From 002b09d9c7e84765c10275f146299c227478d6aa Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi <89069896+alekyaj@users.noreply.github.com> Date: Tue, 5 Apr 2022 10:10:34 +0530 Subject: [PATCH] CSP Windows 11 updates -part 4 Updated as per task : 5864419. Thanks! --- .../mdm/enrollmentstatustracking-csp.md | 64 ++- .../mdm/enterpriseapn-csp.md | 130 +++--- .../mdm/enterpriseappmanagement-csp.md | 42 +- .../mdm/enterprisedataprotection-csp.md | 96 ++-- .../mdm/enterprisedesktopappmanagement-csp.md | 66 ++- .../mdm/enterprisemodernappmanagement-csp.md | 233 +++++----- windows/client-management/mdm/euiccs-csp.md | 73 ++- windows/client-management/mdm/firewall-csp.md | 414 ++++++++++-------- .../mdm/healthattestation-csp.md | 260 +++++------ .../client-management/mdm/messaging-csp.md | 43 +- 10 files changed, 768 insertions(+), 653 deletions(-) diff --git a/windows/client-management/mdm/enrollmentstatustracking-csp.md b/windows/client-management/mdm/enrollmentstatustracking-csp.md index 3b4e865ccb..63b1aafdd5 100644 --- a/windows/client-management/mdm/enrollmentstatustracking-csp.md +++ b/windows/client-management/mdm/enrollmentstatustracking-csp.md @@ -11,13 +11,22 @@ ms.date: 05/21/2019 # EnrollmentStatusTracking CSP +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|Yes|Yes| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + During Autopilot deployment, you can configure the Enrollment Status Page (ESP) to block the device use until the required apps are installed. You can select the apps that must be installed before using the device. The EnrollmentStatusTracking configuration service provider (CSP) is used by Intune's agents, such as SideCar to configure ESP for blocking the device use until the required Win32 apps are installed. It tracks the installation status of the required policy providers and the apps they install and sends it to ESP, which displays the installation progress message to the user. For more information on ESP, see [Windows Autopilot Enrollment Status page](/windows/deployment/windows-autopilot/enrollment-status). -ESP uses the EnrollmentStatusTracking CSP along with the DMClient CSP to track the installation of different apps. The EnrollmentStatusTracking CSP tracks Win32 apps installations and DMClient CSP tracks MSI and Universal Windows Platform apps installations. In DMClient CSP, the **FirstSyncStatus/ExpectedMSIAppPackages** and **FirstSyncStatus/ExpectedModernAppPackages** nodes list the apps to track their installation. See [DMClient CSP](dmclient-csp.md) for more information. +ESP uses the EnrollmentStatusTracking CSP along with the DMClient CSP to track the installation of different apps. The EnrollmentStatusTracking CSP tracks Win32 apps installations and DMClient CSP tracks MSI and Universal Windows Platform apps installations. In DMClient CSP, the **FirstSyncStatus/ExpectedMSIAppPackages** and **FirstSyncStatus/ExpectedModernAppPackages** nodes list the apps to track their installation. For more information, see [DMClient CSP](dmclient-csp.md). The EnrollmentStatusTracking CSP was added in Windows 10, version 1903. - The following shows the EnrollmentStatusTracking CSP in tree format. ``` ./User/Vendor/MSFT @@ -59,6 +68,7 @@ EnrollmentStatusTracking ------------------------RebootRequired --------HasProvisioningCompleted ``` + **./Vendor/MSFT** For device context, use **./Device/Vendor/MSFT** path and for user context, use **./User/Vendor/MSFT** path. @@ -93,10 +103,11 @@ Communicates the policy provider installation state back to ESP. Scope is dynamic. Supported operations are Get, Add, Delete, and Replace. Value type is integer. Expected values are as follows: -- 1 — NotInstalled -- 2 — NotRequired -- 3 — Completed -- 4 — Error + +- 1—NotInstalled +- 2—NotRequired +- 3—Completed +- 4—Error **EnrollmentStatusTracking/DevicePreparation/PolicyProviders/*ProviderName*/LastError** Required. This node is supported only in device context. @@ -127,8 +138,9 @@ This node specifies if the policy provider is registered for app provisioning. Scope is dynamic. Supported operations are Get, Add, Delete, and Replace. Value type is boolean. Expected values are as follows: -- false — Indicates that the policy provider is not registered for app provisioning. This is the default. -- true — Indicates that the policy provider is registered for app provisioning. + +- false—Indicates that the policy provider isn't registered for app provisioning. This is the default. +- true—Indicates that the policy provider is registered for app provisioning. **EnrollmentStatusTracking/Setup** Required. This node is supported in both user context and device context. @@ -150,7 +162,7 @@ Scope is permanent. Supported operation is Get. **EnrollmentStatusTracking/Setup/Apps/PolicyProviders**/***ProviderName*** Optional. This node is supported in both user context and device context. -Represents an app policy provider for the ESP. Existence of this node indicates to the ESP that it should not show the tracking status message until the TrackingPoliciesCreated node has been set to true. +Represents an app policy provider for the ESP. Existence of this node indicates to the ESP that it shouldn't show the tracking status message until the TrackingPoliciesCreated node has been set to true. Scope is dynamic. Supported operations are Get, Add, Delete, and Replace. @@ -161,8 +173,9 @@ Indicates if the provider has created the required policies for the ESP to use f Scope is dynamic. Supported operations are Get, Add, Delete, and Replace. Value type is boolean. The expected values are as follows: -- true — Indicates that the provider has created the required policies. -- false — Indicates that the provider has not created the required policies. This is the default. + +- true—Indicates that the provider has created the required policies. +- false—Indicates that the provider hasn't created the required policies. This is the default. **EnrollmentStatusTracking/Setup/Apps/Tracking** Required. This node is supported in both user context and device context. @@ -178,7 +191,7 @@ Scope is dynamic. Supported operations are Get, Add, Delete, and Replace. **EnrollmentStatusTracking/Setup/Apps/Tracking/*ProviderName*/_AppName_** Optional. This node is supported in both user context and device context. -Represents a unique name for the app whose progress should be tracked by the ESP. The policy provider can define any arbitrary app name as ESP does not use the app name directly. +Represents a unique name for the app whose progress should be tracked by the ESP. The policy provider can define any arbitrary app name as ESP doesn't use the app name directly. Scope is dynamic. Supported operations are Get, Add, Delete, and Replace. @@ -189,21 +202,23 @@ Represents the installation state for the app. The policy providers (not the MDM Scope is dynamic. Supported operations are Get, Add, Delete, and Replace. Value type is integer. Expected values are as follows: -- 1 — NotInstalled -- 2 — InProgress -- 3 — Completed -- 4 — Error + +- 1—NotInstalled +- 2—InProgress +- 3—Completed +- 4—Error **EnrollmentStatusTracking/Setup/Apps/Tracking/*ProviderName*/*AppName*/RebootRequired** Optional. This node is supported in both user context and device context. -Indicates if the app installation requires ESP to issue a reboot. The policy providers installing the app (not the MDM server) must set this node. If the policy providers do not set this node, the ESP will not reboot the device for the app installation. +Indicates if the app installation requires ESP to issue a reboot. The policy providers installing the app (not the MDM server) must set this node. If the policy providers don't set this node, the ESP won't reboot the device for the app installation. Scope is dynamic. Supported operations are Get, Add, Delete, and Replace. Value type is integer. Expected values are as follows: -- 1 — NotRequired -- 2 — SoftReboot -- 3 — HardReboot + +- 1—NotRequired +- 2—SoftReboot +- 3—HardReboot **EnrollmentStatusTracking/Setup/HasProvisioningCompleted** Required. This node is supported in both user context and device context. @@ -212,5 +227,10 @@ ESP sets this node when it completes. Providers can query this node to determine Scope is permanent. Supported operation is Get. Value type is boolean. Expected values are as follows: -- true — Indicates that ESP has completed. This is the default. -- false — Indicates that ESP is displayed, and provisioning is still going. \ No newline at end of file + +- true—Indicates that ESP has completed. This is the default. +- false—Indicates that ESP is displayed, and provisioning is still going. + +## Related topics + +[Configuration service provider reference](configuration-service-provider-reference.md) \ No newline at end of file diff --git a/windows/client-management/mdm/enterpriseapn-csp.md b/windows/client-management/mdm/enterpriseapn-csp.md index 2b50af966e..b279b0bc1e 100644 --- a/windows/client-management/mdm/enterpriseapn-csp.md +++ b/windows/client-management/mdm/enterpriseapn-csp.md @@ -1,6 +1,6 @@ --- title: EnterpriseAPN CSP -description: The EnterpriseAPN configuration service provider is used by the enterprise to provision an APN for the Internet. +description: Learn how the EnterpriseAPN configuration service provider is used by the enterprise to provision an APN for the Internet. ms.assetid: E125F6A5-EE44-41B1-A8CC-DF295082E6B2 ms.reviewer: manager: dansimp @@ -14,10 +14,20 @@ ms.date: 09/22/2017 # EnterpriseAPN CSP +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|Yes|Yes| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + The EnterpriseAPN configuration service provider (CSP) is used by the enterprise to provision an APN for the Internet. > [!Note] -> Starting in Windows 10, version 1703 the EnterpriseAPN CSP is supported in Windows 10 Home, Pro, Enterprise, and Education editions. +> Starting in Windows 10, version 1703 the EnterpriseAPN CSP is supported in Windows 10/Windows 11 Home, Pro, Enterprise, and Education editions. The following shows the EnterpriseAPN configuration service provider in tree format. ``` @@ -39,111 +49,112 @@ EnterpriseAPN --------HideView ``` **EnterpriseAPN** -

The root node for the EnterpriseAPN configuration service provider.

+The root node for the EnterpriseAPN configuration service provider. **EnterpriseAPN/***ConnectionName* -

Name of the connection as seen by Windows Connection Manager.

+Name of the connection as seen by Windows Connection Manager. -

Supported operations are Add, Get, Delete, and Replace.

+Supported operations are Add, Get, Delete, and Replace. **EnterpriseAPN/*ConnectionName*/APNName** -

Enterprise APN name.

+Enterprise APN name. -

Supported operations are Add, Get, Delete, and Replace.

+Supported operations are Add, Get, Delete, and Replace. **EnterpriseAPN/*ConnectionName*/IPType** -

This value can be one of the following:

+This value can be one of the following: -- IPv4 - only IPV4 connection type -- IPv6 - only IPv6 connection type -- IPv4v6 (default)- IPv4 and IPv6 concurrently. -- IPv4v6xlat - IPv6 with IPv4 provided by 46xlat +- IPv4 - only IPV4 connection type. +- IPv6 - only IPv6 connection type. +- IPv4v6 (default)- IPv4 and IPv6 concurrently. +- IPv4v6xlat - IPv6 with IPv4 provided by 46xlat. -

Supported operations are Add, Get, Delete, and Replace.

+Supported operations are Add, Get, Delete, and Replace. **EnterpriseAPN/*ConnectionName*/IsAttachAPN** -

Boolean value that indicates whether this APN should be requested as part of an LTE Attach. Default value is false.

+Boolean value that indicates whether this APN should be requested as part of an LTE Attach. -

Supported operations are Add, Get, Delete, and Replace.

+Default value is false. + +Supported operations are Add, Get, Delete, and Replace. **EnterpriseAPN/*ConnectionName*/ClassId** -

GUID that defines the APN class to the modem. This is the same as the OEMConnectionId in CM_CellularEntries CSP. Normally this setting is not present. It is only required when IsAttachAPN is true and the attach APN is not only used as the Internet APN.

+GUID that defines the APN class to the modem. This is the same as the OEMConnectionId in CM_CellularEntries CSP. Normally this setting isn't present. It's only required when IsAttachAPN is true and the attach APN isn't only used as the Internet APN. -

Supported operations are Add, Get, Delete, and Replace.

+Supported operations are Add, Get, Delete, and Replace. **EnterpriseAPN/*ConnectionName*/AuthType** -

Authentication type. This value can be one of the following:

+Authentication type. This value can be one of the following: -- None (default) -- Auto -- PAP -- CHAP -- MSCHAPv2 +- None (default) +- Auto +- PAP +- CHAP +- MSCHAPv2 -

Supported operations are Add, Get, Delete, and Replace.

+Supported operations are Add, Get, Delete, and Replace. **EnterpriseAPN/*ConnectionName*/UserName** -

User name for use with PAP, CHAP, or MSCHAPv2 authentication.

+User name for use with PAP, CHAP, or MSCHAPv2 authentication. -

Supported operations are Add, Get, Delete, and Replace.

+Supported operations are Add, Get, Delete, and Replace. **EnterpriseAPN/*ConnectionName*/Password** -

Password corresponding to the username.

+Password corresponding to the username. -

Supported operations are Add, Get, Delete, and Replace.

+Supported operations are Add, Get, Delete, and Replace. **EnterpriseAPN/*ConnectionName*/IccId** -

Integrated Circuit Card ID (ICCID) associated with the cellular connection profile. If this node is not present, the connection is created on a single-slot device using the ICCID of the UICC and on a dual-slot device using the ICCID of the UICC that is active for data.

+Integrated Circuit Card ID (ICCID) associated with the cellular connection profile. If this node isn't present, the connection is created on a single-slot device using the ICCID of the UICC and on a dual-slot device using the ICCID of the UICC that is active for data. -

Supported operations are Add, Get, Delete, and Replace.

+Supported operations are Add, Get, Delete, and Replace. **EnterpriseAPN/*ConnectionName*/AlwaysOn** -

Added in Windows 10, version 1607. Boolean value that specifies whether the CM will automatically attempt to connect to the APN when a connection is available.

+Added in Windows 10, version 1607. Boolean value that specifies whether the CM will automatically attempt to connect to the APN when a connection is available. -

The default value is true.

+The default value is true. -

Supported operations are Add, Get, Delete, and Replace.

+Supported operations are Add, Get, Delete, and Replace. **EnterpriseAPN/*ConnectionName*/Enabled** -

Added in Windows 10, version 1607. Boolean that specifies whether the connection is enabled.

+Added in Windows 10, version 1607. Boolean that specifies whether the connection is enabled. -

The default value is true.

+The default value is true. -

Supported operations are Add, Get, Delete, and Replace.

+Supported operations are Add, Get, Delete, and Replace. **EnterpriseAPN/*ConnectionName*/Roaming** -

Added in Windows 10, version 1703. Specifies whether the connection should be activated when the device is roaming. Valid values:

+Added in Windows 10, version 1703. Specifies whether the connection should be activated when the device is roaming. Valid values are: - +- 0 - Disallowed +- 1 - Allowed +- 2 - DomesticRoaming +- 3 - UseOnlyForDomesticRoaming +- 4 - UseOnlyForNonDomesticRoaming +- 5 - UseOnlyForRoaming -

Default is 1 (all roaming allowed).

+Default is 1 (all roaming allowed). -

Value type is string. Supported operations are Add, Get, Delete, and Replace.

+Value type is string. +Supported operations are Add, Get, Delete, and Replace. **EnterpriseAPN/Settings** -

Added in Windows 10, version 1607. Node that contains global settings.

+Added in Windows 10, version 1607. Node that contains global settings. **EnterpriseAPN/Settings/AllowUserControl** -

Added in Windows 10, version 1607. Boolean value that specifies whether the cellular UX will allow users to connect with other APNs other than the Enterprise APN.

+Added in Windows 10, version 1607. Boolean value that specifies whether the cellular UX will allow users to connect with other APNs other than the Enterprise APN. -

The default value is false.

+The default value is false. -

Supported operations are Get and Replace.

+Supported operations are Get and Replace. **EnterpriseAPN/Settings/HideView** -

Added in Windows 10, version 1607. Boolean that specifies whether the cellular UX will allow the user to view enterprise APNs. Only applicable if AllowUserControl is true.

+Added in Windows 10, version 1607. Boolean that specifies whether the cellular UX will allow the user to view enterprise APNs. Only applicable if AllowUserControl is true. -

The default value is false.

+The default value is false. -

Supported operations are Get and Replace.

+Supported operations are Get and Replace. ## Examples @@ -290,15 +301,4 @@ atomicZ ## Related topics - [Configuration service provider reference](configuration-service-provider-reference.md) - - - - - - - - - - diff --git a/windows/client-management/mdm/enterpriseappmanagement-csp.md b/windows/client-management/mdm/enterpriseappmanagement-csp.md index 4192b8bdcc..6893031aed 100644 --- a/windows/client-management/mdm/enterpriseappmanagement-csp.md +++ b/windows/client-management/mdm/enterpriseappmanagement-csp.md @@ -1,6 +1,6 @@ --- title: EnterpriseAppManagement CSP -description: Handle enterprise application management tasks using EnterpriseAppManagement configuration service provider (CSP). +description: Learn how to handle enterprise application management tasks using EnterpriseAppManagement configuration service provider (CSP). ms.assetid: 698b8bf4-652e-474b-97e4-381031357623 ms.reviewer: manager: dansimp @@ -14,12 +14,10 @@ ms.date: 06/26/2017 # EnterpriseAppManagement CSP - The EnterpriseAppManagement enterprise configuration service provider is used to handle enterprise application management tasks such as installing an enterprise application token, the first auto-downloadable app link, querying installed enterprise applications (name and version), auto updating already installed enterprise applications, and removing all installed enterprise apps (including the enterprise app token) during unenrollment. > [!NOTE] > The EnterpriseAppManagement CSP is only supported in Windows 10 IoT Core. - The following shows the EnterpriseAppManagement configuration service provider in tree format. @@ -52,7 +50,7 @@ EnterpriseAppManagement ``` ***EnterpriseID*** -Optional. A dynamic node that represents the EnterpriseID as a GUID. It is used to enroll or unenroll enterprise applications. +Optional. A dynamic node that represents the EnterpriseID as a GUID. It's used to enroll or unenroll enterprise applications. Supported operations are Add, Delete, and Get. @@ -84,8 +82,6 @@ Supported operations are Get and Add. > [!NOTE] > Do NOT use Subject=CN%3DB1C43CD0-1624-5FBB-8E54-34CF17DFD3A1\\x00. The server must replace this value in the supplied client certificate. If your server returns a client certificate containing the same Subject value, this can cause unexpected behavior. The server should always override the subject value and not use the default device-provided Device ID Subject= Subject=CN%3DB1C43CD0-1624-5FBB-8E54-34CF17DFD3A1\\x00 - - ***EnterpriseID*/Status** Required. The integer value that indicates the current status of the application enrollment. Valid values are 0 (ENABLED), 1 (INSTALL\_DISABLED), 2 (REVOKED), and 3 (INVALID). Scope is dynamic. @@ -168,7 +164,7 @@ Required. The integer value that indicates the status of the current download pr |4: INSTALLING|Handed off for installation.| |5: INSTALLED|Successfully installed| |6: FAILED|Application was rejected (not signed properly, bad XAP format, not enrolled properly, etc.)| -|7:DOWNLOAD_FAILED|Unable to connect to server, file doesn't exist, etc.| +|7: DOWNLOAD_FAILED|Unable to connect to server, file doesn't exist, etc.| Scope is dynamic. Supported operations are Get, Add, and Replace. @@ -187,14 +183,13 @@ Supported operation is Exec. ## Remarks - ### Install and Update Line of Business (LOB) applications -A workplace can automatically install and update Line of Business applications during a management session. Line of Business applications support a variety of file types including XAP (8.0 and 8.1), AppX, and AppXBundles. A workplace can also update applications from XAP file formats to Appx and AppxBundle formats through the same channel. For more information, see the Examples section. +A workplace can automatically install and update Line of Business applications during a management session. Line of Business applications supports various file types including XAP (8.0 and 8.1), AppX, and AppXBundles. A workplace can also update applications from XAP file formats to Appx and AppxBundle formats through the same channel. For more information, see the Examples section. ### Uninstall Line of Business (LOB) applications -A workplace can also remotely uninstall Line of Business applications on the device. It is not possible to use this mechanism to uninstall Store applications on the device or Line of Business applications that are not installed by the enrolled workplace (for side-loaded application scenarios). For more information, see the Examples section +A workplace can also remotely uninstall Line of Business applications on the device. It isn't possible to use this mechanism to uninstall Store applications on the device or Line of Business applications that aren't installed by the enrolled workplace (for side-loaded application scenarios). For more information, see the Examples section ### Query installed Store application @@ -240,25 +235,18 @@ Response from the device (it contains list of subnodes if this app is installed All node values under the ProviderID interior node represent the policy values that the management server wants to set. -- An Add or Replace command on those nodes returns success in both of the following cases: - - - The value is actually applied to the device. - - - The value isn’t applied to the device because the device has a more secure value set already. - +- An Add or Replace command on those nodes returns success in both of the following cases: + - The value is applied to the device. + - The value isn’t applied to the device because the device has a more secure value set already. From a security perspective, the device complies with the policy request that is at least as secure as the one requested. - -- A Get command on those nodes returns the value that the server pushes down to the device. - -- If a Replace command fails, the node value is set to be the previous value before Replace command was applied. - -- If an Add command fails, the node is not created. +- A Get command on those nodes returns the value that the server pushes down to the device. +- If a Replace command fails, the node value is set to be the previous value before Replace command was applied. +- If an Add command fails, the node is not created. The value actually applied to the device can be queried via the nodes under the DeviceValue interior node. ## OMA DM examples - Enroll enterprise ID “4000000001” for the first time: ```xml @@ -427,18 +415,15 @@ Response from the device (that contains two installed applications): ## Install and update an enterprise application - Install or update the installed app with the product ID “{B316008A-141D-4A79-810F-8B764C4CFDFB}”. -To perform an XAP update, create the Name, URL, Version, and DownloadInstall nodes first, then perform an “execute” on the “DownloadInstall” node (all within an “Atomic” operation). If the application does not exist, the application will be silently installed without any user interaction. If the application cannot be installed, the user will be notified with an Alert dialog. +To perform an XAP update, create the Name, URL, Version, and DownloadInstall nodes first, then perform an “execute” on the “DownloadInstall” node (all within an “Atomic” operation). If the application doesn't exist, the application will be silently installed without any user interaction. If the application can't be installed, the user will be notified with an Alert dialog. > [!NOTE] +> > - If a previous app-update node existed for this product ID (the node can persist for up to 1 week or 7 days after an installation has completed), then a 418 (already exist) error would be returned on the “Add”. To get around the 418 error, the server should issue a Replace command for the Name, URL, and Version nodes, and then execute on the “DownloadInstall” (within an “Atomic” operation). -> > - The application product ID curly braces need to be escaped where { is %7B and } is %7D. - - ```xml 2 @@ -527,7 +512,6 @@ Uninstall an installed enterprise application with product ID “{7BB316008A-141 ## Related topics - [Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/enterprisedataprotection-csp.md b/windows/client-management/mdm/enterprisedataprotection-csp.md index e406d98d74..9511b9cea7 100644 --- a/windows/client-management/mdm/enterprisedataprotection-csp.md +++ b/windows/client-management/mdm/enterprisedataprotection-csp.md @@ -1,6 +1,6 @@ --- title: EnterpriseDataProtection CSP -description: The EnterpriseDataProtection configuration service provider (CSP) configures Windows Information Protection (formerly, Enterprise Data Protection) settings. +description: Learn how the EnterpriseDataProtection configuration service provider (CSP) configures Windows Information Protection (formerly, Enterprise Data Protection) settings. ms.assetid: E2D4467F-A154-4C00-9208-7798EF3E25B3 ms.reviewer: manager: dansimp @@ -14,20 +14,28 @@ ms.date: 08/09/2017 # EnterpriseDataProtection CSP +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|Yes|Yes| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + The EnterpriseDataProtection configuration service provider (CSP) is used to configure settings for Windows Information Protection (WIP), formerly known as Enterprise Data Protection. For more information about WIP, see [Protect your enterprise data using Windows Information Protection (WIP)](/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip). > [!Note] > To make WIP functional, the AppLocker CSP and the network isolation-specific settings must also be configured. For more information, see [AppLocker CSP](applocker-csp.md) and NetworkIsolation policies in [Policy CSP](policy-configuration-service-provider.md). -> - This CSP was added in Windows 10, version 1607. - - +> This CSP was added in Windows 10, version 1607. While WIP has no hard dependency on VPN, for best results you should configure VPN profiles first before you configure the WIP policies. For VPN best practice recommendations, see [VPNv2 CSP](vpnv2-csp.md). To learn more about WIP, see the following articles: -- [Create a Windows Information Protection (WIP) policy](/windows/security/information-protection/windows-information-protection/overview-create-wip-policy) -- [General guidance and best practices for Windows Information Protection (WIP)](/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip) +- [Create a Windows Information Protection (WIP) policy](/windows/security/information-protection/windows-information-protection/overview-create-wip-policy) +- [General guidance and best practices for Windows Information Protection (WIP)](/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip) The following shows the EnterpriseDataProtection CSP in tree format. @@ -53,21 +61,24 @@ The root node for the CSP. The root node for the Windows Information Protection (WIP) configuration settings. **Settings/EDPEnforcementLevel** -Set the WIP enforcement level. Note that setting this value is not sufficient to enable WIP on the device. Attempts to change this value will fail when the WIP cleanup is running. +Set the WIP enforcement level. + +> [!Note] +> Setting this value isn't sufficient to enable WIP on the device. Attempts to change this value will fail when the WIP cleanup is running. The following list shows the supported values: -- 0 (default) – Off / No protection (decrypts previously protected data). -- 1 – Silent mode (encrypt and audit only). -- 2 – Allow override mode (encrypt, prompt and allow overrides, and audit). -- 3 – Hides overrides (encrypt, prompt but hide overrides, and audit). +- 0 (default) – Off / No protection (decrypts previously protected data). +- 1 – Silent mode (encrypt and audit only). +- 2 – Allow override mode (encrypt, prompt and allow overrides, and audit). +- 3 – Hides overrides (encrypt, prompt but hide overrides, and audit). Supported operations are Add, Get, Replace, and Delete. Value type is integer. **Settings/EnterpriseProtectedDomainNames** -A list of domains used by the enterprise for its user identities separated by pipes ("|").The first domain in the list must be the primary enterprise ID, that is, the one representing the managing authority for WIP. User identities from one of these domains is considered an enterprise managed account and data associated with it should be protected. For example, the domains for all email accounts owned by the enterprise would be expected to appear in this list. Attempts to change this value will fail when the WIP cleanup is running. +A list of domains used by the enterprise for its user identities separated by pipes ("|"). The first domain in the list must be the primary enterprise ID, that is, the one representing the managing authority for WIP. User identities from one of these domains is considered an enterprise managed account and data associated with it should be protected. For example, the domains for all email accounts owned by the enterprise would be expected to appear in this list. Attempts to change this value will fail when the WIP cleanup is running. -Changing the primary enterprise ID is not supported and may cause unexpected behavior on the client. +Changing the primary enterprise ID isn't supported and may cause unexpected behavior on the client. > [!Note] > The client requires domain name to be canonical, otherwise the setting will be rejected by the client. @@ -75,22 +86,22 @@ Changing the primary enterprise ID is not supported and may cause unexpected beh Here are the steps to create canonical domain names: -1. Transform the ASCII characters (A-Z only) to lowercase. For example, Microsoft.COM -> microsoft.com. -2. Call [IdnToAscii](/windows/win32/api/winnls/nf-winnls-idntoascii) with IDN\_USE\_STD3\_ASCII\_RULES as the flags. -3. Call [IdnToUnicode](/windows/win32/api/winnls/nf-winnls-idntounicode) with no flags set (dwFlags = 0). +1. Transform the ASCII characters (A-Z only) to lowercase. For example, Microsoft.COM -> microsoft.com. +2. Call [IdnToAscii](/windows/win32/api/winnls/nf-winnls-idntoascii) with IDN\_USE\_STD3\_ASCII\_RULES as the flags. +3. Call [IdnToUnicode](/windows/win32/api/winnls/nf-winnls-idntounicode) with no flags set (dwFlags = 0). Supported operations are Add, Get, Replace, and Delete. Value type is string. **Settings/AllowUserDecryption** -Allows the user to decrypt files. If this is set to 0 (Not Allowed), then the user will not be able to remove protection from enterprise content through the operating system or the application user experiences. +Allows the user to decrypt files. If this is set to 0 (Not Allowed), then the user won't be able to remove protection from enterprise content through the operating system or the application user experiences. > [!IMPORTANT] > Starting in Windows 10, version 1703, AllowUserDecryption is no longer supported. The following list shows the supported values: -- 0 – Not allowed. -- 1 (default) – Allowed. +- 0 – Not allowed. +- 1 (default) – Allowed. Most restricted value is 0. @@ -226,25 +237,25 @@ typedef enum _PUBLIC_KEY_SOURCE_TAG { } PUBLIC_KEY_SOURCE_TAG, *PPUBLIC_KEY_SOURCE_TAG; ``` -For EFSCertificate KeyTag, it is expected to be a DER ENCODED binary certificate. +For EFSCertificate KeyTag, it's expected to be a DER ENCODED binary certificate. Supported operations are Add, Get, Replace, and Delete. Value type is base-64 encoded certificate. **Settings/RevokeOnUnenroll** -This policy controls whether to revoke the WIP keys when a device unenrolls from the management service. If set to 0 (Don't revoke keys), the keys will not be revoked and the user will continue to have access to protected files after unenrollment. If the keys are not revoked, there will be no revoked file cleanup subsequently. Prior to sending the unenroll command, when you want a device to do a selective wipe when it is unenrolled, then you should explicitly set this policy to 1. +This policy controls whether to revoke the WIP keys when a device unenrolls from the management service. If set to 0 (Don't revoke keys), the keys won't be revoked and the user will continue to have access to protected files after unenrollment. If the keys aren't revoked, there will be no revoked file cleanup after. Prior to sending the unenroll command, when you want a device to do a selective wipe when it's unenrolled, then you should explicitly set this policy to 1. The following list shows the supported values: -- 0 – Don't revoke keys. -- 1 (default) – Revoke keys. +- 0 – Don't revoke keys. +- 1 (default) – Revoke keys. Supported operations are Add, Get, Replace, and Delete. Value type is integer. **Settings/RevokeOnMDMHandoff** -Added in Windows 10, version 1703. This policy controls whether to revoke the WIP keys when a device upgrades from mobile application management (MAM) to MDM. If set to 0 (Don't revoke keys), the keys will not be revoked and the user will continue to have access to protected files after upgrade. This is recommended if the MDM service is configured with the same WIP EnterpriseID as the MAM service. +Added in Windows 10, version 1703. This policy controls whether to revoke the WIP keys when a device upgrades from mobile application management (MAM) to MDM. If set to 0 (Don't revoke keys), the keys won't be revoked and the user will continue to have access to protected files after upgrade. This is recommended if the MDM service is configured with the same WIP EnterpriseID as the MAM service. -- 0 - Don't revoke keys -- 1 (default) - Revoke keys +- 0 - Don't revoke keys. +- 1 (default) - Revoke keys. Supported operations are Add, Get, Replace, and Delete. Value type is integer. @@ -256,22 +267,22 @@ Supported operations are Add, Get, Replace, and Delete. Value type is string (GU **Settings/AllowAzureRMSForEDP** Specifies whether to allow Azure RMS encryption for WIP. -- 0 (default) – Don't use RMS. -- 1 – Use RMS. +- 0 (default) – Don't use RMS. +- 1 – Use RMS. Supported operations are Add, Get, Replace, and Delete. Value type is integer. **Settings/SMBAutoEncryptedFileExtensions** -Added in Windows 10, version 1703. Specifies a list of file extensions, so that files with these extensions are encrypted when copying from an Server Message Block (SMB) share within the corporate boundary as defined in the Policy CSP nodes for NetworkIsolation/EnterpriseIPRange and NetworkIsolation/EnterpriseNetworkDomainNames. Use semicolon (;) delimiter in the list. -When this policy is not specified, the existing auto-encryption behavior is applied. When this policy is configured, only files with the extensions in the list will be encrypted. +Added in Windows 10, version 1703. Specifies a list of file extensions, so that files with these extensions are encrypted when copying from a Server Message Block (SMB) share within the corporate boundary as defined in the Policy CSP nodes for [NetworkIsolation/EnterpriseIPRange](policy-configuration-service-provider.md#networkisolation-enterpriseiprange) and [NetworkIsolation/EnterpriseNetworkDomainNames](policy-configuration-service-provider.md#networkisolation-enterprisenetworkdomainnames). Use semicolon (;) delimiter in the list. +When this policy isn't specified, the existing auto-encryption behavior is applied. When this policy is configured, only files with the extensions in the list will be encrypted. Supported operations are Add, Get, Replace and Delete. Value type is string. **Settings/EDPShowIcons** Determines whether overlays are added to icons for WIP protected files in Explorer and enterprise only app tiles on the **Start** menu. Starting in Windows 10, version 1703 this setting also configures the visibility of the WIP icon in the title bar of a WIP-protected app. The following list shows the supported values: -- 0 (default) - No WIP overlays on icons or tiles. -- 1 - Show WIP overlays on protected files and apps that can only create enterprise content. +- 0 (default) - No WIP overlays on icons or tiles. +- 1 - Show WIP overlays on protected files and apps that can only create enterprise content. Supported operations are Add, Get, Replace, and Delete. Value type is integer. @@ -284,25 +295,26 @@ Suggested values: |--- |--- |--- |--- |--- | |4|3|2|1|0| - - Bit 0 indicates whether WIP is on or off. Bit 1 indicates whether AppLocker WIP policies are set. -Bit 3 indicates whether the mandatory WIP policies are configured. If one or more of the mandatory WIP policies are not configured, the bit 3 is set to 0 (zero). +Bit 3 indicates whether the mandatory WIP policies are configured. If one or more of the mandatory WIP policies aren't configured, the bit 3 is set to 0 (zero). -Here's the list of mandatory WIP policies: +Here's the list of mandatory WIP policies: -- EDPEnforcementLevel in EnterpriseDataProtection CSP -- DataRecoveryCertificate in EnterpriseDataProtection CSP -- EnterpriseProtectedDomainNames in EnterpriseDataProtection CSP -- NetworkIsolation/EnterpriseIPRange in Policy CSP -- NetworkIsolation/EnterpriseNetworkDomainNames in Policy CSP +- EDPEnforcementLevel in EnterpriseDataProtection CSP +- DataRecoveryCertificate in EnterpriseDataProtection CSP +- EnterpriseProtectedDomainNames in EnterpriseDataProtection CSP +- NetworkIsolation/EnterpriseIPRange in Policy CSP +- NetworkIsolation/EnterpriseNetworkDomainNames in Policy CSP Bits 2 and 4 are reserved for future use. Supported operation is Get. Value type is integer. - +## Related topics + +[Configuration service provider reference](configuration-service-provider-reference.md) + diff --git a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md index 5df6a8b40b..474769fa3b 100644 --- a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md +++ b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md @@ -1,6 +1,6 @@ --- title: EnterpriseDesktopAppManagement CSP -description: The EnterpriseDesktopAppManagement CSP handles enterprise desktop application management tasks, such as installing or removing applications. +description: Learn how the EnterpriseDesktopAppManagement CSP handles enterprise desktop application management tasks, such as installing or removing applications. ms.assetid: 2BFF7491-BB01-41BA-9A22-AB209EE59FC5 ms.reviewer: manager: dansimp @@ -14,10 +14,19 @@ ms.date: 07/11/2017 # EnterpriseDesktopAppManagement CSP +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| The EnterpriseDesktopAppManagement configuration service provider is used to handle enterprise desktop application management tasks, such as querying installed enterprise applications, installing applications, or removing applications. -Application installations can take some time to complete, hence they are done asynchronously. When the Exec command is completed, the client can send a generic alert to the management server with a status, whether it's a failure or success. For a SyncML example, see [Alert example](#alert-example). +Application installations can take some time to complete, hence they're done asynchronously. When the Exec command is completed, the client can send a generic alert to the management server with a status, whether it's a failure or success. For a SyncML example, see [Alert example](#alert-example). The following shows the EnterpriseDesktopAppManagement CSP in tree format. @@ -66,9 +75,9 @@ Installation date of the application. Value type is string. Supported operation **MSI/*ProductID*/DownloadInstall** Executes the download and installation of the application. Value type is string. Supported operations are Execute and Get. -In Windows 10, version 1703 service release, a new tag \ was added to the \ section of the XML. The default value is 0 (do not send token). This tag is optional and needs to be set to 1 in case the server wants the download URL to get the AADUserToken.\ 0 will set the timeout to infinite. +In Windows 10, version 1703 service release, a new tag \ was added to the \ section of the XML. The default value is 0 (don't send token). This tag is optional and needs to be set to 1 in case the server wants the download URL to get the AADUserToken.\ 0 will set the timeout to infinite. -Here is an example: +Here's an example: ```xml @@ -96,15 +105,13 @@ Status of the application. Value type is string. Supported operation is Get. | Enforcement Failed | 60 | | Enforcement Completed | 70 | - - **MSI/*ProductID*/LastError** The last error code during the application installation process. This is typically stored as an HRESULT format. Depending on what was occurring when the error happened, this could be the result of executing MSIExec.exe or the error result from an API that failed. Value type is string. Supported operation is Get. **MSI/*ProductID*/LastErrorDesc** -Contains the last error code description. The LastErrorDesc value is looked up for the matching LastError value. Sometimes there is no LastErrorDesc returned. +Contains the last error code description. The LastErrorDesc value is looked up for the matching LastError value. Sometimes there's no LastErrorDesc returned. Value type is string. Supported operation is Get. @@ -116,10 +123,8 @@ Added in the March service release of Windows 10, version 1607. A gateway (or de Value type is string. Supported operation is Get. - ## Examples - **SyncML to request CSP version information** ```xml @@ -143,12 +148,10 @@ The following table describes the fields in the previous sample: | Name | Description | |--------|-------------------------------------------------------------------------------------------------------------------------------| | Get | Operation being performed. The Get operation is a request to return information. | -| CmdID | Input value used to reference the request. Responses will include this value which can be used to match request and response. | +| CmdID | Input value used to reference the request. Responses will include this value that can be used to match request and response. | | LocURI | Path to Win32 CSP command processor. | - - -**SyncML to perform MSI operations for application uninstall** +**SyncML to perform MSI operations for application uninstall:** ```xml @@ -171,7 +174,7 @@ The following table describes the fields in the previous sample: | Name | Description | |--------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | Delete | Operation being performed. The Delete operation is a request to delete the CSP node that represents the specified MSI installed application and to perform and uninstall of the application as part of the process. | -| CmdID | Input value used to reference the request. Responses will include this value which can be used to match request and response. | +| CmdID | Input value used to reference the request. Responses will include this value that can be used to match request and response. | | LocURI | Path to Win32 CSP command processor, including the Product ID (in this example, 1803A630-3C38-4D2B-9B9A-0CB37243539C) property escaped for XML formatting. | @@ -199,11 +202,9 @@ The following table describes the fields in the previous sample: | Name | Description | |--------|-----------------------| | Get | Operation being performed. The Get operation is a request to report the status of the specified MSI installed application.| -| CmdID | Input value used to reference the request. Responses will include this value which can be used to match request and response. | +| CmdID | Input value used to reference the request. Responses will include this value that can be used to match request and response. | | LocURI | Path to Win32 CSP command processor, including the Product ID (in this example, 1803A630-3C38-4D2B-9B9A-0CB37243539C) property escaped for XML formatting. | - - **SyncML to perform MSI install operations for an application targeted to a specific user on the device. The Add command is required to precede the Exec command.** ```xml @@ -262,15 +263,12 @@ The following table describes the fields in the previous sample: |Name|Description| |--- |--- | |Add|This is required to precede the Exec command.
  • CmdID - Input value used to reference the request. Responses include this value, which can be used to match the request and response.
  • LocURI - Path to Win32 CSP command processor, including the Product ID (in this example, 1803A630-3C38-4D2B-9B9A-0CB37243539C) property escaped for XML formatting.| -|Exec|The Exec node includes the parameters and properties requires to locate, download, validate and perform product installation.
  • CmdID - Input value used to reference the request. Responses will include this value which can be used to match request and response.
  • LocURI - Path to Win32 CSP command processor, including the Product ID (in this example, 1803A630-3C38-4D2B-9B9A-0CB37243539C) property escaped for XML formatting.
  • Data - The Data node contains an embedded XML, of type “MsiInstallJob”
  • MsiInstallJob - Contains all information required for the successful download, validation and execution of the MSI installation process (see section at the end of this document for details on this embedded data object).| - +|Exec|The Exec node includes the parameters and properties requires to locate, download, validate and perform product installation.
  • CmdID - Input value used to reference the request. Responses will include this value that can be used to match request and response.
  • LocURI - Path to Win32 CSP command processor, including the Product ID (in this example, 1803A630-3C38-4D2B-9B9A-0CB37243539C) property escaped for XML formatting.
  • Data - The Data node contains an embedded XML, of type “MsiInstallJob”
  • MsiInstallJob - Contains all information required for the successful download, validation and execution of the MSI installation process (see section at the end of this document for details on this embedded data object).| > [!Note] > Information status on the MSI job will be reported using standard OMA-DM notification mechanism. The status reported is represented using standard MSIEXEC return codes as HRESULT as defined in the MSIEXEC topic on Microsoft TechNet at [Msiexec (command-line options)](https://technet.microsoft.com/library/cc759262%28v=ws.10%29.aspx). - - -**SyncML to perform MSI install operations for an application targeted to all users on the device (per-device installation)** +**SyncML to perform MSI install operations for an application targeted to all users on the device (per-device installation):** ```xml @@ -329,7 +327,7 @@ The following table MsiInstallJob describes the schema elements. |MsiInstallJob|root element
    "Attribute: "id - the application identifier of the application being installed| |Product|child element of MsiInstallJob
    Attribute: “Version” – string representation of application version| |Download|child element of Product. Container for download configuration information.| -|ContentURLList|child element of Download. Contains list of 1 or more content download URL locators in the form of ContentURL elements.| +|ContentURLList|child element of Download. Contains list of one or more content download URL locators in the form of ContentURL elements.| |ContentURL|Location content should be downloaded from. Must be a property formatted URL that points to the .MSI file.| |Validation|Contains information used to validate contend authenticity. • FileHash – SHA256 hash value of file content| |FileHash|SHA256 hash value of file content| @@ -339,9 +337,7 @@ The following table MsiInstallJob describes the schema elements. |RetryCount|The number of times the download and installation operation will be retried before the installation will be marked as failed.| |RetryInterval|Amount of time, in minutes between retry operations.| - - -Here is an example of a common response to a request +Here's an example of a common response to a request ```xml @@ -369,7 +365,6 @@ Here is an example of a common response to a request ## How to determine which installation context to use for an MSI package - The following tables show how app targeting and MSI package type (per-user, per machine, or dual mode) are installed in the client. For Intune standalone environment, the MSI package will determine the MSI execution context. @@ -388,22 +383,20 @@ The following table applies to SCCM hybrid environment. ## How to determine the package type from the MSI package - -- ALLUSERS="" - per-user package type -- ALLUSERS=1 - per-machine package type -- ALLUSERS=2, MSIINSTALLPERUSER=1 - dual mode package type +- ALLUSERS="" - per-user package type +- ALLUSERS=1 - per-machine package type +- ALLUSERS=2, MSIINSTALLPERUSER=1 - dual mode package type Properties can be specified in the package, passed through the command line, modified by a transform, or (more commonly) selected through a user interface dialog. Here's a list of references: -- [Using Windows Installer](/previous-versions/windows/it-pro/windows-server-2003/cc782896(v=ws.10)) -- [Authoring a single package for Per-User or Per-Machine Installation context in Windows 7](https://blogs.msdn.com/b/windows_installer_team/archive/2009/09/02/authoring-a-single-package-for-per-user-or-per-machine-installation-context-in-windows-7.aspx) -- SyncML Representation Protocol, Draft Version 1.3 - 27 Aug 2009 (OMA-TS-SyncML\_RepPro-V1\_3-20090827-D) +- [Using Windows Installer](/previous-versions/windows/it-pro/windows-server-2003/cc782896(v=ws.10)) +- [Authoring a single package for Per-User or Per-Machine Installation context in Windows 7](https://blogs.msdn.com/b/windows_installer_team/archive/2009/09/02/authoring-a-single-package-for-per-user-or-per-machine-installation-context-in-windows-7.aspx) +- SyncML Representation Protocol, Draft Version 1.3 - 27 Aug 2009 (OMA-TS-SyncML\_RepPro-V1\_3-20090827-D) ## Alert example - ```xml 4 @@ -421,3 +414,6 @@ Here's a list of references: ``` +## Related topics + +[Configuration service provider reference](configuration-service-provider-reference.md) \ No newline at end of file diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md index 38daca74a6..99a765d265 100644 --- a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md +++ b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md @@ -14,6 +14,16 @@ ms.date: 11/19/2021 # EnterpriseModernAppManagement CSP +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|Yes|Yes| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + The EnterpriseModernAppManagement configuration service provider (CSP) is used for the provisioning and reporting of modern enterprise apps. For details about how to use this CSP to for reporting apps inventory, installation and removal of apps for users, provisioning apps to devices, and managing app licenses, see [Enterprise app management](enterprise-app-management.md). > [!Note] @@ -65,6 +75,7 @@ EnterpriseModernAppManagement ----------------AddLicense ----------------GetLicenseFromStore ``` + **Device or User context** For user context, use **./User/Vendor/MSFT** path and for device context, use **./Device/Vendor/MSFT** path. @@ -107,33 +118,24 @@ Added in Windows 10, version 1511. Required. Specifies the query for app invento Query parameters: -- Output - Specifies the parameters for the information returned in AppInventoryResults operation. Multiple value must be separate by |. Valid values are: - - PackagesName - returns the *PackageFamilyName* and *PackageFullName* of the app. Default if nothing is specified. - - PackageDetails - returns all inventory attributes of the package. This includes all information from PackageNames parameter, but does not validate RequiresReinstall. - - RequiredReinstall - Validates the app status of the apps in the inventory query to determine if they require a reinstallation. This attribute may impact system performance depending on the number of apps installed. Requiring reinstall occurs when resource package updates or when the app is in a tampered state. -- Source - specifies the app classification that aligns to the existing inventory nodes. You can use a specific filter or if no filter is specified then all sources will be returned. If no value is specified, all classifications are returned. Valid values are: - - AppStore - This classification is for apps that were acquired from Microsoft Store. These were apps directly installed from Microsoft Store or enterprise apps from Microsoft Store for Business. - - nonStore - This classification is for apps that were not acquired from the Microsoft Store. - - System - Apps that are part of the OS. You cannot uninstall these apps. This classification is read-only and can only be inventoried. -- PackageTypeFilter - Specifies one or multiple types of packages you can use to query the user or device. Multiple values must be separated by |. Valid values are: - - - Main - returns the main installed package. - - Bundle - returns installed bundle packages. - - Framework - returns installed framework packages. - - Resource - returns installed resources packages. Resources are either language, scale, or DirectX resources. They are parts of a bundle. - - XAP - returns XAP package types. This filter is only supported on Windows Mobile. - - All - returns all package types. - - If no value is specified, the combination of Main, Bundle, and Framework are returned. - -- PackageFamilyName - specifies the name of a particular package. If you specify this parameter, it returns the Package Family name if the package contains this value. - - If you do not specify this value, then all packages are returned. - -- Publisher - specifies the publisher of a particular package. If you specify this parameter, it returns the publisher if the value exists in the Publisher field. - - If you do not specify this value, then all publishers are returned. - +- Output - Specifies the parameters for the information returned in AppInventoryResults operation. Multiple value must be separate by |. Valid values are: + - PackagesName - returns the *PackageFamilyName* and *PackageFullName* of the app. Default if nothing is specified. + - PackageDetails - returns all inventory attributes of the package. This includes all information from PackageNames parameter, but doesn't validate RequiresReinstall. + - RequiredReinstall - Validates the app status of the apps in the inventory query to determine if they require a reinstallation. This attribute may impact system performance depending on the number of apps installed. Requiring reinstall occurs when resource package updates or when the app is in a tampered state. +- Source - specifies the app classification that aligns to the existing inventory nodes. You can use a specific filter or if no filter is specified then all sources will be returned. If no value is specified, all classifications are returned. Valid values are: + - AppStore - This classification is for apps that were acquired from Microsoft Store. These were apps directly installed from Microsoft Store or enterprise apps from Microsoft Store for Business. + - nonStore - This classification is for apps that weren't acquired from the Microsoft Store. + - System - Apps that are part of the OS. You can't uninstall these apps. This classification is read-only and can only be inventoried. +- PackageTypeFilter - Specifies one or multiple types of packages you can use to query the user or device. Multiple values must be separated by |. Valid values are: + - Main - returns the main installed package. + - Bundle - returns installed bundle packages. + - Framework - returns installed framework packages. + - Resource - returns installed resources packages. Resources are either language, scale, or DirectX resources. They're parts of a bundle. + - XAP - returns XAP package types. This filter is only supported on Windows Mobile. + - All - returns all package types. +If no value is specified, the combination of Main, Bundle, and Framework are returned. +- PackageFamilyName - specifies the name of a particular package. If you specify this parameter, it returns the Package Family name if the package contains this value. If you don't specify this value, then all packages are returned. +- Publisher - specifies the publisher of a particular package. If you specify this parameter, it returns the publisher if the value exists in the Publisher field. If you don't specify this value, then all publishers are returned. Supported operation is Get and Replace. @@ -155,20 +157,14 @@ The following example sets the inventory query for the package names and checks Added in Windows 10, version 1703. Used to remove packages. Not supported for ./User/Vendor/MSFT. Parameters: -
      -
    • Package -
        -
      • Name: Specifies the PackageFullName of the particular package to remove.
        • -
      • RemoveForAllUsers: -
          -
        • 0 (default) – Package will be un-provisioned so that new users do not receive the package. The package will remain installed for current users. This is not currently supported.
          • -
        • 1 – Package will be removed for all users only if it is a provisioned package.
          • -
        -
        • -
      -
      • -
    • User (optional): Specifies the SID of the particular user for whom to remove the package; only the package for the specified user can be removed.
      • -

    + +- Package + - Name: Specifies the PackageFullName of the particular package to remove. + - RemoveForAllUsers: + - 0 (default) – Package will be unprovisioned so that new users don't receive the package. The package will remain installed for current users. This isn't currently supported. + - 1 – Package will be removed for all users only if it's a provisioned package. +- User (optional): Specifies the SID of the particular user for whom to remove the package; only the package for the specified user can be removed. + Supported operation is Execute. The following example removes a package for all users: @@ -189,7 +185,7 @@ The following example removes a package for all users: ```` **AppManagement/nonStore** -Used to manage enterprise apps or developer apps that were not acquired from the Microsoft Store. +Used to manage enterprise apps or developer apps that weren't acquired from the Microsoft Store. Supported operation is Get. @@ -210,18 +206,21 @@ Added in Windows 10, version 1809. Interior node for the managing updates throug > ReleaseManagement settings only apply to updates through the Microsoft Store. **AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_** -Added in Windows 10, version 1809. Identifier for the app or set of apps. If there is only one app, it is the PackageFamilyName. If it is for a set of apps, it is the PackageFamilyName of the main app. - +Added in Windows 10, version 1809. Identifier for the app or set of apps. If there's only one app, it's the PackageFamilyName. If it is for a set of apps, it's the PackageFamilyName of the main app. **AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_/ChannelId** Added in Windows 10, version 1809. Specifies the app channel ID. -Value type is string. Supported operations are Add, Get, Replace, and Delete. +Value type is string. + +Supported operations are Add, Get, Replace, and Delete. **AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_/ReleaseManagementId** Added in Windows 10, version 1809. The IT admin can specify a release ID to indicate a specific release that they would like the user or device to be on. -Value type is string. Supported operations are Add, Get, Replace, and Delete. +Value type is string. + +Supported operations are Add, Get, Replace, and Delete. **AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_/EffectiveRelease** Added in Windows 10, version 1809. Interior node used to specify the effective app release to use when multiple user policies are set on the device. The device policy or last user policy is used. @@ -229,22 +228,25 @@ Added in Windows 10, version 1809. Interior node used to specify the effective a **AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_/EffectiveRelease/ChannelId** Added in Windows 10, version 1809. Returns the last user channel ID on the device. -Value type is string. Supported operation is Get. +Value type is string. + +Supported operation is Get. **AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_/EffectiveRelease/ReleaseManagementId** Added in Windows 10, version 1809. Returns the last user release ID on the device. -Value type is string. Supported operation is Get. +Value type is string. + +Supported operation is Get. **.../***PackageFamilyName* -Optional. Package family name (PFN) of the app. There is one for each PFN on the device when reporting inventory. These items are rooted under their signing origin. +Optional. Package family name (PFN) of the app. There's one for each PFN on the device when reporting inventory. These items are rooted under their signing origin. Supported operations are Get and Delete. > [!Note] > XAP files use a product ID in place of PackageFamilyName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}. - Here's an example for uninstalling an app: ```xml @@ -274,22 +276,30 @@ Supported operations are Get and Delete. **.../*PackageFamilyName*/*PackageFullName*/Name** -Required. Name of the app. Value type is string. +Required. Name of the app. + +Value type is string. Supported operation is Get. **.../*PackageFamilyName*/*PackageFullName*/Version** -Required. Version of the app. Value type is string. +Required. Version of the app. + +Value type is string. Supported operation is Get. **.../*PackageFamilyName*/*PackageFullName*/Publisher** -Required. Publisher name of the app. Value type is string. +Required. Publisher name of the app. + +Value type is string. Supported operation is Get. **.../*PackageFamilyName*/*PackageFullName*/Architecture** -Required. Architecture of installed package. Value type is string. +Required. Architecture of installed package. + +Value type is string. > [!Note] > Not applicable to XAP files. @@ -297,7 +307,9 @@ Required. Architecture of installed package. Value type is string. Supported operation is Get. **.../*PackageFamilyName*/*PackageFullName*/InstallLocation** -Required. Install location of the app on the device. Value type is string. +Required. Install location of the app on the device. + +Value type is string. > [!Note] > Not applicable to XAP files. @@ -313,17 +325,23 @@ Required. Whether or not the app is a framework package. Value type is int. The Supported operation is Get. **.../*PackageFamilyName*/*PackageFullName*/IsBundle** -Required. The value is 1 if the package is an app bundle and 0 (zero) for all other cases. Value type is int. +Required. The value is 1 if the package is an app bundle and 0 (zero) for all other cases. + +Value type is int. Supported operation is Get. **.../*PackageFamilyName*/*PackageFullName*/InstallDate** -Required. Date the app was installed. Value type is string. +Required. Date the app was installed. + +Value type is string. Supported operation is Get. **.../*PackageFamilyName*/*PackageFullName*/ResourceID** -Required. Resource ID of the app. This is null for the main app, ~ for a bundle, and contains resource information for resources packages. Value type is string. +Required. Resource ID of the app. This is null for the main app, ~ for a bundle, and contains resource information for resources packages. + +Value type is string. > [!Note] > Not applicable to XAP files. @@ -331,13 +349,15 @@ Required. Resource ID of the app. This is null for the main app, ~ for a bundle, Supported operation is Get. **.../*PackageFamilyName*/*PackageFullName*/PackageStatus** -Required. Provides information about the status of the package. Value type is int. Valid values are: +Required. Provides information about the status of the package. -- OK (0) - The package is usable. -- LicenseIssue (1) - The license of the package is not valid. -- Modified (2) - The package payload was modified by an unknown source. -- Tampered (4) - The package payload was tampered intentionally. -- Disabled (8) - The package is not available for use. It can still be serviced. +Value type is int. Valid values are: + +- OK (0) - The package is usable. +- LicenseIssue (1) - The license of the package isn't valid. +- Modified (2) - The package payload was modified by an unknown source. +- Tampered (4) - The package payload was tampered intentionally. +- Disabled (8) - The package isn't available for use. It can still be serviced. > [!Note] > Not applicable to XAP files. @@ -355,15 +375,17 @@ Supported operation is Get. **.../*PackageFamilyName*/*PackageFullName*/Users** Required. Registered users of the app and the package install state. If the query is at the device level, it returns all the registered users of the device. If you query the user context, it will only return the current user. Value type is string. -- Not Installed = 0 -- Staged = 1 -- Installed = 2 -- Paused = 6 +- Not Installed = 0 +- Staged = 1 +- Installed = 2 +- Paused = 6 Supported operation is Get. **.../*PackageFamilyName*/*PackageFullName*/IsProvisioned** -Required. The value is 0 or 1 that indicates if the app is provisioned on the device. The value type is int. +Required. The value is 0 or 1 that indicates if the app is provisioned on the device. + +The value type is int. Supported operation is Get. @@ -371,7 +393,9 @@ Supported operation is Get. Added in Windows 10, version 2004. Required. This node is used to identify whether the package is a stub package. A stub package is a version of the package with minimal functionality that will reduce the size of the app. -The value is 1 if the package is a stub package and 0 (zero) for all other cases. Value type is int. +The value is 1 if the package is a stub package and 0 (zero) for all other cases. + +Value type is int. Supported operation is Get. @@ -386,9 +410,11 @@ Added in Windows 10, version 1511. Interior node for all managed app setting val **.../*PackageFamilyName*/AppSettingPolicy/***SettingValue* (only for ./User/Vendor/MSFT) Added in Windows 10, version 1511. The *SettingValue* and data represent a key value pair to be configured for the app. The node represents the name of the key and the data represents the value. You can find this value in LocalSettings in the Managed.App.Settings container. -This setting only works for apps that support the feature and it is only supported in the user context. +This setting only works for apps that support the feature and it's only supported in the user context. -Value type is string. Supported operations are Add, Get, Replace, and Delete. +Value type is string. + +Supported operations are Add, Get, Replace, and Delete. The following example sets the value for the 'Server' @@ -423,9 +449,11 @@ The following example gets all managed app settings for a specific app. ``` **.../_PackageFamilyName_/MaintainProcessorArchitectureOnUpdate** -Added in Windows 10, version 1803. Specify whether on a AMD64 device, across an app update, the architecture of the installed app must not change. For example if you have the x86 flavor of a Windows app installed, with this setting enabled, across an update, the x86 flavor will be installed even when x64 flavor is available. +Added in Windows 10, version 1803. Specify whether on an AMD64 device, across an app update, the architecture of the installed app must not change. For example if you have the x86 flavor of a Windows app installed, with this setting enabled, across an update, the x86 flavor will be installed even when x64 flavor is available. -Supported operations are Add, Get, Delete, and Replace. Value type is integer. +Supported operations are Add, Get, Delete, and Replace. + +Value type is integer. Expected Behavior on an AMD64 machine that has x86 flavor of an app installed (Most restrictive wins). @@ -443,11 +471,14 @@ This setting allows the IT admin to set an app to be nonremovable, or unable to NonRemovable requires admin permission. This can only be set per device, not per user. You can query the setting using AppInventoryQuery or AppInventoryResults. -Value type is integer. Supported operations are Add, Get, and Replace. +Value type is integer. + +Supported operations are Add, Get, and Replace. Valid values: -- 0 – app is not in the nonremovable app policy list -- 1 – app is included in the nonremovable app policy list + +- 0 – app isn't in the nonremovable app policy list +- 1 – app is included in the nonremovable app policy list **Examples:** @@ -519,14 +550,13 @@ Data 1 = app is in the app policy list Required node. Used to perform app installation. **AppInstallation/***PackageFamilyName* -Optional node. Package family name (PFN) of the app. There is one for each PFN on the device when reporting inventory. These items are rooted under their signing origin. +Optional node. Package family name (PFN) of the app. There's one for each PFN on the device when reporting inventory. These items are rooted under their signing origin. Supported operations are Get and Add. > [!Note] > XAP files use a product ID in place of PackageFamilyName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}. - **AppInstallation/*PackageFamilyName*/StoreInstall** Required. Command to perform an install of an app and a license from the Microsoft Store. @@ -535,7 +565,8 @@ Supported operation is Execute, Add, Delete, and Get. **AppInstallation/*PackageFamilyName*/HostedInstall** Required. Command to perform an install of an app package from a hosted location (this can be a local drive, a UNC, or https data source). -The following list shows the supported deployment options: +The following list shows the supported deployment options: + - ForceApplicationShutdown - DevelopmentMode  - InstallAllResources @@ -544,7 +575,7 @@ The following list shows the supported deployment options: - DeferRegistration="1". If the app is in use at the time of installation. This stages the files for an app update and completes the registration of the app update after the app closes. Available in the latest insider flight of 20H1. - StageOnly="1". Stages the files for an app installation or update without installing the app. Available in 1803. - LicenseUri="\\server\license.lic". Deploys an offline license from the Microsoft Store for Business. Available in 1607. -- ValidateDependencies="1". This is used at provisioning/staging time. If it is set to 1, deployment will perform the same dependency validation during staging that we would normally do at registration time, failing and rejecting the provision request if the dependencies are not present. Available in the latest insider flight of 20H1. +- ValidateDependencies="1". This is used at provisioning/staging time. If it's set to 1, deployment will perform the same dependency validation during staging that we would normally do at registration time, failing and rejecting the provision request if the dependencies aren't present. Available in the latest insider flight of 20H1. - ExcludeAppFromLayoutModification="1". Sets that the app will be provisioned on all devices and will be able to retain the apps provisioned without pinning them to start layout. Available in 1809. Supported operation is Execute, Add, Delete, and Get. @@ -557,8 +588,6 @@ Supported operation is Get. > [!Note] > This element is not present after the app is installed. - - **AppInstallation/*PackageFamilyName*/LastErrorDesc** Required. Description of last error relating to the app installation. @@ -567,30 +596,27 @@ Supported operation is Get. > [!Note] > This element is not present after the app is installed. - **AppInstallation/*PackageFamilyName*/Status** Required. Status of app installation. The following values are returned: -- NOT\_INSTALLED (0) - The node was added, but the execution has not completed. -- INSTALLING (1) - Execution has started, but the deployment has not completed. If the deployment completes regardless of success, this value is updated. -- FAILED (2) - Installation failed. The details of the error can be found under LastError and LastErrorDescription. -- INSTALLED (3) - Once an install is successful this node is cleaned up, however in the event the clean up action has not completed, this state may briefly appear. +- NOT\_INSTALLED (0) - The node was added, but the execution hasn't completed. +- INSTALLING (1) - Execution has started, but the deployment hasn't completed. If the deployment completes regardless of success, this value is updated. +- FAILED (2) - Installation failed. The details of the error can be found under LastError and LastErrorDescription. +- INSTALLED (3) - Once an install is successful this node is cleaned up, however in the event the clean-up action hasn't completed, this state may briefly appear. Supported operation is Get. > [!Note] > This element is not present after the app is installed. - -**AppInstallation/*PackageFamilyName*/ProgessStatus** -Required. An integer the indicates the progress of the app installation. For https locations, this indicates the download progress. ProgressStatus is not available for provisioning and it is only for user-based installations. In provisioning, the value is always 0 (zero). +**AppInstallation/*PackageFamilyName*/ProgressStatus** +Required. An integer the indicates the progress of the app installation. For https locations, this indicates the download progress. ProgressStatus isn't available for provisioning and it's only for user-based installations. In provisioning, the value is always 0 (zero). Supported operation is Get. > [!Note] > This element is not present after the app is installed. - **AppLicenses** Required node. Used to manage licenses for app scenarios. @@ -603,23 +629,23 @@ Optional node. License ID for a store installed app. The license ID is generally Supported operations are Add, Get, and Delete. **AppLicenses/StoreLicenses/*LicenseID*/LicenseCategory** -Added in Windows 10, version 1511. Required. Category of license that is used to classify various license sources. Valid value: +Added in Windows 10, version 1511. Required. Category of license that is used to classify various license sources. Valid values are: -- Unknown - unknown license category -- Retail - license sold through retail channels, typically from the Microsoft Store -- Enterprise - license sold through the enterprise sales channel, typically from the Store for Business -- OEM - license issued to an OEM -- Developer - developer license, typically installed during the app development or side-loading scenarios. +- Unknown - unknown license category +- Retail - license sold through retail channels, typically from the Microsoft Store +- Enterprise - license sold through the enterprise sales channel, typically from the Store for Business +- OEM - license issued to an OEM +- Developer - developer license, typically installed during the app development or side-loading scenarios. Supported operation is Get. **AppLicenses/StoreLicenses/*LicenseID*/LicenseUsage** -Added in Windows 10, version 1511. Required. Indicates the allowed usage for the license. Valid values: +Added in Windows 10, version 1511. Required. Indicates the allowed usage for the license. Valid values are: -- Unknown - usage is unknown -- Online - the license is only valid for online usage. This is for applications with concurrence requirements, such as an app used on several computers, but can only be used on one at any given time. -- Offline - license is valid for use offline. You don't need a connection to the internet to use this license. -- Enterprise Root - +- Unknown - usage is unknown. +- Online - the license is only valid for online usage. This is for applications with concurrence requirements, such as an app used on several computers, but can only be used on one at any given time. +- Offline - license is valid for use offline. You don't need a connection to the internet to use this license. +- Enterprise Root - Supported operation is Get. @@ -640,7 +666,6 @@ Supported operation is Execute. ## Examples - For examples of how to use this CSP to for reporting apps inventory, installation and removal of apps for users, provisioning apps to devices, and managing app licenses, see [Enterprise app management](enterprise-app-management.md). Query the device for a specific app subcategory, such as nonStore apps. diff --git a/windows/client-management/mdm/euiccs-csp.md b/windows/client-management/mdm/euiccs-csp.md index 3ac910ac33..a12bc38abb 100644 --- a/windows/client-management/mdm/euiccs-csp.md +++ b/windows/client-management/mdm/euiccs-csp.md @@ -1,6 +1,6 @@ --- title: eUICCs CSP -description: Learn how the eUICCs CSP is used to support eUICC enterprise use cases and enables the IT admin to manage (assign, re-assign, remove) subscriptions to employees. +description: Learn how the eUICCs CSP is used to support eUICC enterprise use cases and enables the IT admin to manage (assign, reassign, remove) subscriptions to employees. ms.author: dansimp ms.topic: article ms.prod: w10 @@ -13,10 +13,20 @@ manager: dansimp # eUICCs CSP +The table below shows the applicability of Windows: -The eUICCs configuration service provider is used to support eUICC enterprise use cases and enables the IT admin to manage (assign, re-assign, remove) subscriptions to employees. This CSP was added in windows 10, version 1709. +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + +The eUICCs configuration service provider is used to support eUICC enterprise use cases and enables the IT admin to manage (assign, reassign, remove) subscriptions to employees. This CSP was added in windows 10, version 1709. The following shows the eUICCs configuration service provider in tree format. + ``` ./Device/Vendor/MSFT eUICCs @@ -44,16 +54,17 @@ eUICCs ------------ResetToFactoryState ------------Status ``` + **./Vendor/MSFT/eUICCs** -Root node. +Root node for the eUICCs CSP. **_eUICC_** -Interior node. Represents information associated with an eUICC. There is one subtree for each known eUICC, created by the Local Profile Assistant (LPA) when the eUICC is first seen. The node name is meaningful only to the LPA (which associates it with an eUICC ID (EID) in an implementation-specific manner, e.g., this could be a SHA-256 hash of the EID). The node name "Default" represents the currently active eUICC. +Interior node. Represents information associated with an eUICC. There's one subtree for each known eUICC, created by the Local Profile Assistant (LPA) when the eUICC is first seen. The node name is meaningful only to the LPA (which associates it with an eUICC ID (EID) in an implementation-specific manner, for example, this could be an SHA-256 hash of the EID). The node name "Default" represents the currently active eUICC. Supported operation is Get. **_eUICC_/Identifier** -Required. Identifies an eUICC in an implementation-specific manner, e.g., this could be a SHA-256 hash of the EID. +Required. Identifies an eUICC in an implementation-specific manner, for example, this could be an SHA-256 hash of the EID. Supported operation is Get. Value type is string. @@ -63,14 +74,18 @@ Required. Indicates whether this eUICC is physically present and active. Updated Supported operation is Get. Value type is boolean. **_eUICC_/PPR1Allowed** -Profile Policy Rule 1 (PPR1) is required. Indicates whether the download of a profile with PPR1 is allowed. If the eUICC already has a profile (regardless of its origin and policy rules associated with it), the download of a profile with PPR1 is not allowed. +Profile Policy Rule 1 (PPR1) is required. Indicates whether the download of a profile with PPR1 is allowed. If the eUICC already has a profile (regardless of its origin and policy rules associated with it), the download of a profile with PPR1 isn't allowed. -Supported operation is Get. Value type is boolean. +Supported operation is Get. + +Value type is boolean. **_eUICC_/PPR1AlreadySet** Required. Indicates whether the eUICC already has a profile with PPR1. -Supported operation is Get. Value type is boolean. +Supported operation is Get. + +Value type is boolean. **_eUICC_/DownloadServers** Interior node. Represents default SM-DP+ discovery requests. @@ -85,12 +100,16 @@ Supported operations are Add, Get, and Delete. **_eUICC_/DownloadServers/_ServerName_/DiscoveryState** Required. Current state of the discovery operation for the parent ServerName (Requested = 1, Executing = 2, Completed = 3, Failed = 4). Queried by the CSP and only updated by the LPA. -Supported operation is Get. Value type is integer. Default value is 1. +Supported operation is Get. + +Value type is integer. Default value is 1. **_eUICC_/DownloadServers/_ServerName_/AutoEnable** Required. Indicates whether the discovered profile must be enabled automatically after install. This must be set by the MDM when the ServerName subtree is created. -Supported operations are Add, Get, and Replace. Value type is bool. +Supported operations are Add, Get, and Replace. + +Value type is bool. **_eUICC_/Profiles** Interior node. Required. Represents all enterprise-owned profiles. @@ -105,22 +124,30 @@ Supported operations are Add, Get, and Delete. **_eUICC_/Profiles/_ICCID_/ServerName** Required. Fully qualified domain name of the SM-DP+ that can download this profile. Must be set by the MDM when the ICCID subtree is created. -Supported operations are Add and Get. Value type is string. +Supported operations are Add and Get. + +Value type is string. **_eUICC_/Profiles/_ICCID_/MatchingID** Required. Matching ID (activation code token) for profile download. Must be set by the MDM when the ICCID subtree is created. -Supported operations are Add and Get. Value type is string. +Supported operations are Add and Get. + +Value type is string. **_eUICC_/Profiles/_ICCID_/State** Required. Current state of the profile (Installing = 1, Installed = 2, Deleting = 3, Error = 4). Queried by the CSP and only updated by the LPA. -Supported operation is Get. Value type is integer. Default value is 1. +Supported operation is Get. + +Value type is integer. Default value is 1. **_eUICC_/Profiles/_ICCID_/IsEnabled** Added in Windows 10, version 1803. Indicates whether this profile is enabled. Can be set by the MDM when the ICCID subtree is created to enable the profile once it’s successfully downloaded and installed on the device. Can also be queried and updated by the CSP. -Supported operations are Add, Get, and Replace. Value type is bool. +Supported operations are Add, Get, and Replace. + +Value type is bool. **_eUICC_/Policies** Interior node. Required. Device policies associated with the eUICC as a whole (not per-profile). @@ -130,19 +157,29 @@ Supported operation is Get. **_eUICC_/Policies/LocalUIEnabled** Required. Determines whether the local user interface of the LUI is available (true if available, false otherwise). Initially populated by the LPA when the eUICC tree is created, can be queried and changed by the MDM server. -Supported operations are Get and Replace. Value type is boolean. Default value is true. +Supported operations are Get and Replace. + +Value type is boolean. Default value is true. **_eUICC_/Actions** -Interior node. Required. Actions that can be performed on the eUICC as a whole (when it is active). +Interior node. Required. Actions that can be performed on the eUICC as a whole (when it's active). Supported operation is Get. **_eUICC_/Actions/ResetToFactoryState** Required. An EXECUTE on this node triggers the LPA to perform an eUICC Memory Reset. -Supported operation is Execute. Value type is string. +Supported operation is Execute. + +Value type is string. **_eUICC_/Actions/Status** Required. Status of most recent operation, as an HRESULT. S_OK indicates success, S_FALSE indicates operation is in progress, other values represent specific errors. -Supported value is Get. Value type is integer. Default is 0. +Supported value is Get. + +Value type is integer. Default is 0. + +## Related topics + +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md index 65b65a3326..3c36a569eb 100644 --- a/windows/client-management/mdm/firewall-csp.md +++ b/windows/client-management/mdm/firewall-csp.md @@ -13,9 +13,18 @@ manager: dansimp # Firewall configuration service provider (CSP) +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + +The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure the Windows Defender Firewall global settings, per profile settings, and the desired set of custom rules to be enforced on the device. Using the Firewall CSP the IT admin can now manage non-domain devices, and reduce the risk of network security threats across all systems connecting to the corporate network. This CSP was added Windows 10, version 1709. -The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure the Windows Defender Firewall global settings, per profile settings, as well as the desired set of custom rules to be enforced on the device. Using the Firewall CSP the IT admin can now manage non-domain devices, and reduce the risk of network security threats across all systems connecting to the corporate network. This CSP was added Windows 10, version 1709. - Firewall rules in the FirewallRules section must be wrapped in an Atomic block in SyncML, either individually or collectively. For detailed information on some of the fields below see [[MS-FASP]: Firewall and Advanced Security Protocol documentation](/openspecs/windows_protocols/ms-winerrata/6521c5c4-1f76-4003-9ade-5cccfc27c8ac). @@ -101,141 +110,154 @@ Firewall ----------------Status ----------------Name ``` + **./Vendor/MSFT/Firewall** -

    Root node for the Firewall configuration service provider.

    +Root node for the Firewall configuration service provider. **MdmStore** -

    Interior node.

    -

    Supported operation is Get.

    +Interior node. +Supported operation is Get. **MdmStore/Global** -

    Interior node.

    -

    Supported operations are Get.

    +Interior node. +Supported operations are Get. **MdmStore/Global/PolicyVersionSupported** -

    Integer value that contains the maximum policy version that the server host can accept. The version number is two octets in size. The lowest-order octet is the minor version; the second-to-lowest octet is the major version. This value is not merged and is always a fixed value for a particular firewall and advanced security components software build.

    -

    Value type in integer. Supported operation is Get.

    +Integer value that contains the maximum policy version that the server host can accept. The version number is two octets in size. The lowest-order octet is the minor version; the second-to-lowest octet is the major version. This value isn't merged and is always a fixed value for a particular firewall and advanced security components software build. +Value type in integer. Supported operation is Get. **MdmStore/Global/CurrentProfiles** -

    Integer value that contains a bitmask of the current enforced profiles that are maintained by the server firewall host. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. This value is available only in the dynamic store; therefore, it is not merged and has no merge law.

    -

    Value type in integer. Supported operation is Get.

    +Integer value that contains a bitmask of the current enforced profiles that are maintained by the server firewall host. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. This value is available only in the dynamic store; therefore, it isn't merged and has no merge law. +Value type in integer. Supported operation is Get. **MdmStore/Global/DisableStatefulFtp** -

    Boolean value. If false, the firewall performs stateful File Transfer Protocol (FTP) filtering to allow secondary connections. True means stateful FTP is disabled. The merge law for this option is to let "true" values win.

    -

    Default value is false.

    -

    Data type is bool. Supported operations are Add, Get, Replace, and Delete.

    +Boolean value. If false, the firewall performs stateful File Transfer Protocol (FTP) filtering to allow secondary connections. True means stateful FTP is disabled. The merge law for this option is to let "true" values win. +Default value is false. + +Data type is bool. Supported operations are Add, Get, Replace, and Delete. **MdmStore/Global/SaIdleTime** -

    This value configures the security association idle time, in seconds. Security associations are deleted after network traffic is not seen for this specified period of time. The value is integer and MUST be in the range of 300 to 3,600 inclusive. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.

    -

    Default value is 300.

    -

    Value type is integer. Supported operations are Add, Get, Replace, and Delete.

    +This value configures the security association idle time, in seconds. Security associations are deleted after network traffic isn't seen for this specified period of time. The value is integer and MUST be in the range of 300 to 3,600 inclusive. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, use the local store value. +Default value is 300. +Value type is integer. Supported operations are Add, Get, Replace, and Delete. **MdmStore/Global/PresharedKeyEncoding** -

    Specifies the preshared key encoding that is used. The value is integer and MUST be a valid value from the PRESHARED_KEY_ENCODING_VALUES enumeration. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.

    -

    Default value is 1.

    -

    Value type is integer. Supported operations are Add, Get, Replace, and Delete.

    +Specifies the preshared key encoding that is used. The value is integer and MUST be a valid value from the [PRESHARED_KEY_ENCODING_VALUES enumeration](/openspecs/windows_protocols/ms-fasp/b9d24a5e-7755-4c60-adeb-e0c7a718f909). The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, use the local store value. +Default value is 1. +Value type is integer. Supported operations are Add, Get, Replace, and Delete. **MdmStore/Global/IPsecExempt** -

    This value configures IPsec exceptions. The value is integer and MUST be a combination of the valid flags that are defined in IPSEC_EXEMPT_VALUES; therefore, the maximum value MUST always be IPSEC_EXEMPT_MAX-1 for servers supporting a schema version of 0x0201 and IPSEC_EXEMPT_MAX_V2_0-1 for servers supporting a schema version of 0x0200. If the maximum value is exceeded when the method RRPC_FWSetGlobalConfig (Opnum 4) is called, the method returns ERROR_INVALID_PARAMETER. This error code is returned if no other preceding error is discovered. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.

    -

    Default value is 0.

    -

    Value type is integer. Supported operations are Add, Get, Replace, and Delete.

    +This value configures IPsec exceptions. The value is integer and MUST be a combination of the valid flags that are defined in [IPSEC_EXEMPT_VALUES](/openspecs/windows_protocols/ms-fasp/7daabd9f-74c3-4295-add6-e2402b01b191); therefore, the maximum value MUST always be IPSEC_EXEMPT_MAX-1 for servers supporting a schema version of 0x0201 and IPSEC_EXEMPT_MAX_V2_0-1 for servers supporting a schema version of 0x0200. If the maximum value is exceeded when the method RRPC_FWSetGlobalConfig (Opnum 4) is called, the method returns ERROR_INVALID_PARAMETER. This error code is returned if no other preceding error is discovered. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, use the local store value. +Default value is 0. + +Value type is integer. Supported operations are Add, Get, Replace, and Delete. **MdmStore/Global/CRLcheck** -

    This value specifies how certificate revocation list (CRL) verification is enforced. The value is integer and MUST be 0, 1, or 2. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. Valid valued:

    -
      -
    • 0 disables CRL checking
      • -
    • 1 specifies that CRL checking is attempted and that certificate validation fails only if the certificate is revoked. Other failures that are encountered during CRL checking (such as the revocation URL being unreachable) do not cause certificate validation to fail.
      • -
    • 2 means that checking is required and that certificate validation fails if any error is encountered during CRL processing
      • -
    -

    Default value is 0.

    -

    Value type is integer. Supported operations are Add, Get, Replace, and Delete.

    +This value specifies how certificate revocation list (CRL) verification is enforced. The value is integer and MUST be 0, 1, or 2. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, use the local store value. Valid valued: + +- 0 disables CRL checking. +- 1 specifies that CRL checking is attempted and that certificate validation fails only if the certificate is revoked. Other failures that are encountered during CRL checking (such as the revocation URL being unreachable) don't cause certificate validation to fail. +- 2 means that checking is required and that certificate validation fails if any error is encountered during CRL processing. + +Default value is 0. + +Value type is integer. Supported operations are Add, Get, Replace, and Delete. **MdmStore/Global/PolicyVersion** -

    This value contains the policy version of the policy store being managed. This value is not merged and therefore, has no merge law.

    -

    Value type is string. Supported operation is Get.

    +This value contains the policy version of the policy store being managed. This value isn't merged and therefore, has no merge law. +Value type is string. Supported operation is Get. **MdmStore/Global/BinaryVersionSupported** -

    This value contains the binary version of the structures and data types that are supported by the server. This value is not merged. In addition, this value is always a fixed value for a specific firewall and advanced security component's software build. This value identifies a policy configuration option that is supported only on servers that have a schema version of 0x0201.

    -

    Value type is string. Supported operation is Get.

    +This value contains the binary version of the structures and data types that are supported by the server. This value isn't merged. In addition, this value is always a fixed value for a specific firewall and advanced security component's software build. This value identifies a policy configuration option that is supported only on servers that have a schema version of 0x0201. +Value type is string. Supported operation is Get. **MdmStore/Global/OpportunisticallyMatchAuthSetPerKM** -

    This value is bool used as an on/off switch. When this option is false (off), keying modules MUST ignore the entire authentication set if they do not support all of the authentication suites specified in the set. When this option is true (on), keying modules MUST ignore only the authentication suites that they don’t support. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.

    -

    Boolean value. Supported operations are Add, Get, Replace, and Delete.

    +This value is bool used as an on/off switch. When this option is false (off), keying modules MUST ignore the entire authentication set if they don't support all of the authentication suites specified in the set. When this option is true (on), keying modules MUST ignore only the authentication suites that they don’t support. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used. +Boolean value. Supported operations are Add, Get, Replace, and Delete. **MdmStore/Global/EnablePacketQueue** -

    This value specifies how scaling for the software on the receive side is enabled for both the encrypted receive and clear text forward path for the IPsec tunnel gateway scenario. Use of this option also ensures that the packet order is preserved. The data type for this option value is integer and is a combination of flags. Valid values:

    +This value specifies how scaling for the software on the receive side is enabled for both the encrypted receive and clear text forward path for the IPsec tunnel gateway scenario. Use of this option also ensures that the packet order is preserved. The data type for this option value is integer and is a combination of flags. Valid values: -
      -
    • 0x00 indicates that all queuing is to be disabled
      • -
    • 0x01 specifies that inbound encrypted packets are to be queued
      • -
    • 0x02 specifies that packets are to be queued after decryption is performed for forwarding
      • -
    +- 0x00 indicates that all queuing is to be disabled +- 0x01 specifies that inbound encrypted packets are to be queued +- 0x02 specifies that packets are to be queued after decryption is performed for forwarding -

    Default value is 0.

    -

    Value type is integer. Supported operations are Add, Get, Replace, and Delete.

    +Default value is 0. + +Value type is integer. Supported operations are Add, Get, Replace, and Delete. **MdmStore/DomainProfile** -

    Interior node. Supported operation is Get.

    +Interior node. Supported operation is Get. **MdmStore/PrivateProfile** -

    Interior node. Supported operation is Get.

    +Interior node. Supported operation is Get. **MdmStore/PublicProfile** -

    Interior node. Supported operation is Get.

    +Interior node. Supported operation is Get. **/EnableFirewall** -

    Boolean value for the firewall and advanced security enforcement. If this value is false, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

    -

    Default value is true.

    -

    Value type is bool. Supported operations are Add, Get and Replace.

    +Boolean value for the firewall and advanced security enforcement. If this value is false, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. +Default value is true. + +Value type is bool. Supported operations are Add, Get and Replace. **/DisableStealthMode** -

    Boolean value. When this option is false, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

    -

    Default value is false.

    -

    Value type is bool. Supported operations are Add, Get and Replace.

    +Boolean value. When this option is false, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. +Default value is false. + +Value type is bool. Supported operations are Add, Get and Replace. **/Shielded** -

    Boolean value. If this value is true and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "true" values win.

    -

    Default value is false.

    -

    Value type is bool. Supported operations are Get and Replace.

    +Boolean value. If this value is true and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "true" values win. +Default value is false. + +Value type is bool. Supported operations are Get and Replace. **/DisableUnicastResponsesToMulticastBroadcast** -

    Boolean value. If it is true, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

    -

    Default value is false.

    -

    Value type is bool. Supported operations are Add, Get and Replace.

    +Boolean value. If it's true, unicast responses to multicast broadcast traffic are blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. +Default value is false. + +Value type is bool. Supported operations are Add, Get and Replace. **/DisableInboundNotifications** -

    Boolean value. If this value is false, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

    -

    Default value is false.

    -

    Value type is bool. Supported operations are Add, Get and Replace.

    +Boolean value. If this value is false, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. +Default value is false. + +Value type is bool. Supported operations are Add, Get and Replace. **/AuthAppsAllowUserPrefMerge** -

    Boolean value. If this value is false, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

    -

    Default value is true.

    -

    Value type is bool. Supported operations are Add, Get and Replace.

    +Boolean value. If this value is false, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. +Default value is true. + +Value type is bool. Supported operations are Add, Get and Replace. **/GlobalPortsAllowUserPrefMerge** -

    Boolean value. If this value is false, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

    -

    Default value is true.

    -

    Value type is bool. Supported operations are Add, Get and Replace.

    +Boolean value. If this value is false, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it's set or enumerated in the Group Policy store or if it's enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. +Default value is true. + +Value type is bool. Supported operations are Add, Get and Replace. **/AllowLocalPolicyMerge** -

    Boolean value. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions.

    -

    Default value is true.

    -

    Value type is bool. Supported operations are Add, Get and Replace.

    +Boolean value. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. +Default value is true. + +Value type is bool. Supported operations are Add, Get and Replace. **/AllowLocalIpsecPolicyMerge** -

    Boolean value. If this value is false, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore.

    -

    Default value is true.

    -

    Value type is bool. Supported operations are Add, Get and Replace.

    +Boolean value. If this value is false, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. +Default value is true. + +Value type is bool. Supported operations are Add, Get and Replace. **/DefaultOutboundAction** -

    This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. DefaultOutboundAction will block all outbound traffic unless it is explicitly specified not to block.

    -
      -
    • 0x00000000 - allow
      • -
    • 0x00000001 - block
      • -
    -

    Default value is 0 (allow).

    -

    Value type is integer. Supported operations are Add, Get and Replace.

    +This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. DefaultOutboundAction will block all outbound traffic unless it's explicitly specified not to block. + +- 0x00000000 - allow +- 0x00000001 - block + +Default value is 0 (allow). + +Value type is integer. Supported operations are Add, Get and Replace. Sample syncxml to provision the firewall settings to evaluate @@ -261,163 +283,169 @@ Sample syncxml to provision the firewall settings to evaluate     ``` + **/DefaultInboundAction** -

    This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used.

    -
      -
    • 0x00000000 - allow
      • -
    • 0x00000001 - block
      • -
    -

    Default value is 1 (block).

    -

    Value type is integer. Supported operations are Add, Get and Replace.

    +This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it's configured; otherwise, the local store value is used. + +- 0x00000000 - allow +- 0x00000001 - block + +Default value is 1 (block). +Value type is integer. Supported operations are Add, Get and Replace. **/DisableStealthModeIpsecSecuredPacketExemption** -

    Boolean value. This option is ignored if DisableStealthMode is true. Otherwise, when this option is true, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.

    -

    Default value is true.

    -

    Value type is bool. Supported operations are Add, Get and Replace.

    +Boolean value. This option is ignored if DisableStealthMode is true. Otherwise, when this option is true, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used. +Default value is true. + +Value type is bool. Supported operations are Add, Get and Replace. **FirewallRules** -

    A list of rules controlling traffic through the Windows Firewall. Each Rule ID is OR'ed. Within each rule ID each Filter type is AND'ed.

    +A list of rules controlling traffic through the Windows Firewall. Each Rule ID is OR'ed. Within each rule ID each Filter type is AND'ed. **FirewallRules/_FirewallRuleName_** -

    Unique alpha numeric identifier for the rule. The rule name must not include a forward slash (/).

    -

    Supported operations are Add, Get, Replace, and Delete.

    +Unique alpha numeric identifier for the rule. The rule name must not include a forward slash (/). +Supported operations are Add, Get, Replace, and Delete. **FirewallRules/_FirewallRuleName_/App** -

    Rules that control connections for an app, program, or service. Specified based on the intersection of the following nodes:

    -
      -
    • PackageFamilyName
      • -
    • FilePath
      • -
    • FQBN
      • -
    • ServiceName
      • -
    -

    If not specified, the default is All.

    -

    Supported operation is Get.

    +Rules that control connections for an app, program, or service. Specified based on the intersection of the following nodes: + +- PackageFamilyName +- FilePath +- FQBN +- ServiceName + +If not specified, the default is All. +Supported operation is Get. **FirewallRules/_FirewallRuleName_/App/PackageFamilyName** -

    This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Microsoft Store application.

    -

    Value type is string. Supported operations are Add, Get, Replace, and Delete.

    +This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Microsoft Store application. +Value type is string. Supported operations are Add, Get, Replace, and Delete. **FirewallRules/_FirewallRuleName_/App/FilePath** -

    This App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe.

    -

    Value type is string. Supported operations are Add, Get, Replace, and Delete.

    +This App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe. +Value type is string. Supported operations are Add, Get, Replace, and Delete. **FirewallRules/_FirewallRuleName_/App/Fqbn** -

    Fully Qualified Binary Name

    -

    Value type is string. Supported operations are Add, Get, Replace, and Delete.

    +Fully Qualified Binary Name +Value type is string. Supported operations are Add, Get, Replace, and Delete. **FirewallRules/_FirewallRuleName_/App/ServiceName** -

    This is a service name used in cases when a service, not an application, is sending or receiving traffic.

    -

    Value type is string. Supported operations are Add, Get, Replace, and Delete.

    +This is a service name used in cases when a service, not an application, is sending or receiving traffic. +Value type is string. Supported operations are Add, Get, Replace, and Delete. **FirewallRules/_FirewallRuleName_/Protocol** -

    0-255 number representing the ip protocol (TCP = 6, UDP = 17)

    -

    If not specified, the default is All.

    -

    Value type is integer. Supported operations are Add, Get, Replace, and Delete.

    +0-255 number representing the ip protocol (TCP = 6, UDP = 17) +If not specified, the default is All. +Value type is integer. Supported operations are Add, Get, Replace, and Delete. **FirewallRules/_FirewallRuleName_/LocalPortRanges** -

    Comma separated list of ranges. For example, 100-120,200,300-320.

    -

    If not specified, the default is All.

    -

    Value type is string. Supported operations are Add, Get, Replace, and Delete.

    +Comma separated list of ranges. For example, 100-120,200,300-320. +If not specified, the default is All. +Value type is string. Supported operations are Add, Get, Replace, and Delete. **FirewallRules/_FirewallRuleName_/RemotePortRanges** -

    Comma separated list of ranges, For example, 100-120,200,300-320.

    -

    If not specified, the default is All.

    -

    Value type is string. Supported operations are Add, Get, Replace, and Delete.

    +Comma separated list of ranges, For example, 100-120,200,300-320. +If not specified, the default is All. +Value type is string. Supported operations are Add, Get, Replace, and Delete. **FirewallRules/*FirewallRuleName*/LocalAddressRanges** -

    Comma separated list of local addresses covered by the rule. The default value is "*". Valid tokens include:

    -
      -
    • "*" indicates any local address. If present, this must be the only token included.
      • -
    • A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask nor a network prefix is specified, the subnet mask defaults to 255.255.255.255.
      • -
    • A valid IPv6 address.
      • -
    • An IPv4 address range in the format of "start address - end address" with no spaces included.
      • -
    • An IPv6 address range in the format of "start address - end address" with no spaces included.
      • -
    -

    If not specified, the default is All.

    -

    Value type is string. Supported operations are Add, Get, Replace, and Delete.

    +Comma separated list of local addresses covered by the rule. The default value is "*". Valid tokens include: + +- "*" indicates any local address. If present, this must be the only token included. +- A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask nor a network prefix is specified, the subnet mask defaults to 255.255.255.255. +- A valid IPv6 address. +- An IPv4 address range in the format of "start address - end address" with no spaces included. +- An IPv6 address range in the format of "start address - end address" with no spaces included. + +If not specified, the default is All. +Value type is string. Supported operations are Add, Get, Replace, and Delete. **FirewallRules/*FirewallRuleName*/RemoteAddressRanges** -

    List of comma separated tokens specifying the remote addresses covered by the rule. The default value is "*". Valid tokens include:

    -
      -
    • "*" indicates any remote address. If present, this must be the only token included.
      • -
    • "Defaultgateway"
      • -
    • "DHCP"
      • -
    • "DNS"
      • -
    • "WINS"
      • -
    • "Intranet"
      • -
    • "RmtIntranet"
      • -
    • "Internet"
      • -
    • "Ply2Renders"
      • -
    • "LocalSubnet" indicates any local address on the local subnet. This token is not case-sensitive.
      • -
    • A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.
      • -
    • A valid IPv6 address.
      • -
    • An IPv4 address range in the format of "start address - end address" with no spaces included.
      • -
    • An IPv6 address range in the format of "start address - end address" with no spaces included.
      • -
    -

    If not specified, the default is All.

    -

    Value type is string. Supported operations are Add, Get, Replace, and Delete.

    -

    The tokens "Intranet", "RmtIntranet", "Internet" and "Ply2Renders" are supported on Windows 10, version 1809, and later.

    +List of comma separated tokens specifying the remote addresses covered by the rule. The default value is "*". Valid tokens include: + +- "*" indicates any remote address. If present, this must be the only token included. +- "Defaultgateway" +- "DHCP" +- "DNS" +- "WINS" +- "Intranet" +- "RmtIntranet" +- "Internet" +- "Ply2Renders" +- "LocalSubnet" indicates any local address on the local subnet. This token is not case-sensitive. +- A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255. +- A valid IPv6 address. +- An IPv4 address range in the format of "start address - end address" with no spaces included. +- An IPv6 address range in the format of "start address - end address" with no spaces included. + +If not specified, the default is All. +Value type is string. Supported operations are Add, Get, Replace, and Delete. +The tokens "Intranet", "RmtIntranet", "Internet" and "Ply2Renders" are supported on Windows 10, version 1809, and later. **FirewallRules/_FirewallRuleName_/Description** -

    Specifies the description of the rule.

    -

    Value type is string. Supported operations are Add, Get, Replace, and Delete.

    +Specifies the description of the rule. +Value type is string. Supported operations are Add, Get, Replace, and Delete. **FirewallRules/_FirewallRuleName_/Enabled** -

    Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. -

    If not specified - a new rule is enabled by default.

    -

    Boolean value. Supported operations are Get and Replace.

    +Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. +If not specified - a new rule is enabled by default. +Boolean value. Supported operations are Get and Replace. **FirewallRules/_FirewallRuleName_/Profiles** -

    Specifies the profiles to which the rule belongs: Domain, Private, Public. . See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types.

    -

    If not specified, the default is All.

    -

    Value type is integer. Supported operations are Get and Replace.

    +Specifies the profiles to which the rule belongs: Domain, Private, Public. . See [FW_PROFILE_TYPE](/openspecs/windows_protocols/ms-fasp/7704e238-174d-4a5e-b809-5f3787dd8acc) for the bitmasks that are used to identify profile types. +If not specified, the default is All. +Value type is integer. Supported operations are Get and Replace. **FirewallRules/_FirewallRuleName_/Action** -

    Specifies the action for the rule.

    -

    Supported operation is Get.

    +Specifies the action for the rule. +Supported operation is Get. **FirewallRules/_FirewallRuleName_/Action/Type** -

    Specifies the action the rule enforces. Supported values:

    -
      -
    • 0 - Block
      • -
    • 1 - Allow
      • -
    -

    If not specified, the default is allow.

    -

    Value type is integer. Supported operations are Get and Replace.

    +Specifies the action the rule enforces. Supported values: + +- 0 - Block +- 1 - Allow + +If not specified, the default is allow. +Value type is integer. Supported operations are Get and Replace. **FirewallRules/_FirewallRuleName_/Direction** -

    The rule is enabled based on the traffic direction as following. Supported values:

    -
      -
    • IN - the rule applies to inbound traffic.
      • -
    • OUT - the rule applies to outbound traffic.
      • -
    • If not specified, the default is Out.
      • -
    -

    Value type is string. Supported operations are Get and Replace.

    +The rule is enabled based on the traffic direction as following. Supported values: + +- IN - the rule applies to inbound traffic. +- OUT - the rule applies to outbound traffic. +- If not specified, the default is Out. + +Value type is string. Supported operations are Get and Replace. **FirewallRules/_FirewallRuleName_/InterfaceTypes** -

    Comma separated list of interface types. Valid values:

    -
      -
    • RemoteAccess
      • -
    • Wireless
      • -
    • Lan
      • -
    -

    If not specified, the default is All.

    -

    Value type is string. Supported operations are Get and Replace.

    +Comma separated list of interface types. Valid values: + +- RemoteAccess +- Wireless +- Lan + +If not specified, the default is All. +Value type is string. Supported operations are Get and Replace. **FirewallRules/_FirewallRuleName_/EdgeTraversal** -

    Indicates whether edge traversal is enabled or disabled for this rule.

    -

    The EdgeTraversal setting indicates that specific inbound traffic is allowed to tunnel through NATs and other edge devices using the Teredo tunneling technology. In order for this setting to work correctly, the application or service with the inbound firewall rule needs to support IPv6. The primary application of this setting allows listeners on the host to be globally addressable through a Teredo IPv6 address.

    -

    New rules have the EdgeTraversal property disabled by default.

    -

    Value type is bool. Supported operations are Add, Get, Replace, and Delete.

    +Indicates whether edge traversal is enabled or disabled for this rule. +The EdgeTraversal setting indicates that specific inbound traffic is allowed to tunnel through NATs and other edge devices using the Teredo tunneling technology. In order for this setting to work correctly, the application or service with the inbound firewall rule needs to support IPv6. The primary application of this setting allows listeners on the host to be globally addressable through a Teredo IPv6 address. +New rules have the EdgeTraversal property disabled by default. +Value type is bool. Supported operations are Add, Get, Replace, and Delete. **FirewallRules/_FirewallRuleName_/LocalUserAuthorizationList** -

    Specifies the list of authorized local users for this rule. This is a string in Security Descriptor Definition Language (SDDL) format.

    -

    Value type is string. Supported operations are Add, Get, Replace, and Delete.

    +Specifies the list of authorized local users for this rule. This is a string in Security Descriptor Definition Language (SDDL) format. +Value type is string. Supported operations are Add, Get, Replace, and Delete. **FirewallRules/_FirewallRuleName_/Status** -

    Provides information about the specific version of the rule in deployment for monitoring purposes.

    -

    Value type is string. Supported operation is Get.

    +Provides information about the specific version of the rule in deployment for monitoring purposes. +Value type is string. Supported operation is Get. **FirewallRules/_FirewallRuleName_/Name** -

    Name of the rule.

    -

    Value type is string. Supported operations are Add, Get, Replace, and Delete.

    +Name of the rule. +Value type is string. Supported operations are Add, Get, Replace, and Delete. + +## Related topics + +[Configuration service provider reference](configuration-service-provider-reference.md) \ No newline at end of file diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md index 2513599a28..12e4ef5132 100644 --- a/windows/client-management/mdm/healthattestation-csp.md +++ b/windows/client-management/mdm/healthattestation-csp.md @@ -14,18 +14,28 @@ ms.date: # Device HealthAttestation CSP +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|Yes|Yes| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + The Device HealthAttestation configuration service provider (DHA-CSP) enables enterprise IT administrators to assess if a device is booted to a trusted and compliant state, and to take enterprise policy actions. The following is a list of functions performed by the Device HealthAttestation CSP: -- Collects device boot logs, Trusted Platform Module (TPM) audit trails and the TPM certificate (DHA-BootData) from a managed device -- Forwards DHA-BootData to a Device Health Attestation Service (DHA-Service) -- Receives an encrypted blob (DHA-EncBlob) from DHA-Service, and stores it in a local cache on the device -- Receives attestation requests (DHA-Requests) from a DHA-Enabled MDM, and replies with Device Health Attestation data (DHA-Data) +- Collects device boot logs, Trusted Platform Module (TPM) audit trails and the TPM certificate (DHA-BootData) from a managed device +- Forwards DHA-BootData to a Device Health Attestation Service (DHA-Service) +- Receives an encrypted blob (DHA-EncBlob) from DHA-Service, and stores it in a local cache on the device +- Receives attestation requests (DHA-Requests) from a DHA-Enabled MDM, and replies with Device Health Attestation data (DHA-Data) ## Windows 11 Device health attestation -Windows 11 introduces an update to the device health attestation feature. This helps add support for deeper insights to Windows boot security, supporting a zero trust approach to device security. Device health attestation on Windows can be accessed by using the HealthAttestation CSP. This CSP helps assess if a device is booted to a trusted and compliant state and then to take appropriate action. Windows 11 introduces additional child nodes to the HealthAttestation node for the MDM providers to connect to the Microsoft Azure Attestation service, which provides a simplified approach to attestation. +Windows 11 introduces an update to the device health attestation feature. This helps add support for deeper insights to Windows boot security, supporting a zero trust approach to device security. Device health attestation on Windows can be accessed by using the HealthAttestation CSP. This CSP helps assess if a device is booted to a trusted and compliant state and then to take appropriate action. Windows 11 introduces extra child nodes to the HealthAttestation node for the MDM providers to connect to the Microsoft Azure Attestation service, which provides a simplified approach to attestation. The attestation report provides a health assessment of the boot-time properties of the device to ensure that the devices are automatically secure as soon as they power on. The health attestation result can then be used to allow or deny access to networks, apps, or services, depending on the health of the device. @@ -48,7 +58,7 @@ The attestation report provides a health assessment of the boot-time properties - **MAA endpoint**: Microsoft Azure attestation service is an Azure resource, and every instance of the service gets administrator configured URL. The URI generated is unique in nature and for the purposes of device health attestation is known as the MAA endpoint. -- **JWT (JSON Web Token)**: JSON Web Token (JWT) is an open standard RFC7519 method for securely transmitting information between parties as a JavaScript Object Notation (JSON) object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret or a public/private key pair. +- **JWT (JSON Web Token)**: JSON Web Token (JWT) is an open standard RFC7519 method for securely transmitting information between parties as a JavaScript Object Notation (JSON) object. This information can be verified and trusted because it's digitally signed. JWTs can be signed using a secret or a public/private key pair. ### Attestation Flow with Microsoft Azure Attestation Service @@ -63,6 +73,7 @@ Attestation flow can be broadly in three main steps: For more information, see [Attestation Protocol](/azure/attestation/virtualization-based-security-protocol). ### Configuration Service Provider Nodes + Windows 11 introduces additions to the HealthAttestation CSP node to integrate with Microsoft Azure Attestation service. ```console @@ -125,10 +136,10 @@ Templated SyncML Call: Data fields: - rpID (Relying Party Identifier): This field contains an identifier that can be used to help determine the caller. -- serviceEndpoint : This field contains the complete URL of the Microsoft Azure Attestation provider instance to be used for evaluation. -- nonce : This field contains an arbitrary number that can be used just once in a cryptographic communication. It is often a random or pseudo-random number issued in an authentication protocol to ensure that old communications cannot be reused in replay attacks. +- serviceEndpoint: This field contains the complete URL of the Microsoft Azure Attestation provider instance to be used for evaluation. +- nonce: This field contains an arbitrary number that can be used once in a cryptographic communication. It's often a random or pseudo-random number issued in an authentication protocol to ensure that old communications can't be reused in replay attacks. - aadToken: The AAD token to be used for authentication against the Microsoft Azure Attestation service. -- cv: This field contains an identifier(Correlation Vector) that will passed in to the service call, that can be used for diagnostics purposes. +- cv: This field contains an identifier(Correlation Vector) that will be passed in to the service call, that can be used for diagnostics purposes. Sample Data: @@ -182,7 +193,7 @@ Example: 0x80072efd, WININET_E_CANNOT_CONNECT Node type: GET -This node will retrieve the attestation report per the call made by the TriggerAttestation, if there is any, for the given MDM provider. The report is stored in a registry key in the respective MDM enrollment store. +This node will retrieve the attestation report per the call made by the TriggerAttestation, if there's any, for the given MDM provider. The report is stored in a registry key in the respective MDM enrollment store. Templated SyncML Call: @@ -217,7 +228,7 @@ OR Sync ML 404 error if not cached report available. Node type: GET -This node will retrieve the service-generated correlation IDs for the given MDM provider. If there is more than one correlation ID, they are separated by “;” in the string. +This node will retrieve the service-generated correlation IDs for the given MDM provider. If there's more than one correlation ID, they're separated by “;” in the string. Templated SyncML Call: @@ -249,8 +260,7 @@ calls between client and MAA and for each call the GUID is separated by semicolo ``` > [!NOTE] -> > MAA CSP nodes are available on arm64 but is not currently supported. - +> MAA CSP nodes are available on arm64 but is not currently supported. ### MAA CSP Integration Steps @@ -490,7 +500,7 @@ More information about TPM attestation can be found here: [Microsoft Azure Attes - DHA-BootData: the device boot data (TCG logs, PCR values, device/TPM certificate, boot, and TPM counters) that are required for validating device boot health. - DHA-EncBlob: an encrypted summary report that DHA-Service issues to a device after reviewing the DHA-BootData it receives from devices. - - DHA-SignedBlob: it is a signed snapshot of the current state of a device’s runtime that is captured by DHA-CSP at device health attestation time. + - DHA-SignedBlob: it's a signed snapshot of the current state of a device’s runtime that is captured by DHA-CSP at device health attestation time. - DHA-Data: an XML formatted data blob that devices forward for device health validation to DHA-Service via MDM-Server. DHA-Data has two parts: - DHA-EncBlob: the encrypted data blob that the device receives from DHA-Service @@ -510,7 +520,7 @@ More information about TPM attestation can be found here: [Microsoft Azure Attes - Collects device health attestation data (DHA-Data), and sends it to Device Health Attestation Service (DHA-Service) for verification - Gets the device health report (DHA-Report) from DHA-Service, which triggers compliance action -- **DHA-CSP (Device HealthAttestation Configuration Service Provider)**: The Device HealthAttestation Configuration Service Provider (DHA-CSP) uses a device’s TPM and firmware to measure critical security properties of the device’s BIOS and Windows boot, such that even on a system infected with kernel level malware or a rootkit, these properties cannot be spoofed. +- **DHA-CSP (Device HealthAttestation Configuration Service Provider)**: The Device HealthAttestation Configuration Service Provider (DHA-CSP) uses a device’s TPM and firmware to measure critical security properties of the device’s BIOS and Windows boot, such that even on a system infected with kernel level malware or a rootkit, these properties can't be spoofed. The following list of operations is performed by DHA-CSP: @@ -536,7 +546,7 @@ More information about TPM attestation can be found here: [Microsoft Azure Attes |--- |--- |--- | |Device Health Attestation – Cloud (DHA-Cloud)|DHA-Cloud is a Microsoft owned and operated DHA-Service that is:
  • Available in Windows for free
  • Running on a high-availability and geo-balanced cloud infrastructure
  • Supported by most DHA-Enabled device management solutions as the default device attestation service provider
  • Accessible to all enterprise-managed devices via following:
    • FQDN = has.spserv.microsoft.com port
    • Port = 443
    • Protocol = TCP|No cost
    • | |Device Health Attestation – On Premise(DHA-OnPrem)|DHA-OnPrem refers to DHA-Service that is running on premises:
  • Offered to Windows Server 2016 customer (no added licensing cost for enabling/running DHA-Service)
  • Hosted on an enterprise owned and managed server device/hardware
  • Supported by 1st and 3rd party DHA-Enabled device management solution providers that support on-premises and hybrid (Cloud + OnPrem) hardware attestation scenarios
  • Accessible to all enterprise-managed devices via following:
    • FQDN = (enterprise assigned)
    • Port = (enterprise assigned)
    • Protocol = TCP|The operation cost of running one or more instances of Server 2016 on-premises.
    • | -|Device Health Attestation - Enterprise-Managed Cloud(DHA-EMC)|DHA-EMC refers to an enterprise-managed DHA-Service that is running as a virtual host/service on a Windows Server 2016 compatible - enterprise-managed cloud service, such as Microsoft Azure.
  • Offered to Windows Server 2016 customers with no additional licensing cost (no added licensing cost for enabling/running DHA-Service)
  • Supported by 1st and 3rd party DHA-Enabled device management solution providers that support on-premises and hybrid (Cloud + OnPrem) hardware attestation scenarios
  • Accessible to all enterprise-managed devices via following:
    • FQDN = (enterprise assigned)
    • Port = (enterprise assigned)
    • Protocol = TCP|The operation cost of running Server 2016 on a compatible cloud service, such as Microsoft Azure.
    • | +|Device Health Attestation - Enterprise-Managed Cloud(DHA-EMC)|DHA-EMC refers to an enterprise-managed DHA-Service that is running as a virtual host/service on a Windows Server 2016 compatible - enterprise-managed cloud service, such as Microsoft Azure.
  • Offered to Windows Server 2016 customers with no extra licensing cost (no added licensing cost for enabling/running DHA-Service)
  • Supported by 1st and 3rd party DHA-Enabled device management solution providers that support on-premises and hybrid (Cloud + OnPrem) hardware attestation scenarios
  • Accessible to all enterprise-managed devices via following:
    • FQDN = (enterprise assigned)
    • Port = (enterprise assigned)
    • Protocol = TCP|The operation cost of running Server 2016 on a compatible cloud service, such as Microsoft Azure.
    • | ### CSP diagram and node descriptions @@ -574,12 +584,12 @@ Provides the current status of the device health request. The supported operation is Get. -The following list shows some examples of supported values. For the complete list of status, see Device HealthAttestation CSP status and error codes. +The following list shows some examples of supported values. For the complete list of status, see [Device HealthAttestation CSP status and error codes](#device-healthattestation-csp-status-and-error-codes). -- 0 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_UNINITIALIZED): DHA-CSP is preparing a request to get a new DHA-EncBlob from DHA-Service -- 1 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_REQUESTED): DHA-CSP is waiting for the DHA-Service to respond back, and issue a DHA-EncBlob to the device -- 2 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_FAILED): A valid DHA-EncBlob could not be retrieved from the DHA-Service for reasons other than discussed in the DHA error/status codes -- 3 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_COMPLETE): DHA-Data is ready for pickup +- 0 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_UNINITIALIZED): DHA-CSP is preparing a request to get a new DHA-EncBlob from DHA-Service +- 1 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_REQUESTED): DHA-CSP is waiting for the DHA-Service to respond back, and issue a DHA-EncBlob to the device +- 2 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_FAILED): A valid DHA-EncBlob couldn't be retrieved from the DHA-Service for reasons other than discussed in the DHA error/status codes +- 3 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_COMPLETE): DHA-Data is ready for pickup **ForceRetrieve** (Optional) @@ -609,7 +619,7 @@ Value type is integer, the minimum value is - 2,147,483,648 and the maximum valu **HASEndpoint** (Optional) -Identifies the fully qualified domain name (FQDN) of the DHA-Service that is assigned to perform attestation. If an FQDN is not assigned, DHA-Cloud (Microsoft owned and operated cloud service) will be used as the default attestation service. +Identifies the fully qualified domain name (FQDN) of the DHA-Service that is assigned to perform attestation. If an FQDN isn't assigned, DHA-Cloud (Microsoft owned and operated cloud service) will be used as the default attestation service. Value type is string. The supported operations are Get and Replace. The default value is has.spserv.microsoft.com. @@ -623,14 +633,14 @@ Value type is integer. The supported operation is Get. The following list of validation and development tasks are required for integrating the Microsoft Device Health Attestation feature with a Windows Mobile device management solution (MDM): -1. [Verify HTTPS access](#verify-access) -2. [Assign an enterprise trusted DHA-Service](#assign-trusted-dha-service) -3. [Instruct client to prepare DHA-data for verification](#prepare-health-data) -4. [Take action based on the clients response](#take-action-client-response) -5. [Instruct the client to forward DHA-data for verification](#forward-health-attestation) -6. [Post DHA-data to DHA-service](#forward-data-to-has) -7. [Receive response from DHA-service](#receive-has-response) -8. [Parse DHA-Report data. Take appropriate policy action based on evaluation results](#take-policy-action) +1. [Verify HTTPS access](#verify-access) +2. [Assign an enterprise trusted DHA-Service](#assign-trusted-dha-service) +3. [Instruct client to prepare DHA-data for verification](#prepare-health-data) +4. [Take action based on the clients response](#take-action-client-response) +5. [Instruct the client to forward DHA-data for verification](#forward-health-attestation) +6. [Post DHA-data to DHA-service](#forward-data-to-has) +7. [Receive response from DHA-service](#receive-has-response) +8. [Parse DHA-Report data. Take appropriate policy action based on evaluation results](#take-policy-action) Each step is described in detail in the following sections of this topic. @@ -638,7 +648,7 @@ Each step is described in detail in the following sections of this topic. Validate that both the MDM server and the device (MDM client) can access has.spserv.microsoft.com using the TCP protocol over port 443 (HTTPS). -You can use OpenSSL to validate access to DHA-Service. Here is a sample OpenSSL command and the response that was generated by DHA-Service: +You can use OpenSSL to validate access to DHA-Service. Here's a sample OpenSSL command and the response that was generated by DHA-Service: ```console PS C:\openssl> ./openssl.exe s_client -connect has.spserv.microsoft.com:443 @@ -688,6 +698,7 @@ SSL-Session: ### Step 2: Assign an enterprise trusted DHA-Service There are three types of DHA-Service: + - Device Health Attestation – Cloud (owned and operated by Microsoft) - Device Health Attestation – On Premise (owned and operated by an enterprise, runs on Windows Server 2016 on premises) - Device Health Attestation - Enterprise-Managed Cloud (owned and operated by an enterprise, runs on Windows Server 2016 compatible enterprise-managed cloud) @@ -736,15 +747,14 @@ The following example shows a sample call that triggers collection and verificat ``` -### Step 4: Take action based on the clients response - +### Step 4: Take action based on the client's response After the client receives the health attestation request, it sends a response. The following list describes the responses, along with a recommended action to take. - If the response is HEALTHATTESTATION\_CERT_RETRIEVAL_COMPLETE (3) then proceed to the next section. - If the response is HEALTHATTESTATION_CERT_RETRIEVAL_REQUESTED (1) or HEALTHATTESTATION_CERT_RETRIEVAL_UNINITIALIZED (0) wait for an alert, then proceed to the next section. -Here is a sample alert that is issued by DHA_CSP: +Here's a sample alert that is issued by DHA_CSP: ```xml @@ -762,14 +772,14 @@ Here is a sample alert that is issued by DHA_CSP: ``` -- If the response to the status node is not 0, 1 or 3, then troubleshoot the issue. For the complete list of status codes, see [Device HealthAttestation CSP status and error codes](#device-healthattestation-csp-status-and-error-codes). + +- If the response to the status node isn't 0, 1 or 3, then troubleshoot the issue. For the complete list of status codes, see [Device HealthAttestation CSP status and error codes](#device-healthattestation-csp-status-and-error-codes). ### Step 5: Instruct the client to forward health attestation data for verification - Create a call to the **Nonce**, **Certificate** and **CorrelationId** nodes, and pick up an encrypted payload that includes a health certificate and related data from the device. -Here is an example: +Here's an example: ```xml @@ -823,24 +833,24 @@ When the MDM-Server receives the above data, it must: - Forward (HTTP Post) the XML data struct (including the nonce that was appended in the previous step) to the assigned DHA-Service that runs on: - - DHA-Cloud (Microsoft owned and operated DHA-Service) scenario: https://has.spserv.microsoft.com/DeviceHealthAttestation/ValidateHealthCertificate/v3 - - DHA-OnPrem or DHA-EMC: https://FullyQualifiedDomainName-FDQN/DeviceHealthAttestation/ValidateHealthCertificate/v3 - + - DHA-Cloud (Microsoft owned and operated DHA-Service) scenario: [https://has.spserv.microsoft.com/DeviceHealthAttestation/ValidateHealthCertificate/v3](https://has.spserv.microsoft.com/DeviceHealthAttestation/ValidateHealthCertificate/v3) + - DHA-OnPrem or DHA-EMC: [https://FullyQualifiedDomainName-FDQN/DeviceHealthAttestation/ValidateHealthCertificate/v3](https://FullyQualifiedDomainName-FDQN/DeviceHealthAttestation/ValidateHealthCertificate/v3) ### Step 7: Receive response from the DHA-service When the Microsoft Device Health Attestation Service receives a request for verification, it performs the following steps: + - Decrypts the encrypted data it receives. -- Validates the data it has received -- Creates a report, and shares the evaluation results to the MDM server via SSL in XML format +- Validates the data it has received. +- Creates a report, and shares the evaluation results to the MDM server via SSL in XML format. ### Step 8: Take appropriate policy action based on evaluation results After the MDM server receives the verified data, the information can be used to make policy decisions by evaluating the data. Some possible actions would be: -- Allow the device access. -- Allow the device to access the resources, but flag the device for further investigation. -- Prevent a device from accessing resources. +- Allow the device access. +- Allow the device to access the resources, but flag the device for further investigation. +- Prevent a device from accessing resources. The following list of data points is verified by the DHA-Service in DHA-Report version 3: @@ -890,8 +900,8 @@ If AIKPresent = True (1), then allow access. If AIKPresent = False (0), then take one of the following actions that align with your enterprise policies: -- Disallow all access -- Disallow access to HBI assets +- Disallow all access. +- Disallow access to HBI assets. - Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history. - Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. @@ -911,34 +921,34 @@ Data Execution Prevention (DEP) Policy defines is a set of hardware and software DEPPolicy can be disabled or enabled by using the following commands in WMI or a PowerShell script: -- To disable DEP, type **bcdedit.exe /set {current} nx AlwaysOff** -- To enable DEP, type **bcdedit.exe /set {current} nx AlwaysOn** +- To disable DEP, type **bcdedit.exe /set {current} nx AlwaysOff** +- To enable DEP, type **bcdedit.exe /set {current} nx AlwaysOn** If DEPPolicy = 1 (On), then allow access. If DEPPolicy = 0 (Off), then take one of the following actions that align with your enterprise policies: -- Disallow all access -- Disallow access to HBI assets -- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history. -- Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. +- Disallow all access. +- Disallow access to HBI assets. +- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history. +- Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. **BitLockerStatus** (at boot time) -When BitLocker is reported "on" at boot time, the device is able to protect data that is stored on the drive from unauthorized access, when the system is turned off or goes to hibernation. +When BitLocker is reported "on" at boot time, the device is able to protect data that is stored on the drive from unauthorized access, when the system is turned off or goes to hibernation. -Windows BitLocker Drive Encryption, encrypts all data stored on the Windows operating system volume. BitLocker uses the TPM to help protect the Windows operating system and user data and helps to ensure that a computer is not tampered with, even if it is left unattended, lost, or stolen. +Windows BitLocker Drive Encryption, encrypts all data stored on the Windows operating system volume. BitLocker uses the TPM to help protect the Windows operating system and user data and helps to ensure that a computer isn't tampered with, even if it's left unattended, lost, or stolen. -If the computer is equipped with a compatible TPM, BitLocker uses the TPM to lock the encryption keys that protect the data. As a result, the keys cannot be accessed until the TPM has verified the state of the computer. +If the computer is equipped with a compatible TPM, BitLocker uses the TPM to lock the encryption keys that protect the data. As a result, the keys can't be accessed until the TPM has verified the state of the computer. If BitLockerStatus = 1 (On), then allow access. If BitLockerStatus = 0 (Off), then take one of the following actions that align with your enterprise policies: -- Disallow all access -- Disallow access to HBI assets -- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history. -- Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. +- Disallow all access.. +- Disallow access to HBI assets.. +- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history. +- Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. **BootManagerRevListVersion** @@ -948,23 +958,23 @@ If BootManagerRevListVersion = [CurrentVersion], then allow access. If BootManagerRevListVersion != [CurrentVersion], then take one of the following actions that align with your enterprise policies: -- Disallow all access -- Disallow access to HBI and MBI assets -- Place the device in a watch list to monitor the device more closely for potential risks. -- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue. +- Disallow all access.. +- Disallow access to HBI and MBI assets.. +- Place the device in a watch list to monitor the device more closely for potential risks. +- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue. **CodeIntegrityRevListVersion** -This attribute indicates the version of the code that is performing integrity checks during the boot sequence. Using this attribute can help you detect if the device is running the latest version of the code that performs integrity checks, or if it is exposed to security risks (revoked) and enforce an appropriate policy action. +This attribute indicates the version of the code that is performing integrity checks during the boot sequence. Using this attribute can help you detect if the device is running the latest version of the code that performs integrity checks, or if it's exposed to security risks (revoked) and enforces an appropriate policy action. If CodeIntegrityRevListVersion = [CurrentVersion], then allow access. If CodeIntegrityRevListVersion != [CurrentVersion], then take one of the following actions that align with your enterprise policies: -- Disallow all access -- Disallow access to HBI and MBI assets -- Place the device in a watch list to monitor the device more closely for potential risks. -- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue. +- Disallow all access.. +- Disallow access to HBI and MBI assets.. +- Place the device in a watch list to monitor the device more closely for potential risks. +- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue. **SecureBootEnabled** @@ -974,10 +984,10 @@ If SecureBootEnabled = 1 (True), then allow access. If SecurebootEnabled = 0 (False), then take one of the following actions that align with your enterprise policies: -- Disallow all access -- Disallow access to HBI assets -- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history. -- Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. +- Disallow all access. +- Disallow access to HBI assets. +- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history. +- Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. **BootDebuggingEnabled** @@ -985,17 +995,17 @@ Boot debug-enabled points to a device that is used in development and testing. D Boot debugging can be disabled or enabled by using the following commands in WMI or a PowerShell script: -- To disable boot debugging, type **bcdedit.exe /set {current} bootdebug off** -- To enable boot debugging, type **bcdedit.exe /set {current} bootdebug on** +- To disable boot debugging, type **bcdedit.exe /set {current} bootdebug off**. +- To enable boot debugging, type **bcdedit.exe /set {current} bootdebug on**. If BootdebuggingEnabled = 0 (False), then allow access. If BootDebuggingEnabled = 1 (True), then take one of the following actions that align with your enterprise policies: -- Disallow all access -- Disallow access to HBI assets -- Place the device in a watch list to monitor the device more closely for potential risks. -- Trigger a corrective action, such as enabling VSM using WMI or a PowerShell script. +- Disallow all access. +- Disallow access to HBI assets. +- Place the device in a watch list to monitor the device more closely for potential risks. +- Trigger a corrective action, such as enabling VSM using WMI or a PowerShell script. **OSKernelDebuggingEnabled** @@ -1005,10 +1015,10 @@ If OSKernelDebuggingEnabled = 0 (False), then allow access. If OSKernelDebuggingEnabled = 1 (True), then take one of the following actions that align with your enterprise policies: -- Disallow all access -- Disallow access to HBI assets -- Place the device in a watch list to monitor the device more closely for potential risks. -- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue. +- Disallow all access. +- Disallow access to HBI assets. +- Place the device in a watch list to monitor the device more closely for potential risks. +- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue. **CodeIntegrityEnabled** @@ -1022,28 +1032,28 @@ If CodeIntegrityEnabled = 1 (True), then allow access. If CodeIntegrityEnabled = 0 (False), then take one of the following actions that align with your enterprise policies: -- Disallow all access -- Disallow access to HBI assets -- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history. -- Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. +- Disallow all access. +- Disallow access to HBI assets. +- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history. +- Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. **TestSigningEnabled** -When test signing is enabled, the device does not enforce signature validation during boot, and allows the unsigned drivers (such as unsigned UEFI modules) to load during boot. +When test signing is enabled, the device doesn't enforce signature validation during boot, and allows the unsigned drivers (such as unsigned UEFI modules) to load during boot. Test signing can be disabled or enabled by using the following commands in WMI or a PowerShell script: -- To disable boot debugging, type **bcdedit.exe /set {current} testsigning off** -- To enable boot debugging, type **bcdedit.exe /set {current} testsigning on** +- To disable boot debugging, type **bcdedit.exe /set {current} testsigning off**. +- To enable boot debugging, type **bcdedit.exe /set {current} testsigning on**. If TestSigningEnabled = 0 (False), then allow access. If TestSigningEnabled = 1 (True), then take one of the following actions that align with your enterprise policies: -- Disallow all access -- Disallow access to HBI and MBI assets -- Place the device in a watch list to monitor the device more closely for potential risks. -- Trigger a corrective action, such as enabling test signing using WMI or a PowerShell script. +- Disallow all access. +- Disallow access to HBI and MBI assets. +- Place the device in a watch list to monitor the device more closely for potential risks. +- Trigger a corrective action, such as enabling test signing using WMI or a PowerShell script. **SafeMode** @@ -1053,9 +1063,9 @@ If SafeMode = 0 (False), then allow access. If SafeMode = 1 (True), then take one of the following actions that align with your enterprise policies: -- Disallow all access -- Disallow access to HBI assets -- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue. +- Disallow all access. +- Disallow access to HBI assets. +- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue. **WinPE** @@ -1067,7 +1077,7 @@ If WinPE = 1 (True), then limit access to remote resources that are required for **ELAMDriverLoaded** (Windows Defender) -To use this reporting feature, you must disable "Hybrid Resume" on the device. Early launch anti-malware (ELAM) provides protection for the computers in your network when they start up and before third-party drivers initialize. +To use this reporting feature, you must disable "Hybrid Resume" on the device. Early launch anti-malware (ELAM) provides protection for the computers in your network when they start up and before third-party drivers initialize. In the current release, this attribute only monitors/reports if a Microsoft first-party ELAM (Windows Defender) was loaded during initial boot. @@ -1077,9 +1087,9 @@ If a device is expected to use Windows Defender and ELAMDriverLoaded = 1 (True), If a device is expected to use Windows Defender and ELAMDriverLoaded = 0 (False), then take one of the following actions that align with your enterprise policies: -- Disallow all access -- Disallow access to HBI assets -- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue. +- Disallow all access. +- Disallow access to HBI assets. +- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue. **Bcdedit.exe /set {current} vsmlaunchtype auto** @@ -1087,9 +1097,9 @@ If ELAMDriverLoaded = 1 (True), then allow access. If ELAMDriverLoaded = 0 (False), then take one of the following actions that align with your enterprise policies: -- Disallow all access -- Disallow access to HBI assets -- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue. +- Disallow all access. +- Disallow access to HBI assets. +- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue. **VSMEnabled** @@ -1102,8 +1112,8 @@ VSM can be enabled by using the following command in WMI or a PowerShell script: If VSMEnabled = 1 (True), then allow access. If VSMEnabled = 0 (False), then take one of the following actions that align with your enterprise policies: -- Disallow all access -- Disallow access to HBI assets +- Disallow all access. +- Disallow access to HBI assets. - Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue **PCRHashAlgorithmID** @@ -1118,7 +1128,7 @@ If reported BootAppSVN equals an accepted value, then allow access. If reported BootAppSVN does not equal an accepted value, then take one of the following actions that align with your enterprise policies: -- Disallow all access +- Disallow all access. - Direct the device to an enterprise honeypot, to further monitor the device's activities. **BootManagerSVN** @@ -1129,7 +1139,7 @@ If reported BootManagerSVN equals an accepted value, then allow access. If reported BootManagerSVN does not equal an accepted value, then take one of the following actions that align with your enterprise policies: -- Disallow all access +- Disallow all access. - Direct the device to an enterprise honeypot, to further monitor the device's activities. **TPMVersion** @@ -1142,9 +1152,9 @@ This attribute identifies the version of the TPM that is running on the attested Based on the reply you receive from TPMVersion node: - If reported TPMVersion equals an accepted value, then allow access. -- If reported TPMVersion does not equal an accepted value, then take one of the following actions that align with your enterprise policies: - - Disallow all access - - Direct the device to an enterprise honeypot, to further monitor the device's activities. +- If reported TPMVersion doesn't equal an accepted value, then take one of the following actions that align with your enterprise policies: + - Disallow all access. + - Direct the device to an enterprise honeypot, to further monitor the device's activities. **PCR0** @@ -1152,24 +1162,24 @@ The measurement that is captured in PCR[0] typically represents a consistent vie Enterprise managers can create an allow list of trusted PCR[0] values, compare the PCR[0] value of the managed devices (the value that is verified and reported by HAS) with the allow list, and then make a trust decision based on the result of the comparison. -If your enterprise does not have a allow list of accepted PCR[0] values, then take no action. +If your enterprise doesn't have a allow list of accepted PCR[0] values, then take no action. If PCR[0] equals an accepted allow list value, then allow access. -If PCR[0] does not equal any accepted listed value, then take one of the following actions that align with your enterprise policies: +If PCR[0] doesn't equal any accepted listed value, then take one of the following actions that align with your enterprise policies: -- Disallow all access -- Direct the device to an enterprise honeypot, to further monitor the device's activities. +- Disallow all access. +- Direct the device to an enterprise honeypot, to further monitor the device's activities. **SBCPHash** SBCPHash is the finger print of the Custom Secure Boot Configuration Policy (SBCP) that was loaded during boot in Windows devices, except PCs. -If SBCPHash is not present, or is an accepted allow-listed value, then allow access. +If SBCPHash isn't present, or is an accepted allow-listed value, then allow access. -If SBCPHash is present in DHA-Report, and is not an allow-listed value, then take one of the following actions that align with your enterprise policies: +If SBCPHash is present in DHA-Report, and isn't an allow-listed value, then take one of the following actions that align with your enterprise policies: -- Disallow all access +- Disallow all access. - Place the device in a watch list to monitor the device more closely for potential risks. **CIPolicy** @@ -1180,7 +1190,7 @@ If CIPolicy is not present, or is an accepted allow-listed value, then allow acc If CIPolicy is present and is not an allow-listed value, then take one of the following actions that align with your enterprise policies: -- Disallow all access +- Disallow all access. - Place the device in a watch list to monitor the device more closely for potential risks. **BootRevListInfo** @@ -1191,7 +1201,7 @@ If reported BootRevListInfo version equals an accepted value, then allow access. If reported BootRevListInfo version does not equal an accepted value, then take one of the following actions that align with your enterprise policies: -- Disallow all access +- Disallow all access. - Direct the device to an enterprise honeypot, to further monitor the device's activities. **OSRevListInfo** @@ -1202,7 +1212,7 @@ If reported OSRevListInfo version equals an accepted value, then allow access. If reported OSRevListInfo version does not equal an accepted value, then take one of the following actions that align with your enterprise policies: -- Disallow all access +- Disallow all access. - Direct the device to an enterprise honeypot, to further monitor the device's activities. **HealthStatusMismatchFlags** @@ -1241,13 +1251,13 @@ Error code: 8 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FROM_WEB_FAIL Error description: Deprecated in Windows 10, version 1607. Error code: 9 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_INVALID_TPM_VERSION -Error description: Invalid TPM version (TPM version is not 1.2 or 2.0) +Error description: Invalid TPM version (TPM version isn't 1.2 or 2.0) Error code: 10 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_GETNONCE_FAIL -Error description: Nonce was not found in the registry. +Error description: Nonce wasn't found in the registry. Error code: 11 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_GETCORRELATIONID_FAIL -Error description: Correlation ID was not found in the registry. +Error description: Correlation ID wasn't found in the registry. Error code: 12 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_GETCERT_FAIL Error description: Deprecated in Windows 10, version 1607. @@ -1331,7 +1341,7 @@ Error code: 400 | Error name: Bad_Request_From_Client Error description: DHA-CSP has received a bad (malformed) attestation request. Error code: 404 | Error name: Endpoint_Not_Reachable -Error description: DHA-Service is not reachable by DHA-CSP +Error description: DHA-Service isn't reachable by DHA-CSP ### DHA-Report V3 schema diff --git a/windows/client-management/mdm/messaging-csp.md b/windows/client-management/mdm/messaging-csp.md index b50647fabd..eccd59cf77 100644 --- a/windows/client-management/mdm/messaging-csp.md +++ b/windows/client-management/mdm/messaging-csp.md @@ -1,6 +1,6 @@ --- title: Messaging CSP -description: Use the Messaging configuration service provider (CSP) to configure the ability to get text messages audited on a mobile device. +description: Learn how to use the Messaging configuration service provider (CSP) to configure the ability to get text messages audited on a mobile device. ms.author: dansimp ms.topic: article ms.prod: w10 @@ -30,37 +30,36 @@ Messaging **./User/Vendor/MSFT/Messaging** -

    Root node for the Messaging configuration service provider.

    +Root node for the Messaging configuration service provider. **AuditingLevel** -

    Turns on the "Text" auditing feature.

    -

    The following list shows the supported values:

    -
      -
    • 0 (Default) - Off
      • -
    • 1 - On
      • -
    -

    Supported operations are Get and Replace.

    +Turns on the "Text" auditing feature. +The following list shows the supported values: + +- 0 (Default) - Off +- 1 - On + +Supported operations are Get and Replace. **Auditing** -

    Node for auditing.

    -

    Supported operation is Get.

    +Node for auditing. +Supported operation is Get. **Messages** -

    Node for messages.

    -

    Supported operation is Get.

    +Node for messages. +Supported operation is Get. **Count** -

    The number of messages to return in the Data setting. The default is 100.

    -

    Supported operations are Get and Replace.

    +The number of messages to return in the Data setting. The default is 100. +Supported operations are Get and Replace. **RevisionId** -

    Retrieves messages whose revision ID is greater than RevisionId.

    -

    Supported operations are Get and Replace.

    +Retrieves messages whose revision ID is greater than RevisionId. +Supported operations are Get and Replace. **Data** -

    The JSON string of text messages on the device.

    -

    Supported operations are Get and Replace.

    - +The JSON string of text messages on the device. +Supported operations are Get and Replace. **SyncML example** @@ -111,3 +110,7 @@ Messaging     ``` + +## Related topics + +[Configuration service provider reference](configuration-service-provider-reference.md) \ No newline at end of file