deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 05:17:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

CSP Windows 11 updates -part3

Browse Source
This commit is contained in:
Alekhya Jupudi 2022-04-04 13:45:26 +05:30
parent 087acdbbdf
commit 057587225d
9 changed files with 522 additions and 349 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
windows/client-management/mdm/devicemanageability-csp.md
View File

@ -1,6 +1,6 @@
---
title: DeviceManageability CSP
description: The DeviceManageability configuration service provider (CSP) is used to retrieve general information about MDM configuration capabilities on the device.
description: Learn how the DeviceManageability configuration service provider (CSP) is used to retrieve general information about MDM configuration capabilities on the device.
ms.assetid: FE563221-D5B5-4EFD-9B60-44FE4066B0D2
ms.reviewer:
manager: dansimp
@ -14,10 +14,19 @@ ms.date: 11/01/2017
# DeviceManageability CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The DeviceManageability configuration service provider (CSP) is used to retrieve the general information about MDM configuration capabilities on the device. This CSP was added in Windows 10, version 1607.
For performance reasons, DeviceManageability CSP directly reads the CSP version from the registry. Specifically, the value csp\_version is used to determine each of the CSP versions. The csp\_version is a value under each of the CSP registration keys. To have consistency on the CSP version, the CSP GetProperty implementation for CFGMGR\_PROPERTY\_SEMANTICTYPE has to be updated to read from the registry as well, so that the both paths return the same information.
For performance reasons, DeviceManageability CSP directly reads the CSP version from the registry. Specifically, the value csp\_version is used to determine each of the CSP versions. The csp\_version is a value under each of the CSP registration keys. To have consistency on the CSP version, the CSP GetProperty implementation for CFGMGR\_PROPERTY\_SEMANTICTYPE has to be updated to read from the registry as well, so that both the paths return the same information.
The following shows the DeviceManageability configuration service provider in a tree format.
```
@ -30,6 +39,7 @@ DeviceManageability
------------ConfigInfo (Added in Windows 10, version 1709)
------------EnrollmentInfo (Added in Windows 10, version 1709)
```
<a href="" id="--device-vendor-msft-devicemanageability"></a>**./Device/Vendor/MSFT/DeviceManageability**
Root node to group information about runtime MDM configuration capability on the target device.
@ -46,18 +56,24 @@ Added in Windows 10, version 1709. Interior node.
Added in Windows 10, version 1709. Provider ID of the configuration source. ProviderID should be unique among the different config sources.
<a href="" id="capabilities-cspversions"></a>**Provider/_ProviderID_/ConfigInfo**
Added in Windows 10, version 1709. Configuration information string value set by the configuration source. Recommended to be used during sync session.
Added in Windows 10, version 1709. Configuration information string value set by the configuration source. Recommended to use during sync session.
ConfigInfo value can only be set by the provider that owns the ProviderID. The value is readable by other config sources.
Data type is string. Supported operations are Add, Get, Delete, and Replace.
Data type is string.
Supported operations are Add, Get, Delete, and Replace.
<a href="" id="capabilities-cspversions"></a>**Provider/_ProviderID_/EnrollmentInfo**
Added in Windows 10, version 1709. Enrollment information string value set by the configuration source and sent during MDM enrollment. It is readable by MDM server during sync session.
Data type is string. Supported operations are Add, Get, Delete, and Replace. 
Added in Windows 10, version 1709. Enrollment information string value set by the configuration source and sent during MDM enrollment. It's readable by MDM server during sync session.
Data type is string.
Supported operations are Add, Get, Delete, and Replace. 
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)

124
windows/client-management/mdm/devicestatus-csp.md
View File

@ -1,6 +1,6 @@
---
title: DeviceStatus CSP
description: The DeviceStatus configuration service provider keeps track of device inventory and queries the compliance state of devices within the enterprise.
description: Learn how the DeviceStatus configuration service provider keeps track of device inventory and queries the compliance state of devices within the enterprise.
ms.assetid: 039B2010-9290-4A6E-B77B-B2469B482360
ms.reviewer:
manager: dansimp
@ -14,6 +14,15 @@ ms.date: 06/25/2021
# DeviceStatus CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The DeviceStatus configuration service provider is used by the enterprise to keep track of device inventory and query the state of compliance of these devices with their enterprise policies.
@ -63,15 +72,16 @@ DeviceStatus
--------VirtualizationBasedSecurityStatus
--------LsaCfgCredGuardStatus
```
<a href="" id="devicestatus"></a>**DeviceStatus**
The root node for the DeviceStatus configuration service provider.
<a href="" id="devicestatus-securebootstate"></a>**DeviceStatus/SecureBootState**
Indicates whether secure boot is enabled. The value is one of the following:
- 0 - Not supported
- 1 - Enabled
- 2 - Disabled
- 0 - Not supported
- 1 - Enabled
- 2 - Disabled
Supported operation is Get.
@ -138,9 +148,9 @@ Supported operation is Get.
<a href="" id="devicestatus-networkidentifiers-macaddress-type"></a>**DeviceStatus/NetworkIdentifiers/*MacAddress*/Type**
Type of network connection. The value is one of the following:
- 2 - WLAN (or other Wireless interface)
- 1 - LAN (or other Wired interface)
- 0 - Unknown
- 2 - WLAN (or other Wireless interface)
- 1 - LAN (or other Wired interface)
- 0 - Unknown
Supported operation is Get.
@ -150,8 +160,8 @@ Node for the compliance query.
<a href="" id="devicestatus-compliance-encryptioncompliance"></a>**DeviceStatus/Compliance/EncryptionCompliance**
Boolean value that indicates compliance with the enterprise encryption policy for OS (system) drives. The value is one of the following:
- 0 - Not encrypted
- 1 - Encrypted
- 0 - Not encrypted
- 1 - Encrypted
Supported operation is Get.
@ -179,8 +189,9 @@ Supported operation is Get.
Added in Windows, version 1803. Read only node that specifies the device mode.
Valid values:
- 0 - The device is in standard configuration
- 1 - The device is in S mode configuration
- 0 - The device is in standard configuration.
- 1 - The device is in S mode configuration.
Supported operation is Get.
@ -194,15 +205,16 @@ Added in Windows, version 1607. Integer that specifies the status of the antivi
Valid values:
- 0 - The security software reports that it is not the most recent version.
- 1 (default) - The security software reports that it is the most recent version.
- 2 Not applicable. This is returned for devices like the phone that do not have an antivirus (where the API doesnt exist.)
- 0 - The security software reports that it isn't the most recent version.
- 1 (default) - The security software reports that it's the most recent version.
- 2 Not applicable. It is returned for devices like the phone that don't have an antivirus (where the API doesnt exist.)
Supported operation is Get.
If more than one antivirus provider is active, this node returns:
- 1 If every active antivirus provider has a valid signature status.
- 0 If any of the active antivirus providers has an invalid signature status.
- 1 If every active antivirus provider has a valid signature status.
- 0 If any of the active antivirus providers has an invalid signature status.
This node also returns 0 when no antivirus provider is active.
@ -211,45 +223,46 @@ Added in Windows, version 1607. Integer that specifies the status of the antivi
Valid values:
- 0 Antivirus is on and monitoring.
- 1 Antivirus is disabled.
- 2 Antivirus is not monitoring the device/PC or some options have been turned off.
- 3 (default) Antivirus is temporarily not completely monitoring the device/PC.
- 4 Antivirus not applicable for this device. This is returned for devices like the phone that do not have an antivirus (where the API doesnt exist.)
- 0 Antivirus is on and monitoring.
- 1 Antivirus is disabled.
- 2 Antivirus isn't monitoring the device/PC or some options have been turned off.
- 3 (default) Antivirus is temporarily not completely monitoring the device/PC.
- 4 Antivirus not applicable for this device. It is returned for devices like the phone that don't have an antivirus (where the API doesnt exist).
Supported operation is Get.
<a href="" id="devicestatus-antispyware"></a>**DeviceStatus/Antispyware**
Added in Windows, version 1607. Node for the antispyware query.
Added in Windows, version 1607. Node for the anti-spyware query.
Supported operation is Get.
<a href="" id="devicestatus-antispyware-signaturestatus"></a>**DeviceStatus/Antispyware/SignatureStatus**
Added in Windows, version 1607. Integer that specifies the status of the antispyware signature.
Added in Windows, version 1607. Integer that specifies the status of the anti-spyware signature.
Valid values:
- 0 - The security software reports that it is not the most recent version.
- 1 - The security software reports that it is the most recent version.
- 2 - Not applicable. This is returned for devices like the phone that do not have an antivirus (where the API doesnt exist.)
- 0 - The security software reports that it isn't the most recent version.
- 1 - The security software reports that it's the most recent version.
- 2 - Not applicable. It is returned for devices like the phone that don't have an antivirus (where the API doesnt exist.)
Supported operation is Get.
If more than one antispyware provider is active, this node returns:
- 1 If every active antispyware provider has a valid signature status.
- 0 If any of the active antispyware providers has an invalid signature status.
If more than one anti-spyware provider is active, this node returns:
This node also returns 0 when no antispyware provider is active.
- 1 If every active anti-spyware provider has a valid signature status.
- 0 If any of the active anti-spyware providers has an invalid signature status.
This node also returns 0 when no anti-spyware provider is active.
<a href="" id="devicestatus-antispyware-status"></a>**DeviceStatus/Antispyware/Status**
Added in Windows, version 1607. Integer that specifies the status of the antispyware.
Added in Windows, version 1607. Integer that specifies the status of the anti-spyware.
Valid values:
- 0 - The status of the security provider category is good and does not need user attention.
- 1 - The status of the security provider category is not monitored by Windows Security.
- 0 - The status of the security provider category is good and doesn't need user attention.
- 1 - The status of the security provider category isn't monitored by Windows Security.
- 2 - The status of the security provider category is poor and the computer may be at risk.
- 3 - The security provider category is in snooze state. Snooze indicates that the Windows Security Service is not actively protecting the computer.
- 3 - The security provider category is in snooze state. Snooze indicates that the Windows Security Service isn't actively protecting the computer.
Supported operation is Get.
@ -263,11 +276,11 @@ Added in Windows, version 1607. Integer that specifies the status of the firewa
Valid values:
- 0 Firewall is on and monitoring.
- 1 Firewall has been disabled.
- 2 Firewall is not monitoring all networks or some rules have been turned off.
- 3 (default) Firewall is temporarily not monitoring all networks.
- 4 Not applicable. This is returned for devices like the phone that do not have an antivirus (where the API doesnt exist.)
- 0 Firewall is on and monitoring.
- 1 Firewall has been disabled.
- 2 Firewall isn't monitoring all networks or some rules have been turned off.
- 3 (default) Firewall is temporarily not monitoring all networks.
- 4 Not applicable. This is returned for devices like the phone that don't have an antivirus (where the API doesnt exist.)
Supported operation is Get.
@ -292,21 +305,21 @@ Added in Windows, version 1607. Integer that specifies the status of the batter
Supported operation is Get.
<a href="" id="devicestatus-battery-estimatedchargeremaining"></a>**DeviceStatus/Battery/EstimatedChargeRemaining**
Added in Windows, version 1607. Integer that specifies the estimated battery charge remaining. This is the value returned in **BatteryLifeTime** in [SYSTEM\_POWER\_STATUS structure](/windows/win32/api/winbase/ns-winbase-system_power_status).
Added in Windows, version 1607. Integer that specifies the estimated battery charge remaining. It is the value returned in **BatteryLifeTime** in [SYSTEM\_POWER\_STATUS structure](/windows/win32/api/winbase/ns-winbase-system_power_status).
The value is the number of seconds of battery life remaining when the device is not connected to an AC power source. When it is connected to a power source, the value is -1. When the estimation is unknown, the value is -1.
The value is the number of seconds of battery life remaining when the device isn't connected to an AC power source. When it's connected to a power source, the value is -1. When the estimation is unknown, the value is -1.
Supported operation is Get.
<a href="" id="devicestatus-battery-estimatedruntime"></a>**DeviceStatus/Battery/EstimatedRuntime**
Added in Windows, version 1607. Integer that specifies the estimated runtime of the battery. This is the value returned in **BatteryLifeTime** in [SYSTEM\_POWER\_STATUS structure](/windows/win32/api/winbase/ns-winbase-system_power_status).
Added in Windows, version 1607. Integer that specifies the estimated runtime of the battery. It is the value returned in **BatteryLifeTime** in [SYSTEM\_POWER\_STATUS structure](/windows/win32/api/winbase/ns-winbase-system_power_status).
The value is the number of seconds of battery life remaining when the device is not connected to an AC power source. When it is connected to a power source, the value is -1. When the estimation is unknown, the value is -1.
The value is the number of seconds of battery life remaining when the device isn't connected to an AC power source. When it's connected to a power source, the value is -1. When the estimation is unknown, the value is -1.
Supported operation is Get.
<a href="" id="devicestatus-domainname"></a>**DeviceStatus/DomainName**
Added in Windows, version 1709. Returns the fully qualified domain name of the device (if any). If the device is not domain-joined, it returns an empty string.
Added in Windows, version 1709. Returns the fully qualified domain name of the device (if any). If the device isn't domain-joined, it returns an empty string.
Supported operation is Get.
@ -318,24 +331,24 @@ Supported operation is Get.
<a href="" id="devicestatus-deviceguard-virtualizationbasedsecurityhwreq"></a>**DeviceStatus/DeviceGuard/VirtualizationBasedSecurityHwReq**
Added in Windows, version 1709. Virtualization-based security hardware requirement status. The value is a 256 value bitmask.
- 0x0: System meets hardware configuration requirements
- 0x1: SecureBoot required
- 0x2: DMA Protection required
- 0x4: HyperV not supported for Guest VM
- 0x8: HyperV feature is not available
- 0x0: System meets hardware configuration requirements.
- 0x1: SecureBoot required.
- 0x2: DMA Protection required.
- 0x4: HyperV not supported for Guest VM.
- 0x8: HyperV feature isn't available.
Supported operation is Get.
<a href="" id="devicestatus-deviceguard-virtualizationbasedsecuritystatus"></a>**DeviceStatus/DeviceGuard/VirtualizationBasedSecurityStatus**
Added in Windows, version 1709. Virtualization-based security status. Value is one of the following:
- 0 - Running
- 1 - Reboot required
- 2 - 64 bit architecture required
- 2 - 64-bit architecture required
- 3 - Not licensed
- 4 - Not configured
- 5 - System doesn't meet hardware requirements
- 42 Other. Event logs in Microsoft-Windows-DeviceGuard have more details
- 42 Other. Event logs in Microsoft-Windows-DeviceGuard have more details.
Supported operation is Get.
@ -346,7 +359,10 @@ Added in Windows, version 1709. Local System Authority (LSA) credential guard s
- 1 - Reboot required
- 2 - Not licensed for Credential Guard
- 3 - Not configured
- 4 - VBS not running
- 4 - VBS not running
Supported operation is Get.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)

47
windows/client-management/mdm/devinfo-csp.md
View File

@ -1,6 +1,6 @@
---
title: DevInfo CSP
description: Learn now the DevInfo configuration service provider handles the managed object which provides device information to the OMA DM server.
description: Learn how the DevInfo configuration service provider handles the managed object that provides device information to the OMA DM server.
ms.assetid: d3eb70db-1ce9-4c72-a13d-651137c1713c
ms.reviewer:
manager: dansimp
@ -14,17 +14,25 @@ ms.date: 06/26/2017
# DevInfo CSP
The table below shows the applicability of Windows:
The DevInfo configuration service provider handles the managed object which provides device information to the OMA DM server. This device information is automatically sent to the OMA DM server at the beginning of each OMA DM session.
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The DevInfo configuration service provider handles the managed object, which provides device information to the OMA DM server. This device information is automatically sent to the OMA DM server at the beginning of each OMA DM session.
> [!NOTE]
> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application.
 
For the DevInfo CSP, you can't use the Replace command unless the node already exists.
For the DevInfo CSP, you cannot use the Replace command unless the node already exists.
The following shows the DevInfo configuration service provider management object in tree format as used by OMA Device Management. The OMA Client provisioning protocol isn't supported by this configuration service provider.
The following shows the DevInfo configuration service provider management object in tree format as used by OMA Device Management. The OMA Client provisioning protocol is not supported by this configuration service provider.
```
.
DevInfo
@ -34,6 +42,7 @@ DevInfo
----DmV
----Lang
```
<a href="" id="devid"></a>**DevId**
Required. Returns an application-specific global unique device identifier by default.
@ -41,25 +50,22 @@ Supported operation is Get.
The **UseHWDevID** parm of the [DMAcc configuration service provider](dmacc-csp.md) or DMS configuration service provider can be used to modify the return value to instead return a hardware device ID as follows:
- For GSM phones, the IMEI is returned.
- For CDMA phones, the MEID is returned.
- For dual SIM phones, this value is retrieved from the UICC of the primary data line.
- For Windows 10 for desktop editions (Home, Pro, Enterprise, and Education), it returns an application specific global unique identifier (GUID) irrespective of the value of UseHWDevID.
- For GSM phones, the IMEI is returned.
- For CDMA phones, the MEID is returned.
- For dual SIM phones, this value is retrieved from the UICC of the primary data line.
- For Windows 10 for desktop editions (Home, Pro, Enterprise, and Education), it returns an application specific global unique identifier (GUID) irrespective of the value of UseHWDevID.
<a href="" id="man"></a>**Man**
Required. Returns the name of the OEM. For Windows 10 for desktop editions, it returns the SystemManufacturer as defined in HKEY\_LOCAL\_MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemManufacturer.
If no name is found, this returns "Unknown".
If no name is found, this returns to "Unknown".
Supported operation is Get.
<a href="" id="mod"></a>**Mod**
Required. Returns the name of the hardware device model as specified by the mobile operator. For Windows 10 for desktop editions, it returns the SystemProductName as defined in HKEY\_LOCAL\_MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemProductName.
Required. Returns the name of the hardware device model as specified by the mobile operator. For Windows 10/Windows 11 desktop editions, it returns the SystemProductName as defined in HKEY\_LOCAL\_MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemProductName.
If no name is found, this returns "Unknown".
If no name is found, this returns to "Unknown".
Supported operation is Get.
@ -75,15 +81,4 @@ Supported operation is Get.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
 
 

164
windows/client-management/mdm/diagnosticlog-csp.md
View File

@ -14,17 +14,29 @@ ms.date: 11/19/2019
# DiagnosticLog CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The DiagnosticLog configuration service provider (CSP) provides the following feature areas:
- [DiagnosticArchive area](#diagnosticarchive-area). Capture and upload event logs, log files, and registry values for troubleshooting.
- [Policy area](#policy-area). Configure Windows event log policies, such as maximum log size.
- [EtwLog area](#etwlog-area). Control ETW trace sessions.
- [DeviceStateData area](#devicestatedata-area). Provide additional device information.
- [FileDownload area](#filedownload-area). Pull trace and state data directly from the device.
- [DiagnosticArchive area](#diagnosticarchive-area): Captures and uploads event logs, log files, and registry values for troubleshooting.
- [Policy area](#policy-area): Configures Windows event log policies, such as maximum log size.
- [EtwLog area](#etwlog-area): Controls ETW trace sessions.
- [DeviceStateData area](#devicestatedata-area): Provides additional device information.
- [FileDownload area](#filedownload-area): Pulls trace and state data directly from the device.
The following are the links to different versions of the DiagnosticLog CSP DDF files:
- [DiagnosticLog CSP version 1.4](diagnosticlog-ddf.md#version-1-4)
- [DiagnosticLog CSP version 1.3](diagnosticlog-ddf.md#version-1-3)
- [DiagnosticLog CSP version 1.2](diagnosticlog-ddf.md#version-1-2)
- [DiagnosticLog CSP version 1.4](diagnosticlog-ddf.md#version-1-4)
- [DiagnosticLog CSP version 1.3](diagnosticlog-ddf.md#version-1-3)
- [DiagnosticLog CSP version 1.2](diagnosticlog-ddf.md#version-1-2)
The following shows the DiagnosticLog CSP in tree format.
@ -68,7 +80,9 @@ Rest of the nodes in the DiagnosticLog CSP are described within their respective
## DiagnosticArchive area
The DiagnosticArchive functionality within the DiagnosticLog CSP is used to trigger devices to gather troubleshooting data into a zip archive file and upload that archive to cloud storage. DiagnosticArchive is designed for ad-hoc troubleshooting scenarios, such as an IT admin investigating an app installation failure using a collection of event log events, registry values, and app or OS log files.
The DiagnosticArchive functionality within the DiagnosticLog CSP is used to trigger devices to gather troubleshooting data into a zip archive file and upload that archive to cloud storage.
DiagnosticArchive is designed for ad-hoc troubleshooting scenarios, such as an IT admin investigating an app installation failure using a collection of event log events, registry values, and app or OS log files.
> [!NOTE]
> DiagnosticArchive is a "break glass" backstop option for device troubleshooting. Diagnostic data such as log files can grow to many gigabytes. Gathering, transferring, and storing large amounts of data may burden the user's device, the network and cloud storage. Management servers invoking DiagnosticArchive must take care to minimize data gathering frequency and scope.
@ -90,7 +104,7 @@ The data type is string.
Expected value:
Set and Execute are functionality equivalent, and each accepts a `Collection` XML snippet (as a string) describing what data to gather and where to upload it. The results are zipped and uploaded to the specified SasUrl. The zipped filename format is "DiagLogs-{ComputerName}-YYYYMMDDTHHMMSSZ.zip".
With Windows 10 KB5011543, Windows 11 KB5011563 we have added support for an additional element which will determine whether the output file generated by the CSP is a flattened folder structure, instead of having individual folders for each directive in the XML.
With Windows 10 KB5011543, Windows 11 KB5011563, we have added support for an extra element that will determine whether the output file generated by the CSP is a flattened folder structure, instead of having individual folders for each directive in the XML.
The following is an example of a `Collection` XML.
@ -110,15 +124,17 @@ The following is an example of a `Collection` XML.
</Collection>
```
The XML should include the following elements within the `Collection` element:
**ID**
**ID**:
The ID value uniquely identifies this data-gathering request. To avoid accidental repetition of data gathering, the CSP ignores subsequent Set or Execute invocations with the same ID value. The CSP expects the value to be populated when the request is received, so it must be generated by the IT admin or the management server.
**SasUrl**
The SasUrl value is the target URI to which the CSP uploads the zip file containing the gathered data. It is the responsibility of the management server to provision storage in such a way that the storage server accepts the device's HTTP PUT to this URL. For example, the device management service could:
- Provision cloud storage reachable by the target device, such as a Microsoft Azure blob storage container
- Generate a Shared Access Signature URL granting the possessor (the target device) time-limited write access to the storage container
**SasUrl**:
The SasUrl value is the target URI to which the CSP uploads the zip file containing the gathered data. It's the responsibility of the management server to provision storage in such a way that the storage server accepts the device's HTTP PUT to this URL. For example, the device management service could:
- Provision cloud storage reachable by the target device, such as a Microsoft Azure blob storage container.
- Generate a Shared Access Signature URL granting the possessor (the target device) time-limited write access to the storage container.
- Pass this value to the CSP on the target device through the `Collection` XML as the `SasUrl` value.
**One or more data gathering directives, which may include any of the following:**
@ -132,12 +148,14 @@ The SasUrl value is the target URI to which the CSP uploads the zip file contain
- **Events**
- Exports all events from the named Windows event log.
- Expected input value: A named event log channel such as "Application" or "Microsoft-Windows-DeviceGuard/Operational".
- Output format: Creates a .evtx file.
- Output format: Creates an .evtx file.
- **Commands**
- This directive type allows the execution of specific commands such as ipconfig.exe. Note that DiagnosticArchive and the Commands directives are not a general-purpose scripting platform. These commands are allowed in the DiagnosticArchive context to handle cases where critical device information may not be available through existing log files.
- This directive type allows the execution of specific commands such as ipconfig.exe.
> [!Note]
>The DiagnosticArchive and the Commands directives are not a general-purpose scripting platform. These commands are allowed in the DiagnosticArchive context to handle cases where critical device information may not be available through existing log files.
- Expected input value: The full command line including path and any arguments, such as `%windir%\\system32\\ipconfig.exe /all`.
- Output format: Console text output from the command is captured in a text file and included in the overall output archive. For commands which may generate file output rather than console output, a subsequent FolderFiles directive would be used to capture that output. The example XML above demonstrates this pattern with mdmdiagnosticstool.exe's -out parameter.
- Output format: Console text output from the command is captured in a text file and included in the overall output archive. For commands that may generate file output rather than console output, a subsequent FolderFiles directive would be used to capture that output. The example XML above demonstrates this pattern with mdmdiagnosticstool.exe's -out parameter.
- Privacy guardrails: To enable diagnostic data capture while reducing the risk of an IT admin inadvertently capturing user-generated documents, only the following commands are allowed:
- %windir%\\system32\\certutil.exe
- %windir%\\system32\\dxdiag.exe
@ -183,7 +201,6 @@ The SasUrl value is the target URI to which the CSP uploads the zip file contain
- Flattens folder structure, instead of having individual folders for each directive in the XML.
- The value “Flattened” is the only supported value for the OutputFileFormat. If the OutputFileFormat is absent in the XML, or if explicitly set to something other than Flattened, it will leave the file structure in old structure.
<a href="" id="diagnosticarchive-archiveresults"></a>**DiagnosticArchive/ArchiveResults**
Added in version 1.4 of the CSP in Windows 10, version 1903. This policy setting displays the results of the last archive run.
@ -191,7 +208,7 @@ The supported operation is Get.
The data type is string.
A Get to the above URI will return the results of the data gathering for the last diagnostics request. For the example above it returns:
A Get to the above URI will return the results of the data gathering for the last diagnostics request. For the example above:
``` xml
<SyncML>
@ -241,7 +258,7 @@ Each data gathering node is annotated with the HRESULT of the action and the col
### Making use of the uploaded data
The zip archive which is created and uploaded by the CSP contains a folder structure like the following:
The zip archive that is created and uploaded by the CSP contains a folder structure like the following:
```powershell
PS C:\> dir C:\DiagArchiveExamples\DiagLogs-MYDEVICE-20201202T182748Z
@ -254,6 +271,7 @@ la--- 1/4/2021 2:45 PM 1
la--- 1/4/2021 2:45 PM 2
la--- 12/2/2020 6:27 PM 2701 results.xml
```
Each data gathering directive from the original `Collection` XML corresponds to a folder in the output.
For example, the first directive was:
@ -262,7 +280,8 @@ For example, the first directive was:
<RegistryKey HRESULT="0">HKLM\Software\Policies</RegistryKey>
</Collection>
```
then folder `1` will contain the corresponding `export.reg` file.
Then, folder `1` will contain the corresponding `export.reg` file.
The `results.xml` file is the authoritative map to the output. It includes a status code for each directive. The order of the directives in the file corresponds to the order of the output folders. Using `results.xml` the administrator can see what data was gathered, what failures may have occurred, and which folders contain which output. For example, the following `results.xml` content indicates that registry export of HKLM\Software\Policies was successful and the data can be found in folder `1`. It also indicates that `netsh.exe wlan show profiles` command failed.
@ -275,10 +294,13 @@ The `results.xml` file is the authoritative map to the output. It includes a sta
```
Administrators can apply automation to 'results.xml' to create their own preferred views of the data. For example, the following PowerShell one-liner extracts from the XML an ordered list of the directives with status code and details.
```powershell
Select-XML -Path results.xml -XPath '//RegistryKey | //Command | //Events | //FoldersFiles' | Foreach-Object -Begin {$i=1} -Process { [pscustomobject]@{DirectiveNumber=$i; DirectiveHRESULT=$_.Node.HRESULT; DirectiveInput=$_.Node.('#text')} ; $i++}
```
This example produces output similar to the following:
```
DirectiveNumber DirectiveHRESULT DirectiveInput
--------------- ---------------- --------------
@ -335,7 +357,8 @@ foreach( $element in $resultElements )
#endregion
Remove-Item -Path $diagnosticArchiveTempUnzippedPath -Force -Recurse
```
That example script produces a set of files similar to the following, which can be a useful view for an administrator interactively browsing the results without needing to navigate any sub-folders or refer to `results.xml` repeatedly:
That example script produces a set of files similar to the following, which can be a useful view for an administrator interactively browsing the results without needing to navigate any subfolders or to refer `results.xml` repeatedly:
```powershell
PS C:\> dir C:\DiagArchiveExamples\DiagLogs-MYDEVICE-20201202T182748Z.zip_formatted | format-table Length,Name
@ -375,8 +398,8 @@ Added in version 1.4 of the CSP in Windows 10, version 1903. Dynamic node to rep
Supported operations are Add, Delete, and Get.
Add **Channel**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
@ -398,7 +421,9 @@ Add **Channel**
</SyncBody>
</SyncML>
```
Delete **Channel**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
@ -416,7 +441,9 @@ Delete **Channel**
</SyncBody>
</SyncML>
```
Get **Channel**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
@ -434,18 +461,20 @@ Get **Channel**
</SyncBody>
</SyncML>
```
<a href="" id="policy-channels-channelname-maximumfilesize"></a>**Policy/Channels/_ChannelName_/MaximumFileSize**
Added in version 1.4 of the CSP in Windows 10, version 1903. This policy setting specifies the maximum size of the log file in megabytes.
If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte and 2 terabytes in megabyte increments.
If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog, and it defaults to 1 megabyte.
If you disable or don't configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog, and it defaults to 1 megabyte.
Supported operations are Add, Delete, Get, and Replace.
The data type is integer.
Add **MaximumFileSize**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
@ -470,6 +499,7 @@ Add **MaximumFileSize**
```
Delete **MaximumFileSize**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
@ -487,7 +517,9 @@ Delete **MaximumFileSize**
</SyncBody>
</SyncML>
```
Get **MaximumFileSize**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
@ -507,6 +539,7 @@ Get **MaximumFileSize**
```
Replace **MaximumFileSize**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
@ -542,6 +575,7 @@ Default string is as follows:
`https://docs.microsoft.com/windows/'desktop/WES/eventmanifestschema-channeltype-complextype`
Add **SDDL**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
@ -566,6 +600,7 @@ Add **SDDL**
```
Delete **SDDL**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
@ -586,6 +621,7 @@ Delete **SDDL**
```
Get **SDDL**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
@ -605,6 +641,7 @@ Get **SDDL**
```
Replace **SDDL**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
@ -636,14 +673,15 @@ Supported operations are Add, Delete, Get, and Replace.
The data type is string.
The following are the possible values:
- Truncate — When the log file reaches its maximum file size, new events are not written to the log and are lost.
- Overwrite — When the log file reaches its maximum file size, new events overwrite old events.
- Archive — When the log file reaches its maximum size, the log file is saved to the location specified by the "Archive Location" policy setting. If archive location value is not set, the new file is saved in the same directory as current log file.
If you disable or do not configure this policy setting, the locally configured value will be used as default. Every channel that is installed, whether inbox or by ISVs, is responsible for defining its own local configuration, and that configuration can be changed by any administrator. Values set via this policy override but do not replace local configuration.
- Truncate—When the log file reaches its maximum file size, new events aren't written to the log and are lost.
- Overwrite—When the log file reaches its maximum file size, new events overwrite old events.
- Archive—When the log file reaches its maximum size, the log file is saved to the location specified by the "Archive Location" policy setting. If archive location value isn't set, the new file is saved in the same directory as current log file.
If you disable or don't configure this policy setting, the locally configured value will be used as default. Every channel that is installed, whether inbox or by ISVs, is responsible for defining its own local configuration, and that configuration can be changed by any administrator. Values set via this policy override but don't replace local configuration.
Add **ActionWhenFull**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
@ -668,6 +706,7 @@ Add **ActionWhenFull**
```
Delete **ActionWhenFull**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
@ -687,6 +726,7 @@ Delete **ActionWhenFull**
```
Get **ActionWhenFull**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
@ -706,6 +746,7 @@ Get **ActionWhenFull**
```
Replace **ActionWhenFull**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
@ -737,12 +778,14 @@ Supported operations are Add, Delete, Get, and Replace.
The data type is boolean.
The following are the possible values:
- TRUE — Enables the channel.
- FALSE — Disables the channel.
If you disable or do not configure this policy setting, the locally configured value is used as default.
- TRUE—Enables the channel.
- FALSE—Disables the channel.
If you disable or don't configure this policy setting, the locally configured value is used as default.
Get **Enabled**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
@ -762,6 +805,7 @@ Get **Enabled**
```
Add **Enabled**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
@ -786,6 +830,7 @@ Add **Enabled**
```
Delete **Enabled**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
@ -805,6 +850,7 @@ Delete **Enabled**
```
Replace **Enabled**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
@ -831,6 +877,7 @@ Replace **Enabled**
## EtwLog area
The Event Tracing for Windows (ETW) log feature of the DiagnosticLog CSP is used to control the following types of event tracing:
- [Collector-based tracing](#collector-based-tracing)
- [Channel-based tracing](#channel-based-tracing)
@ -842,31 +889,31 @@ This type of event tracing collects event data from a collection of registered E
An event collector is a container of registered ETW providers. Users can add or delete a collector node and register or unregister multiple providers in this collector.
The ***CollectorName*** must be unique within the CSP and must not be a valid event channel name or a provider GUID.
The *CollectorName* must be unique within the CSP and must not be a valid event channel name or a provider GUID.
The DiagnosticLog CSP maintains a log file for each collector node and the log file is overwritten if a start command is triggered again on the same collector node.
For each collector node, the user can:
- Start or stop the session with all registered and enabled providers
- Query session status
- Change trace log file mode
- Change trace log file size limit
- Start or stop the session with all registered and enabled providers.
- Query session status.
- Change trace log file mode.
- Change trace log file size limit.
The configurations log file mode and log file size limit does not take effect while trace session is in progress. These are applied when user stops the current session and then starts it again for this collector.
The configurations log file mode and log file size limit doesn't take effect while trace session is in progress. These are applied when user stops the current session and then starts it again for this collector.
For each registered provider in this collector, the user can:
- Specify keywords to filter events from this provider
- Change trace level to filter events from this provider
- Enable or disable the provider in the trace session
- Specify keywords to filter events from this provider.
- Change trace level to filter events from this provider.
- Enable or disable the provider in the trace session.
The changes on **State**, **Keywords**, and **TraceLevel** takes effect immediately while trace session is in progress.
> [!NOTE]
> Microsoft-WindowsPhone-Enterprise-Diagnostics-Provider (GUID - 3da494e4-0fe2-415C-b895-fb5265c5c83b) has the required debug resource files built into Windows OS, which will allow the logs files to be decoded on the remote machine. Any other logs may not have the debug resources required to decode.
### Channel-based tracing
### Channel-based tracing
The type of event tracing exports event data from a specific channel. This is only supported on the desktop.
@ -876,9 +923,9 @@ The DiagnosticLog CSP maintains a log file for each channel node and the log fil
For each channel node, the user can:
- Export channel event data into a log file (.evtx)
- Enable or disable the channel from Event Log service to allow or disallow event data being written into the channel
- Specify an XPath query to filter events while exporting the channel event data
- Export channel event data into a log file (.evtx).
- Enable or disable the channel from Event Log service to allow or disallow event data being written into the channel.
- Specify an XPath query to filter events while exporting the channel event data.
For more information about using DiagnosticLog to collect logs remotely from a PC or mobile device, see [Diagnose MDM failures in Windows 10](diagnose-mdm-failures-in-windows-10.md).
@ -887,13 +934,13 @@ To gather diagnostics using this CSP:
1. Specify a *CollectorName* for the container of the target ETW providers.
2. (Optional) Set logging and log file parameters using the following options:
- <a href="#etwlog-collectors-collectorname-tracelogfilemode">TraceLogFileMode</a>
- <a href="#etwlog-collectors-collectorname-logfilesizelimitmb">LogFileSizeLimitMB</a>
- [TraceLogFileMode](#etwlog-collectors-collectorname-tracelogfilemode)
- [LogFileSizeLimitMB](#etwlog-collectors-collectorname-logfilesizelimitmb)
3. Indicate one or more target ETW providers by supplying its *ProviderGUID* to the Add operation of EtwLog/Collectors/*CollectorName*/Providers/*ProviderGUID*.
3. Indicate one or more target ETW providers by supplying its **ProviderGUID** to the Add operation of EtwLog/Collectors/*CollectorName*/Providers/*ProviderGUID*.
4. (Optional) Set logging and log file parameters using the following options:
- <a href="#etwlog-collectors-collectorname-providers-providerguid-tracelevel">TraceLevel</a>
- <a href="#etwlog-collectors-collectorname-providers-providerguid-keywords">Keywords</a>
- [TraceLevel](#etwlog-collectors-collectorname-providers-providerguid-tracelevel)
- [Keywords](#etwlog-collectors-collectorname-providers-providerguid-keywords)
5. Start logging using **TraceControl** EXECUTE command “START”.
6. Perform actions on the target device that will generate activity in the log files.
7. Stop logging using **TraceControl** EXECUTE command “STOP”.
@ -999,7 +1046,7 @@ The following table lists the possible values:
The supported operation is Execute.
After you have added a logging task, you can start a trace by running an Execute command on this node with the value START.
After you've added a logging task, you can start a trace by running an Execute command on this node with the value START.
To stop the trace, running an execute command on this node with the value STOP.
@ -1404,7 +1451,7 @@ Set channel **State**
## DeviceStateData area
The DeviceStateData functionality within the DiagnosticLog CSP provides additional device information.
The DeviceStateData functionality within the DiagnosticLog CSP provides more device information.
The following section describes the nodes for the DeviceStateData functionality.
@ -1439,14 +1486,14 @@ The supported value is Execute.
## FileDownload area
The FileDownload feature of the DiagnosticLog CSP enables a management server to pull data directly from the device. In the FileDownload context the client and server roles are conceptually reversed, with the management server acting as a client to download the data from the managed device.
The FileDownload feature of the DiagnosticLog CSP enables a management server to pull data directly from the device. In the FileDownload context, the client and server roles are conceptually reversed, with the management server acting as a client to download the data from the managed device.
### Comparing FileDownload and DiagnosticArchive
Both the FileDownload and DiagnosticArchive features can be used to get data from the device to the management server, but they are optimized for different workflows.
Both the FileDownload and DiagnosticArchive features can be used to get data from the device to the management server, but they're optimized for different workflows.
- FileDownload enables the management server to directly pull byte-level trace data from the managed device. The data transfer takes place through the existing OMA-DM/SyncML context. It is typically used together with the EtwLogs feature as part of an advanced monitoring or diagnostic flow. FileDownlod requires granular orchestration by the management server, but avoids the need for dedicated cloud storage.
- DiagnosticArchive allows the management server to give the CSP a full set of instructions as single command. Based on those instructions the CSP orchestrates the work client-side to package the requested diagnostic files into a zip archive and upload that archive to cloud storage. The data transfer happens outside of the OMA-DM session, via an HTTP PUT.
- FileDownload enables the management server to directly pull byte-level trace data from the managed device. The data transfer takes place through the existing OMA-DM/SyncML context. It's typically used together with the EtwLogs feature as part of an advanced monitoring or diagnostic flow. FileDownlod requires granular orchestration by the management server, but avoids the need for dedicated cloud storage.
- DiagnosticArchive allows the management server to give the CSP a full set of instructions as single command. Based on those instructions, the CSP orchestrates the work client-side to package the requested diagnostic files into a zip archive and upload that archive to cloud storage. The data transfer happens outside of the OMA-DM session, via an HTTP PUT.
The following section describes the nodes for the FileDownload functionality.
@ -1624,6 +1671,7 @@ The supported operation is Get.
### Reading a log file
To read a log file:
1. Enumerate log file under **./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel**.
2. Select a log file in the Enumeration result.
3. Set **BlockSizeKB** per DM server payload limitation.
@ -1632,3 +1680,7 @@ To read a log file:
6. Get **BlockData** for upload log block.
7. Increase **BlockIndexToRead**.
8. Repeat steps 5 to 7 until **BlockIndexToRead == (BlockIndexToRead 1)**.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)

81
windows/client-management/mdm/dmacc-csp.md
View File

@ -14,16 +14,24 @@ ms.date: 06/26/2017
# DMAcc CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The DMAcc configuration service provider allows an OMA Device Management (DM) version 1.2 server to handle OMA DM account objects. The server can use this configuration service provider to add a new account or to manage an existing account, including an account that was bootstrapped by using the [w7 APPLICATION configuration service provider](w7-application-csp.md)
> **Note**  This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application.
> [!Note]
>This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application.
For the DMAcc CSP, you can't use the Replace command unless the node already exists.
For the DMAcc CSP, you cannot use the Replace command unless the node already exists.
The following shows the DMAcc configuration service provider management object in tree format as used by OMA Device Management version 1.2. The OMA Client Provisioning protocol is not supported by this configuration service provider.
The following shows the DMAcc configuration service provider management object in tree format as used by OMA Device Management version 1.2. The OMA Client Provisioning protocol isn't supported by this configuration service provider.
```
./SyncML
@ -103,7 +111,7 @@ Required.
<a href="" id="appaddr-objectname"></a>**AppAddr/**<strong>*ObjectName*</strong>
Required. Defines the OMA DM server address. Only one server address can be configured.
When mapping the [w7 APPLICATION configuration service provider](w7-application-csp.md) to the DMAcc Configuration Service Provider, the name of this element is "1". This is the first DM address encountered in the w7 APPLICATION configuration service provider, other DM accounts are ignored.
When mapping the [w7 APPLICATION configuration service provider](w7-application-csp.md) to the DMAcc Configuration Service Provider, the name of this element will be "1". This will be the first DM address encountered in the w7 APPLICATION configuration service provider, other DM accounts are ignored.
<a href="" id="objectname-addr"></a>***ObjectName*/Addr**
Required. Specifies the address of the OMA DM account. The type of address stored is specified by the AddrType element.
@ -125,10 +133,10 @@ Optional.
<a href="" id="port-objectname"></a>**Port/**<strong>*ObjectName*</strong>
Required. Only one port number can be configured.
When mapping the [w7 APPLICATION configuration service provider](w7-application-csp.md) to the DMAcc Configuration Service Provider, the name of this element is "1".
When mapping the [w7 APPLICATION configuration service provider](w7-application-csp.md) to the DMAcc Configuration Service Provider, the name of this element will be "1".
<a href="" id="objectname-portnbr"></a>***ObjectName*/PortNbr**
Required. Specifies the port number of the OMA MD account address. This must be a decimal number that fits within the range of a 16-bit unsigned integer.
Required. Specifies the port number of the OMA MD account address. It must be a decimal number that fits within the range of a 16-bit unsigned integer.
Value type is string. Supported operations are Add, Get, and Replace.
@ -137,7 +145,7 @@ Optional. Specifies the application authentication preference.
A value of "BASIC" specifies that the client attempts BASIC authentication. A value of "DIGEST' specifies that the client attempts MD5 authentication.
If this value is empty, the client attempts to use the authentication mechanism negotiated in the previous session if one exists. If the value is empty, no previous session exists, and MD5 credentials exist, clients try MD5 authorization first. If the criteria are not met then the client tries BASIC authorization first.
If this value is empty, the client attempts to use the authentication mechanism negotiated in the previous session if one exists. If the value is empty, no previous session exists, and MD5 credentials exist, clients try MD5 authorization first. If the criteria are not met, then the client tries BASIC authorization first.
Value type is string. Supported operations are Add, Get, and Replace.
@ -147,7 +155,7 @@ Optional. Defines authentication settings.
<a href="" id="appauth-objectname"></a>**AppAuth/**<strong>*ObjectName*</strong>
Required. Defines one set of authentication settings.
When mapping the [w7 APPLICATION configuration service provider](w7-application-csp.md) to the DMAcc Configuration Service Provider, the name of this element is same name as the AAuthLevel value ("CLRED" or "SRVCRED").
When mapping the [w7 APPLICATION configuration service provider](w7-application-csp.md) to the DMAcc Configuration Service Provider, the name of this element will be same name as the AAuthLevel value ("CLRED" or "SRVCRED").
<a href="" id="objectname-aauthlevel"></a>***ObjectName*/AAuthlevel**
Required. Specifies the application authentication level.
@ -176,7 +184,7 @@ Value type is string. Supported operations are Add and Replace.
<a href="" id="objectname-aauthdata"></a>***ObjectName*/AAuthData**
Optional. Specifies the next nonce used for authentication.
"Nonce" refers to a number used once. It is often a random or pseudo-random number issued in an authentication protocol to ensure that old communications cannot be reused in repeat attacks.
"Nonce" refers to a number used once. It's often a random or pseudo-random number issued in an authentication protocol to ensure that old communications can't be reused in repeat attacks.
Value type is binary. Supported operations are Add and Replace.
@ -228,24 +236,21 @@ Value type is integer. Supported operations are Add, Get, and Replace.
<a href="" id="microsoft-protover"></a>**Microsoft/ProtoVer**
Optional. Specifies the OMA DM Protocol version that the server supports. There is no default value.
Valid values are "1.1" and "1.2". The protocol version set by this element will match the protocol version that the DM client reports to the server in SyncHdr in package 1. If this element is not specified when adding a DM server account, the latest DM protocol version that the client supports is used. Windows 10 clients support version 1.2.
Valid values are "1.1" and "1.2". The protocol version set by this element will match the protocol version that the DM client reports to the server in SyncHdr in package 1. If this element isn't specified when adding a DM server account, the latest DM protocol version that the client supports is used. Windows 10 clients support version 1.2.
Value type is string. Supported operations are Add, Get, and Replace.
<a href="" id="microsoft-role"></a>**Microsoft/Role**
Required. Specifies the role mask that the OMA DM session runs with when it communicates with the server.
If this parameter is not present, the DM session is given the role mask of the OMA DM session that the server created. The following list shows the valid security role masks and their values.
If this parameter isn't present, the DM session is given the role mask of the OMA DM session that the server created. The following list shows the valid security role masks and their values.
- 4 = SECROLE\_OPERATOR
- 4 = SECROLE\_OPERATO
- 8 = SECROLE\_MANAGE
- 16 = SECROLE\_USER\_AUT
- 128 = SECROLE\_OPERATOR\_TPS
- 8 = SECROLE\_MANAGER
- 16 = SECROLE\_USER\_AUTH
- 128 = SECROLE\_OPERATOR\_TPS
The acceptable access roles for this node cannot be more than the roles assigned to the DMAcc object.
The acceptable access roles for this node can't be more than the roles assigned to the DMAcc object.
Value type is integer. Supported operations are Get and Replace.
@ -256,20 +261,18 @@ The default value of "FALSE" specifies that an application-specific GUID is retu
A value is "TRUE" specifies that the hardware device ID will be provided for the ./DevInfo/DevID element and the Source LocURI for the OMA DM package that is sent to the server. In this case:
- For GSM phones, the IMEI is returned.
- For CDMA phones, the MEID is returned.
- For dual SIM phones, this value is retrieved from the UICC of the primary data line.
- For GSM phones, the IMEI is returned.
- For CDMA phones, the MEID is returned.
- For dual SIM phones, this value is retrieved from the UICC of the primary data line.
Value type is bool. Supported operations are Add, Get, and Replace.
<a href="" id="microsoft-usenonceresync"></a>**Microsoft/UseNonceResync**
Optional. Specifies whether the OMA DM client should use the nonce resynchronization procedure if the server trigger notification fails authentication. The default is "FALSE".
If the authentication fails because the server nonce does not match the server nonce that is stored on the device, then the device can use the backup nonce as the server nonce. For this procedure to be successful, if the device did not authenticate with the preconfigured nonce value, the server must then use the backup nonce when sending the signed server notification message.
If the authentication fails because the server nonce doesn't match the server nonce that is stored on the device, then the device can use the backup nonce as the server nonce. For this procedure to be successful, if the device didn't authenticate with the pre-configured nonce value, the server must then use the backup nonce when sending the signed server notification message.
The default value of "FALSE" specifies that the client does not try to authenticate the notification with the backup server nonce if authentication to the stored nonce fails. A value of "TRUE" specifies that the client initiates a DM session if the backup server nonce is received after authentication failed.
The default value of "FALSE" specifies that the client doesn't try to authenticate the notification with the backup server nonce if authentication to the stored nonce fails. A value of "TRUE" specifies that the client initiates a DM session if the backup server nonce is received after authentication failed.
Value type is bool. Supported operations are Add, Get, and Replace.
@ -284,17 +287,16 @@ Optional. Determines whether the OMA DM client should be launched when roaming.
Value type is bool. Supported operations are Add, Get, and Replace.
<a href="" id="sslclientcertsearchcriteria"></a>**SSLCLIENTCERTSEARCHCRITERIA**
Optional. The SSLCLIENTCERTSEARCHCRITERIA parameter is used to specify the client certificate search criteria. This parameter supports search by subject attribute and certificate stores. If any other criteria are provided, it is ignored.
Optional. The SSLCLIENTCERTSEARCHCRITERIA parameter is used to specify the client certificate search criteria. This parameter supports search by subject attribute and certificate stores. If any other criteria are provided, it's ignored.
The string is a concatenation of name/value pairs, each member of the pair delimited by the "&" character. The name and values are delimited by the "=" character. If there are multiple values, each value is delimited by the Unicode character "U+F000". If the name or value contains characters not in the UNRESERVED set (as specified in RFC2396), then those characters are URI-escaped per the RFC.
The supported names are Subject and Stores; wildcard certificate search is not supported.
The supported names are Subject and Stores; wildcard certificate search isn't supported.
Stores specifies which certificate stores the DM client will search to find the SSL client certificate. The valid store value is My%5CUser. The store name is not case sensitive.
Stores specify which certificate stores the DM client will search to find the SSL client certificate. The valid store value is My%5CUser. The store name isn't case sensitive.
> **Note**   %EF%80%80 is the UTF8-encoded character U+F000.
> [!Note]
> %EF%80%80 is the UTF8-encoded character U+F000.
Subject specifies the certificate to search for. For example, to specify that you want a certificate with a particular Subject attribute (“CN=Tester,O=Microsoft”), use the following:
@ -312,15 +314,4 @@ Supported operations are Add, and Replace.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)

137
windows/client-management/mdm/dmclient-csp.md
View File

@ -14,6 +14,15 @@ ms.date: 11/01/2017
# DMClient CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The DMClient configuration service provider (CSP) has more enterprise-specific mobile device management (MDM) configuration settings. These settings identify the device in the enterprise domain, include security mitigation for certificate renewal, and are used for server-triggered enterprise unenrollment.
@ -66,6 +75,7 @@ DMClient
----Unenroll
----UpdateManagementServiceAddress
```
<a href="" id="msft"></a>**./Vendor/MSFT**
All the nodes in this CSP are supported in the device context, except for the **ExchangeID** node, which is supported in the user context. For the device context, use the **./Device/Vendor/MSFT** path and for the user context, use the **./User/Vendor/MSFT** path.
@ -104,8 +114,6 @@ Supported operations are Get and Add.
> Although hardware device IDs are guaranteed to be unique, there's a concern that this isn't ultimately enforceable during a DM session. The device ID could be changed through the w7 APPLICATION CSPs **USEHWDEVID** parm by another management server. So during enterprise bootstrap and enrollment, a new device ID is specified by the enterprise server.
This node is required and must be set by the server before the client certificate renewal is triggered.
<a href="" id="provider-providerid-exchangeid"></a>**Provider/*ProviderID*/ExchangeID**
Optional. Character string that contains the unique Exchange device ID used by the Outlook account of the user the session is running against. The enterprise management server can correlate and merge records for:
@ -115,8 +123,6 @@ Optional. Character string that contains the unique Exchange device ID used by t
> [!NOTE]
> In some cases for the desktop, this node will return "not found" until the user sets up their email.
Supported operation is Get.
The following XML is a Get command example:
@ -148,8 +154,6 @@ Required. The character string that contains the device management server addres
> [!NOTE]
> When the **ManagementServerAddressList** value is set, the device ignores the value.
The DMClient CSP will save the address to the same location as the w7 and DMS CSPs. The save ensures the management client has a single place to retrieve the current server address. The initial value for this node is the same server address value as bootstrapped using the [w7 APPLICATION configuration service provider](w7-application-csp.md).
Starting in Windows 10, version 1511, this node supports multiple server addresses in the format &lt;URL1&gt;&lt;URL2&gt;&lt;URL3&gt;. If there's only a single URL, then the &lt;&gt; aren't required. This feature is supported on Windows client devices.
@ -159,7 +163,7 @@ During a DM session, the device will use the first address on the list and then
Supported operations are Add, Get, and Replace.
<a href="" id="provider-providerid-upn"></a>**Provider/*ProviderID*/UPN**
Optional. Allows the management server to update the User Principal Name (UPN) of the enrolled user. This information is useful when the user email address changes in the identity system. Or, when the user enters an invalid UPN during enrollment, and fixes the UPN during federated enrollment. The UPN will be recorded and the UX will reflect the updated UPN.
Optional. Allows the management server to update the User Principal Name (UPN) of the enrolled user. This information is useful when the user's email address changes in the identity system. Or, when the user enters an invalid UPN during enrollment, and fixes the UPN during federated enrollment. The UPN will be recorded and the UX will reflect the updated UPN.
Supported operations are Get and Replace.
@ -199,8 +203,6 @@ Optional. Used by the management server to set the DM session version that the s
Once you set the value to 2.0, it won't go back to 1.0.
Supported operations are Get, Replace, and Delete.
<a href="" id="provider-providerid-maxsyncapplicationversion"></a>**Provider/*ProviderID*/MaxSyncApplicationVersion**
@ -279,8 +281,6 @@ Added in Windows 10, version 1607. The list of management server URLs in the fo
> [!NOTE]
> The &lt; and &gt; should be escaped.
```xml
<Replace>
<CmdID>101</CmdID>
@ -299,23 +299,31 @@ If ManagementServerAddressList node is set, the device will only use the server
When the server isn't responding after a specified number of retries, the device tries to use the next server URL in the list. It keeps trying until it gets a successful connection. After the server list is updated, the client uses the updated list at the next session starting with the first one in the list.
Supported operations are Get and Replace. Value type is string.
Supported operations are Get and Replace.
Value type is string.
<a href="" id="provider-providerid-managementservertoupgradeto"></a>**Provider/*ProviderID*/ManagementServerToUpgradeTo**
Optional. Added in Windows 10, version 1703. Specify the Discovery server URL of the MDM provider to upgrade to for a Mobile Application Management (MAM) enrolled device.
Supported operations are Add, Delete, Get, and Replace. Value type is string.
Supported operations are Add, Delete, Get, and Replace.
Value type is string.
<a href="" id="provider-providerid-numberofdaysafterlostcontacttounenroll"></a>**Provider/*ProviderID*/NumberOfDaysAfterLostContactToUnenroll**
Optional. Number of days after last successful sync to unenroll.
Supported operations are Add, Delete, Get, and Replace. Value type is integer.
Supported operations are Add, Delete, Get, and Replace.
Value type is integer.
<a href="" id="provider-providerid-aadsenddevicetoken"></a>**Provider/*ProviderID*/AADSendDeviceToken**
Device. Added in Windows 10 version 1803. For Azure AD backed enrollments, this feature will cause the client to send a Device Token if the User Token can't be obtained.
Supported operations are Add, Delete, Get, and Replace. Value type is bool.
Supported operations are Add, Delete, Get, and Replace.
Value type is bool.
<a href="" id="provider-providerid-poll"></a>**Provider/*ProviderID*/Poll**
Optional. Polling schedules must use the DMClient CSP. The Registry paths previously associated with polling using the Registry CSP are now deprecated.
@ -442,7 +450,7 @@ Optional. This node enables [Config Lock](config-lock.md) feature. If enabled, p
Default = Locked
> [!Note]
>If the device isn't a Secured-core PC, then this feature won't work. To know more, see [Secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure).
> If the device isn't a Secured-core PC, then this feature won't work. To know more, see [Secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure).
<a href="" id="provider-providerid-configlock-lock"></a>**Provider/*ProviderID*/ConfigLock/Lock**
@ -504,22 +512,30 @@ Supported operations are Add, Delete, and Get.
<a href="" id="provider-providerid-customenrollmentcompletepage-title"></a>**Provider/*ProviderID*/CustomEnrollmentCompletePage/Title**
Optional. Added in Windows 10, version 1703. Specifies the title of the all done page that appears at the end of the MDM enrollment flow.
Supported operations are Add, Delete, Get, and Replace. Value type is string.
Supported operations are Add, Delete, Get, and Replace.
Value type is string.
<a href="" id="provider-providerid-customenrollmentcompletepage-bodytext"></a>**Provider/*ProviderID*/CustomEnrollmentCompletePage/BodyText**
Optional. Added in Windows 10, version 1703. Specifies the body text of the all done page that appears at the end of the MDM enrollment flow.
Supported operations are Add, Delete, Get, and Replace. Value type is string.
Supported operations are Add, Delete, Get, and Replace.
Value type is string.
<a href="" id="provider-providerid-customenrollmentcompletepage-hyperlinkhref"></a>**Provider/*ProviderID*/CustomEnrollmentCompletePage/HyperlinkHref**
Optional. Added in Windows 10, version 1703. Specifies the URL that's shown at the end of the MDM enrollment flow.
Supported operations are Add, Delete, Get, and Replace. Value type is string.
Supported operations are Add, Delete, Get, and Replace.
Value type is string.
<a href="" id="provider-providerid-customenrollmentcompletepage-hyperlinktext"></a>**Provider/*ProviderID*/CustomEnrollmentCompletePage/HyperlinkText**
Optional. Added in Windows 10, version 1703. Specifies the display text for the URL that's shown at the end of the MDM enrollment flow.
Supported operations are Add, Delete, Get, and Replace. Value type is string.
Supported operations are Add, Delete, Get, and Replace.
Value type is string.
<a href="" id="provider-providerid-firstsyncstatus-"></a>**Provider/*ProviderID*/FirstSyncStatus**
Optional node. Added in Windows 10, version 1709.
@ -527,17 +543,23 @@ Optional node. Added in Windows 10, version 1709.
<a href="" id="provider-providerid-firstsyncstatus-expectedpolicies"></a>**Provider/*ProviderID*/FirstSyncStatus/ExpectedPolicies**
Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to policies the management service provider expects to configure, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER).
Supported operations are Add, Delete, Get, and Replace. Value type is string.
Supported operations are Add, Delete, Get, and Replace.
Value type is string.
<a href="" id="provider-providerid-firstsyncstatus-expectednetworkprofiles "></a>**Provider/*ProviderID*/FirstSyncStatus/ExpectedNetworkProfiles**
Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to Wi-Fi profiles and VPN profiles the management service provider expects to configure, delimited by the character L"\xF000".
Supported operations are Add, Delete, Get, and Replace. Value type is string.
Supported operations are Add, Delete, Get, and Replace.
Value type is string.
<a href="" id="provider-providerid-firstsyncstatus-expectedmsiapppackages"></a>**Provider/*ProviderID*/FirstSyncStatus/ExpectedMSIAppPackages**
Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to App Packages the management service provider expects to configure using the EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. For example, `./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2` This represents App Package ProductID1 containing four apps, and ProductID2 containing two apps.
Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to App Packages the management service provider expects to configure using the EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. For example, `./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2` This represents App Package ProductID1 containing four apps, and ProductID2 containing two apps.
Supported operations are Add, Delete, Get, and Replace. Value type is string.
Supported operations are Add, Delete, Get, and Replace.
Value type is string.
<a href="" id="provider-providerid-firstsyncstatus-expectedmodernapppackages"></a>**Provider/*ProviderID*/FirstSyncStatus/ExpectedModernAppPackages**
Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to App Packages the management service provider expects to configure using the EnterpriseModernAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. For example,
@ -549,62 +571,86 @@ Required. Added in Windows 10, version 1709. This node contains a list of LocURI
This syntax represents App Package PackageFullName containing four apps, and PackageFullName2 containing two apps.
Supported operations are Add, Delete, Get, and Replace. Value type is string.
Supported operations are Add, Delete, Get, and Replace.
Value type is string.
<a href="" id="provider-providerid-firstsyncstatus-expectedpfxcerts"></a>**Provider/*ProviderID*/FirstSyncStatus/ExpectedPFXCerts**
Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to certs the management service provider expects to configure using the ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER).
Supported operations are Add, Delete, Get, and Replace. Value type is string.
Supported operations are Add, Delete, Get, and Replace.
Value type is string.
<a href="" id="provider-providerid-firstsyncstatus-expectedscepcerts"></a>**Provider/*ProviderID*/FirstSyncStatus/ExpectedSCEPCerts**
Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to SCEP certs the management service provider expects to configure using the ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER).
Supported operations are Add, Delete, Get, and Replace. Value type is string.
Supported operations are Add, Delete, Get, and Replace.
Value type is string.
<a href="" id="provider-providerid-firstsyncstatus-timeoutuntilsyncfailure"></a>**Provider/*ProviderID*/FirstSyncStatus/TimeOutUntilSyncFailure**
Required. Added in Windows 10, version 1709. This node determines how long we will poll until we surface an error message to the user. The unit of measurement is minutes. Default value will be 60, while maximum value will be 1,440 (one day).
Required. Added in Windows 10, version 1709. This node determines how long we'll poll until we surface an error message to the user. The unit of measurement is minutes. Default value will be 60, while maximum value will be 1,440 (one day).
Supported operations are Get and Replace. Value type is integer.
Supported operations are Get and Replace.
Value type is integer.
<a href="" id="provider-providerid-firstsyncstatus-serverhasfinishedprovisioning"></a>**Provider/*ProviderID*/FirstSyncStatus/ServerHasFinishedProvisioning**
Required. Added in Windows 10, version 1709. This node is set by the server to inform the UX that the server has finished configuring the device. It was added so that the server can “change its mind" about what it needs to configure on the device. When this node is set, many other DM Client nodes can't be changed. If this node isn't True, the UX will consider the configuration a failure. Once set to true, it would reject attempts to change it back to false with CFGMGR_E_COMMANDNOTALLOWED. This node applies to the per user expected policies and resources lists.
Supported operations are Get and Replace. Value type is boolean.
Supported operations are Get and Replace.
Value type is boolean.
<a href="" id="provider-providerid-firstsyncstatus-issyncdone"></a>**Provider/*ProviderID*/FirstSyncStatus/IsSyncDone**
Required. Added in Windows 10, version 1709. This node, when doing a get, tells the server if the “First Syncs" are done and the device is fully configured. `Set` triggers the UX to override whatever state it's in, and tell the user that the device is configured. It can't be set from True to False (it won't change its mind if the sync is done), and it can't be set from True to True (to prevent notifications from firing multiple times). This node only applies to the user MDM status page (on a per user basis).
Supported operations are Get and Replace. Value type is boolean.
Supported operations are Get and Replace.
Value type is boolean.
<a href="" id="provider-providerid-firstsyncstatus-wasdevicesuccessfullyprovisioned"></a>**Provider/*ProviderID*/FirstSyncStatus/WasDeviceSuccessfullyProvisioned**
Required. Added in Windows 10, version 1709. Integer node determining if a device was successfully configured. 0 is failure, 1 is success, 2 is in progress. Once the value is changed to 0 or 1, the value can't be changed again. The client will change the value of success or failure and update the node. The server can force a failure or success message to appear on the device by setting this value and then setting the IsSyncDone node to true. This node only applies to the user MDM status page (on a per user basis).
Supported operations are Get and Replace. Value type is integer.
Supported operations are Get and Replace.
Value type is integer.
<a href="" id="provider-providerid-firstsyncstatus-blockinstatuspage"></a>**Provider/*ProviderID*/FirstSyncStatus/BlockInStatusPage**
Required. Device Only. Added in Windows 10, version 1803. This node determines if the MDM progress page is blocking in the Azure AD joined or DJ++ case, and which remediation options are available.
Supported operations are Get and Replace. Value type is integer.
Supported operations are Get and Replace.
Value type is integer.
<a href="" id="provider-providerid-firstsyncstatus-allowcollectlogsbutton"></a>**Provider/*ProviderID*/FirstSyncStatus/AllowCollectLogsButton**
Required. Added in Windows 10, version 1803. This node decides if the MDM progress page displays the Collect Logs button.
Supported operations are Get and Replace. Value type is bool.
Supported operations are Get and Replace.
Value type is bool.
<a href="" id="provider-providerid-firstsyncstatus-customerrortext"></a>**Provider/*ProviderID*/FirstSyncStatus/CustomErrorText**
Required. Added in Windows 10, version 1803. This node allows the MDM to set custom error text, detailing what the user needs to do if there's an error.
Supported operations are Add, Get, Delete, and Replace. Value type is string.
Supported operations are Add, Get, Delete, and Replace.
Value type is string.
<a href="" id="provider-providerid-firstsyncstatus-skipdevicestatuspage"></a>**Provider/*ProviderID*/FirstSyncStatus/SkipDeviceStatusPage**
Required. Device only. Added in Windows 10, version 1803. This node decides if the MDM device progress page skips after Azure AD joined or Hybrid Azure AD joined in OOBE.
Supported operations are Get and Replace. Value type is bool.
Supported operations are Get and Replace.
Value type is bool.
<a href="" id="provider-providerid-firstsyncstatus-skipuserstatuspage"></a>**Provider/*ProviderID*/FirstSyncStatus/SkipUserStatusPage**
Required. Device only. Added in Windows 10, version 1803. This node decides if the MDM user progress page skips after Azure AD joined or DJ++ after user login.
Supported operations are Get and Replace. Value type is bool.
Supported operations are Get and Replace.
Value type is bool.
<a href="" id="provider-providerid-enhancedapplayersecurity"></a>**Provider/*ProviderID*/EnhancedAppLayerSecurity**
Required node. Added in Windows 10, version 1709.
@ -614,22 +660,30 @@ Supported operation is Get.
<a href="" id="provider-providerid-enhancedapplayersecurity-securitymode"></a>**Provider/*ProviderID*/EnhancedAppLayerSecurity/SecurityMode**
Required. Added in Windows 10, version 1709. This node specifies how the client will do the app layer signing and encryption. 0: no op; 1: sign only; 2: encrypt only; 3: sign and encrypt. The default value is 0.
Supported operations are Add, Get, Replace, and Delete. Value type is integer.
Supported operations are Add, Get, Replace, and Delete.
Value type is integer.
<a href="" id="provider-providerid-enhancedapplayersecurity-usecertifrevocationcheckoffline"></a>**Provider/*ProviderID*/EnhancedAppLayerSecurity/UseCertIfRevocationCheckOffline**
Required. Added in Windows 10, version 1709. When this node is set, it tells the client to use the certificate even when the client can't check the certificate's revocation status because the device is offline. The default value is set.
Supported operations are Add, Get, Replace, and Delete. Value type is boolean.
Supported operations are Add, Get, Replace, and Delete.
Value type is boolean.
<a href="" id="provider-providerid-enhancedapplayersecurity-cert0"></a>**Provider/*ProviderID*/EnhancedAppLayerSecurity/Cert0**
Required. Added in Windows 10, version 1709. The node contains the primary certificate - the public key to use.
Supported operations are Add, Get, Replace, and Delete. Value type is string.
Supported operations are Add, Get, Replace, and Delete.
Value type is string.
<a href="" id="provider-providerid-enhancedapplayersecurity-cert1"></a>**Provider/*ProviderID*/EnhancedAppLayerSecurity/Cert1**
Required. Added in Windows 10, version 1709. The node contains the secondary certificate - the public key to use.
Supported operations are Add, Get, Replace, and Delete. Value type is string.
Supported operations are Add, Get, Replace, and Delete.
Value type is string.
<a href="" id="provider-providerid-unenroll"></a>**Provider/*ProviderID*/Unenroll**
Required. The node accepts unenrollment requests using the OMA DM Exec command and calls the enrollment client to unenroll the device from the management server whose provider ID is specified in the `<Data>` tag under the `<Item>` element. Scope is permanent.
@ -658,5 +712,4 @@ The following SyncML shows how to remotely unenroll the device. This command sho
## Related articles
[Configuration service provider reference](configuration-service-provider-reference.md)

65
windows/client-management/mdm/dmsessionactions-csp.md
View File

@ -13,15 +13,25 @@ manager: dansimp
# DMSessionActions CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The DMSessionActions configuration service provider (CSP) is used to manage:
- the number of sessions the client skips if the device is in a low-power state
- the number of sessions the client skips if the device is in a low-power state.
- which CSP nodes should send an alert back to the server if there were any changes.
This CSP was added in Windows 10, version 1703.
The following shows the DMSessionActions configuration service provider in tree format.
The following shows the DMSessionActions configuration service provider in tree format:
```
./User/Vendor/MSFT
DMSessionActions
@ -62,42 +72,59 @@ DMSessionActions
------------MaxSkippedSessionsInLowPowerState
------------MaxTimeSessionsSkippedInLowPowerState
```
<a href="" id="vendor-msft-dmsessionactions"></a>**./Device/Vendor/MSFT/DMSessionActions or ./User/Vendor/MSFT/DMSessionActions**
<p>Defines the root node for the DMSessionActions configuration service provider.</p>
Defines the root node for the DMSessionActions configuration service provider.
<a href="" id="providerid"></a>***ProviderID***
<p>Group settings per device management (DM) server. Each group of settings is distinguished by the Provider ID of the server. It must be the same DM server Provider ID value that was supplied through the w7 APPLICATION configuration service provider XML during the enrollment process. Only one enterprise management server is supported, which means there should be only one ProviderID node under NodeCache. </p>
Group settings per device management (DM) server. Each group of settings is distinguished by the Provider ID of the server. It must be the same DM server Provider ID value that was supplied through the w7 APPLICATION configuration service provider XML during the enrollment process. Only one enterprise management server is supported, which means there should be only one ProviderID node under NodeCache.
<p>Scope is dynamic. Supported operations are Get, Add, and Delete.</p>
Scope is dynamic. Supported operations are Get, Add, and Delete.
<a href="" id="checkinalertconfiguration"></a>***ProviderID*/CheckinAlertConfiguration**
<p>Node for the custom configuration of alerts to be sent during MDM sync session.</p>
Node for the custom configuration of alerts to be sent during MDM sync session.
<a href="" id="nodes"></a>***ProviderID*/CheckinAlertConfiguration/Nodes**
<p>Required. Root node for URIs to be queried. Scope is dynamic.</p>
Required. Root node for URIs to be queried. Scope is dynamic.
<p>Supported operation is Get.</p>
Supported operation is Get.
<a href="" id="nodeid"></a>***ProviderID*/CheckinAlertConfiguration/Nodes/*NodeID***
<p>Required. Information about each node is stored under NodeID as specified by the server. This value must not contain a comma. Scope is dynamic.</p>
Required. Information about each node is stored under NodeID as specified by the server. This value must not contain a comma. Scope is dynamic.
<p>Supported operations are Get, Add, and Delete.</p>
Supported operations are Get, Add, and Delete.
<a href="" id="nodeuri"></a>***ProviderID*/CheckinAlertConfiguration/Nodes/*NodeID*/NodeURI**
<p>Required. The value is a complete OMA DM node URI. It can specify either an interior node or a leaf node in the device management tree. Scope is dynamic.</p>
<p>Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
Required. The value is a complete OMA DM node URI. It can specify either an interior node or a leaf node in the device management tree. Scope is dynamic.
Value type is string.
Supported operations are Add, Get, Replace, and Delete.
<a href="" id="alertdata"></a>**AlertData**
<p>Node to query the custom alert per server configuration</p>
<p>Value type is string. Supported operation is Get.</p>
Node to query the custom alert per server configuration
Value type is string.
Supported operation is Get.
<a href="" id="powersettings"></a>**PowerSettings**
<p>Node for power-related configrations</p>
Node for power-related configurations.
<a href="" id="maxskippedsessionsinlowpowerstate"></a>**PowerSettings/MaxSkippedSessionsInLowPowerState**
<p>Maximum number of continuous skipped sync sessions when the device is in low-power state.</p>
<p>Value type is integer. Supported operations are Add, Get, Replace, and Delete.</p>
Maximum number of continuous skipped sync sessions when the device is in low-power state.
Value type is integer.
Supported operations are Add, Get, Replace, and Delete.
<a href="" id="maxtimesessionsskippedinlowpowerstate"></a>**PowerSettings/MaxTimeSessionsSkippedInLowPowerState**
<p>Maximum time in minutes when the device can skip the check-in with the server if the device is in low-power state. </p>
<p>Value type is integer. Supported operations are Add, Get, Replace, and Delete.</p>
Maximum time in minutes when the device can skip the check-in with the server if the device is in low-power state.
Value type is integer.
Supported operations are Add, Get, Replace, and Delete.
## Related articles
[Configuration service provider reference](configuration-service-provider-reference.md)

90
windows/client-management/mdm/dynamicmanagement-csp.md
View File

@ -14,7 +14,17 @@ ms.collection: highpri
# DynamicManagement CSP
Windows 10 allows you to manage devices differently depending on location, network, or time.  In Windows 10, version 1703 the focus is on the most common areas of concern expressed by organizations. For example, managed devices can have cameras disabled when at a work location, the cellular service can be disabled when outside the country to avoid roaming charges, or the wireless network can be disabled when the device is not within the corporate building or campus. Once configured, these settings will be enforced even if the device cant reach the management server when the location or network changes. The Dynamic Management CSP enables configuration of policies that change how the device is managed in addition to setting the conditions on which the change occurs.
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
Windows 10/Windows 11 allows you to manage devices differently depending on location, network, or time.  Added in Windows 10, version 1703, the focus is on the most common areas of concern expressed by organizations. For example, managed devices can have cameras disabled when at a work location, the cellular service can be disabled when outside the country to avoid roaming charges, or the wireless network can be disabled when the device isn't within the corporate building or campus. Once configured, these settings will be enforced even if the device cant reach the management server when the location or network changes. The Dynamic Management CSP enables configuration of policies that change how the device is managed in addition to setting the conditions on which the change occurs.
This CSP was added in Windows 10, version 1703.
@ -33,13 +43,18 @@ DynamicManagement
------------Altitude
----AlertsEnabled
```
<a href="" id="dynamicmanagement"></a>**DynamicManagement**
<p>The root node for the DynamicManagement configuration service provider.</p>
The root node for the DynamicManagement configuration service provider.
<a href="" id="notificationsenabled"></a>**NotificationsEnabled**
<p>Boolean value for sending notification to the user of a context change.</p>
<p>Default value is False. Supported operations are Get and Replace.</p>
<p>Example to turn on NotificationsEnabled:</p>
Boolean value for sending notification to the user of a context change.
Default value is False.
Supported operations are Get and Replace.
Example to turn on NotificationsEnabled:
```xml
<Replace>
@ -56,45 +71,64 @@ DynamicManagement
</Item>
</Replace>
```
<a href="" id="activelist"></a>**ActiveList**
<p>A string containing the list of all active ContextIDs on the device. Delimeter is unicode character 0xF000..</p>
<p>Supported operation is Get.</p>
A string containing the list of all active ContextIDs on the device. Delimiter is unicode character 0xF000.
Supported operation is Get.
<a href="" id="contexts"></a>**Contexts**
<p>Node for context information.</p>
<p>Supported operation is Get.</p>
Node for context information.
Supported operation is Get.
<a href="" id="contextid"></a>***ContextID***
<p>Node created by the server to define a context. Maximum number of characters allowed is 38.</p>
<p>Supported operations are Add, Get, and Delete.</p>
Node created by the server to define a context. Maximum number of characters allowed is 38.
Supported operations are Add, Get, and Delete.
<a href="" id="signaldefinition"></a>**SignalDefinition**
<p>Signal Definition XML.</p>
<p>Value type is string. Supported operations are Add, Get, Delete, and Replace.</p>
Signal Definition XML.
Value type is string.
Supported operations are Add, Get, Delete, and Replace.
<a href="" id="settingspack"></a>**SettingsPack**
<p>Settings that get applied when the Context is active.</p>
<p>Value type is string. Supported operations are Add, Get, Delete, and Replace.</p>
Settings that get applied when the Context is active.
Value type is string.
Supported operations are Add, Get, Delete, and Replace.
<a href="" id="settingspackresponse"></a>**SettingsPackResponse**
<p>Response from applying a Settings Pack that contains information on each individual action.</p>
<p>Value type is string. Supported operation is Get.</p>
Response from applying a Settings Pack that contains information on each individual action.
Value type is string.
Supported operation is Get.
<a href="" id="contextstatus"></a>**ContextStatus**
<p>Reports status of the context. If there was a failure, SettingsPackResponse should be checked for what exactly failed.</p>
<p>Value type is integer. Supported operation is Get.</p>
Reports status of the context. If there was a failure, SettingsPackResponse should be checked for what exactly is failed.
Value type is integer.
Supported operation is Get.
<a href="" id="altitude"></a>**Altitude**
<p>A value that determines how to handle conflict resolution of applying multiple contexts on the device. This is required and must be distinct of other priorities.</p>
<p>Value type is integer. Supported operations are Add, Get, Delete, and Replace.</p>
A value that determines how to handle conflict resolution of applying multiple contexts on the device. This is required and must be distinct of other priorities.
Value type is integer.
Supported operations are Add, Get, Delete, and Replace.
<a href="" id="alertsenabled"></a>**AlertsEnabled**
<p>A Boolean value for sending an alert to the server when a context fails.</p>
<p>Supported operations are Get and Replace.</p>
A Boolean value for sending an alert to the server when a context fails.
Supported operations are Get and Replace.
## Examples
Disable Cortana based on Geo location and time, From 9am-5pm, when in the 100-meters radius of the specified latitude/longitude
Disable Cortana based on Geo location and time, from 9am-5pm, when in the 100-meters radius of the specified latitude/longitude
```xml
<Replace>
@ -203,7 +237,7 @@ Disable camera using network trigger with time trigger, from 9-5, when ip4 gatew
</Replace>
```
Delete a context
Delete a context:
```xml
<Delete>
@ -216,7 +250,7 @@ Delete a context
</Delete>
```
Get ContextStatus and SignalDefinition from a specific context
Get ContextStatus and SignalDefinition from a specific context:
```xml
<Get>
@ -236,3 +270,7 @@ Get ContextStatus and SignalDefinition from a specific context
</Item>
</Get>
```
## Related articles
[Configuration service provider reference](configuration-service-provider-reference.md)

131
windows/client-management/mdm/email2-csp.md
View File

@ -14,6 +14,15 @@ ms.date: 06/26/2017
# EMAIL2 CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The EMAIL2 configuration service provider (CSP) is used to configure Simple Mail Transfer Protocol (SMTP) email accounts.
@ -81,9 +90,8 @@ Supported operations are Get, Add, and Delete.
The braces {} around the GUID are required in the EMAIL2 configuration service provider.
- For OMA Client Provisioning, the braces can be sent literally. For example, `<characteristic type="{C556E16F-56C4-4edb-9C64-D9469EE1FBE0}"/>`.
- For OMA DM, the braces must be sent using ASCII values of 0x7B and 0x7D respectively. For example, `<Target><LocURI>./Vendor/MSFT/EMAIL2/0x7BC556E16F-56C4-4edb-9C64-D9469EE1FBE0x7D</LocURI></Target>`
- For OMA Client Provisioning, the braces can be sent literally. For example, `<characteristic type="{C556E16F-56C4-4edb-9C64-D9469EE1FBE0}"/>`
- For OMA DM, the braces must be sent using ASCII values of 0x7B and 0x7D respectively. For example, `<Target><LocURI>./Vendor/MSFT/EMAIL2/0x7BC556E16F-56C4-4edb-9C64-D9469EE1FBE0x7D</LocURI></Target>`
<a href="" id="accounticon"></a>**ACCOUNTICON**
Optional. Returns the location of the icon associated with the account.
@ -99,9 +107,8 @@ Supported operations are Get, Add, Replace, and Delete.
Valid values are:
- Email: normal email
- VVM: visual voice mail
- Email: Normal email
- VVM: Visual voice mail
<a href="" id="authname"></a>**AUTHNAME**
Required. Character string that specifies the name used to authorize the user to a specific email account (also known as the user's logon name).
@ -113,16 +120,14 @@ Optional. Character string that specifies whether the outgoing server requires a
Supported operations are Get, Add, Replace, and Delete.
Value options:
Value options are:
- 0 - Server authentication isn't required.
- 1 - Server authentication is required.
- 0 - Server authentication isn't required.
- 1 - Server authentication is required.
> [!NOTE]
> If this value isn't specified, then no SMTP authentication is done. Also, this is different from SMTPALTENABLED.
 
<a href="" id="authsecret"></a>**AUTHSECRET**
Optional. Character string that specifies the user's password. The same password is used for SMTP authentication.
@ -140,18 +145,15 @@ Supported operations are Get, Add, Replace, and Delete.
Value options:
- -1: Specifies that all email currently on the server should be downloaded.
- 7: Specifies that seven days worth of email should be downloaded.
- 14: Specifies that 14 days worth of email should be downloaded.
- 30: Specifies that 30 days worth of email should be downloaded.
- -1: Specifies that all email currently on the server should be downloaded.
- 7: Specifies that seven days worth of email should be downloaded.
- 14: Specifies that 14 days worth of email should be downloaded.
- 30: Specifies that 30 days worth of email should be downloaded.
<a href="" id="inserver"></a>**INSERVER**
Required. Character string that specifies the name of the incoming server name and port number. This string is limited to 62 characters. If the standard port number is used, then you don't have to specify the port number. The value format is:
- server name:port number
- server name:port number
Supported operations are Get, Add, and Replace.
@ -162,20 +164,16 @@ Supported operations are Get, Add, Replace, and Delete.
Value options:
- 0 - Email updates must be performed manually.
- 15 (default) - Wait for 15 minutes between updates.
- 30 - Wait for 30 minutes between updates.
- 60 - Wait for 60 minutes between updates.
- 120 - Wait for 120 minutes between updates.
- 0 - Email updates must be performed manually
- 15 (default) - Wait for 15 minutes between updates
- 30 - Wait for 30 minutes between updates
- 60 - Wait for 60 minutes between updates
- 120 - Wait for 120 minutes between updates.
<a href="" id="keepmax"></a>**KEEPMAX**
Optional. Specifies the maximum size for a message attachment. Attachments beyond this size will not be downloaded but it will remain on the server. The message itself will be downloaded. This value can be set only for IMAP4 accounts.
The limit is specified in KB
The limit is specified in KB.
Value options are 0, 25, 50, 125, and 250.
@ -191,7 +189,7 @@ Supported operations are Get, Add, Replace, and Delete.
<a href="" id="outserver"></a>**OUTSERVER**
Required. Character string that specifies the name of the messaging service's outgoing email server. Limited to 62 characters. The value format is:
- server name:port number
- server name:port number
Supported operations are Get, Add, Delete, and Replace.
@ -208,8 +206,6 @@ Supported operations are Get, Add, Replace, and Delete.
> [!NOTE]
> The EMAIL2 Configuration Service Provider doesn't support the OMA DM **Replace** command on the parameters **SERVICENAME** and **SERVICETYPE**. To replace either the email account name or the account service type, the existing email account must be deleted and then a new one must be created.
 
<a href="" id="servicetype"></a>**SERVICETYPE**
Required. Character string that specifies the type of email service to create or edit (for example, "IMAP4" or "POP3").
@ -217,8 +213,6 @@ Supported operations are Get, Add, Replace, and Delete.
> **Note**   The EMAIL2 Configuration Service Provider doesn't support the OMA DM **Replace** command on the parameters **SERVICENAME** and **SERVICETYPE**. To replace either the email account name or the account service type, the existing email account must be deleted and then a new one must be created.
 
<a href="" id="retrieve"></a>**RETRIEVE**
Optional. Specifies the maximum size in bytes for messages retrieved from the incoming email server. Messages beyond this size are retrieved, but truncated.
@ -227,10 +221,10 @@ Value options are 512, 1024, 2048, 5120, 20480, and 51200.
Supported operations are Get, Add, Replace, and Delete.
<a href="" id="serverdeleteaction"></a>**SERVERDELETEACTION**
Optional. Character string that specifies how message is deleted on server. Value options:
Optional. Character string that specifies how message is deleted on server. Value options are:
- 1 - delete message on the server
- 2 - keep the message on the server (delete to the Trash folder).
- 1 - Delete message on the server.
- 2 - Keep the message on the server (delete to the Trash folder).
Any other value results in default action, which depends on the transport.
@ -244,19 +238,19 @@ Value type is string. Supported operations are Get, Add, Replace, and Delete.
<a href="" id="syncingcontenttypes"></a>**SYNCINGCONTENTTYPES**
Required. Specifies a bitmask for which content types are supported for syncing, like Mail, Contacts, and Calendar.
- No data (0x0)
- Contacts (0x1)
- Mail (0x2)
- Appointments (0x4)
- Tasks (0x8)
- Notes (0x10)
- Feeds (0x60)
- Network Photo (0x180)
- Group and room (0x200)
- Chat (0x400)
- Email Recipient Email (0x800)
- Server Link (0x1000)
- All items (0xffffffff)
- No data (0x0)
- Contacts (0x1)
- Mail (0x2)
- Appointments (0x4)
- Tasks (0x8)
- Notes (0x10)
- Feeds (0x60)
- Network Photo (0x180)
- Group and room (0x200)
- Chat (0x400)
- Email Recipient Email (0x800)
- Server Link (0x1000)
- All items (0xffffffff)
Supported operations are Get, Add, Replace, and Delete.
@ -322,10 +316,10 @@ Optional. Character string that specifies if the incoming email server requires
Supported operations are Get, Add, Replace, and Delete.
Value options:
Value options are:
- 0 - SSL isn't required.
- 1 - SSL is required.
- 0 - SSL isn't required.
- 1 - SSL is required.
<a href="" id="tagprops-812c000b"></a>**TAGPROPS/812C000B**
Optional. Character string that specifies if the outgoing email server requires SSL.
@ -334,37 +328,28 @@ Supported operations are Get and Replace.
Value options:
- 0 - SSL isn't required.
- 1 - SSL is required.
- 0 - SSL isn't required.
- 1 - SSL is required.
## Remarks
When an application removal or configuration roll-back is provisioned, the EMAIL2 CSP passes the request to Configuration Manager, which handles the transaction externally. When a MAPI application is removed, the accounts that were created with it are deleted. All messages and other properties that the transport (like Short Message Service \[SMS\], Post Office Protocol \[POP\], or Simple Mail Transfer Protocol \[SMTP\]) might have stored, are lost. If an attempt to create a new email account is unsuccessful, the new account is automatically deleted. If an attempt to edit an existing account is unsuccessful, the original configuration is automatically rolled back (restored).
For OMA DM, the EMAIL2 CSP handles the Replace command differently from most other configuration service providers. For the EMAIL2 CSP, Configuration Manager implicitly adds the missing part of the node to be replaced or any segment in the path of the node if it's left out in the \<LocURI>\</LocURI\> block. There are separate parameters defined for the outgoing server logon credentials. The following are the usage rules for these credentials:
- The incoming server logon credentials are used (AUTHNAME, AUTHSECRET, and DOMAIN) unless the outgoing server credentials are set.
- If some of the outgoing server credentials parameters are present, then the EMAIL2 Configuration Service Provider will be considered in error.
- Account details cannot be queried unless the account GUID is known. Currently, there's no way to perform a top-level query for account GUIDs.
- The incoming server logon credentials are used (AUTHNAME, AUTHSECRET, and DOMAIN) unless the outgoing server credentials are set.
- If some of the outgoing server credentials parameters are present, then the EMAIL2 Configuration Service Provider will be considered in error.
- Account details can't be queried unless the account GUID is known. Currently, there's no way to perform a top-level query for account GUIDs.
If the connection to the mail server is initiated with deferred SSL, the mail server can send STARTTLS as a server capability and TLS will be enabled. The following steps show how to enable TLS.
1. The device attempts to connect to the mail server using SSL.
2. If the SSL connection fails, the device attempts to connect using deferred SSL.
3. If the connection fails over both SSL and deferred SSL, and the user selected **Server requires encrypted (SSL) connection**, the device doesn't attempt another connection.
4. If the user didn't select **Server requires encrypted (SSL) connection**, the device attempts to establish a non-SSL connection.
5. If the connection succeeds using any of the encryption protocols, the device requests the server capabilities.
6. If one of the capabilities sent by the mail server is STARTTLS and the connection is deferred SSL, then the device enables TLS. TLS isn't enabled on connections using SSL or non-SSL.
1. The device attempts to connect to the mail server using SSL
2. If the SSL connection fails, the device attempts to connect using deferred SSL
3. If the connection fails over both SSL and deferred SSL, and the user selected **Server requires encrypted (SSL) connection**, the device doesn't attempt another connection
4. If the user didn't select **Server requires encrypted (SSL) connection**, the device attempts to establish a non-SSL connection
5. If the connection succeeds using any of the encryption protocols, the device requests the server capabilities.
6. If one of the capabilities sent by the mail server is STARTTLS and the connection is deferred SSL, then the device enables TLS. TLS isn't enabled on connections using SSL or non-SSL.
## Related articles
[Configuration service provider reference](configuration-service-provider-reference.md)