacy/LetAppsSyncWithDevices
  • Privacy/LetAppsSyncWithDevices_ForceAllowTheseApps
  • Privacy/LetAppsSyncWithDevices_ForceDenyTheseApps
  • Privacy/LetAppsSyncWithDevices_UserInControlOfTheseApps
  • Security/PreventAutomaticDeviceEncryptionForAzureADJoinedDevices
  • Settings/AllowEditDeviceName
  • Speech/AllowSpeechModelUpdate
  • System/TelemetryProxy
  • Update/ActiveHoursStart
  • Update/ActiveHoursEnd
  • Update/AllowMUUpdateService
  • Update/BranchReadinessLevel
  • Update/DeferFeatureUpdatesPeriodInDays
  • Update/DeferQualityUpdatesPeriodInDays
  • Update/ExcludeWUDriversInQualityUpdate
  • Update/PauseFeatureUpdates
  • Update/PauseQualityUpdates
  • Update/UpdateServiceUrlAlternate (Added in the January service release of Windows 10, version 1607)
  • WindowsInkWorkspace/AllowWindowsInkWorkspace
  • WindowsInkWorkspace/AllowSuggestedAppsInWindowsInkWorkspace
  • WirelessDisplay/AllowProjectionToPC
  • WirelessDisplay/RequirePinForPairing

Updated the Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts description to remove outdated information.

Updated DeliveryOptimization/DODownloadMode to add new values.

Updated Experience/AllowCortana description to clarify what each supported value does.

Updated Security/AntiTheftMode description to clarify what each supported value does.

DMClient CSP

Added the following settings:

  • ManagementServerAddressList
  • AADDeviceID
  • EnrollmentType
  • HWDevID
  • CommercialID

Removed the EnrollmentID setting.

DeviceManageability CSP

New CSP.

DeviceStatus CSP

Added the following new settings:

  • DeviceStatus/TPM/SpecificationVersion
  • DeviceStatus/OS/Edition
  • DeviceStatus/Antivirus/SignatureStatus
  • DeviceStatus/Antivirus/Status
  • DeviceStatus/Antispyware/SignatureStatus
  • DeviceStatus/Antispyware/Status
  • DeviceStatus/Firewall/Status
  • DeviceStatus/UAC/Status
  • DeviceStatus/Battery/Status
  • DeviceStatus/Battery/EstimatedChargeRemaining
  • DeviceStatus/Battery/EstimatedRuntime

AssignedAccess CSP

Added SyncML examples.

EnterpriseAssignedAccess CSP

  • Added a new Folder table entry in the AssignedAccess/AssignedAccessXml description.
  • Updated the DDF and XSD file sections.

SecureAssessment CSP

New CSP for Windows 10, version 1607.

DiagnosticLog CSP

DiagnosticLog DDF

Added version 1.3 of the CSP and the corresponding 1.3 version of the DDF. Added the following two settings in Windows 10, version 1607:

  • DeviceStateData
  • DeviceStateData/MdmConfiguration

Reboot CSP

New CSP for Windows 10, version 1607.

CMPolicyEnterprise CSP

New CSP for Windows 10, version 1607.

VPNv2 CSP

Added the following settings for Windows 10, version 1607:

  • ProfileName/RouteList/routeRowId/ExclusionRoute
  • ProfileName/DomainNameInformationList/dniRowId/AutoTrigger
  • ProfileName/DomainNameInformationList/dniRowId/Persistent
  • ProfileName/ProfileXML
  • ProfileName/DeviceCompliance/Enabled
  • ProfileName/DeviceCompliance/Sso
  • ProfileName/DeviceCompliance/Sso/Enabled
  • ProfileName/DeviceCompliance/Sso/IssuerHash
  • ProfileName/DeviceCompliance/Sso/Eku
  • ProfileName/NativeProfile/CryptographySuite
  • ProfileName/NativeProfile/CryptographySuite/AuthenticationTransformConstants
  • ProfileName/NativeProfile/CryptographySuite/CipherTransformConstants
  • ProfileName/NativeProfile/CryptographySuite/EncryptionMethod
  • ProfileName/NativeProfile/CryptographySuite/IntegrityCheckMethod
  • ProfileName/NativeProfile/CryptographySuite/DHGroup
  • ProfileName/NativeProfile/CryptographySuite/PfsGroup
  • ProfileName/NativeProfile/L2tpPsk

Win32AppInventory CSP

Win32AppInventory DDF

New CSP for Windows 10, version 1607.

SharedPC CSP

New CSP for Windows 10, version 1607.

WindowsAdvancedThreatProtection CSP

New CSP for Windows 10, version 1607.

MDM Bridge WMI Provider

Added new classes for Windows 10, version 1607.

MDM enrollment of Windows devices

Topic renamed from "Enrollment UI".

Completely updated enrollment procedures and screenshots.

UnifiedWriteFilter CSP

UnifiedWriteFilter DDF File

Added the following new setting for Windows 10, version 1607:

  • NextSession/HORMEnabled

CertificateStore CSP

CertificateStore DDF file

Added the following new settings in Windows 10, version 1607:

  • My/WSTEP/Renew/LastRenewalAttemptTime
  • My/WSTEP/Renew/RenewNow

WindowsLicensing CSP

Added the following new node and settings in Windows 10, version 1607; they were not documented at the time:

  • Subscriptions
  • Subscriptions/SubscriptionId
  • Subscriptions/SubscriptionId/Status
  • Subscriptions/SubscriptionId/Name

What's new in Windows 10, version 1703


Update CSP

Added the following nodes:

  • FailedUpdates/Failed Update Guid/RevisionNumber
  • InstalledUpdates/Installed Update Guid/RevisionNumber
  • PendingRebootUpdates/Pending Reboot Update Guid/RevisionNumber

CM_CellularEntries CSP

To PurposeGroups setting, added the following values:

  • Purchase - 95522B2B-A6D1-4E40-960B-05E6D3F962AB
  • Administrative - 2FFD9261-C23C-4D27-8DCF-CDE4E14A3364

CertificateStore CSP

Added the following setting:

  • My/WSTEP/Renew/RetryAfterExpiryInterval

ClientCertificateInstall CSP

Added the following setting:

  • SCEP/UniqueID/Install/AADKeyIdentifierList

DMAcc CSP

Added the following setting:

  • AccountUID/EXT/Microsoft/InitiateSession

DMClient CSP

Added the following nodes and settings:

  • HWDevID
  • Provider/ProviderID/ManagementServerToUpgradeTo
  • Provider/ProviderID/CustomEnrollmentCompletePage
  • Provider/ProviderID/CustomEnrollmentCompletePage/Title
  • Provider/ProviderID/CustomEnrollmentCompletePage/BodyText
  • Provider/ProviderID/CustomEnrollmentCompletePage/HyperlinkHref
  • Provider/ProviderID/CustomEnrollmentCompletePage/HyperlinkText

CellularSettings CSP

CM_CellularEntries CSP

EnterpriseAPN CSP

For these CSPs, support was added for Windows 10 Home, Pro, Enterprise, and Education editions.

SecureAssessment CSP

Added the following settings:

  • AllowTextSuggestions
  • RequirePrinting

EnterpriseAPN CSP

Added the following setting:

  • Roaming

Messaging CSP

Added new CSP. This CSP is only supported in Windows 10 Mobile and Mobile Enterprise editions.

Policy CSP

Added the following new policies:

  • Accounts/AllowMicrosoftAccountSignInAssistant
  • ApplicationDefaults/DefaultAssociationsConfiguration
  • Browser/AllowAddressBarDropdown
  • Browser/AllowFlashClickToRun
  • Browser/AllowMicrosoftCompatibilityList
  • Browser/AllowSearchEngineCustomization
  • Browser/ClearBrowsingDataOnExit
  • Browser/ConfigureAdditionalSearchEngines
  • Browser/DisableLockdownOfStartPages
  • Browser/PreventFirstRunPage
  • Browser/PreventLiveTileDataCollection
  • Browser/SetDefaultSearchEngine
  • Browser/SyncFavoritesBetweenIEAndMicrosoftEdge
  • Connectivity/AllowConnectedDevices
  • DeliveryOptimization/DOAllowVPNPeerCaching
  • DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload
  • DeliveryOptimization/DOMinDiskSizeAllowedToPeer
  • DeliveryOptimization/DOMinFileSizeToCache
  • DeliveryOptimization/DOMinRAMAllowedToPeer
  • DeviceLock/MaxInactivityTimeDeviceLockWithExternalDisplay
  • Display/TurnOffGdiDPIScalingForApps
  • Display/TurnOnGdiDPIScalingForApps
  • EnterpriseCloudPrint/CloudPrinterDiscoveryEndPoint
  • EnterpriseCloudPrint/CloudPrintOAuthAuthority
  • EnterpriseCloudPrint/CloudPrintOAuthClientId
  • EnterpriseCloudPrint/CloudPrintResourceId
  • EnterpriseCloudPrint/DiscoveryMaxPrinterLimit
  • EnterpriseCloudPrint/MopriaDiscoveryResourceId
  • Experience/AllowFindMyDevice
  • Experience/AllowTailoredExperiencesWithDiagnosticData
  • Experience/AllowWindowsSpotlightOnActionCenter
  • Experience/AllowWindowsSpotlightWindowsWelcomeExperience
  • Location/EnableLocation
  • Messaging/AllowMMS
  • Messaging/AllowRCS
  • Privacy/LetAppsAccessTasks
  • Privacy/LetAppsAccessTasks_ForceAllowTheseApps
  • Privacy/LetAppsAccessTasks_ForceDenyTheseApps
  • Privacy/LetAppsAccessTasks_UserInControlOfTheseApps
  • Privacy/LetAppsGetDiagnosticInfo
  • Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps
  • Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps
  • Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps
  • Privacy/LetAppsRunInBackground
  • Privacy/LetAppsRunInBackground_ForceAllowTheseApps
  • Privacy/LetAppsRunInBackground_ForceDenyTheseApps
  • Privacy/LetAppsRunInBackground_UserInControlOfTheseApps
  • Settings/ConfigureTaskbarCalendar
  • Settings/PageVisibilityList
  • SmartScreen/EnableAppInstallControl
  • SmartScreen/EnableSmartScreenInShell
  • SmartScreen/PreventOverrideForFilesInShell
  • Start/AllowPinnedFolderDocuments
  • Start/AllowPinnedFolderDownloads
  • Start/AllowPinnedFolderFileExplorer
  • Start/AllowPinnedFolderHomeGroup
  • Start/AllowPinnedFolderMusic
  • Start/AllowPinnedFolderNetwork
  • Start/AllowPinnedFolderPersonalFolder
  • Start/AllowPinnedFolderPictures
  • Start/AllowPinnedFolderSettings
  • Start/AllowPinnedFolderVideos
  • Start/HideAppList
  • Start/HideChangeAccountSettings
  • Start/HideFrequentlyUsedApps
  • Start/HideHibernate
  • Start/HideLock
  • Start/HidePowerButton
  • Start/HideRecentJumplists
  • Start/HideRecentlyAddedApps
  • Start/HideRestart
  • Start/HideShutDown
  • Start/HideSignOut
  • Start/HideSleep
  • Start/HideSwitchAccount
  • Start/HideUserTile
  • Start/ImportEdgeAssets
  • Start/NoPinningToTaskbar
  • System/AllowFontProviders
  • System/DisableOneDriveFileSync
  • TextInput/AllowKeyboardTextSuggestions
  • TimeLanguageSettings/AllowSet24HourClock
  • Update/ActiveHoursMaxRange
  • Update/AutoRestartDeadlinePeriodInDays
  • Update/AutoRestartNotificationSchedule
  • Update/AutoRestartRequiredNotificationDismissal
  • Update/DetectionFrequency
  • Update/EngagedRestartDeadline
  • Update/EngagedRestartSnoozeSchedule
  • Update/EngagedRestartTransitionSchedule
  • Update/IgnoreMOAppDownloadLimit
  • Update/IgnoreMOUpdateDownloadLimit
  • Update/PauseFeatureUpdatesStartTime
  • Update/PauseQualityUpdatesStartTime
  • Update/SetAutoRestartNotificationDisable
  • Update/SetEDURestart
  • WiFi/AllowWiFiDirect
  • WindowsLogon/HideFastUserSwitching
  • WirelessDisplay/AllowProjectionFromPC
  • WirelessDisplay/AllowProjectionFromPCOverInfrastructure
  • WirelessDisplay/AllowProjectionToPCOverInfrastructure
  • WirelessDisplay/AllowUserInputFromWirelessDisplayReceiver

Removed TextInput/AllowLinguisticDataCollection

Starting in Windows 10, version 1703, Update/UpdateServiceUrl is not supported in Windows 10 Mobile Enterprise and IoT Enterprise.

Starting in Windows 10, version 1703, the maximum value of Update/DeferFeatureUpdatesPeriodInDays has been increased from 180 days to 365 days.

Starting in Windows 10, version 1703, in Browser/HomePages you can use the "<about:blank>" value if you don’t want to send traffic to Microsoft.

Starting in Windows 10, version 1703, Start/StartLayout can now be set on a per-device basis in addition to the pre-existing per-user basis.

Added the ConfigOperations/ADMXInstall node and setting, which is used to ingest ADMX files.

DevDetail CSP

Added the following setting:

  • DeviceHardwareData

CleanPC CSP

Added new CSP.

DeveloperSetup CSP

Added new CSP.

NetworkProxy CSP

Added new CSP.

BitLocker CSP

Added new CSP.

Added the following setting:

  • AllowWarningForOtherDiskEncryption

EnterpriseDataProtection CSP

Starting in Windows 10, version 1703, AllowUserDecryption is no longer supported.

Added the following settings:

  • RevokeOnMDMHandoff
  • SMBAutoEncryptedFileExtensions

DynamicManagement CSP

Added new CSP.

Implement server-side support for mobile application management on Windows

New mobile application management (MAM) support added in Windows 10, version 1703.

PassportForWork CSP

Added the following new node and settings:

  • TenantId/Policies/ExcludeSecurityDevices (only for ./Device/Vendor/MSFT)
  • TenantId/Policies/ExcludeSecurityDevices/TPM12 (only for ./Device/Vendor/MSFT)
  • TenantId/Policies/EnablePinRecovery

Office CSP

Added new CSP.

Personalization CSP

Added new CSP.

EnterpriseAppVManagement CSP

Added new CSP.

HealthAttestation CSP

Added the following settings:

  • HASEndpoint - added in Windows 10, version 1607, but not documented
  • TpmReadyStatus - added in the March service release of Windows 10, version 1607

SurfaceHub CSP

Added the following nodes and settings:

  • InBoxApps/SkypeForBusiness
  • InBoxApps/SkypeForBusiness/DomainName
  • InBoxApps/Connect
  • InBoxApps/Connect/AutoLaunch
  • Properties/DefaultVolume
  • Properties/ScreenTimeout
  • Properties/SessionTimeout
  • Properties/SleepTimeout
  • Properties/AllowSessionResume
  • Properties/AllowAutoProxyAuth
  • Properties/DisableSigninSuggestions
  • Properties/DoNotShowMyMeetingsAndFiles

NetworkQoSPolicy CSP

Added new CSP.

WindowsLicensing CSP

Added the following setting:

  • ChangeProductKey

WindowsAdvancedThreatProtection CSP

Added the following setting:

  • Configuration/TelemetryReportingFrequency

DMSessionActions CSP

Added new CSP.

SharedPC CSP

Added the following new settings in Windows 10, version 1703:

  • RestrictLocalStorage
  • KioskModeAUMID
  • KioskModeUserTileDisplayText
  • InactiveThreshold
  • MaxPageFileSizeMB

The default value for SetEduPolicies changed to false. The default value for SleepTimeout changed to 300.

RemoteLock CSP

Added the following setting:

  • LockAndRecoverPIN

NodeCache CSP

Added the following settings:

  • ChangedNodesData
  • AutoSetExpectedValue

Download all the DDF files for Windows 10, version 1703

Added a zip file containing the DDF XML files of the CSPs. The link to the download is available in the DDF topics of various CSPs.

RemoteWipe CSP

Added the following new setting in Windows 10, version 1703:

  • doWipeProtected

MDM Bridge WMI Provider

Added new classes and properties.

Understanding ADMX-backed policies

Added a section describing SyncML examples of various ADMX elements.

Win32 and Desktop Bridge app policy configuration

New topic.

Deploy and configure App-V apps using MDM

Added a new topic describing how to deploy and configure App-V apps using MDM.

EnterpriseDesktopAppManagement CSP

Added the following new setting in the March service release of Windows 10, version 1607:

  • MSI/UpgradeCode/[Guid]

Reporting CSP

Added the following new settings in Windows 10, version 1703:

  • EnterpriseDataProtection/RetrieveByTimeRange/Type
  • EnterpriseDataProtection/RetrieveByCount/Type

Connecting your Windows 10-based device to work using a deep link

Added the following deep link parameters to the table:

  • Username
  • Servername
  • Accesstoken
  • Deviceidentifier
  • Tenantidentifier
  • Ownership

MDM support for Windows 10 S

Updated the following topics to indicate MDM support in Windows 10 S.

TPMPolicy CSP

New CSP added in Windows 10, version 1703.

What's new in Windows 10, version 1709

The [MS-MDE2]: Mobile Device Enrollment Protocol Version 2

The Windows 10 enrollment protocol was updated. The following elements were added to the RequestSecurityToken message:

  • UXInitiated - boolean value that indicates whether the enrollment is user initiated from the Settings page.
  • ExternalMgmtAgentHint - a string the agent uses to give hints the enrollment server may need.
  • DomainName - fully qualified domain name if the device is domain-joined.

For examples, see section 4.3.1 RequestSecurityToken of the MS-MDE2 protocol documentation.

Firewall CSP

Added new CSP in Windows 10, version 1709.

eUICCs CSP

Added new CSP in Windows 10, version 1709.

WindowsDefenderApplicationGuard CSP

New CSP added in Windows 10, version 1709. Also added the DDF topic WindowsDefenderApplicationGuard DDF file.

CM_ProxyEntries CSP and CMPolicy CSP

In Windows 10, version 1709, support for desktop SKUs was added to these CSPs. The table of SKU information in the Configuration service provider reference was updated.

VPNv2 CSP

Added DeviceTunnel and RegisterDNS settings in Windows 10, version 1709.

DeviceStatus CSP

Added the following settings in Windows 10, version 1709:

  • DeviceStatus/DomainName
  • DeviceStatus/DeviceGuard/VirtualizationBasedSecurityHwReq
  • DeviceStatus/DeviceGuard/VirtualizationBasedSecurityStatus
  • DeviceStatus/DeviceGuard/LsaCfgCredGuardStatus

AssignedAccess CSP

Added the following setting in Windows 10, version 1709:

  • Configuration

Starting in Windows 10, version 1709, AssignedAccess CSP is supported in Windows 10 Pro.

DeviceManageability CSP

Added the following settings in Windows 10, version 1709:

  • Provider/ProviderID/ConfigInfo
  • Provider/ProviderID/EnrollmentInfo

Office CSP

Added the following setting in Windows 10, version 1709:

  • Installation/CurrentStatus

DMClient CSP

Added new nodes to the DMClient CSP in Windows 10, version 1709. Updated the CSP and DDF topics.

BitLocker CSP

Changed the minimum personal identification number (PIN) length to 4 digits in SystemDrivesRequireStartupAuthentication and SystemDrivesMinimumPINLength in Windows 10, version 1709.

ADMX-backed policies in Policy CSP

Added new policies.

Microsoft Store for Business and Microsoft Store

Windows Store for Business name changed to Microsoft Store for Business. Windows Store name changed to Microsoft Store.

MDM enrollment of Windows-based devices

New features in the Settings app:

  • User sees installation progress of critical policies during MDM enrollment.
  • User knows what policies, profiles, and apps MDM has configured.
  • IT helpdesk can get detailed MDM diagnostic information using client tools.

For details, see Managing connection and Collecting diagnostic logs.

Enroll a Windows 10 device automatically using Group Policy

Added new topic to introduce a new Group Policy for automatic MDM enrollment.

Policy CSP

Added the following new policies for Windows 10, version 1709:

  • Authentication/AllowAadPasswordReset
  • Authentication/AllowFidoDeviceSignon
  • Browser/LockdownFavorites
  • Browser/ProvisionFavorites
  • Cellular/LetAppsAccessCellularData
  • Cellular/LetAppsAccessCellularData_ForceAllowTheseApps
  • Cellular/LetAppsAccessCellularData_ForceDenyTheseApps
  • Cellular/LetAppsAccessCellularData_UserInControlOfTheseApps
  • CredentialProviders/DisableAutomaticReDeploymentCredentials
  • DeviceGuard/EnableVirtualizationBasedSecurity
  • DeviceGuard/RequirePlatformSecurityFeatures
  • DeviceGuard/LsaCfgFlags
  • ExploitGuard/ExploitProtectionSettings
  • Games/AllowAdvancedGamingServices
  • Handwriting/PanelDefaultModeDocked
  • LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts
  • LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus
  • LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus
  • LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly
  • LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount
  • LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount
  • LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked
  • LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayLastSignedIn
  • LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayUsernameAtSignIn
  • LocalPoliciesSecurityOptions/Interactivelogon_DoNotRequireCTRLALTDEL
  • LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit
  • LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn
  • LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn
  • LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests
  • LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon
  • LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn
  • LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation
  • LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators
  • LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers
  • LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated
  • LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations
  • LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode
  • LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation
  • LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations
  • Power/DisplayOffTimeoutOnBattery
  • Power/DisplayOffTimeoutPluggedIn
  • Power/HibernateTimeoutOnBattery
  • Power/HibernateTimeoutPluggedIn
  • Power/StandbyTimeoutOnBattery
  • Power/StandbyTimeoutPluggedIn
  • Privacy/EnableActivityFeed
  • Privacy/PublishUserActivities
  • Defender/AttackSurfaceReductionOnlyExclusions
  • Defender/AttackSurfaceReductionRules
  • Defender/CloudBlockLevel
  • Defender/CloudExtendedTimeout
  • Defender/ControlledFolderAccessAllowedApplications
  • Defender/ControlledFolderAccessProtectedFolders
  • Defender/EnableControlledFolderAccess
  • Defender/EnableNetworkProtection
  • Education/DefaultPrinterName
  • Education/PreventAddingNewPrinters
  • Education/PrinterNames
  • Search/AllowCloudSearch
  • Security/ClearTPMIfNotReady
  • Start/HidePeopleBar
  • Storage/AllowDiskHealthModelUpdates
  • System/LimitEnhancedDiagnosticDataWindowsAnalytics
  • Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork
  • Update/DisableDualScan
  • Update/ManagePreviewBuilds
  • Update/ScheduledInstallEveryWeek
  • Update/ScheduledInstallFirstWeek
  • Update/ScheduledInstallFourthWeek
  • Update/ScheduledInstallSecondWeek
  • Update/ScheduledInstallThirdWeek
  • WindowsDefenderSecurityCenter/CompanyName
  • WindowsDefenderSecurityCenter/DisableAppBrowserUI
  • WindowsDefenderSecurityCenter/DisableEnhancedNotifications
  • WindowsDefenderSecurityCenter/DisableFamilyUI
  • WindowsDefenderSecurityCenter/DisableHealthUI
  • WindowsDefenderSecurityCenter/DisableNetworkUI
  • WindowsDefenderSecurityCenter/DisableNotifications
  • WindowsDefenderSecurityCenter/DisableVirusUI
  • WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride
  • WindowsDefenderSecurityCenter/Email
  • WindowsDefenderSecurityCenter/EnableCustomizedToasts
  • WindowsDefenderSecurityCenter/EnableInAppCustomization
  • WindowsDefenderSecurityCenter/Phone
  • WindowsDefenderSecurityCenter/URL
  • WirelessDisplay/AllowMdnsAdvertisement
  • WirelessDisplay/AllowMdnsDiscovery

Breaking changes and known issues

Get command inside an atomic command is not supported

In Windows 10, a Get command inside an atomic command is not supported. This was allowed in Windows Phone 8 and Windows Phone 8.1.

Notification channel URI not preserved during upgrade from Windows 8.1 to Windows 10

During an upgrade from Windows 8.1 to Windows 10, the notification channel URI information is not preserved. In addition, the MDM client loses the PFN, AppID, and client secret.

After upgrading to Windows 10, you should call the MDM_WNSConfiguration class to recreate the notification channel URI.

Apps installed using WMI classes are not removed

Applications installed using WMI classes are not removed when the MDM account is removed from device.

Passing CDATA in SyncML does not work

Passing CDATA in the Data element of a SyncML message to ConfigManager and CSPs does not work in Windows 10; it worked in Windows Phone 8. XML-escape the payload instead of wrapping it in a CDATA section.

SSL settings in IIS server for SCEP must be set to "Ignore"

The client certificate setting under "SSL Settings" in the IIS server for SCEP must be set to "Ignore" for Windows 10 clients; with "Ignore", IIS does not ask for a client certificate during the TLS handshake. In Windows Phone 8.1, setting the client certificate option to "Accept" works fine.


MDM enrollment fails on the mobile device when traffic is going through proxy

When the mobile device is configured to use a proxy that requires authentication, the enrollment will fail. To work around this issue, the user can use a proxy that does not require authentication or remove the proxy setting from the connected network.

Server-initiated unenrollment failure

Server-initiated unenrollment for a device enrolled by adding a work account silently fails, leaving the MDM account active. MDM policies and resources are still in place, and the client can continue to sync with the server.

Remote server unenrollment is disabled for mobile devices enrolled via Azure Active Directory Join. It returns an error message to the server. The only way to remove enrollment for a mobile device that is Azure AD joined is by remotely wiping the device.

Certificates causing issues with Wi-Fi and VPN

Currently in Windows 10, version 1511, when you use the ClientCertificateInstall CSP to install certificates into both the device store and the user store, and both certificates are sent to the device in the same MDM payload, the certificate intended for the device store also gets installed in the user store. This may cause issues with Wi-Fi or VPN when choosing the correct certificate to establish a connection. We are working to fix this issue.

Version information for mobile devices

The software version information from DevDetail/SwV does not match the version in Settings under System/About.

Upgrading Windows Phone 8.1 devices with app whitelisting using ApplicationRestriction policy has issues

  • When you upgrade Windows Phone 8.1 devices to Windows 10 Mobile using ApplicationRestrictions with a list of allowed apps, some Windows inbox apps get blocked, causing unexpected behavior. To work around this issue, you must include the inbox apps that you need in your list of allowed apps.

    Here's additional guidance for the upgrade process:

    • Use Windows 10 product IDs for the apps listed in inbox apps.
    • Use the new Microsoft publisher name (PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US") and Publisher="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" if you are using the publisher policy. Do not remove the Windows Phone 8.1 publisher rule if you are using it.
    • In the SyncML, you must use lowercase product ID.
    • Do not duplicate a product ID. Messaging and Skype Video use the same product ID. Duplicates cause an error.
  • Silverlight XAPs may not install even if a publisher policy is specified using the Windows Phone 8.1 publisher rule. For example, the Silverlight app "Level" will not install even if you specify <Publisher PublisherName="Microsoft Corporation" />.

    To work around this issue, remove the Windows Phone 8.1 publisher rule and add the specific product ID for each Silverlight app you want to allow to the allowed app list.

  • Some apps (specifically those that are published in Microsoft Store as AppX Bundles) are blocked from installing even when they are included in the app list.

    No workaround is available at this time. An OS update to fix this issue is coming soon.

Apps dependent on Microsoft Frameworks may get blocked in phones prior to build 10586.218

Applies only to phones prior to build 10586.218: when the ApplicationManagement/ApplicationRestrictions policy is deployed to Windows 10 Mobile, installation and update of apps that depend on Microsoft Frameworks may be blocked with error 0x80073CF9. To work around this issue, you must include the Microsoft Framework ID in your list of allowed apps:

<App ProductId="{00000000-0000-0000-0000-000000000000}" PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"/>
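The following Python lint, added here as an example and not code from the page or from Microsoft, checks an ApplicationRestrictions allow list against the upgrade rules above: lowercase product IDs, no duplicate IDs, the Microsoft Framework entry, and the Windows 10 Microsoft publisher rule. The <AppPolicy>/<Allow> envelope and its namespace are this example's assumption, since the page shows only the <App> element, and the non-zero product IDs in the constructed samples are placeholders, not real apps.

```python
"""Lint an ApplicationRestrictions allow list against the upgrade rules above."""
import re
import xml.etree.ElementTree as ET

# Assumption: the page shows only the <App> element. The <AppPolicy>/<Allow> wrapper
# and its namespace are this example's guess at the envelope, not quoted from the page.
NS = "http://schemas.microsoft.com/phone/2013/policy"
MS_FRAMEWORK_ID = "{00000000-0000-0000-0000-000000000000}"
MS_PUBLISHER = ("CN=Microsoft Corporation, O=Microsoft Corporation, "
                "L=Redmond, S=Washington, C=US")
# Lowercase GUID in braces, which is what the SyncML must carry.
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$")


def lint_allow_list(policy_xml):
    """Return the list of rule violations; an empty list means the policy passes."""
    problems = []
    root = ET.fromstring(policy_xml)
    allow = root.find(f"{{{NS}}}Allow")
    if allow is None:
        return ["no <Allow> section in policy"]
    seen = set()
    for app in allow.findall(f"{{{NS}}}App"):
        pid = app.get("ProductId", "")
        if not GUID_RE.match(pid):
            if GUID_RE.match(pid.lower()):
                problems.append(f"product ID must be lowercase: {pid}")
            else:
                problems.append(f"malformed product ID: {pid!r}")
        key = pid.lower()
        if key in seen:
            # Messaging and Skype Video share one product ID; listing it twice errors out.
            problems.append(f"duplicate product ID: {pid}")
        seen.add(key)
    if MS_FRAMEWORK_ID not in seen:
        problems.append("Microsoft Framework entry missing (needed before build 10586.218)")
    publishers = {p.get("PublisherName") for p in allow.findall(f"{{{NS}}}Publisher")}
    if MS_PUBLISHER not in publishers:
        problems.append("Windows 10 Microsoft publisher rule missing")
    return problems


# Constructed sample policies; the non-zero product IDs are placeholders, not real apps.
BAD_POLICY = """<AppPolicy Version="1" xmlns="http://schemas.microsoft.com/phone/2013/policy">
  <Allow>
    <App ProductId="{5B04B775-356B-4AA0-AAF8-6491FFEA5602}" />
    <App ProductId="{5b04b775-356b-4aa0-aaf8-6491ffea5602}" />
    <Publisher PublisherName="Microsoft Corporation" />
  </Allow>
</AppPolicy>"""

GOOD_POLICY = """<AppPolicy Version="1" xmlns="http://schemas.microsoft.com/phone/2013/policy">
  <Allow>
    <App ProductId="{5b04b775-356b-4aa0-aaf8-6491ffea5602}" />
    <App ProductId="{00000000-0000-0000-0000-000000000000}" PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" />
    <Publisher PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" />
  </Allow>
</AppPolicy>"""

if __name__ == "__main__":
    for name, policy in (("bad", BAD_POLICY), ("good", GOOD_POLICY)):
        print(name, lint_allow_list(policy) or "OK")
```

Run it before pushing a new allow list: the bad sample trips all four rules (uppercase ID, duplicate, missing framework entry, old-style publisher name), the good sample passes cleanly.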

Multiple certificates might cause Wi-Fi connection instabilities in Windows 10 Mobile

In your deployment, if you have multiple certificates provisioned on the device and the Wi-Fi profile provisioned does not have a strict filtering criteria, you may see connection failures when connecting to Wi-Fi. The solution is to ensure that the Wi-Fi profile provisioned has strict filtering criteria such that it matches only one certificate.

Enterprises deploying certificate-based EAP authentication for VPN/Wi-Fi can face a situation where multiple certificates meet the default criteria for authentication. This can lead to issues such as:

  • The user may be prompted to select the certificate.
  • The wrong certificate may get auto selected and cause an authentication failure.

A production ready deployment must have the appropriate certificate details as part of the profile being deployed. The following information explains how to create or update an EAP Configuration XML such that the extraneous certificates are filtered out and the appropriate certificate can be used for the authentication.

The EAP XML must be updated with the relevant information for your environment. This can be done either manually, by editing the XML sample below, or by using the step-by-step UI guide. After the EAP XML is updated, refer to the instructions from your MDM to deploy the updated configuration as follows:

  • For Wi-Fi, look for the <EAPConfig> section of your current WLAN Profile XML (This is what you specify for the WLanXml node in the Wi-Fi CSP). Within these tags you will find the complete EAP configuration. Replace the section under <EAPConfig> with your updated XML and update your Wi-Fi profile. You might need to refer to your MDM’s guidance on how to deploy a new Wi-Fi profile.
  • For VPN, EAP Configuration is a separate field in the MDM Configuration. Work with your MDM provider to identify and update the appropriate Field.

For information about EAP Settings, see https://technet.microsoft.com/library/hh945104.aspx#BKMK_Cfg_cert_Selct

For information about generating an EAP XML, see EAP configuration

For more information about extended key usage, see http://tools.ietf.org/html/rfc5280#section-4.2.1.12

For information about adding extended key usage (EKU) to a certificate, see https://technet.microsoft.com/library/cc731792.aspx

The following list describes the prerequisites for a certificate to be used with EAP:

  • The certificate must have at least one of the following EKU (Extended Key Usage) properties:

    • Client Authentication: defined in RFC 5280 as id-kp-clientAuth, OID 1.3.6.1.5.5.7.3.2.
    • Any Purpose: an EKU defined and published by Microsoft, OID 1.3.6.1.4.1.311.10.12.1. Its presence means the certificate can be used for any purpose. Its advantage over the All Purpose EKU is that additional non-critical or custom EKUs can still be added to the certificate for effective filtering.
    • All Purpose: defined in RFC 5280 as anyExtendedKeyUsage, OID 2.5.29.37.0. If a CA includes extended key usages to satisfy some application needs but does not want to restrict usage of the key, it can add this value, and a certificate carrying it can be used for all purposes.
  • The user or the computer certificate on the client chains to a trusted root CA.
  • The user or the computer certificate does not fail any of the checks that are performed by the CryptoAPI certificate store, and the certificate passes the requirements in the remote access policy.
  • The user or the computer certificate does not fail any of the certificate object identifier checks that are specified in the Internet Authentication Service (IAS)/RADIUS server.
  • The Subject Alternative Name (SubjectAltName) extension in the certificate contains the user principal name (UPN) of the user.

The following XML sample explains the properties for the EAP TLS XML including certificate filtering.

Note For PEAP or TTLS Profiles the EAP TLS XML is embedded within some PEAP or TTLS specific elements.

<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
 <EapMethod>
  <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type>
  <!-- The Type above selects the EAP method; 13 is EAP TLS -->
  <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
  <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
  <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
  <!-- The three properties above identify the method publisher and matter mainly for third-party vendor methods -->
  <!-- For Microsoft EAP TLS these fields are always 0 -->
 </EapMethod>
 <!-- With the EAP method defined, the configuration follows -->
 <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
  <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
   <Type>13</Type>
   <EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
    <CredentialsSource>
     <!-- The credential source is either CertificateStore or SmartCard -->
     <CertificateStore>
      <SimpleCertSelection>true</SimpleCertSelection>
      <!-- SimpleCertSelection automatically picks one certificate when several identical ones (same UPN, issuer, and so on) exist -->
      <!-- It applies a combination of rules to choose the right certificate -->
     </CertificateStore>
    </CredentialsSource>
    <ServerValidation>
     <!-- The ServerValidation fields control whether the server being connected to, and the certificate it presents, are checked for trust -->
     <!-- This sample leaves server validation off to show client certificate filtering only; a production profile should set PerformServerValidation to true and populate ServerNames so the client does not authenticate to a rogue access point or VPN endpoint -->
     <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
     <ServerNames/>
    </ServerValidation>
    <DifferentUsername>false</DifferentUsername>
    <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</PerformServerValidation>
    <AcceptServerName xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</AcceptServerName>
    <TLSExtensions xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">
     <!-- The certificate filtering settings are below -->
     <FilteringInfo xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV3">
      <CAHashList Enabled="true">
       <!-- Enabled="true" means the candidate certificates are filtered by issuer hash -->
       <!-- Put the thumbprint of the issuing CA certificate here -->
       <IssuerHash>ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff</IssuerHash>
       <!-- You can add several IssuerHash entries; a certificate qualifies if at least one of them is in its chain -->
      </CAHashList>
      <EKUMapping>
       <!-- This section defines the custom EKUs you may be adding -->
       <!-- Omit it if you have no custom EKUs -->
       <!-- Every EKU name referenced in ClientAuthEKUList or AnyPurposeEKUList below must be defined here first -->
       <EKUMap>
        <EKUName>ContosoITEKU</EKUName> <!-- A friendly name for the EKU -->
        <EKUOID>1.3.6.1.4.1.311.42.1.15</EKUOID> <!-- The OID your CA places in the certificate -->
       </EKUMap>
       <EKUMap>
        <EKUName>Example1</EKUName>
        <EKUOID>2.23.133.8.3</EKUOID>
       </EKUMap>
       <EKUMap>
        <EKUName>Example2</EKUName>
        <EKUOID>1.3.6.1.4.1.311.20.2.1</EKUOID>
       </EKUMap>
      </EKUMapping>
      <ClientAuthEKUList Enabled="true">
       <!-- Enabled="true" means certificates carrying the Client Authentication EKU are candidates for authentication -->
       <EKUMapInList>
        <!-- Each EKUMapInList requires the named custom EKU in addition to Client Authentication -->
        <EKUName>ContosoITEKU</EKUName> <!-- Use the name defined in EKUMapping above -->
       </EKUMapInList>
       <!-- Several custom EKUs can be listed; each additional one is combined with AND -->
       <!-- For example: Client Auth EKU AND ContosoITEKU AND Example1 -->
       <EKUMapInList>
        <EKUName>Example1</EKUName>
       </EKUMapInList>
      </ClientAuthEKUList>
      <AllPurposeEnabled>true</AllPurposeEnabled>
      <!-- A certificate carrying the anyExtendedKeyUsage EKU (2.5.29.37.0) is also selected -->
      <AnyPurposeEKUList Enabled="true"/>
      <!-- A certificate carrying the Any Purpose EKU (1.3.6.1.4.1.311.10.12.1) is also selected -->
      <!-- As with Client Auth, custom EKUs can be required together with AnyPurposeEKUList (but not with AllPurposeEnabled) -->
      <!-- Taken together, the policy above selects a certificate whose
      Issuer thumbprint = ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
      AND
      ((Client Authentication EKU AND ContosoITEKU AND Example1) OR (Any Purpose EKU) OR (All Purpose EKU))

      Every certificate that matches these criteria is a candidate for authentication, so the filter should be tight enough to leave exactly one
      -->
     </FilteringInfo>
    </TLSExtensions>
   </EapType>
  </Eap>
 </Config>
</EapHostConfig>

Note The EAP TLS XSD is located at %systemdrive%\Windows\schemas\EAPMethods\eaptlsconnectionpropertiesv3.xsd
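To check what the FilteringInfo block above actually selects, here is a small Python model of the selection rule, added as an example; it is not Microsoft's selection code, which this page does not publish. The certificate records and CA thumbprints are constructed, and custom EKU OIDs are treated as opaque strings. It shows that the loose default (any client-authentication certificate) leaves three candidates in the constructed store, which is the prompt-or-wrong-certificate situation described above, while the sample's issuer plus ContosoITEKU filter leaves exactly one.

```python
"""Model of the FilteringInfo selection rule in the EAP TLS sample above, run over
constructed certificate records to show why a loose filter leaves several candidates."""
from dataclasses import dataclass

CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"        # id-kp-clientAuth (RFC 5280)
ANY_PURPOSE = "1.3.6.1.4.1.311.10.12.1"  # Microsoft Any Purpose EKU
ALL_PURPOSE = "2.5.29.37.0"              # anyExtendedKeyUsage (RFC 5280)
CONTOSO_IT = "1.3.6.1.4.1.311.42.1.15"   # custom EKU from the sample (ContosoITEKU)


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer_thumbprint: str   # thumbprint of the issuing CA certificate
    ekus: frozenset          # EKU OIDs present in the certificate


@dataclass(frozen=True)
class Filter:
    issuer_hashes: frozenset = frozenset()       # CAHashList; empty means not enabled
    client_auth_enabled: bool = True             # ClientAuthEKUList Enabled
    client_auth_custom: frozenset = frozenset()  # EKUMapInList entries, all required (AND)
    any_purpose_enabled: bool = True             # AnyPurposeEKUList Enabled
    any_purpose_custom: frozenset = frozenset()  # custom EKUs required with Any Purpose
    all_purpose_enabled: bool = True             # AllPurposeEnabled


def _norm(thumbprint):
    """Compare thumbprints ignoring case and the spaces used in the XML sample."""
    return thumbprint.replace(" ", "").lower()


def matches(cert, flt):
    """Issuer filter AND (client-auth branch OR any-purpose branch OR all-purpose branch)."""
    if flt.issuer_hashes and _norm(cert.issuer_thumbprint) not in {_norm(h) for h in flt.issuer_hashes}:
        return False
    via_client_auth = (flt.client_auth_enabled and CLIENT_AUTH in cert.ekus
                       and flt.client_auth_custom <= cert.ekus)
    via_any_purpose = (flt.any_purpose_enabled and ANY_PURPOSE in cert.ekus
                       and flt.any_purpose_custom <= cert.ekus)
    via_all_purpose = flt.all_purpose_enabled and ALL_PURPOSE in cert.ekus
    return via_client_auth or via_any_purpose or via_all_purpose


def candidates(certs, flt):
    """Every certificate the client would consider; more than one means a prompt or a wrong pick."""
    return [c for c in certs if matches(c, flt)]


# Constructed store contents: two certs from the corporate CA, one from a partner CA.
CORP_CA = "ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff"
PARTNER_CA = "ee ee ee ee ee ee ee ee ee ee ee ee ee ee ee ee ee ee ee ee"
STORE = [
    Cert("CN=alice, OU=VPN", CORP_CA, frozenset({CLIENT_AUTH, CONTOSO_IT})),
    Cert("CN=alice, OU=Email", CORP_CA, frozenset({CLIENT_AUTH, "1.3.6.1.5.5.7.3.4"})),
    Cert("CN=alice, OU=Partner", PARTNER_CA, frozenset({CLIENT_AUTH, CONTOSO_IT})),
]

# Default-style filter: no issuer pinning, no custom EKU; every client-auth cert qualifies.
LOOSE = Filter()
# The sample's filter: corporate issuer AND (Client Auth AND ContosoITEKU), or Any/All Purpose.
TIGHT = Filter(issuer_hashes=frozenset({CORP_CA}), client_auth_custom=frozenset({CONTOSO_IT}))

if __name__ == "__main__":
    print("loose:", [c.subject for c in candidates(STORE, LOOSE)])
    print("tight:", [c.subject for c in candidates(STORE, TIGHT)])
```

Feed it the EKUs and issuer thumbprints of the certificates you actually provision and adjust the Filter until exactly one candidate remains; that is the filter to put in the profile.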

Alternatively you can use the following procedure to create an EAP Configuration XML.

  1. Follow steps 1 through 7 in the EAP configuration topic.
  2. In the Microsoft VPN SelfHost Properties dialog box, select Microsoft : Smart Card or other Certificate from the drop down (this selects EAP TLS.)


    Note For PEAP or TTLS, select the appropriate method and continue following this procedure.

  3. Click the Properties button underneath the drop down menu.

  4. In the Smart Card or other Certificate Properties menu, select the Advanced button.


  5. In the Configure Certificate Selection menu, adjust the filters as needed.


  6. Click OK to close the windows to get back to the main rasphone.exe dialog box.
  7. Close the rasphone dialog box.
  8. Continue following the procedure in the EAP configuration topic from Step 9 to get an EAP TLS profile with appropriate filtering.

Note You can also set all the other applicable EAP Properties through this UI as well. A guide for what these properties mean can be found in the Extensible Authentication Protocol (EAP) Settings for Network Access topic.

Remote PIN reset not supported in Azure Active Directory joined mobile devices

In Windows 10 Mobile, remote PIN reset on Azure AD joined devices is not supported. Devices are wiped when you issue a remote PIN reset command using the RemoteLock CSP.

MDM client will immediately check-in with the MDM server after client renews WNS channel URI

Starting in Windows 10, after the MDM client automatically renews the WNS channel URI, the MDM client will immediately check-in with the MDM server. Henceforth, for every MDM client check-in, the MDM server should send a GET request for "ProviderID/Push/ChannelURI" to retrieve the latest channel URI and compare it with the existing channel URI; then update the channel URI if necessary.
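The following Python helpers, added as an example and not code from the page, cover two of the notes above: building SyncML commands whose data is XML-escaped rather than wrapped in CDATA (the CDATA limitation noted earlier), and the server-side Get of the channel URI on every check-in with a comparison against the stored value. The node path ./Vendor/MSFT/DMClient/Provider/ProviderID/Push/ChannelURI is assumed from the DMClient CSP layout with "ProviderID" as a placeholder, the Wi-Fi profile path is likewise assumed, and the client reply is constructed rather than captured.

```python
"""SyncML helpers for two of the notes above: escaping command data instead of wrapping
it in CDATA, and re-reading the WNS channel URI at every client check-in."""
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

# Assumption: node path taken from the DMClient CSP layout; "ProviderID" is a placeholder
# for the enrolment's provider ID.
CHANNEL_URI_NODE = "./Vendor/MSFT/DMClient/Provider/ProviderID/Push/ChannelURI"


def syncml_command(cmd, cmd_id, loc_uri, data=None, fmt="chr"):
    """Build one SyncML command (Get, Replace, Add, ...). Data is XML-escaped, never
    wrapped in CDATA, because ConfigManager and the CSPs on Windows 10 reject CDATA."""
    data_xml = ""
    if data is not None:
        data_xml = (f'<Meta><Format xmlns="syncml:metinf">{fmt}</Format></Meta>'
                    f"<Data>{escape(str(data))}</Data>")
    return (f"<{cmd}><CmdID>{cmd_id}</CmdID><Item>"
            f"<Target><LocURI>{escape(loc_uri)}</LocURI></Target>{data_xml}"
            f"</Item></{cmd}>")


def syncml_body(*commands):
    """Wrap commands in a SyncBody; the SyncHdr is left to the transport layer."""
    return "<SyncBody>" + "".join(commands) + "<Final/></SyncBody>"


def channel_uri_get(cmd_id=1):
    """The Get the server should send on every check-in, not only after a renewal."""
    return syncml_body(syncml_command("Get", cmd_id, CHANNEL_URI_NODE))


def _local(tag):
    return tag.rsplit("}", 1)[-1]   # drop any namespace prefix such as {SYNCML:SYNCML1.2}


def _child_text(el, *names):
    for name in names:
        el = next((c for c in el if _local(c.tag) == name), None)
        if el is None:
            return None
    return el.text


def command_data(syncml_xml):
    """Parse a command back the way the client will and return its Data text."""
    root = ET.fromstring(syncml_xml)
    for el in root.iter():
        if _local(el.tag) == "Data":
            return el.text
    return None


def channel_uri_from_results(results_xml):
    """Extract the ChannelURI value from the client's Results element, if present."""
    root = ET.fromstring(results_xml)
    for el in root.iter():
        if _local(el.tag) == "Item":
            src = _child_text(el, "Source", "LocURI") or ""
            if src.endswith("/Push/ChannelURI"):
                return _child_text(el, "Data")
    return None


def reconcile_channel_uri(stored, results_xml):
    """Return (uri_to_store, changed). The server must persist a changed value before
    its next notification, or the push goes to the stale channel."""
    current = channel_uri_from_results(results_xml)
    if current is None:
        return stored, False
    return current, current != stored


# Constructed client reply (not a captured message); the URI is a placeholder.
CLIENT_RESULTS = """<Results><CmdID>2</CmdID><MsgRef>1</MsgRef><CmdRef>1</CmdRef>
  <Item>
    <Source><LocURI>./Vendor/MSFT/DMClient/Provider/ProviderID/Push/ChannelURI</LocURI></Source>
    <Data>https://db3.notify.windows.com/?token=AwYAAAB</Data>
  </Item>
</Results>"""

if __name__ == "__main__":
    print(channel_uri_get())
    print(reconcile_channel_uri("https://db3.notify.windows.com/?token=OLD", CLIENT_RESULTS))
    # A Wi-Fi profile is itself XML; it goes in escaped and parses back unchanged.
    print(syncml_command("Replace", 3, "./Vendor/MSFT/WiFi/Profile/Contoso/WlanXml",
                         '<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1"/>'))
```

The parser strips namespaces so the same code reads a reply with or without the SyncML default namespace, and the Replace example is the case that bites in practice: a WlanXml or EAP payload is XML inside XML and must be escaped, not CDATA-wrapped, for the Wi-Fi CSP to accept it.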

User provisioning failure in Azure Active Directory joined Windows 10 PC

On an Azure AD joined Windows 10 PC, provisioning of ./User resources fails when the user is not logged in as an Azure AD user. If you join Azure AD from the Settings > System > About user interface, make sure to log off and log on with Azure AD credentials to get your organizational configuration from your MDM server. This behavior is by design.

Requirements to note for VPN certificates also used for Kerberos Authentication

If the certificate used for VPN authentication is also to be used for Kerberos authentication (required for access to on-premises resources using NTLM or Kerberos), the user's certificate must meet the requirements for a smart card certificate: the Subject field should contain the DNS domain name in the DN, or the SAN should contain a fully qualified UPN, so that the domain controller can be located from the DNS registrations. If certificates that do not meet these requirements are used for VPN, users may fail to access resources that require Kerberos authentication. This issue primarily impacts Windows Phone.

Device management agent for the push-button reset is not working

The DM agent for push-button reset keeps the registry settings for OMA DM sessions, but deletes the task schedules. The client enrollment is retained, but it never syncs with the MDM service.

Change history in MDM documentation

November 2017

New or updated topic Description
Policy CSP

Added the following policies for Windows 10, version 1709:

  • Authentication/AllowFidoDeviceSignon
  • Cellular/LetAppsAccessCellularData
  • Cellular/LetAppsAccessCellularData_ForceAllowTheseApps
  • Cellular/LetAppsAccessCellularData_ForceDenyTheseApps
  • Cellular/LetAppsAccessCellularData_UserInControlOfTheseApps
  • Start/HidePeopleBar
  • Storage/EnhancedStorageDevices
  • Update/ManagePreviewBuilds
  • WirelessDisplay/AllowMdnsAdvertisement
  • WirelessDisplay/AllowMdnsDiscovery

Added missing policies from previous releases:

  • Connectivity/DisallowNetworkConnectivityActiveTest
  • Search/AllowWindowsIndexer

October 2017

New or updated topic Description
Policy DDF file

Updated the DDF content for Windows 10 version 1709. Added a link to the download of Policy DDF for Windows 10, version 1709.

Policy CSP

Updated the following policies:

  • Defender/ControlledFolderAccessAllowedApplications - the string separator is |.
  • Defender/ControlledFolderAccessProtectedFolders - the string separator is |.

eUICCs CSP

Added new CSP in Windows 10, version 1709.

AssignedAccess CSP

Added SyncML examples for the new Configuration node.

DMClient CSP

Added new nodes to the DMClient CSP in Windows 10, version 1709. Updated the CSP and DDF topics.

September 2017

New or updated topic Description
Policy CSP

Added the following new policies for Windows 10, version 1709:

  • Authentication/AllowAadPasswordReset
  • Handwriting/PanelDefaultModeDocked
  • Search/AllowCloudSearch
  • System/LimitEnhancedDiagnosticDataWindowsAnalytics

Added new settings to Update/BranchReadinessLevel policy in Windows 10 version 1709.

AssignedAccess CSP

Starting in Windows 10, version 1709, AssignedAccess CSP is also supported in Windows 10 Pro.

Microsoft Store for Business and Microsoft Store

Windows Store for Business name changed to Microsoft Store for Business. Windows Store name changed to Microsoft Store.

The [MS-MDE2]: Mobile Device Enrollment Protocol Version 2

The Windows 10 enrollment protocol was updated. The following elements were added to the RequestSecurityToken message:

  • UXInitiated - boolean value that indicates whether the enrollment is user initiated from the Settings page.
  • ExternalMgmtAgentHint - a string the agent uses to give hints the enrollment server may need.
  • DomainName - fully qualified domain name if the device is domain-joined.

For examples, see section 4.3.1 RequestSecurityToken of the MS-MDE2 protocol documentation.

EnterpriseAPN CSP

Added a SyncML example.

VPNv2 CSP

Added RegisterDNS setting in Windows 10, version 1709.

Enroll a Windows 10 device automatically using Group Policy

Added new topic to introduce a new Group Policy for automatic MDM enrollment.

MDM enrollment of Windows-based devices

New features in the Settings app:

  • User sees installation progress of critical policies during MDM enrollment.
  • User knows what policies, profiles, apps MDM has configured
  • IT helpdesk can get detailed MDM diagnostic information using client tools

For details, see Managing connections and Collecting diagnostic logs

August 2017

New or updated topic Description
Enable ADMX-backed policies in MDM

Added new step-by-step guide to enable ADMX-backed policies.

Mobile device enrollment

Added the following statement:

  • Devices that are joined to an on-premises Active Directory can enroll into MDM via the Work access page in Settings. However, the enrollment can only target the user enrolled with user-specific policies. Device-targeted policies will continue to impact all users of the device.

CM_CellularEntries CSP

Updated the description of the PurposeGroups node to add the GUID for applications. This node is required instead of optional.

EnterpriseDataProtection CSP

Updated the Settings/EDPEnforcementLevel values to the following:

  • 0 (default) – Off / No protection (decrypts previously protected data).
  • 1 – Silent mode (encrypt and audit only).
  • 2 – Allow override mode (encrypt, prompt and allow overrides, and audit).
  • 3 – Hides overrides (encrypt, prompt but hide overrides, and audit).

AppLocker CSP

Added two new SyncML examples (to disable the calendar app and to block usage of the map app) in Whitelist examples.

DeviceManageability CSP

Added the following settings in Windows 10, version 1709:

  • Provider/ProviderID/ConfigInfo
  • Provider/ProviderID/EnrollmentInfo

Office CSP

Added the following setting in Windows 10, version 1709:

  • Installation/CurrentStatus

BitLocker CSP

Added information to the ADMX-backed policies. Changed the minimum personal identification number (PIN) length to 4 digits in SystemDrivesRequireStartupAuthentication and SystemDrivesMinimumPINLength in Windows 10, version 1709.

Firewall CSP

Updated the CSP and DDF topics. Here are the changes:

  • Removed the two settings - FirewallRules/FirewallRuleName/FriendlyName and FirewallRules/FirewallRuleName/IcmpTypesAndCodes.
  • Changed some data types from integer to bool.
  • Updated the list of supported operations for some settings.
  • Added default values.
Policy DDF file

Added another Policy DDF file download for the 8C release of Windows 10, version 1607, which added the following policies:

  • Browser/AllowMicrosoftCompatibilityList
  • Update/DisableDualScan
  • Update/FillEmptyContentUrls

Policy CSP

Added the following new policies for Windows 10, version 1709:

  • Browser/ProvisionFavorites
  • Browser/LockdownFavorites
  • ExploitGuard/ExploitProtectionSettings
  • Games/AllowAdvancedGamingServices
  • LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts
  • LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus
  • LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus
  • LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly
  • LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount
  • LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount
  • LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked
  • LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayLastSignedIn
  • LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayUsernameAtSignIn
  • LocalPoliciesSecurityOptions/Interactivelogon_DoNotRequireCTRLALTDEL
  • LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit
  • LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn
  • LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn
  • LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests
  • LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon
  • LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn
  • LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation
  • LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators
  • LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers
  • LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated
  • LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations
  • LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode
  • LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation
  • LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations
  • Privacy/EnableActivityFeed
  • Privacy/PublishUserActivities
  • Update/DisableDualScan
  • Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork

Renamed the new policy CredentialProviders/EnableWindowsAutoPilotResetCredentials to CredentialProviders/DisableAutomaticReDeploymentCredentials.

Changed the names of the following policies:

  • Defender/GuardedFoldersAllowedApplications to Defender/ControlledFolderAccessAllowedApplications
  • Defender/GuardedFoldersList to Defender/ControlledFolderAccessProtectedFolders
  • Defender/EnableGuardMyFolders to Defender/EnableControlledFolderAccess

Added links to the additional ADMX-backed BitLocker policies.

There were issues reported with the previous release of the following policies. These issues were fixed in Windows 10, version 1709:

  • Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts
  • Start/HideAppList

July 2017

New or updated topic Description
VPNv2 CSP

Added DeviceTunnel profile in Windows 10, version 1709.

BitLocker CSP

Added the following statements:

  • When you enable EncryptionMethodByDriveType, you must specify values for all three drive types (operating system, fixed data, and removable data); otherwise the command fails with a 500 return status. For example, if you only set the encryption method for the OS and removable drives, you will get a 500 return status.
  • When you enable SystemDrivesRecoveryMessage, you must specify values for all three settings (pre-boot recovery screen, recovery message, and recovery URL); otherwise the command fails with a 500 return status. For example, if you only specify values for the message and URL, you will get a 500 return status.
Policy CSP

Added the following new policies for Windows 10, version 1709:

  • Education/DefaultPrinterName
  • Education/PreventAddingNewPrinters
  • Education/PrinterNames
  • Security/ClearTPMIfNotReady
  • WindowsDefenderSecurityCenter/CompanyName
  • WindowsDefenderSecurityCenter/DisableAppBrowserUI
  • WindowsDefenderSecurityCenter/DisableEnhancedNotifications
  • WindowsDefenderSecurityCenter/DisableFamilyUI
  • WindowsDefenderSecurityCenter/DisableHealthUI
  • WindowsDefenderSecurityCenter/DisableNetworkUI
  • WindowsDefenderSecurityCenter/DisableNotifications
  • WindowsDefenderSecurityCenter/DisableVirusUI
  • WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride
  • WindowsDefenderSecurityCenter/Email
  • WindowsDefenderSecurityCenter/EnableCustomizedToasts
  • WindowsDefenderSecurityCenter/EnableInAppCustomization
  • WindowsDefenderSecurityCenter/Phone
  • WindowsDefenderSecurityCenter/URL

Experience/AllowFindMyDevice - updated the description to include active digitizers.

EnterpriseDesktopAppManagement CSP

Added the following statement to MSI/ProductID/DownloadInstall:

  • In the Windows 10, version 1703 service release, a new tag "DownloadFromAad" was added to the "Enforcement" section of the XML. The default value is 0 (do not send token). This tag is optional and needs to be set to 1 if the server wants the download URL to receive the AADUserToken.

EnterpriseAssignedAccess CSP

Added the following information about the settings pages in AssignedAccessXML:

  • Starting in Windows 10, version 1703, you can specify the settings pages using the settings URI. For example, in place of SettingPageDisplay, you would use ms-settings:display. See the ms-settings: URI scheme reference to find the URI for each settings page.
  • In Windows 10, version 1703, Quick action settings no longer require any dependencies from the related group or page.
DeviceStatus CSP

Added the following settings in Windows 10, version 1709:

  • DeviceStatus/DomainName
  • DeviceStatus/DeviceGuard/VirtualizationBasedSecurityHwReq
  • DeviceStatus/DeviceGuard/VirtualizationBasedSecurityStatus
  • DeviceStatus/DeviceGuard/LsaCfgCredGuardStatus
AssignedAccess CSP

Here are the changes in Windows 10, version 1709.

  • Added Configuration node

Starting in Windows 10, version 1709, AssignedAccess CSP is supported in Windows 10 Pro.

SurfaceHub CSP

Changed PasswordRotationPeriod to PasswordRotationEnabled.

June 2017

New or updated topic Description
Win32 and Desktop Bridge app policy configuration

Added a list of registry locations that ingested policies are allowed to write to.

Firewall CSP

Added the following nodes:

  • Profiles
  • Direction
  • InterfaceTypes
  • EdgeTraversal
  • Status

Also added the Firewall DDF file.

TPMPolicy CSP

New CSP added in Windows 10, version 1703.
Policy CSP

Added the following new policies for Windows 10, version 1703:

  • Start/AllowPinnedFolderDocuments
  • Start/AllowPinnedFolderDownloads
  • Start/AllowPinnedFolderFileExplorer
  • Start/AllowPinnedFolderHomeGroup
  • Start/AllowPinnedFolderMusic
  • Start/AllowPinnedFolderNetwork
  • Start/AllowPinnedFolderPersonalFolder
  • Start/AllowPinnedFolderPictures
  • Start/AllowPinnedFolderSettings
  • Start/AllowPinnedFolderVideos
  • Update/AutoRestartDeadlinePeriodInDays

Added the following new policies for Windows 10, version 1709:

  • CredentialProviders/EnableWindowsAutoPilotResetCredentials
  • DeviceGuard/EnableVirtualizationBasedSecurity
  • DeviceGuard/RequirePlatformSecurityFeatures
  • DeviceGuard/LsaCfgFlags
  • Power/DisplayOffTimeoutOnBattery
  • Power/DisplayOffTimeoutPluggedIn
  • Power/HibernateTimeoutOnBattery
  • Power/HibernateTimeoutPluggedIn
  • Power/StandbyTimeoutOnBattery
  • Power/StandbyTimeoutPluggedIn
  • Defender/AttackSurfaceReductionOnlyExclusions
  • Defender/AttackSurfaceReductionRules
  • Defender/CloudBlockLevel
  • Defender/CloudExtendedTimeout
  • Defender/EnableGuardMyFolders
  • Defender/EnableNetworkProtection
  • Defender/GuardedFoldersAllowedApplications
  • Defender/GuardedFoldersList
  • Update/ScheduledInstallEveryWeek
  • Update/ScheduledInstallFirstWeek
  • Update/ScheduledInstallFourthWeek
  • Update/ScheduledInstallSecondWeek
  • Update/ScheduledInstallThirdWeek

EnterpriseCloudPrint/DiscoveryMaxPrinterLimit is only supported in Windows 10 Mobile and Mobile Enterprise.

WindowsAdvancedThreatProtection CSP

Updated the CSP in Windows 10, version 1709. Added the following settings:

  • DeviceTagging/Group
  • DeviceTagging/Criticality

WindowsDefenderApplicationGuard CSP

New CSP added in Windows 10, version 1709. Also added the DDF topic WindowsDefenderApplicationGuard DDF file.

DynamicManagement CSP

The DynamicManagement CSP is not supported in Windows 10 Mobile and Mobile Enterprise. The table of SKU information in the Configuration service provider reference was updated.

CM_ProxyEntries CSP and CMPolicy CSP

In Windows 10, version 1709, support for desktop SKUs was added to these CSPs. The table of SKU information in the Configuration service provider reference was updated.

May 2017

New or updated topic Description
Policy CSP

Added the following new policies for Windows 10, version 1703:

  • Browser/AllowFlashClickToRun
  • Experience/AllowFindMyDevice
  • Privacy/LetAppsAccessTasks
  • Privacy/LetAppsAccessTasks_ForceAllowTheseApps
  • Privacy/LetAppsAccessTasks_ForceDenyTheseApps
  • Privacy/LetAppsAccessTasks_UserInControlOfTheseApps

Starting in Windows 10, version 1703, the maximum value of Update/DeferFeatureUpdatesPeriodInDays has been increased from 180 days, to 365 days.

Added a statement that the following policies must target ./User.

  • EnterpriseCloudPrint/CloudPrinterDiscoveryEndPoint
  • EnterpriseCloudPrint/CloudPrintOAuthAuthority
  • EnterpriseCloudPrint/CloudPrintOAuthClientId
  • EnterpriseCloudPrint/CloudPrintResourceId
  • EnterpriseCloudPrint/DiscoveryMaxPrinterLimit
  • EnterpriseCloudPrint/MopriaDiscoveryResourceId
Understanding ADMX-backed policies

Added a section describing SyncML examples of various ADMX elements.

BitLocker CSP

Added the following setting:

  • AllowWarningForOtherDiskEncryption

Note that SystemDrivesMinimumPINLength is 6 digits instead of 4.

Reporting CSP

Added new settings in Windows 10, version 1703.

  • EnterpriseDataProtection/RetrieveByTimeRange/Type
  • EnterpriseDataProtection/RetrieveByCount/Type
Connecting your Windows 10-based device to work using a deep link

Added following deep link parameters to the table:

  • Username
  • Servername
  • Accesstoken
  • Deviceidentifier
  • Tenantidentifier
  • Ownership
Firewall CSP

Added new CSP in Windows 10, version 1709.

MDM support for Windows 10 S

Updated the following topics to indicate MDM support in Windows 10 S.

April 2017

New or updated topic Description
Policy CSP

Added the following new policies for Windows 10, version 1703:

  • DeviceLock/MaxInactivityTimeDeviceLockWithExternalDisplay
  • Start/ImportEdgeAssets
  • Update/DetectionFrequency
  • Update/PauseFeatureUpdatesStartTime
  • Update/PauseQualityUpdatesStartTime
  • Update/SetEDURestart
  • WiFi/AllowWiFiDirect
  • WirelessDisplay/AllowProjectionFromPC
  • WirelessDisplay/AllowProjectionFromPCOverInfrastructure
  • WirelessDisplay/AllowProjectionToPCOverInfrastructure
  • WirelessDisplay/AllowUserInputFromWirelessDisplayReceiver

DeviceLock/EnforceLockScreenAndLogonImage is not supported in Windows 10 Pro edition.

DMSessionActions CSP

Added new CSP for Windows 10, version 1703.

CertificateStore CSP

Updated in Windows 10, version 1703. Added the following setting:

  • My/WSTEP/Renew/RetryAfterExpiryInterval

ClientCertificateInstall CSP

Updated in Windows 10, version 1703. Added the following setting:

  • SCEP/UniqueID/Install/AADKeyIdentifierList

DMAcc CSP

Updated in Windows 10, version 1703. Added the following setting:

  • AccountUID/EXT/Microsoft/InitiateSession

DMClient CSP

Updated in Windows 10, version 1703. Added the following nodes and settings:

  • HWDevID
  • Provider/ProviderID/ManagementServerToUpgradeTo
  • Provider/ProviderID/CustomEnrollmentCompletePage
  • Provider/ProviderID/CustomEnrollmentCompletePage/Title
  • Provider/ProviderID/CustomEnrollmentCompletePage/BodyText
  • Provider/ProviderID/CustomEnrollmentCompletePage/HyperlinkHref
  • Provider/ProviderID/CustomEnrollmentCompletePage/HyperlinkText
SharedPC CSP

Added new settings in Windows 10, version 1703.

  • RestrictLocalStorage
  • KioskModeAUMID
  • KioskModeUserTileDisplayText
  • InactiveThreshold
  • MaxPageFileSizeMB

The default value for SetEduPolicies changed to false. The default value for SleepTimeout changed to 300.

RemoteLock CSP

Added following setting:

  • LockAndRecoverPIN
NodeCache CSP

Added following settings:

  • ChangedNodesData
  • AutoSetExpectedValue
Download all the DDF files for Windows 10, version 1703

Added a zip file containing the DDF XML files of the CSPs. The link to the download is available in the DDF topics of various CSPs.

RemoteWipe CSP

Added new setting in Windows 10, version 1703.

  • doWipeProtected
EnterpriseDesktopAppManagement CSP

Added new setting in the March service release of Windows 10, version 1607.

  • MSI/UpgradeCode/[Guid]
MDM Bridge WMI Provider

Updated for Windows 10, version 1703. Added new classes and properties.

Deploy and configure App-V apps using MDM

Added a new topic describing how to deploy and configure App-V apps using MDM.

March 2017

New or updated topic Description
Policy CSP

Added the following new policies for Windows 10, version 1703:

  • Accounts/AllowMicrosoftAccountSignInAssistant
  • Connectivity/AllowConnectedDevices
  • Display/TurnOffGdiDPIScalingForApps
  • Display/TurnOnGdiDPIScalingForApps
  • Location/EnableLocation
  • SmartScreen/EnableAppInstallControl
  • SmartScreen/EnableSmartScreenInShell
  • SmartScreen/PreventOverrideForFilesInShell
  • Update/IgnoreMOAppDownloadLimit
  • Update/IgnoreMOUpdateDownloadLimit

For Windows 10, version 1703, added the ConfigOperations/ADMXInstall node and setting, which is used to ingest ADMX files.

DeviceLock/DevicePasswordEnabled in Policy CSP

Added the following note:

DevicePasswordEnabled should not be set to Enabled (0) when WMI is used to set the EAS DeviceLock policies, because it is Enabled by default in Policy CSP for backward compatibility with Windows 8.x. If DevicePasswordEnabled is set to Enabled (0), Policy CSP returns an error stating that DevicePasswordEnabled already exists. Windows 8.x did not support the DevicePassword policy. When DevicePasswordEnabled is set to Disabled (1), it should be the only policy set from the DeviceLock group of policies listed below:

  • DevicePasswordEnabled is the parent policy of the following:
    • AllowSimpleDevicePassword
    • MinDevicePasswordLength
    • AlphanumericDevicePasswordRequired
      • MinDevicePasswordComplexCharacters
    • MaxDevicePasswordFailedAttempts
    • MaxInactivityTimeDeviceLock
Personalization CSP

Added new CSP for Windows 10, version 1703.

EnterpriseAppVManagement CSP

Added new CSP for Windows 10, version 1703.

HealthAttestation CSP

Added the following settings:

  • HASEndpoint - added in Windows 10, version 1607, but not documented
  • TpmReadyStatus - added in the March service release of Windows 10, version 1607

SurfaceHub CSP

Updated in Windows 10, version 1703. Added the following nodes and settings:

  • InBoxApps/SkypeForBusiness
  • InBoxApps/SkypeForBusiness/DomainName
  • InBoxApps/Connect
  • InBoxApps/Connect/AutoLaunch
  • Properties/DefaultVolume
  • Properties/ScreenTimeout
  • Properties/SessionTimeout
  • Properties/SleepTimeout
  • Properties/AllowSessionResume
  • Properties/AllowAutoProxyAuth
  • Properties/DisableSigninSuggestions
  • Properties/DoNotShowMyMeetingsAndFiles
NetworkQoSPolicy CSP

Added new CSP for Windows 10, version 1703.

EnterpriseAPN CSP

Added the following setting:

  • Roaming

WindowsLicensing CSP

Added the following setting for Windows 10, version 1703:

  • ChangeProductKey

Added the following new node and settings in Windows 10, version 1607, but not previously documented:

  • Subscriptions
  • Subscriptions/SubscriptionId
  • Subscriptions/SubscriptionId/Status
  • Subscriptions/SubscriptionId/Name
EnterpriseDataProtection CSP

Added the following settings:

  • RevokeOnMDMHandoff
  • SMBAutoEncryptedFileExtensions
WindowsAdvancedThreatProtection CSP

Updated in Windows 10, version 1703. Added the following setting:

  • Configuration/TelemetryReportingFrequency

February 2017

New or updated topic Description
SecureAssessment CSP

Updated the following setting names:

  • AllowScreenMonitoring - previously ScreenCaptureCapability
  • RequirePrinting - previously PrintingCapability
EnterpriseDataProtection CSP

Added the following statement to Settings/EDPShowIcons:

  • Starting in Windows 10, version 1703 this setting also configures the visibility of the WIP icon in the title bar of a WIP-protected app.
Policy CSP

Added the following new policies for Windows 10, version 1703:

  • ApplicationDefaults/DefaultAssociationsConfiguration
  • Browser/AllowAddressBarDropdown
  • Browser/AllowMicrosoftCompatibilityList
  • Browser/AllowSearchEngineCustomization
  • Browser/ClearBrowsingDataOnExit
  • Browser/ConfigureAdditionalSearchEngines
  • Browser/DisableLockdownOfStartPages
  • Browser/PreventFirstRunPage
  • Browser/PreventLiveTileDataCollection
  • Browser/SetDefaultSearchEngine
  • Browser/SyncFavoritesBetweenIEAndMicrosoftEdge
  • Connectivity/AllowConnectedDevices
  • DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload
  • Experience/AllowTailoredExperiencesWithDiagnosticData
  • Experience/AllowWindowsSpotlightOnActionCenter
  • Experience/AllowWindowsSpotlightWindowsWelcomeExperience
  • Settings/ConfigureTaskbarCalendar
  • Settings/PageVisibilityList
  • Start/HideAppList
  • Start/HideChangeAccountSettings
  • Start/HideFrequentlyUsedApps
  • Start/HideHibernate
  • Start/HideLock
  • Start/HidePowerButton
  • Start/HideRecentJumplists
  • Start/HideRecentlyAddedApps
  • Start/HideRestart
  • Start/HideShutDown
  • Start/HideSignOut
  • Start/HideSleep
  • Start/HideSwitchAccount
  • Start/HideUserTile
  • Start/NoPinningToTaskbar
  • System/AllowFontProviders
  • System/DisableOneDriveFileSync
  • TextInput/AllowKeyboardTextSuggestions
  • TimeLanguageSettings/AllowSet24HourClock
  • Update/ActiveHoursMaxRange
  • Update/AutoRestartNotificationSchedule
  • Update/AutoRestartRequiredNotificationDismissal
  • Update/EngagedRestartDeadline
  • Update/EngagedRestartSnoozeSchedule
  • Update/EngagedRestartTransitionSchedule
  • Update/SetAutoRestartNotificationDisable
  • WindowsLogon/HideFastUserSwitching

Starting in Windows 10, version 1703, Update/UpdateServiceUrl is not supported in Windows 10 Mobile Enterprise and IoT Enterprise.

Starting in Windows 10, version 1703, in Browser/HomePages you can use the "<about:blank>" value if you don’t want to send traffic to Microsoft.

Starting in Windows 10, version 1703, Start/StartLayout can now be set on a per-device basis in addition to the pre-existing per-user basis.

NetworkProxy CSP

Added new CSP for Windows 10, version 1703.

BitLocker CSP

Added new CSP for Windows 10, version 1703.

EnterpriseDataProtection CSP

Starting in Windows 10, version 1703, AllowUserDecryption is no longer supported.

DynamicManagement CSP

Added new CSP for Windows 10, version 1703.

Implement server-side support for mobile application management on Windows

New mobile application management (MAM) support added in Windows 10, version 1703.

PassportForWork CSP

Updated in Windows 10, version 1703. Added the following new node and settings:

  • TenantId/Policies/ExcludeSecurityDevices (only for ./Device/Vendor/MSFT)
  • TenantId/Policies/ExcludeSecurityDevices/TPM12 (only for ./Device/Vendor/MSFT)
  • TenantId/Policies/EnablePinRecovery
Office CSP

Added new CSP for Windows 10, version 1703.

January 2017

New or updated topic Description
Reboot CSP

RebootNow triggers a reboot within 5 minutes to allow the user to wrap up any active work. Also updated the Note in RebootNow.

Device update management

Updated the following section:

SecureAssessment CSP

Updated in Windows 10, version 1703. Added the following settings

  • AllowTextSuggestions
  • PrintingCapability
  • ScreenCaptureCapability
DevDetail CSP

Updated in Windows 10, version 1703. Added the following setting: DeviceHardwareData

Messaging CSP

Added new CSP for Windows 10, version 1703. This CSP is only supported in Windows 10 Mobile and Mobile Enterprise editions.

Policy CSP

Added the following new policies for Windows 10, version 1703:

  • DeliveryOptimization/DOAllowVPNPeerCaching
  • DeliveryOptimization/DOMinDiskSizeAllowedToPeer
  • DeliveryOptimization/DOMinFileSizeToCache
  • DeliveryOptimization/DOMinRAMAllowedToPeer
  • EnterpriseCloudPrint/CloudPrinterDiscoveryEndPoint
  • EnterpriseCloudPrint/CloudPrintOAuthAuthority
  • EnterpriseCloudPrint/CloudPrintOAuthClientId
  • EnterpriseCloudPrint/CloudPrintResourceId
  • EnterpriseCloudPrint/DiscoveryMaxPrinterLimit
  • EnterpriseCloudPrint/MopriaDiscoveryResourceId
  • Messaging/AllowMMS
  • Messaging/AllowRCS
  • Privacy/LetAppsGetDiagnosticInfo
  • Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps
  • Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps
  • Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps
  • Privacy/LetAppsRunInBackground
  • Privacy/LetAppsRunInBackground_ForceAllowTheseApps
  • Privacy/LetAppsRunInBackground_ForceDenyTheseApps
  • Privacy/LetAppsRunInBackground_UserInControlOfTheseApps

Added the following new policy for the January service release of Windows 10, version 1607: Update/UpdateServiceUrlAlternate

Removed TextInput/AllowLinguisticDataCollection from Policy CSP in Windows 10 version 1703.

CleanPC CSP

Added new CSP for Windows 10, version 1703.

DeveloperSetup CSP

Added new CSP for Windows 10, version 1703.

Added a download of Windows 10 version 1607 DDF files

You can download the Windows 10 version 1607 DDF files from here.

DeviceStatus CSP

Added the following values for DeviceStatus/NetworkIdentifiers/MacAddress/Type setting:

  • 2 - WLAN (or other wireless interface)
  • 1 - LAN (or other Wired interface)
  • 0 - Unknown

December 2016

New or updated topic Description
Update CSP

Added the following nodes:

  • FailedUpdates/Failed Update Guid/RevisionNumber
  • InstalledUpdates/Installed Update Guid/RevisionNumber
  • PendingRebootUpdates/Pending Reboot Update Guid/RevisionNumber
AppLocker CSP

Added information about exempt applications list to the EnterpriseDataProtection setting.

EnterpriseDataProtection CSP

To Settings/RequireProtectionUnderLockConfig, added supported values.

CM_CellularEntries CSP

To the PurposeGroups setting, added the following values in Windows 10, version 1709:

  • Purchase - 95522B2B-A6D1-4E40-960B-05E6D3F962AB
  • Administrative - 2FFD9261-C23C-4D27-8DCF-CDE4E14A3364
CellularSettings CSP

CM_CellularEntries CSP

EnterpriseAPN CSP

In the Windows 10, version 1709, support was added for Windows 10 Home, Pro, Enterprise, and Education editions.

Updated the DDF topics. The following DDF topics were updated:

Reporting CSP

Reporting/SecurityAuditing setting is not supported in Windows 10, version 1607 in the desktop editions.

November 2016

New or updated topic Description
EnterpriseAPN CSP

The EnterpriseAPN configuration service provider (CSP) is not supported in Windows 10 for desktop editions (Home, Pro, Enterprise, and Education), versions 1511 and 1607.

Defender CSP

Added the following values for Defender/Scan setting:

  • 1 - quick scan
  • 2 - full scan
EnterpriseDataProtection CSP

Added data recovery agent (DRA) information to Settings/DataRecoveryCertificate.

Disconnecting from the management infrastructure (unenrollment)

Added information about unenrollment from Azure Active Directory Join.

Policy CSP

Updated the description of the following policies.

October 27, 2016

New or updated topic Description
CM_ProxyEntries CSP

Support for OMA DM was added in Windows 10, version 1607.

AppLocker CSP

Recommended deny list for Windows Information Protection - example for Windows 10, version 1607 that prevents known unenlightened Microsoft apps from accessing enterprise data as allowed apps. This ensures an administrator does not accidentally make these apps Windows Information Protection allowed, and avoids known compatibility issues related to automatic file encryption with these applications.

October 21, 2016

New or updated topic Description
Policy CSP

Updated the most restricted values for the following policies:

  • Browser/AllowDoNotTrack
  • Browser/AllowPasswordManager
  • Browser/AllowPopups
  • Browser/AllowSmartScreen

October 6, 2016

New or updated topic Description

WindowsTeam CSP

Deleted the WindowsTeam CSP topic. You should use SurfaceHub instead.

Policy CSP

Added the following policies:

  • Search/DisableBackoff
  • Search/DisableRemovableDriveIndexing
  • Search/PreventIndexingLowDiskSpaceMB
  • Search/PreventRemoteQueries

September 29, 2016

New or updated topic Description
Policy CSP

Updated the following policies:

  • System/AllowBuildPreview - supported in Windows 10 Mobile and Windows 10 Mobile Enterprise
  • Experience/AllowThirdPartySuggestionsInWindowsSpotlight - supported in Windows 10 Pro.

September 22, 2016

New or updated topic Description
AppLocker CSP

Added the following note to the list of Inbox apps and components:

Note This list identifies system apps that ship as part of Windows that you can add to your AppLocker policy to ensure proper functioning of the operating system. If you decide to block some of these apps, we recommend a thorough testing before deploying to your production environment. Failure to do so may result in unexpected failures and can significantly degrade the user experience.

ComputerName in Windows Provisioning settings reference

ComputerName does not support asterisk (*) and does not support empty string.

Policy CSP

Updated the supported values for Update/BranchReadinessLevel.

Device update management

Updated the following section:

September 12, 2016

New or updated topic Description
Policy CSP

Added the following statement to Update/DeferUpdatePeriod policy:

On Windows 10 Mobile Enterprise, version 1511 devices that are set to automatic updates, you must set the following for DeferUpdatePeriod to work:

  • Update/RequireDeferUpgrade must be set to 1
  • System/AllowTelemetry must be set to 1 or higher

Added new policy Experience/AllowThirdPartySuggestionsInWindowsSpotlight in Windows 10, version 1607.

September 8, 2016

New or updated topic Description
EnterpriseModernAppManagement CSP

Updated the names for the following settings:

  • AppInventoryQuery
  • AppInventoryResults
Policy CSP

Updated the following policy description:

System/AllowTelemetry

Allow the device to send diagnostic and usage telemetry data, such as Watson.

The following lists describe the supported values:

Windows 8.1 values

  • 0 – Not allowed
  • 1 – Allowed, except for Secondary Data Requests.
  • 2 (default) – Allowed.

Windows 10 values

  • 0 – Security. Information that is required to help keep Windows more secure, including data about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender.
    Note This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server 2016. Using this setting on other devices is equivalent to setting the value of 1.
  • 1 – Basic. Basic device info, including: quality-related data, app compatibility, app usage data, and data from the Security level.
  • 2 – Enhanced. Additional insights, including: how Windows, Windows Server, System Center, and apps are used, how they perform, advanced reliability data, and data from both the Basic and the Security levels.
  • 3 – Full. All data necessary to identify and help to fix problems, plus data from the Security, Basic, and Enhanced levels.
Important If you are using a Windows 8.1 MDM server and set a value of 0 using the legacy AllowTelemetry policy on a Windows 10 Mobile device, the value is not respected and the telemetry level is silently set to level 1.

Most restricted value is 0.

OMA DM protocol support

Updated the following description:

  • LocURI - Specifies the address of the target or source location. If the address contains a non-alphanumeric character, it must be properly escaped according to the URL encoding standard.
VPNv2 CSP

Updated the following description:

  • VPNv2/ProfileName - Unique alpha numeric identifier for the profile. The profile name must not include a forward slash (/).

    Supported operations include Get, Add, and Delete.

    Note If the profile name has a space or other non-alphanumeric character, it must be properly escaped according to the URL encoding standard.
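Two caveats on this page concern what goes on the wire in a SyncML request: a LocURI segment with a space or other non-alphanumeric character (the VPNv2 profile name above, or any LocURI as described under OMA DM protocol support) must be URL-escaped, and the DeviceLock note in the March 2017 entry requires that DevicePasswordEnabled, when set to Disabled (1), be the only DeviceLock policy in the request. The following Python is an added illustration of both rules, not code from the Windows documentation or the CSPs. It assumes the Policy CSP base path ./Device/Vendor/MSFT/Policy/Config and the VPNv2 base path ./Vendor/MSFT/VPNv2 with a ProfileXML leaf, and the profile names and policy values are constructed sample input.

```python
"""Build OMA DM SyncML items that respect two rules from the MDM change log:
LocURI segments are URL-escaped (and a VPNv2 profile name may not contain '/'),
and DevicePasswordEnabled=1 must be the only DeviceLock policy in a request.

Added example; the base paths below are assumptions for the demonstration.
"""
from urllib.parse import quote
from xml.sax.saxutils import escape

POLICY_BASE = "./Device/Vendor/MSFT/Policy/Config"   # assumed Policy CSP root
VPNV2_BASE = "./Vendor/MSFT/VPNv2"                   # assumed VPNv2 CSP root


def encode_locuri_segment(segment: str) -> str:
    """Percent-encode one LocURI path segment per the URL encoding standard.

    safe='' also encodes '/', so an encoded segment can never be read as two
    path levels; alphanumerics and the unreserved characters -._~ stay as-is.
    """
    return quote(segment, safe="")


def is_valid_vpn_profile_name(profile_name: str) -> bool:
    """VPNv2/ProfileName must be non-empty and must not include '/'."""
    return bool(profile_name) and "/" not in profile_name


def vpn_profile_locuri(profile_name: str, leaf: str = "ProfileXML") -> str:
    """LocURI for a VPNv2 profile node, with the profile name escaped."""
    if not is_valid_vpn_profile_name(profile_name):
        raise ValueError("VPNv2 profile name must be non-empty and contain no '/'")
    return f"{VPNV2_BASE}/{encode_locuri_segment(profile_name)}/{leaf}"


def policy_locuri(area: str, policy: str) -> str:
    """LocURI for a Policy CSP leaf under ./Device (e.g. DeviceLock/...)."""
    return f"{POLICY_BASE}/{area}/{policy}"


def check_devicelock_request(policies: dict) -> list:
    """Return a list of rule violations for DeviceLock policies sent together.

    DevicePasswordEnabled is 0 (Enabled, the default) or 1 (Disabled). When it
    is 1, no other DeviceLock policy may be set in the same request.
    """
    problems = []
    state = policies.get("DevicePasswordEnabled")
    if state not in (None, 0, 1):
        problems.append("DevicePasswordEnabled must be 0 (Enabled) or 1 (Disabled)")
    if state == 1:
        others = sorted(set(policies) - {"DevicePasswordEnabled"})
        if others:
            problems.append(
                "DevicePasswordEnabled=1 must be the only DeviceLock policy; "
                "also found: " + ", ".join(others)
            )
    return problems


def syncml_replace(cmd_id: int, loc_uri: str, value, fmt: str = "int") -> str:
    """One <Replace> command; LocURI and Data are XML-escaped for the body."""
    return (
        f"<Replace><CmdID>{cmd_id}</CmdID><Item>"
        f"<Target><LocURI>{escape(loc_uri)}</LocURI></Target>"
        f'<Meta><Format xmlns="syncml:metinf">{fmt}</Format></Meta>'
        f"<Data>{escape(str(value))}</Data></Item></Replace>"
    )


def devicelock_replace_commands(policies: dict, first_cmd_id: int = 1) -> str:
    """SyncML <Replace> commands for a DeviceLock policy set that passes the check."""
    problems = check_devicelock_request(policies)
    if problems:
        raise ValueError("; ".join(problems))
    return "".join(
        syncml_replace(n, policy_locuri("DeviceLock", policy), value)
        for n, (policy, value) in enumerate(sorted(policies.items()), start=first_cmd_id)
    )


if __name__ == "__main__":
    # Constructed sample input: a profile name with a space and an ampersand.
    print(vpn_profile_locuri("Contoso VPN & Co"))
    print(check_devicelock_request({"DevicePasswordEnabled": 1, "MinDevicePasswordLength": 6}))
    print(devicelock_replace_commands({"DevicePasswordEnabled": 0, "MinDevicePasswordLength": 6}))
```

The escaping is done per path segment rather than on the whole LocURI so that the dots and slashes of the path itself are untouched while any slash inside a name is rejected before it can be mistaken for a path separator; the DeviceLock check runs before any command is emitted so that a request violating the note never reaches the device.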
MDM Bridge WMI Provider

Replaced the descriptions for each class member with links to the corresponding node in the CSP topic. The CSP topics contain the most up-to-date information.

September 2, 2016

New or updated topic Description
Policy CSP

PolicyManager CSP

Added the following note:

  • You cannot disable or enable Contact Support and Windows Feedback apps using ApplicationManagement/ApplicationRestrictions policy, although these are listed in the inbox apps.
PassportForWork CSP

Added the following note:

Important Starting with Windows 10, version 1607 all devices only have one PIN associated with Windows Hello for Business. This means that any PIN on a device will be subject to the policies specified in the PassportForWork CSP. The values specified take precedence over any complexity rules set via Exchange ActiveSync (EAS) or the DeviceLock CSP.
ProfileXML XSD

Updated the Native profile example.

Policy CSP

Device update management

The following policies are not supported in Windows 10 Mobile Enterprise:

  • DeferUpgradePeriod
  • DeferFeatureUpdatesPeriodInDays
  • PauseFeatureUpdates
  • ExcludeWUDrivers
Note Since these policies are not blocked, you will not get a failure message when you use them to configure a Windows 10 Mobile Enterprise device. However, the policies will not take effect.

Added additional information about update policies supported for Windows Update for Business in Changes in Windows 10, version 1607 for update management.

DevDetail CSP

In the Ext/Microsoft/DeviceName node, the Replace operation is only supported in Windows 10 Mobile and is not supported on the desktop.

August 25, 2016

New or updated topic Description
Policy DDF file

Updated version for Windows 10, version 1607.

MDM enrollment of Windows devices

Updated the section about enrolling in MDM on a desktop. Added a new section for enrolling in MDM on a phone.

August 18, 2016

New or updated topic Description
CertificateStore CSP

CertificateStore DDF file

Added the following new settings in Windows 10, version 1607:

  • My/WSTEP/Renew/LastRenewalAttemptTime
  • My/WSTEP/Renew/RenewNow

August 11, 2016

New or updated topic Description
Bulk enrollment

Added new section:

Azure Active Directory integration with MDM

Added a link to MDM enrollment templates and CSS files:

August 2, 2016

New or updated topic Description
OMA DM protocol support

Added a table of common SyncML response codes that occur during OMA DM sessions.

Mobile device enrollment

Updated the following section:

SUPL CSP

LocMasterSwitchDependencyNII setting is not deprecated. Removed the note that it's deprecated in Windows 10.

Push notification support for device management

Added the following section:

RemoteWipe CSP

Updated the Remote Wipe Process section. Added the following note:

Note On the desktop, the remote wipe effectively performs a factory reset and the PC does not retain any information about the command once the wipe completes. Any response from the device about the actual status or result of the command may be inconsistent and unreliable because the MDM information has been removed.
Bulk enrollment

Added new step-by-step guide for creating and applying provisioning packages.

FAQ

Can there be more than 1 MDM server to enroll and manage devices in Windows 10?
No. Only one MDM is allowed.

How do I set the maximum number of Azure Active Directory joined devices per user?

  1. Log in to the portal as tenant admin: https://manage.windowsazure.com.
  2. Click Active Directory on the left pane.
  3. Choose your tenant.
  4. Click Configure.
  5. Set quota to unlimited.


What is dmwappushsvc?

What is dmwappushsvc?

It is a Windows service that ships in the Windows 10 operating system as a part of the Windows management platform. It is used internally by the operating system as a queue for categorizing and processing all WAP messages, which include Windows management messages, MMS, NabSync, and Service Indication/Service Loading (SI/SL). The service also initiates and orchestrates management sync sessions with the MDM server.

What data is handled by dmwappushsvc?

It is a component handling the internal workings of the management platform and is involved in processing messages that have been received by the device remotely for management. The messages in the queue are serviced by another component that is also part of the Windows management stack. The service also routes and authenticates WAP messages received by the device to the internal OS components that process them further: MMS, NabSync, SI/SL.

How do I turn it off?

The service can be stopped from the "Services" console on the device (Start > Run > services.msc). However, since this is a component of the OS and is required for the proper functioning of the device, we strongly recommend not doing this.