Managing new MDM settings in Windows 10 (version 1607)

Introduction

With the recent release of Windows 10 (version 1607), comes a whole bunch of new features including extensive built in mobile device management (MDM) capabilities.

mdm

How you manage those MDM settings is up to you. The following solutions are available to you and can be used to manage the new MDM settings in Windows 10 (version 1607).

To learn how to manage Windows 10 corporate devices via Azure AD, Microsoft System Center Configuration Manager, or Microsoft Intune see the following link.

What’s new in Windows 10, version 1607

The following link gives you a detailed list of what’s new (MDM settings) in 1607.

Item Description
Sideloading of apps Starting in Windows 10, version 1607, sideloading of apps is only allowed through EnterpriseModernAppManagement CSP. Product keys (5×5) will no longer be supported to enable sideloading on Windows 10, version 1607 devices.
New value for NodeCache CSP In NodeCache CSP, the value of NodeCache root node starting in Windows 10, version 1607 is com.microsoft/1.0/MDM/NodeCache.
EnterpriseDataProtection CSP New CSP.
Policy CSP Removed the following policies:

  • DataProtection/AllowAzureRMSForEDP – moved this policy to EnterpriseDataProtection CSP
  • DataProtection/AllowUserDecryption – moved this policy to EnterpriseDataProtection CSP
  • DataProtection/EDPEnforcementLevel – moved this policy to EnterpriseDataProtection CSP
  • DataProtection/RequireProtectionUnderLockConfig – moved this policy to EnterpriseDataProtection CSP
  • DataProtection/RevokeOnUnenroll – moved this policy to EnterpriseDataProtection CSP
  • DataProtection/EnterpriseCloudResources – moved this policy to NetworkIsolation policy
  • DataProtection/EnterpriseInternalProxyServers – moved this policy to NetworkIsolation policy
  • DataProtection/EnterpriseIPRange – moved this policy to NetworkIsolation policy
  • DataProtection/EnterpriseNetworkDomainNames – moved this policy to NetworkIsolation policy
  • DataProtection/EnterpriseProxyServers – moved this policy to NetworkIsolation policy
  • Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices – this policy has been deprecated.

Added the WiFi/AllowManualWiFiConfiguration and WiFi/AllowWiFi policies for Windows 10, version 1607:

  • Windows 10 Pro
  • Windows 10 Enterprise
  • Windows 10 Education

Added the following new policies:

  • AboveLock/AllowCortanaAboveLock
  • ApplicationManagement/DisableStoreOriginatedApps
  • Authentication/AllowSecondaryAuthenticationDevice
  • Bluetooth/AllowPrepairing
  • Browser/AllowExtensions
  • Browser/PreventAccessToAboutFlagsInMicrosoftEdge
  • Browser/ShowMessageWhenOpeningSitesInInternetExplorer
  • DeliveryOptimization/DOAbsoluteMaxCacheSize
  • DeliveryOptimization/DOMaxDownloadBandwidth
  • DeliveryOptimization/DOMinBackgroundQoS
  • DeliveryOptimization/DOModifyCacheDrive
  • DeliveryOptimization/DOMonthlyUploadDataCap
  • DeliveryOptimization/DOPercentageMaxDownloadBandwidth
  • DeviceLock/EnforceLockScreenAndLogonImage
  • DeviceLock/EnforceLockScreenProvider
  • Defender/PUAProtection
  • Experience/AllowWindowsSpotlight
  • Experience/ConfigureWindowsSpotlightOnLockScreen
  • Experience/DoNotShowFeedbackNotifications
  • Licensing/AllowWindowsEntitlementActivation
  • Licensing/DisallowKMSClientOnlineAVSValidation
  • LockDown/AllowEdgeSwipe
  • Maps/EnableOfflineMapsAutoUpdate
  • Maps/AllowOfflineMapsDownloadOverMeteredConnection
  • Messaging/AllowMessageSync
  • NetworkIsolation/EnterpriseCloudResources
  • NetworkIsolation/EnterpriseInternalProxyServers
  • NetworkIsolation/EnterpriseIPRange
  • NetworkIsolation/EnterpriseIPRangesAreAuthoritative
  • NetworkIsolation/EnterpriseNetworkDomainNames
  • NetworkIsolation/EnterpriseProxyServers
  • NetworkIsolation/EnterpriseProxyServersAreAuthoritative
  • NetworkIsolation/NeutralResources
  • Notifications/DisallowNotificationMirroring
  • Privacy/DisableAdvertisingId
  • Privacy/LetAppsAccessAccountInfo
  • Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps
  • Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps
  • Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps
  • Privacy/LetAppsAccessCalendar
  • Privacy/LetAppsAccessCalendar_ForceAllowTheseApps
  • Privacy/LetAppsAccessCalendar_ForceDenyTheseApps
  • Privacy/LetAppsAccessCalendar_UserInControlOfTheseApps
  • Privacy/LetAppsAccessCallHistory
  • Privacy/LetAppsAccessCallHistory_ForceAllowTheseApps
  • Privacy/LetAppsAccessCallHistory_ForceDenyTheseApps
  • Privacy/LetAppsAccessCallHistory_UserInControlOfTheseApps
  • Privacy/LetAppsAccessCamera
  • Privacy/LetAppsAccessCamera_ForceAllowTheseApps
  • Privacy/LetAppsAccessCamera_ForceDenyTheseApps
  • Privacy/LetAppsAccessCamera_UserInControlOfTheseApps
  • Privacy/LetAppsAccessContacts
  • Privacy/LetAppsAccessContacts_ForceAllowTheseApps
  • Privacy/LetAppsAccessContacts_ForceDenyTheseApps
  • Privacy/LetAppsAccessContacts_UserInControlOfTheseApps
  • Privacy/LetAppsAccessEmail
  • Privacy/LetAppsAccessEmail_ForceAllowTheseApps
  • Privacy/LetAppsAccessEmail_ForceDenyTheseApps
  • Privacy/LetAppsAccessEmail_UserInControlOfTheseApps
  • Privacy/LetAppsAccessLocation
  • Privacy/LetAppsAccessLocation_ForceAllowTheseApps
  • Privacy/LetAppsAccessLocation_ForceDenyTheseApps
  • Privacy/LetAppsAccessLocation_UserInControlOfTheseApps
  • Privacy/LetAppsAccessMessaging
  • Privacy/LetAppsAccessMessaging_ForceAllowTheseApps
  • Privacy/LetAppsAccessMessaging_ForceDenyTheseApps
  • Privacy/LetAppsAccessMessaging_UserInControlOfTheseApps
  • Privacy/LetAppsAccessMicrophone
  • Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps
  • Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps
  • Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps
  • Privacy/LetAppsAccessMotion
  • Privacy/LetAppsAccessMotion_ForceAllowTheseApps
  • Privacy/LetAppsAccessMotion_ForceDenyTheseApps
  • Privacy/LetAppsAccessMotion_UserInControlOfTheseApps
  • Privacy/LetAppsAccessNotifications
  • Privacy/LetAppsAccessNotifications_ForceAllowTheseApps
  • Privacy/LetAppsAccessNotifications_ForceDenyTheseApps
  • Privacy/LetAppsAccessNotifications_UserInControlOfTheseApps
  • Privacy/LetAppsAccessPhone
  • Privacy/LetAppsAccessPhone_ForceAllowTheseApps
  • Privacy/LetAppsAccessPhone_ForceDenyTheseApps
  • Privacy/LetAppsAccessPhone_UserInControlOfTheseApps
  • Privacy/LetAppsAccessRadios
  • Privacy/LetAppsAccessRadios_ForceAllowTheseApps
  • Privacy/LetAppsAccessRadios_ForceDenyTheseApps
  • Privacy/LetAppsAccessRadios_UserInControlOfTheseApps
  • Privacy/LetAppsAccessTrustedDevices
  • Privacy/LetAppsAccessTrustedDevices_ForceAllowTheseApps
  • Privacy/LetAppsAccessTrustedDevices_ForceDenyTheseApps
  • Privacy/LetAppsAccessTrustedDevices_UserInControlOfTheseApps
  • Privacy/LetAppsSyncWithDevices
  • Privacy/LetAppsSyncWithDevices_ForceAllowTheseApps
  • Privacy/LetAppsSyncWithDevices_ForceDenyTheseApps
  • Privacy/LetAppsSyncWithDevices_UserInControlOfTheseApps
  • Security/PreventAutomaticDeviceEncryptionForAzureADJoinedDevices
  • Settings/AllowEditDeviceName
  • Speech/AllowSpeechModelUpdate
  • System/TelemetryProxy
  • Update/ActiveHoursStart
  • Update/ActiveHoursEnd
  • Update/AllowMUUpdateService
  • Update/BranchReadinessLevel
  • Update/DeferFeatureUpdatePeriodInDays
  • Update/DeferQualityUpdatePeriodInDays
  • Update/ExcludeWUDriversInQualityUpdate
  • Update/PauseFeatureUpdates
  • Update/PauseQualityUpdates
  • WindowsInkWorkspace/AllowWindowsInkWorkspace
  • WindowsInkWorkspace/AllowSuggestedAppsInWindowsInkWorkspace
  • WirelessDisplay/AllowProjectionToPC
  • WirelessDisplay/RequirePinForPairing

Updated the Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts description to remove outdated information.

Updated DeliveryOptimization/DODownloadMode to add new values.

Updated Experience/AllowCortana description to clarify what each supported value does.

Updated Security/AntiTheftMode description to clarify what each supported value does.

DMClient CSP Added the following settings:

  • ManagementServerAddressList
  • AADDeviceID
  • EnrollmentType
  • HWDevID
  • CommercialID

Removed the EnrollmentID setting.

Reporting CSP Added support for SecurityAuditing settings for the desktop.
DeviceManageability CSP New CSP.
DeviceStatus CSP Added the following new settings:

  • DeviceStatus/TPM/SpecificationVersion
  • DeviceStatus/OS/Edition
  • DeviceStatus/Antivirus/SignatureStatus
  • DeviceStatus/Antivirus/Status
  • DeviceStatus/Antispyware/SignatureStatus
  • DeviceStatus/Antispyware/Status
  • DeviceStatus/Firewall/Status
  • DeviceStatus/UAC/Status
  • DeviceStatus/Battery/Status
  • DeviceStatus/Battery/EstimatedChargeRemaining
  • DeviceStatus/Battery/EstimatedRuntime
AssignedAccess CSP Added SyncML examples.
EnterpriseAssignedAccess CSP
  • Added a new Folder table entry in the AssignedAccess/AssignedAccessXml description.
  • Updated the DDF and XSD file sections.
SecureAssessment CSP New CSP for Windows 10, version 1607
DiagnosticLog CSPDiagnosticLog DDF Added version 1.3 of the CSP with two new settings. Added the new 1.3 version of the DDF. Added the following new settings in Windows 10, version 1607.

  • DeviceStateData
  • DeviceStateData/MdmConfiguration
Reboot CSP New CSP for Windows 10, version 1607
CMPolicyEnterprise CSP New CSP for Windows 10, version 1607
VPNv2 CSP Added the following settings for Windows 10, version 1607

  • ProfileName/RouteList/routeRowId/ExclusionRoute
  • ProfileName/DomainNameInformationList/dniRowId/AutoTrigger
  • ProfileName/DomainNameInformationList/dniRowId/Persistent
  • ProfileName/ProfileXML
  • ProfileName/DeviceCompliance/Enabled
  • ProfileName/DeviceCompliance/Sso
  • ProfileName/DeviceCompliance/Sso/Enabled
  • ProfileName/DeviceCompliance/Sso/IssuerHash
  • ProfileName/DeviceCompliance/Sso/Eku
  • ProfileName/NativeProfile/CryptographySuite
  • ProfileName/NativeProfile/CryptographySuite/AuthenticationTransformConstants
  • ProfileName/NativeProfile/CryptographySuite/CipherTransformConstants
  • ProfileName/NativeProfile/CryptographySuite/EncryptionMethod
  • ProfileName/NativeProfile/CryptographySuite/IntegrityCheckMethod
  • ProfileName/NativeProfile/CryptographySuite/DHGroup
  • ProfileName/NativeProfile/CryptographySuite/PfsGroup
  • ProfileName/NativeProfile/L2tpPsk
Win32AppInventory CSP Win32AppInventory DDF New CSP for Windows 10, version 1607.
SharedPC CSP New CSP for Windows 10, version 1607.
WindowsAdvancedThreatProtection CSP New CSP for Windows 10, version 1607.
WindowsTeam CSP New CSP for Windows 10, version 1607.
MDM Bridge WMI Provider Added new classes for Windows 10, version 1607.
MDM enrollment of Windows devices Topic renamed from “Enrollment UI”.

Completely updated enrollment procedures and screenshots.

UnifiedWriteFilter CSPUnifiedWriteFilter DDF File Added the following new setting for Windows 10, version 1607:

  • NextSession/HORMEnabled

cheers

niall

This entry was posted in 1607, 1607, Azure AD, Intune, MDM settings, Windows 10. Bookmark the permalink.

One Response to Managing new MDM settings in Windows 10 (version 1607)

  1. Pingback: Managing Windows 10 PCs with Intune | just another windows noob ?

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.