What's new in mobile device enrollment and management

Article
08/07/2024
Applies to:

✅ Windows 11, ✅ Windows 10

This article provides information about what's new in mobile device management (MDM) enrollment and management experience across all Windows devices. This article also provides details about the breaking changes and known issues and frequently asked questions.

For details about Microsoft mobile device management protocols for Windows, see [MS-MDM]: Mobile Device Management Protocol and [MS-MDE2]: Mobile Device Enrollment Protocol Version 2.

What's new in MDM for Windows 11, version 22H2

New or updated article	Description
DeviceStatus	Added the following node: MDMClientCertAttestation
eUUICs	Added the following node: IsDiscoveryServer
PersonalDataEncryption	New CSP
Policy CSP	Added the following nodes: Accounts/RestrictToEnterpriseDeviceAuthenticationOnly DesktopAppInstaller/EnableAdditionalSources DesktopAppInstaller/EnableAllowedSources DesktopAppInstaller/EnableAppInstaller DesktopAppInstaller/EnableDefaultSource DesktopAppInstaller/EnableExperimentalFeatures DesktopAppInstaller/EnableHashOverride DesktopAppInstaller/EnableLocalManifestFiles DesktopAppInstaller/EnableMicrosoftStoreSource DesktopAppInstaller/EnableMSAppInstallerProtocol DesktopAppInstaller/EnableSettings DesktopAppInstaller/SourceAutoUpdateInterval Education/EnableEduThemes Experience/AllowSpotlightCollectionOnDesktop FileExplorer/DisableGraphRecentItems HumanPresence/ForceInstantDim InternetExplorer/EnableGlobalWindowListInIEMode InternetExplorer/HideIEAppRetirementNotification InternetExplorer/ResetZoomForDialogInIEMode LocalSecurityAuthority/AllowCustomSSPsAPs LocalSecurityAuthority/ConfigureLsaProtectedProcess MixedReality/AllowCaptivePortalBeforeLogon MixedReality/AllowLaunchUriInSingleAppKiosk MixedReality/AutoLogonUser MixedReality/ConfigureMovingPlatform MixedReality/ConfigureNtpClient MixedReality/ManualDownDirectionDisabled MixedReality/NtpClientEnabled MixedReality/SkipCalibrationDuringSetup MixedReality/SkipTrainingDuringSetup NetworkListManager/AllowedTlsAuthenticationEndpoints NetworkListManager/ConfiguredTLSAuthenticationNetworkName Printers/ConfigureCopyFilesPolicy Printers/ConfigureDriverValidationLevel Printers/ConfigureIppPageCountsPolicy Printers/ConfigureRedirectionGuard Printers/ConfigureRpcConnectionPolicy Printers/ConfigureRpcListenerPolicy Printers/ConfigureRpcTcpPort Printers/ManageDriverExclusionList Printers/RestrictDriverInstallationToAdministrators RemoteDesktopServices/DoNotAllowWebAuthnRedirection Search/AllowSearchHighlights Search/DisableSearch SharedPC/EnableSharedPCModeWithOneDriveSync Start/DisableControlCenter Start/DisableEditingQuickSettings Start/HideRecommendedSection Start/HideTaskViewButton Start/SimplifyQuickSettings Stickers/EnableStickers Textinput/allowimenetworkaccess Update/NoUpdateNotificationDuringActiveHours WebThreatDefense/EnableService WebThreatDefense/NotifyMalicious WebThreatDefense/NotifyPasswordReuse WebThreatDefense/NotifyUnsafeApp Windowslogon/EnableMPRNotifications
SecureAssessment	Added the following node: Assessments
WindowsAutopilot	Added the following node: HardwareMismatchRemediationData

What's new in MDM for Windows 11, version 21H2

New or updated article	Description
Policy CSP	Added the following nodes: Kerberos/PKInitHashAlgorithmConfiguration Kerberos/PKInitHashAlgorithmSHA1 Kerberos/PKInitHashAlgorithmSHA256 Kerberos/PKInitHashAlgorithmSHA384 Kerberos/PKInitHashAlgorithmSHA512 NewsAndInterests/AllowNewsAndInterests Experiences/ConfigureChatIcon Start/ConfigureStartPins Virtualizationbasedtechnology/HypervisorEnforcedCodeIntegrity Virtualizationbasedtechnology/RequireUEFIMemoryAttributesTable
DMClient CSP	Updated the description of the following nodes: Provider/ProviderID/ConfigLock/Lock Provider/ProviderID/ConfigLock/UnlockDuration Provider/ProviderID/ConfigLock/SecuredCore
PrinterProvisioning	New CSP

What's new in MDM for Windows 10, version 20H2

New or updated article	Description
Policy CSP	Added the following nodes: Experience/DisableCloudOptimizedContent LocalUsersAndGroups/Configure MixedReality/AADGroupMembershipCacheValidityInDays MixedReality/BrightnessButtonDisabled MixedReality/FallbackDiagnostics MixedReality/MicrophoneDisabled MixedReality/VolumeButtonDisabled Multitasking/BrowserAltTabBlowout
SurfaceHub CSP	Added the following new node: Properties/SleepMode
WindowsDefenderApplicationGuard CSP	Updated the description of the following node: Settings/AllowWindowsDefenderApplicationGuard

What's new in MDM for Windows 10, version 2004

New or updated article	Description
Policy CSP	Added the following nodes: ApplicationManagement/BlockNonAdminUserInstall Bluetooth/SetMinimumEncryptionKeySize DeliveryOptimization/DOCacheHostSource DeliveryOptimization/DOMaxBackgroundDownloadBandwidth DeliveryOptimization/DOMaxForegroundDownloadBandwidth Education/AllowGraphingCalculator TextInput/ConfigureJapaneseIMEVersion TextInput/ConfigureSimplifiedChineseIMEVersion TextInput/ConfigureTraditionalChineseIMEVersion Updated the following policy: DeliveryOptimization/DOCacheHost Deprecated the following policies: DeliveryOptimization/DOMaxDownloadBandwidth DeliveryOptimization/DOMaxUploadBandwidth DeliveryOptimization/DOPercentageMaxDownloadBandwidth
DevDetail CSP	Added the following new node: Ext/Microsoft/DNSComputerName
EnterpriseModernAppManagement CSP	Added the following node: IsStub
SUPL CSP	Added the following node: FullVersion

What's new in MDM for Windows 10, version 1909

New or updated article	Description
BitLocker CSP	Added the following nodes: ConfigureRecoveryPasswordRotation RotateRecoveryPasswords RotateRecoveryPasswordsStatus RotateRecoveryPasswordsRequestID

What's new in MDM for Windows 10, version 1903

New or updated article	Description
Policy CSP	Added the following nodes: DeliveryOptimization/DODelayCacheServerFallbackBackground DeliveryOptimization/DODelayCacheServerFallbackForeground DeviceHealthMonitoring/AllowDeviceHealthMonitoring DeviceHealthMonitoring/ConfigDeviceHealthMonitoringScope DeviceHealthMonitoring/ConfigDeviceHealthMonitoringUploadDestination DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs Experience/ShowLockOnUserTile InternetExplorer/AllowEnhancedSuggestionsInAddressBar InternetExplorer/DisableActiveXVersionListAutoDownload InternetExplorer/DisableCompatView InternetExplorer/DisableFeedsBackgroundSync InternetExplorer/DisableGeolocation InternetExplorer/DisableWebAddressAutoComplete InternetExplorer/NewTabDefaultPage Power/EnergySaverBatteryThresholdOnBattery Power/EnergySaverBatteryThresholdPluggedIn Power/SelectLidCloseActionOnBatterybr> Power/SelectLidCloseActionPluggedIn Power/SelectPowerButtonActionOnBattery Power/SelectPowerButtonActionPluggedIn Power/SelectSleepButtonActionOnBattery Power/SelectSleepButtonActionPluggedIn Power/TurnOffHybridSleepOnBattery Power/TurnOffHybridSleepPluggedIn Power/UnattendedSleepTimeoutOnBattery Power/UnattendedSleepTimeoutPluggedIn Privacy/LetAppsActivateWithVoice Privacy/LetAppsActivateWithVoiceAboveLock Search/AllowFindMyFiles ServiceControlManager/SvchostProcessMitigation System/AllowCommercialDataPipelinebr> System/TurnOffFileHistory TimeLanguageSettings/ConfigureTimeZonebr> Troubleshooting/AllowRecommendations Update/AutomaticMaintenanceWakeUp Update/ConfigureDeadlineForFeatureUpdates Update/ConfigureDeadlineForQualityUpdates Update/ConfigureDeadlineGracePeriod WindowsLogon/AllowAutomaticRestartSignOn WindowsLogon/ConfigAutomaticRestartSignOn WindowsLogon/EnableFirstLogonAnimation
Policy CSP - Audit	Added the new Audit policy CSP.
ApplicationControl CSP	Added the new CSP.
Defender CSP	Added the following new nodes: Health/TamperProtectionEnabled Health/IsVirtualMachine Configuration Configuration/TamperProtection Configuration/EnableFileHashComputation
DiagnosticLog CSP DiagnosticLog DDF	Added version 1.4 of the CSP. Added the new 1.4 version of the DDF. Added the following new nodes: Policy Policy/Channels Policy/Channels/ChannelName Policy/Channels/ChannelName/MaximumFileSize Policy/Channels/ChannelName/SDDL Policy/Channels/ChannelName/ActionWhenFull Policy/Channels/ChannelName/Enabled DiagnosticArchive DiagnosticArchive/ArchiveDefinition DiagnosticArchive/ArchiveResults
EnrollmentStatusTracking CSP	Added the new CSP.
PassportForWork CSP	Added the following new nodes: SecurityKey SecurityKey/UseSecurityKeyForSignin

What's new in MDM for Windows 10, version 1809

New or updated article	Description
Policy CSP	Added the following nodes: ApplicationManagement/LaunchAppAfterLogOn ApplicationManagement/ScheduleForceRestartForUpdateFailures Authentication/EnableFastFirstSignIn (Preview mode only Authentication/EnableWebSignIn (Preview mode only Authentication/PreferredAadTenantDomainName Browser/AllowFullScreenMode Browser/AllowPrelaunch Browser/AllowPrinting Browser/AllowSavingHistory Browser/AllowSideloadingOfExtensions Browser/AllowTabPreloading Browser/AllowWebContentOnNewTabPage Browser/ConfigureFavoritesBar Browser/ConfigureHomeButton Browser/ConfigureKioskMode Browser/ConfigureKioskResetAfterIdleTimeout Browser/ConfigureOpenMicrosoftEdgeWith Browser/ConfigureTelemetryForMicrosoft365Analytics Browser/PreventCertErrorOverrides Browser/SetHomeButtonURL Browser/SetNewTabPageURL Browser/UnlockHomeButton Defender/CheckForSignaturesBeforeRunningScan Defender/DisableCatchupFullScan Defender/DisableCatchupQuickScan Defender/EnableLowCPUPriority Defender/SignatureUpdateFallbackOrder Defender/SignatureUpdateFileSharesSources DeviceGuard/ConfigureSystemGuardLaunch DeviceInstallation/AllowInstallationOfMatchingDeviceIDs DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses DeviceInstallation/PreventDeviceMetadataFromNetwork DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings DmaGuard/DeviceEnumerationPolicy Experience/AllowClipboardHistory Experience/DoNotSyncBrowserSettings Experience/PreventUsersFromTurningOnBrowserSyncing Kerberos/UPNNameHints Privacy/AllowCrossDeviceClipboard Privacy/DisablePrivacyExperience Privacy/UploadUserActivities Security/RecoveryEnvironmentAuthentication System/AllowDeviceNameInDiagnosticData System/ConfigureMicrosoft365UploadEndpoint System/DisableDeviceDelete System/DisableDiagnosticDataViewer Storage/RemovableDiskDenyWriteAccess TaskManager/AllowEndTask Update/DisableWUfBSafeguards Update/EngagedRestartDeadlineForFeatureUpdates Update/EngagedRestartSnoozeScheduleForFeatureUpdates Update/EngagedRestartTransitionScheduleForFeatureUpdates Update/SetDisablePauseUXAccess Update/SetDisableUXWUAccess WindowsDefenderSecurityCenter/DisableClearTpmButton WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl WindowsLogon/DontDisplayNetworkSelectionUI
BitLocker CSP	Added a new node AllowStandardUserEncryption. Added support for Pro edition.
Defender CSP	Added a new node Health/ProductStatus.
DevDetail CSP	Added a new node SMBIOSSerialNumber.
EnterpriseModernAppManagement CSP	Added Non-Removable setting under AppManagement node.
Office CSP	Added FinalStatus setting.
PassportForWork CSP	Added new settings.
RemoteWipe CSP	Added new settings.
SUPL CSP	Added three new certificate nodes.
TenantLockdown CSP	Added new CSP.
Wifi CSP	Added a new node WifiCost.
WindowsDefenderApplicationGuard CSP	Added new settings.
WindowsLicensing CSP	Added S mode settings and SyncML examples.
Win32CompatibilityAppraiser CSP	New CSP.

Additional resources

Documentation

Mobile Device Management overview

Windows provides an enterprise-level solution to mobile management, to help IT pros comply with security policies while avoiding compromise of user's privacy.
[MS-MDE2]: Mobile Device Enrollment Protocol Version 2

Specifies version 2 of the Mobile Device Enrollment Protocol (MDE), which enables enrolling a device with the DMS through an
[MS-MDM]: Mobile Device Management Protocol

Specifies the Mobile Device Management Protocol (MDM), a subset of the Open Mobile Association (OMA) standard protocol,
Enterprise settings and policy management

The DMClient manages the interaction between a device and a server. Learn more about the client-server management workflow.
Mobile device enrollment

Learn how mobile device enrollment verifies that only authenticated and authorized devices are managed by the enterprise.
Support for Windows Information Protection (WIP) on Windows

Learn about implementing the Windows version of Windows Information Protection (WIP), which is a lightweight solution for managing company data access and security on personal devices.
Disconnecting from the management infrastructure (unenrollment)

Disconnecting is initiated either locally by the user using a phone or remotely by the IT admin using management server.
Manage Windows devices in your organization - transitioning to modern management

This article offers strategies for deploying and managing Windows devices, including deploying Windows in a mixed environment.

Training

Learning path

MD-100 Manage apps and Windows updates - Training

MD-100 Manage apps and Windows updates

Certification

Microsoft 365 Certified: Endpoint Administrator Associate - Certifications

Plan and execute an endpoint deployment strategy, using essential elements of modern management, co-management approaches, and Microsoft Intune integration.

Share via