deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-15 18:33:43 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Migrate MDM content (#761)

Browse Source
This commit is contained in:
Brian Lich
2017-05-22 13:07:12 -07:00
committed by GitHub
parent aecb12a200
commit 18332f30c4
474 changed files with 142555 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
windows/client-management/TOC.md
View File

@ -9,4 +9,5 @@
## [Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md)
## [Windows 10 Mobile deployment and management guide](windows-10-mobile-and-mdm.md)
## [Windows libraries](windows-libraries.md)
## [Mobile Device Management](mdm/index.md)
## [Change history for Client management](change-history-for-client-management.md)

221
windows/client-management/mdm/TOC.md Normal file
View File

@ -0,0 +1,221 @@
# [Mobile device management](index.md)
## [What's new in MDM enrollment and management](new-in-windows-mdm-enrollment-management.md)
## [Mobile device enrollment](mobile-device-enrollment.md)
### [MDM enrollment of Windows devices](mdm-enrollment-of-windows-devices.md)
### [Federated authentication device enrollment](federated-authentication-device-enrollment.md)
### [Certificate authentication device enrollment](certificate-authentication-device-enrollment.md)
### [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md)
## [Understanding ADMX-backed policies](understanding-admx-backed-policies.md)
## [Win32 and Desktop Bridge app policy configuration](win32-and-centennial-app-policy-configuration.md)
## [Implement server-side support for mobile application management on Windows](implement-server-side-mobile-application-management.md)
## [Diagnose MDM failures in Windows 10](diagnose-mdm-failures-in-windows-10.md)
## [Deploy and configure App-V apps using MDM](appv-deploy-and-config.md)
## [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md)
### [Add an Azure AD tenant and Azure AD subscription](add-an-azure-ad-tenant-and-azure-ad-subscription.md)
### [Register your free Azure Active Directory subscription](register-your-free-azure-active-directory-subscription.md)
## [Enterprise app management](enterprise-app-management.md)
## [Device update management](device-update-management.md)
## [Bulk enrollment](bulk-enrollment-using-windows-provisioning-tool.md)
## [Management tool for the Windows Store for Business](management-tool-for-windows-store-for-business.md)
### [REST API reference for Windows Store for Business](rest-api-reference-windows-store-for-business.md)
#### [Data structures for Windows Store for Business](data-structures-windows-store-for-business.md)
#### [Get Inventory](get-inventory.md)
#### [Get product details](get-product-details.md)
#### [Get localized product details](get-localized-product-details.md)
#### [Get offline license](get-offline-license.md)
#### [Get product packages](get-product-packages.md)
#### [Get product package](get-product-package.md)
#### [Get seats](get-seats.md)
#### [Get seat](get-seat.md)
#### [Assign seats](assign-seats.md)
#### [Reclaim seat from user](reclaim-seat-from-user.md)
#### [Bulk assign and reclaim seats from users](bulk-assign-and-reclaim-seats-from-user.md)
#### [Get seats assigned to a user](get-seats-assigned-to-a-user.md)
## [Enable offline upgrades to Windows 10 for Windows Embedded 8.1 Handheld devices](enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md)
## [Certificate renewal](certificate-renewal-windows-mdm.md)
## [Disconnecting from the management infrastructure (unenrollment)](disconnecting-from-mdm-unenrollment.md)
## [Enterprise settings, policies, and app management](windows-mdm-enterprise-settings.md)
## [Push notification support for device management](push-notification-windows-mdm.md)
## [OMA DM protocol support](oma-dm-protocol-support.md)
## [Structure of OMA DM provisioning files](structure-of-oma-dm-provisioning-files.md)
## [Server requirements for OMA DM](server-requirements-windows-mdm.md)
## [DMProcessConfigXMLFiltered](dmprocessconfigxmlfiltered.md)
## [Using PowerShell scripting with the WMI Bridge Provider](using-powershell-scripting-with-the-wmi-bridge-provider.md)
## [WMI providers supported in Windows 10](wmi-providers-supported-in-windows.md)
## [Create a custom configuration service provider](create-a-custom-configuration-service-provider.md)
### [Design a custom configuration service provider](design-a-custom-windows-csp.md)
### [IConfigServiceProvider2](iconfigserviceprovider2.md)
#### [IConfigServiceProvider2::ConfigManagerNotification](iconfigserviceprovider2configmanagernotification.md)
#### [IConfigServiceProvider2::GetNode](iconfigserviceprovider2getnode.md)
### [ICSPNode](icspnode.md)
#### [ICSPNode::Add](icspnodeadd.md)
#### [ICSPNode::Clear](icspnodeclear.md)
#### [ICSPNode::Copy](icspnodecopy.md)
#### [ICSPNode::DeleteChild](icspnodedeletechild.md)
#### [ICSPNode::DeleteProperty](icspnodedeleteproperty.md)
#### [ICSPNode::Execute](icspnodeexecute.md)
#### [ICSPNode::GetChildNodeNames](icspnodegetchildnodenames.md)
#### [ICSPNode::GetProperty](icspnodegetproperty.md)
#### [ICSPNode::GetPropertyIdentifiers](icspnodegetpropertyidentifiers.md)
#### [ICSPNode::GetValue](icspnodegetvalue.md)
#### [ICSPNode::Move](icspnodemove.md)
#### [ICSPNode::SetProperty](icspnodesetproperty.md)
#### [ICSPNode::SetValue](icspnodesetvalue.md)
### [ICSPNodeTransactioning](icspnodetransactioning.md)
### [ICSPValidate](icspvalidate.md)
### [Samples for writing a custom configuration service provider](samples-for-writing-a-custom-configuration-service-provider.md)
## [Configuration service provider reference](configuration-service-provider-reference.md)
### [ActiveSync CSP](activesync-csp.md)
#### [ActiveSync DDF file](activesync-ddf-file.md)
### [AllJoynManagement CSP](alljoynmanagement-csp.md)
#### [AllJoynManagement DDF](alljoynmanagement-ddf.md)
### [APPLICATION CSP](application-csp.md)
### [AppLocker CSP](applocker-csp.md)
#### [AppLocker DDF file](applocker-ddf-file.md)
#### [AppLocker XSD](applocker-xsd.md)
### [AssignedAccess CSP](assignedaccess-csp.md)
#### [AssignedAccess DDF file](assignedaccess-ddf.md)
### [BitLocker CSP](bitlocker-csp.md)
#### [BitLocker DDF file](bitlocker-ddf-file.md)
### [BOOTSTRAP CSP](bootstrap-csp.md)
### [BrowserFavorite CSP](browserfavorite-csp.md)
### [CellularSettings CSP](cellularsettings-csp.md)
### [CertificateStore CSP](certificatestore-csp.md)
#### [CertificateStore DDF file](certificatestore-ddf-file.md)
### [CleanPC CSP](cleanpc-csp.md)
#### [CleanPC DDF](cleanpc-ddf.md)
### [ClientCertificateInstall CSP](clientcertificateinstall-csp.md)
#### [ClientCertificateInstall DDF file](clientcertificateinstall-ddf-file.md)
### [CM_CellularEntries CSP](cm-cellularentries-csp.md)
### [CM_ProxyEntries CSP](cm-proxyentries-csp.md)
### [CMPolicy CSP](cmpolicy-csp.md)
### [CMPolicyEnterprise CSP](cmpolicyenterprise-csp.md)
#### [CMPolicyEnterprise DDF file](cmpolicyenterprise-ddf-file.md)
### [CustomDeviceUI CSP](customdeviceui-csp.md)
#### [CustomDeviceUI DDF file](customdeviceui-ddf.md)
### [Defender CSP](defender-csp.md)
#### [Defender DDF file](defender-ddf.md)
### [DevDetail CSP](devdetail-csp.md)
#### [DevDetail DDF file](devdetail-ddf-file.md)
### [DeveloperSetup CSP](developersetup-csp.md)
#### [DeveloperSetup DDF](developersetup-ddf.md)
### [DeviceInstanceService CSP](deviceinstanceservice-csp.md)
### [DeviceLock CSP](devicelock-csp.md)
#### [DeviceLock DDF file](devicelock-ddf-file.md)
### [DeviceManageability CSP](devicemanageability-csp.md)
#### [DeviceManageability DDF](devicemanageability-ddf.md)
### [DeviceStatus CSP](devicestatus-csp.md)
#### [DeviceStatus DDF](devicestatus-ddf.md)
### [DevInfo CSP](devinfo-csp.md)
#### [DevInfo DDF file](devinfo-ddf-file.md)
### [DiagnosticLog CSP](diagnosticlog-csp.md)
#### [DiagnosticLog DDF file](diagnosticlog-ddf.md)
### [DMAcc CSP](dmacc-csp.md)
#### [DMAcc DDF file](dmacc-ddf-file.md)
### [DMClient CSP](dmclient-csp.md)
#### [DMClient DDF file](dmclient-ddf-file.md)
### [DMSessionActions CSP](dmsessionactions-csp.md)
#### [DMSessionActions DDF file](dmsessionactions-ddf.md)
### [DynamicManagement CSP](dynamicmanagement-csp.md)
#### [DynamicManagement DDF file](dynamicmanagement-ddf.md)
### [EMAIL2 CSP](email2-csp.md)
#### [EMAIL2 DDF file](email2-ddf-file.md)
### [EnterpriseAPN CSP](enterpriseapn-csp.md)
#### [EnterpriseAPN DDF](enterpriseapn-ddf.md)
### [EnterpriseAppManagement CSP](enterpriseappmanagement-csp.md)
### [EnterpriseAppVManagement CSP](enterpriseappvmanagement-csp.md)
#### [EnterpriseAppVManagement DDF file](enterpriseappvmanagement-ddf.md)
### [EnterpriseAssignedAccess CSP](enterpriseassignedaccess-csp.md)
#### [EnterpriseAssignedAccess DDF file](enterpriseassignedaccess-ddf.md)
#### [EnterpriseAssignedAccess XSD](enterpriseassignedaccess-xsd.md)
### [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md)
#### [EnterpriseDataProtection DDF file](enterprisedataprotection-ddf-file.md)
### [EnterpriseDesktopAppManagement CSP](enterprisedesktopappmanagement-csp.md)
#### [EnterpriseDesktopAppManagement DDF](enterprisedesktopappmanagement-ddf-file.md)
#### [EnterpriseDesktopAppManagement XSD](enterprisedesktopappmanagement2-xsd.md)
### [EnterpriseExt CSP](enterpriseext-csp.md)
#### [EnterpriseExt DDF file](enterpriseext-ddf.md)
### [EnterpriseExtFileSystem CSP](enterpriseextfilessystem-csp.md)
#### [EnterpriseExtFileSystem DDF file](enterpriseextfilesystem-ddf.md)
### [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md)
#### [EnterpriseModernAppManagement DDF](enterprisemodernappmanagement-ddf.md)
#### [EnterpriseModernAppManagement XSD](enterprisemodernappmanagement-xsd.md)
### [FileSystem CSP](filesystem-csp.md)
### [HealthAttestation CSP](healthattestation-csp.md)
#### [HealthAttestation DDF](healthattestation-ddf.md)
### [HotSpot CSP](hotspot-csp.md)
### [Maps CSP](maps-csp.md)
#### [Maps DDF](maps-ddf-file.md)
### [Messaging CSP](messaging-csp.md)
#### [Messaging DDF file](messaging-ddf.md)
### [NAP CSP](nap-csp.md)
### [NAPDEF CSP](napdef-csp.md)
### [NetworkProxy CSP](networkproxy-csp.md)
#### [NetworkProxy DDF file](networkproxy-ddf.md)
### [NetworkQoSPolicy CSP](networkqospolicy-csp.md)
#### [NetworkQoSPolicy DDF file](networkqospolicy-ddf.md)
### [NodeCache CSP](nodecache-csp.md)
#### [NodeCache DDF file](nodecache-ddf-file.md)
### [Office CSP](office-csp.md)
#### [Office DDF](office-ddf.md)
### [PassportForWork CSP](passportforwork-csp.md)
#### [PassportForWork DDF file](passportforwork-ddf.md)
### [Personalization CSP](personalization-csp.md)
#### [Personalization DDF file](personalization-ddf.md)
### [Policy CSP](policy-configuration-service-provider.md)
#### [Policy DDF file](policy-ddf-file.md)
#### [ApplicationRestrictions XSD](applicationrestrictions-xsd.md)
### [PolicyManager CSP](policymanager-csp.md)
### [Provisioning CSP](provisioning-csp.md)
### [PROXY CSP](proxy-csp.md)
### [PXLOGICAL CSP](pxlogical-csp.md)
### [Reboot CSP](reboot-csp.md)
#### [Reboot DDF file](reboot-ddf-file.md)
### [Registry CSP](registry-csp.md)
#### [Registry DDF file](registry-ddf-file.md)
### [RemoteFind CSP](remotefind-csp.md)
#### [RemoteFind DDF file](remotefind-ddf-file.md)
### [RemoteLock CSP](remotelock-csp.md)
#### [RemoteLock DDF file](remotelock-ddf-file.md)
### [RemoteRing CSP](remotering-csp.md)
#### [RemoteRing DDF file](remotering-ddf-file.md)
### [RemoteWipe CSP](remotewipe-csp.md)
#### [RemoteWipe DDF file](remotewipe-ddf-file.md)
### [Reporting CSP](reporting-csp.md)
#### [Reporting DDF file](reporting-ddf-file.md)
### [RootCATrustedCertificates CSP](rootcacertificates-csp.md)
#### [RootCATrustedCertificates DDF file](rootcacertificates-ddf-file.md)
### [SecureAssessment CSP](secureassessment-csp.md)
#### [SecureAssessment DDF file](secureassessment-ddf-file.md)
### [SecurityPolicy CSP](securitypolicy-csp.md)
### [SharedPC CSP](sharedpc-csp.md)
#### [SharedPC DDF file](sharedpc-ddf-file.md)
### [Storage CSP](storage-csp.md)
#### [Storage DDF file](storage-ddf-file.md)
### [SUPL CSP](supl-csp.md)
#### [SUPL DDF file](supl-ddf-file.md)
### [SurfaceHub CSP](surfacehub-csp.md)
#### [SurfaceHub DDF file](surfacehub-ddf-file.md)
### [UnifiedWriteFilter CSP](unifiedwritefilter-csp.md)
#### [UnifiedWriteFilter DDF file](unifiedwritefilter-ddf.md)
### [Update CSP](update-csp.md)
#### [Update DDF file](update-ddf-file.md)
### [VPN CSP](vpn-csp.md)
#### [VPN DDF file](vpn-ddf-file.md)
### [VPNv2 CSP](vpnv2-csp.md)
#### [VPNv2 DDF file](vpnv2-ddf-file.md)
#### [ProfileXML XSD](vpnv2-profile-xsd.md)
#### [EAP configuration](eap-configuration.md)
### [w4 APPLICATION CSP](w4-application-csp.md)
### [w7 APPLICATION CSP](w7-application-csp.md)
### [WiFi CSP](wifi-csp.md)
#### [WiFi DDF file](wifi-ddf-file.md)
### [Win32AppInventory CSP](win32appinventory-csp.md)
#### [Win32AppInventory DDF file](win32appinventory-ddf-file.md)
### [WindowsAdvancedThreatProtection CSP](windowsadvancedthreatprotection-csp.md)
#### [WindowsAdvancedThreatProtection DDF file](windowsadvancedthreatprotection-ddf.md)
### [WindowsLicensing CSP](windowslicensing-csp.md)
#### [WindowsLicensing DDF file](windowslicensing-ddf-file.md)
### [WindowsSecurityAuditing CSP](windowssecurityauditing-csp.md)
#### [WindowsSecurityAuditing DDF file](windowssecurityauditing-ddf-file.md)

268
windows/client-management/mdm/activesync-csp.md Normal file
View File

@ -0,0 +1,268 @@
---
title: ActiveSync CSP
description: ActiveSync CSP
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: c65093ef-bd36-4f32-9dab-edb7bcfb3188
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# ActiveSync CSP
The ActiveSync configuration service provider is used to set up and change settings for Exchange ActiveSync. After an Exchange account has been updated over-the-air by the ActiveSync configuration service provider, the device must be powered off and then powered back on to see sync status.
Configuring Windows Live ActiveSync accounts through this configuration service provider is not supported.
> **Note**  
The target user must be logged in for the CSP to succeed. The correct way to configure an account is to use the ./User/Vendor/MSFT/ActiveSync path.
On the desktop, only per user configuration (./User/Vendor/MSFT/ActiveSync) is supported. However, the ./Vendor/MSFT/ActiveSync path will work if the user is logged in. The CSP fails when no user is logged in.
The ./Vendor/MSFT/ActiveSync path is deprecated, but will continue to work in the short term.
 
The following diagram shows the ActiveSync configuration service provider management objects in tree format as used by Open Mobile Alliance Device Management (OMA DM), OMA Client Provisioning, and Enterprise DM.
![activesync csp (cp)](images/provisioning-csp-activesync-cp.png)
<a href="" id="--user-vendor-msft-activesync"></a>**./User/Vendor/MSFT/ActiveSync**
The root node for the ActiveSync configuration service provider.
> **Note**  
The target user must be logged in for the CSP to succeed. The correct way to configure an account is to use the ./User/Vendor/MSFT/ActiveSync path.
On the desktop, only per user configuration (./User/Vendor/MSFT/ActiveSync) is supported. However, the ./Vendor/MSFT/ActiveSync will work if the user is logged in. The CSP fails when no user is logged in.
The ./Vendor/MSFT/ActiveSync path is deprecated, but will continue to work in the short term.
 
The supported operation is Get.
<a href="" id="accounts"></a>**Accounts**
The root node for all ActiveSync accounts.
The supported operation is Get.
<a href="" id="account-guid"></a>***Account GUID***
Defines a specific ActiveSync account. A globally unique identifier (GUID) must be generated for each ActiveSync account on the device.
Supported operations are Get, Add, and Delete.
When managing over OMA DM, make sure to always use a unique GUID. Provisioning with an account that has the same GUID as an existing one deletes the existing account and does not create the new account.
Braces { } are required around the GUID. In OMA Client Provisioning, you can type the braces. For example:
``` syntax
<characteristic type="{C556E16F-56C4-4EDB-9C64-D9469EE1FBE0}"/>
```
For OMA DM, you must use the ASCII values of %7B and %7D for the opening and closing braces, respectively. For example, if the GUID is "C556E16F-56C4-4EDB-9C64-D9469EE1FBE0", type:
``` syntax
<Target>
<LocURI>
./Vendor/MSFT/ActiveSync/Accounts/%7BC556E16F-56C4-4EDB-9C64-D9469EE1FBE0%7D
</LocURI>
</Target>
```
<a href="" id="account-guid-emailaddress"></a>***Account GUID*/EmailAddress**
Required. A character string that specifies the email address associated with the Exchange ActiveSync account.
Supported operations are Get, Replace, and Add (cannot Add after the account is created).
This email address is entered by the user during setup and must be in the fully qualified email address format, for example, "someone@example.com".
<a href="" id="account-guid-domain"></a>***Account GUID*/Domain**
Optional for Exchange. Specifies the domain name of the Exchange server.
Supported operations are Get, Replace, Add, and Delete.
<a href="" id="account-guid-accounticon"></a>***Account GUID*/AccountIcon**
Required. A character string that specifies the location of the icon associated with the account.
Supported operations are Get, Replace, and Add (cannot Add after the account is created).
The account icon can be used as a tile in the **Start** list or an icon in the applications list under **Settings &gt; email & accounts**. Some icons are already provided on the device. The suggested icon for POP/IMAP or generic ActiveSync accounts is at res://AccountSettingsSharedRes{*ScreenResolution*}!%s.genericmail.png. The suggested icon for Exchange Accounts is at res://AccountSettingsSharedRes{*ScreenResolution*}!%s.office.outlook.png. Custom icons can be added if desired.
<a href="" id="account-guid-accounttype"></a>***Account GUID*/AccountType**
Required. A character string that specifies the account type.
Supported operations are Get and Add (cannot Add after the account is created).
This value is entered during setup and cannot be modified once entered. An Exchange account is indicated by the string value "Exchange".
<a href="" id="account-guid-accountname"></a>***Account GUID*/AccountName**
Required. A character string that specifies the name that refers to the account on the device.
Supported operations are Get, Replace, and Add (cannot Add after the account is created).
<a href="" id="account-guid-password"></a>***Account GUID*/Password**
Required. A character string that specifies the password for the account.
Supported operations are Get, Replace, Add, and Delete.
For the Get command, only asterisks are returned.
<a href="" id="account-guid-servername"></a>***Account GUID*/ServerName**
Required. A character string that specifies the server name used by the account.
Supported operations are Get, Replace, and Add (cannot Add after the account is created).
<a href="" id="account-guid-username"></a>***Account GUID*/UserName**
Required. A character string that specifies the user name for the account.
Supported operations are Get, and Add (cannot Add after the account is created).
The user name cannot be changed after a sync has been successfully performed. The user name can be in the fully qualified format "someone@example.com", or just "username", depending on the type of account created. For most Exchange accounts, the user name format is just "username", whereas for Microsoft, Google, Yahoo, and most POP/IMAP accounts, the user name format is "someone@example.com".
<a href="" id="options"></a>**Options**
Node for other parameters.
<a href="" id="options-calendaragefilter"></a>**Options/CalendarAgeFilter**
Specifies the time window used for syncing calendar items to the device. Value type is chr.
<a href="" id="options-logging"></a>**Options/Logging**
Required. A character string that specifies whether diagnostic logging is enabled and at what level. The default is 0 (disabled).
Supported operations are Get, Replace, and Add (cannot Add after the account is created).
Valid values are one of the following:
- 0 (default) - Logging is off.
- 1 - Basic logging is enabled.
- 2 - Advanced logging is enabled.
Logging is set to off by default. The user might be asked to set this to Basic or Advanced when having a sync issue that customer support is investigating. Setting the logging level to Advanced has more of a performance impact than Basic.
<a href="" id="options-mailbodytype"></a>**Options/MailBodyType**
Indicates the email format. Valid values:
- 0 - none
- 1 - text
- 2 - HTML
- 3 - RTF
- 4 - MIME
<a href="" id="options-mailhtmltruncation"></a>**Options/MailHTMLTruncation**
Specifies the size beyond which HTML-formatted email messages are truncated when they are synchronized to the mobile device. The value is specified in KB. A value of -1 disables truncation.
<a href="" id="options-mailplaintexttruncation"></a>**Options/MailPlainTextTruncation**
This setting specifies the size beyond which text-formatted e-mail messages are truncated when they are synchronized to the mobile phone. The value is specified in KB. A value of -1 disables truncation.
<a href="" id="options-usessl"></a>**Options/UseSSL**
Optional. A character string that specifies whether SSL is used.
Supported operations are Get, Replace, and Add (cannot Add after the account is created).
Valid values are:
- 0 - SSL is not used.
- 1 (default) - SSL is used.
<a href="" id="options-schedule"></a>**Options/Schedule**
Required. A character string that specifies the time until the next sync is performed, in minutes. The default value is -1.
Supported operations are Get and Replace.
Valid values are one of the following:
- -1 (default) - A sync will occur as items are received
- 0 - All syncs must be performed manually
- 15 - Sync every 15 minutes
- 30 - Sync every 30 minutes
- 60 - Sync every 60 minutes
<a href="" id="options-mailagefilter"></a>**Options/MailAgeFilter**
Required. A character string that specifies the time window used for syncing email items to the device. The default value is 3.
Supported operations are Get and Replace.
Valid values are one of the following:
- 0 No age filter is used, and all email items are synced to the device.
- 2 Only email up to three days old is synced to the device.
- 3 (default) Email up to a week old is synced to the device.
- 4 Email up to two weeks old is synced to the device.
- 5 Email up to a month old is synced to the device.
<a href="" id="options-contenttypes-content-type-guid"></a>**Options/ContentTypes/****_Content Type GUID_**
Defines the type of content to be individually enabled/disabled for sync.
The *GUID* values allowed are one of the following:
- Email: "{c6d47067-6e92-480e-b0fc-4ba82182fac7}"
- Contacts: "{0dd8685c-e272-4fcb-9ecf-2ead7ea2497b}"
- Calendar: "{4a5d9fe0-f139-4a63-a5a4-4f31ceea02ad}"
- Tasks: "{783ae4f6-4c12-4423-8270-66361260d4f1}"
<a href="" id="options-contenttypes-content-type-guid-enabled"></a>**Options/ContentTypes/*Content Type GUID*/Enabled**
Required. A character string that specifies whether sync is enabled or disabled for the selected content type. The default is "1" (enabled).
Supported operations are Get, Replace, and Add (cannot Add after the account is created).
Valid values are one of the following:
- 0 - Sync for email, contacts, calendar, or tasks is disabled.
- 1 (default) - Sync is enabled.
<a href="" id="options-contenttypes-content-type-guid-name"></a>**Options/ContentTypes/*Content Type GUID*/Name**
Required. A character string that specifies the name of the content type.
> **Note**  In Windows 10, this node is currently not working.
 
Supported operations are Get, Replace, and Add (cannot Add after the account is created).
When you use Add or Replace inside an atomic block in the SyncML, the CSP returns an error and provisioning fails. When you use Add or Replace outside of the atomic block, the error is ignored and the account is provisioned as expected.
<a href="" id="policies"></a>**Policies**
Node for mail body type and email age filter.
<a href="" id="policies-mailbodytype"></a>**Policies/MailBodyType**
Required. Specifies the email body type: HTML or plain.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
<a href="" id="policies-maxmailagefilter"></a>**Policies/MaxMailAgeFilter**
Required. Specifies the time window used for syncing mail items to the device.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
 
 

696
windows/client-management/mdm/activesync-ddf-file.md Normal file
View File

@ -0,0 +1,696 @@
---
title: ActiveSync DDF file
description: ActiveSync DDF file
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: c4cd4816-ad8f-45b2-9b81-8abb18254096
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# ActiveSync DDF file
This topic shows the OMA DM device description framework (DDF) for the **ActiveSync** configuration service provider. DDF files are used only with OMA DM provisioning XML.
You can download the DDF files from the links below:
- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip)
The XML below is the current version for this CSP.
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[
<?oma-dm-ddf-ver supported-versions="1.2"?>
]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>ActiveSync</NodeName>
<Path>./Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>The root node for ActiveSync configuration.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>com.microsoft/1.0/MDM/ActiveSync</MIME>
</DFType>
</DFProperties>
<Node>
<NodeName>Accounts</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>The parent node group all active sync accounts.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>Defines a specific ActiveSync account. A globally unique identifier (GUID) must be generated for each ActiveSync account on the device.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrMore />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Account GUID</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>EmailAddress</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>The email address the user entered during setup. This is the email address that is associated with the Exchange ActiveSync account and it is required.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Domain</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>Domain name of the Exchange server</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>AccountIcon</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>Specify the location of the icon associated with the account.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>AccountType</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>Specify the account type.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>AccountName</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>The name that refers to the account on the phone.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Password</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>A character string that specifies the password for the account.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>ServerName</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>Specifies the server name used by the account.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>UserName</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>Specifies the user name for the account.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Options</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>Specifies whether email, contacts, and calendar need to synchronize by default, and sets preference such as sync schedule, truncation sizes, and logging.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>CalendarAgeFilter</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>Specifies the time window used for syncing calendar items to the phone.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Logging</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>Specifies whether diagnostic logging is enabled and at what level.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>MailBodyType</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>Indicates format type of the Email. Supported values are 0 (none), 1 (text), 2 (HTML), 3 (RTF), and 4 (MIME).</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>MailHTMLTruncation</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>This setting specifies the size beyond which HTML-formatted e-mail messages are truncated when they are synchronized to the mobile phone. The value is specified in KB. A value of -1 disables truncation.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>MailPlainTextTruncation</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>This setting specifies the size beyond which text-formatted e-mail messages are truncated when they are synchronized to the mobile phone. The value is specified in KB. A value of -1 disables truncation.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Schedule</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>Specifies the time until the next sync is performed in minutes.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>UseSSL</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>Specifies whether SSL is used.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>MailAgeFilter</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>Specifies the time window used for syncing email items to the phone.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>ContentTypes</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>Enables or disables syncing email, contacts, task, and calendar.Each is represented by a GUID.Email: {c6d47067-6e92-480e-b0fc-4ba82182fac7}. Contacts: {0dd8685c-e272-4fcb-9ecf-2ead7ea2497b}.Calendar: {4a5d9fe0-f139-4a63-a5a4-4f31ceea02ad}. Tasks:{783ae4f6-4c12-4423-8270-66361260d4f1}</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<OneOrN>1</OneOrN>
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Content Type GUID</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Enabled</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>Enables or disables Sync for Email, contacts, calendar, and Tasks.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Name</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>The name of the content type.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</Node>
<Node>
<NodeName>Policies</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>Specifies the mail body type and email age filter.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>MailBodyType</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>Specifies the email body type. HTML or plain</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>MaxMailAgeFilter</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>Specifies the time window used for syncing mail items to the device.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</Node>
</Node>
</MgmtTree>
```
## Related topics
[ActiveSync configuration service provider](activesync-csp.md)
 
 

100
windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md Normal file
View File

@ -0,0 +1,100 @@
---
title: Add an Azure AD tenant and Azure AD subscription
description: Here's a step-by-step guide to adding an Azure Active Directory tenant, adding an Azure AD subscription, and registering your subscription.
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: 36D94BEC-A6D8-47D2-A547-EBD7B7D163FA
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# Add an Azure AD tenant and Azure AD subscription
Here's a step-by-step guide to adding an Azure Active Directory tenant, adding an Azure AD subscription, and registering your subscription.
> **Note**  If you have paid subscriptions to Office 365, Microsoft Dynamics CRM Online, Enterprise Mobility Suite, or other Microsoft services, you have a free subscription to Azure AD. For step-by-step guide to register this free subscription, see [Register your free Azure Active Directory subscription.](#register-your-free-azure-active-directory-subscription)
1. Sign-up for Azure AD tenant from [this website](https://account.windowsazure.com/organization) by creating an administrator account for your organization.
![sign up for azure ad tenant](images/azure-ad-add-tenant1.png)
2. Enter the information for your organization. Click **check availability** to verify that domain name that you selected is available.
![sign up for azure ad](images/azure-ad-add-tenant2.png)
3. Complete the login and country information. You must provide a valid phone number, then click **Send text message** or **Call me**.
![create azure account](images/azure-ad-add-tenant3.png)
4. Enter the code that you receive and then click **Verify code**. After the code is verified and the continue button turns green, click **continue**.
![add aad tenant](images/azure-ad-add-tenant3-b.png)
5. After you finish creating your Azure account, you are ready to add an Azure AD subscription.
If you don't have a paid subscription to any Microsoft service, you can purchase an Azure AD premium subscription. Go to Office 356 portal, <https://portal.office.com/> and then sign in using the admin account that you just created in Step 4 (for example, user1@contosoltd.onmicrosoftcom).
![login to office 365](images/azure-ad-add-tenant4.png)
6. Click **Install software**.
![login to office 365](images/azure-ad-add-tenant5.png)
7. In the Office 365 portal, select **Purchase Services** from the left nagivation.
![purchase service option in admin center menu](images/azure-ad-add-tenant6.png)
8. On the **Purchase services** page, scroll down until you see **Azure Active Directory Premium**, then click to purchase.
![azure active directory option in purchase services page](images/azure-ad-add-tenant7.png)
9. Continue with your purchase.
![azure active directory premium payment page](images/azure-ad-add-tenant8.png)
10. After the purchase is completed, you can login to your Office 365 Admin Portal and you will see the **Azure AD** option from the Admin drop-down menu along with other services (SharePoint, Exchange, etc...).
![admin center left navigation menu](images/azure-ad-add-tenant9.png)
When you choose Azure AD, it will take you to the Azure AD portal where you can manage your Azure AD applications.
## Register your free Azure Active Directory subscription
If you have paid subscriptions to Office 365, Microsoft Dynamics CRM Online, Enterprise Mobility Suite, or other Microsoft services, you have a free subscription to Azure AD. Here's a step-by-step guide to register your free Azure AD subscription using an Office 365 Premium Business subscription.
1. Sign in to the Office 365 portal at <https://portal.office.com> using your organization's account.
![register azuread](images/azure-ad-add-tenant10.png)
2. On the **Home** page, click on the Admin tools icon.
![register azuread](images/azure-ad-add-tenant11.png)
3. On the **Admin center** page, hover your mouse over the Admin tools icon on the left and then click **Azure AD**. This will take you to the Azure Active Directory sign-up page and brings up your existing Office 365 organization account information.
![register azuread](images/azure-ad-add-tenant12.png)
4. On the **Sign up** page, make sure to enter a valid phone number and then click **Sign up**.
![register azuread](images/azure-ad-add-tenant13.png)
5. It may take a few minutes to process the request.
![register azuread](images/azure-ad-add-tenant14.png)
6. You will see a welcome page when the process completes.
![register azuread](images/azure-ad-add-tenant15.png)
 

150
windows/client-management/mdm/alljoynmanagement-csp.md Normal file
View File

@ -0,0 +1,150 @@
---
title: AllJoynManagement CSP
description: The AllJoynManagement configuration service provider (CSP) allows an IT administrator to enumerate the AllJoyn devices that are connected to the AllJoyn bus.
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: 468E0EE5-EED3-48FF-91C0-89F9D159AA8C
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# AllJoynManagement CSP
The AllJoynManagement configuration service provider (CSP) allows an IT administrator to enumerate the AllJoyn devices that are connected to the AllJoyn bus. The devices must support the Microsoft AllJoyn configuration interface (com.microsoft.alljoynmanagement.config). You can also push configuration files to the same devices. To populate the various nodes when setting new configuration, we recommend that you do a query first, to get the actual values for all the nodes in all the attached devices. You can then use the information from the query to set the node values when pushing the new configuration.
> **Note**  
The AllJoynManagement configuration service provider (CSP) is only supported in Windows 10 IoT Core (IoT Core).
This CSP was added in Windows 10, version 1511.
 
For the firewall settings, note that PublicProfile and PrivateProfile are mutually exclusive. The Private Profile must be set on the directly on the device itself, and the only supported operation is Get. For PublicProfile, both Add and Get are supported. This CSP is intended to be used in conjunction with the AllJoyn Device System Bridge, and an understanding of the bridge will help when determining when and how to use this CSP. For more information, see [Device System Bridge (DSB) Project](http://go.microsoft.com/fwlink/p/?LinkId=615876) and [AllJoyn Device System Bridge](http://go.microsoft.com/fwlink/p/?LinkId=615877).
The following diagram shows the AllJoynManagement configuration service provider in tree format
![alljoynmanagement csp diagram](images/provisioning-csp-alljoynmanagement.png)
The following list describes the characteristics and parameters.
<a href="" id="--vendor-msft-alljoynmanagement"></a>**./Vendor/MSFT/AllJoynManagement**
The root node for the AllJoynManagement configuration service provider.
<a href="" id="services"></a>**Services**
List of all AllJoyn objects that are discovered on the AllJoyn bus. All AllJoyn objects that expose the "com.microsoft.alljoynmanagement.config" are included.
<a href="" id="services-node-name"></a>**Services/****_Node name_**
The unique AllJoyn device ID (a GUID) that hosts one or more configurable objects.
<a href="" id="services-node-name-port"></a>**Services/*Node name*/Port**
The set of ports that the AllJoyn object uses to communicate configuration settings. Typically only one port is used for communication, but it is possible to specify additional ports.
<a href="" id="services-node-name-port-node-name"></a>**Services/*Node name*/Port/****_Node name_**
Port number used for communication. This is specified by the configurable AllJoyn object and reflected here.
<a href="" id="services-node-name-port-node-name-cfgobject"></a>**Services/*Node name*/Port/*Node name*/CfgObject**
The set of configurable interfaces that are available on the port of the AllJoyn object.
<a href="" id="services-node-name-port-node-name-cfgobject-node-name"></a>**Services/*Node name*/Port/*Node name*/CfgObject/****_Node name_**
The remainder of this URI is an escaped path to the configurable AllJoyn object hosted by the parent ServiceID and accessible by the parent PortNum.
For example an AllJoyn Bridge with the Microsoft specific AllJoyn configuration interface "\\FabrikamService\\BridgeConfig" would be specified in the URI as: %2FFabrikamService%2FBridgeConfig.
<a href="" id="credentials"></a>**Credentials**
This is the credential store. An administrator can set credentials for each AllJoyn device that requires authentication at this node.
When a SyncML request arrives in the CSP to replace or query a configuration item on an AllJoyn object that requires authentication, then the CSP uses the credentials stored here during the authentication phase.
<a href="" id="credentials-node-name"></a>**Credentials/****_Node name_**
This is the same service ID specified in \\AllJoynManagement\\Services\\ServiceID URI. It is typically implemented as a GUID.
<a href="" id="credentials-node-name-key"></a>**Credentials/*Node name*/Key**
An alphanumeric key value that conforms to the AllJoyn SRP KEYX authentication standard.
<a href="" id="firewall"></a>**Firewall**
Firewall setting for the AllJoyn service.
<a href="" id="firewall-publicprofile"></a>**Firewall/PublicProfile**
Boolean value to enable or disable the AllJoyn router service (AJRouter.dll) for public network profile.
<a href="" id="firewall-privateprofile"></a>**Firewall/PrivateProfile**
Boolean value indicating whether AllJoyn router service (AJRouter.dll) is enabled for private network profile.
## Examples
Set adapter configuration
``` syntax
<?xml version="1.0" encoding="utf-8"?>
SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/AllJoynManagement/Services/_ALLJOYN_DEVICE_ID_/Port/27/Configuration/%2FDSBService%2FAdapterConfig</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">b64</Format>
</Meta> <Data>PAA/AHgAbQBsACAAdgBlAHIAcwBpAG8AbgA9ACIAMQAuADAAIgA/AD4ADQAKADwAQgBhAGMATgBlAHQAQwBmAGcAPgANAAoACQA8AEIAQgBNAEQAUwBlAHIAdgBlAHIAPgANAAoACQAJADwASQBQAEEAZABkAHIAZQBzAHMAPgAxADIANwAuADAALgAwAC4AMQA8AC8ASQBQAEEAZABkAHIAZQBzAHMAPgANAAoACQAJADwAUABvAHIAdAA+ADQANwA4ADAAOAA8AC8AUABvAHIAdAA+AA0ACgAJADwALwBCAEIATQBEAFMAZQByAHYAZQByAD4ADQAKADwALwBCAGEAYwBOAGUAdABDAGYAZwA+AA0ACgAAAA==</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
```
You should replace \_ALLJOYN\_DEVICE\_ID\_ with an actual device ID. Note that the data is base-64 encoded representation of the configuration file that you are setting.
Get PIN data
``` syntax
<?xml version="1.0" encoding="utf-8"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Get>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/AllJoynManagement/Credentials?list=StructData</LocURI>
</Target>
</Item>
</Get>
<Final/>
</SyncBody>
</SyncML>
```
Get the firewall PrivateProfile
``` syntax
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Get>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/AllJoynManagement/Firewall/PrivateProfile</LocURI>
</Target>
</Item>
</Get>
<Final/>
</SyncBody>
</SyncML>
```
 
 

342
windows/client-management/mdm/alljoynmanagement-ddf.md Normal file
View File

@ -0,0 +1,342 @@
---
title: AllJoynManagement DDF
description: AllJoynManagement DDF
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: 540C2E60-A041-4749-A027-BBAF0BB046E4
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# AllJoynManagement DDF
This topic shows the OMA DM device description framework (DDF) for the **AllJoynManagement** configuration service provider. This CSP was added in Windows 10, version 1511.
You can download the Windows 10 version 1607 DDF files from [here](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip).
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>AllJoynManagement</NodeName>
<Path>./Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Services</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>This is the list of AllJoyn Objects that are discovered on the AllJoyn bus. Only AllJoyn Objects that expose the "com.microsoft.alljoynmanagement.config" will be shown here.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>The Unique AllJoyn About Device ID, a GUID, that Hosts one or more configurable objects
.
</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrMore />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>ServiceID</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Port</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>The set of Ports that this AllJoyn Object uses to communicate configuration settings through.
Typically, only one port is used for communication, but it is possible that additional ports may be specified.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>The AllJoyn Port Number to communicate on. This is specified by the Configurable AllJoyn Object and is reflected here.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>PortNum</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>CfgObject</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>The set of configurable interfaces that are available on the Port of the AllJoyn Object</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>The remainder of this URI is an escaped path to the Configurable AllJoyn Object Hosted by the parent ServiceID and Accessible by the parent PortNum.
For example an AllJoyn Bridge with the Microsoft specific AllJoyn Configuration Interface "\ASBService\BridgeConfig" would be specified in the URI as: %2FASBService%2FBridgeConfig
</Description>
<DFFormat>
<b64 />
</DFFormat>
<Occurrence>
<OneOrMore />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>CfgObjectPath</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</Node>
</Node>
</Node>
<Node>
<NodeName>Credentials</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>This is the Credential Store. An Administrator can set credentials for each AllJoyn device that requires authentication at this node.
If a SYNCML request arrives in the CSP to replace or query a configuration item on an AllJoyn Object that requires authentication, then the CSP will use the Credentials stored here during the authentication phase.
</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>This is the same ServiceID as specified in the \AllJoynManagement\Services\ServiceID URI.
It is typically implemented as a GUID.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrMore />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFTitle>ServiceID</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Key</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<Description>An Alphanumeric KEY value that conforms to the AllJoyn SRP KEYX Authentication Standard</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CS />
</CaseSense>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
<Node>
<NodeName>Firewall</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Firewall setting for the AllJoyn service (AJRouter.dll).</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>PublicProfile</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<Description>Boolean value to enable or disable the AllJoyn router service (AJRouter.dll) for Public network profile.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>PrivateProfile</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Boolean value indicating whether AllJoyn router service (AJRouter.dll) is enabled for Private network profile.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</MgmtTree>
```
## Related topics
[AllJoynManagement configuration service provider](alljoynmanagement-csp.md)
 
 

43
windows/client-management/mdm/application-csp.md Normal file
View File

@ -0,0 +1,43 @@
---
title: APPLICATION configuration service provider
description: APPLICATION configuration service provider
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: 0705b5e9-a1e7-4d70-a73d-7f758ffd8099
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# APPLICATION configuration service provider
The APPLICATION configuration service provider is used to configure an application transport using Open Mobile Alliance (OMA) Client Provisioning.
OMA considers each transport to be an application and requires a corresponding APPLICATION configuration service provider. The following list shows the supported transports.
- w7, for bootstrapping a device with an OMA Device Management (OMA DM) account. For more information, see [w7 APPLICATION configuration service provider](w7-application-csp.md)
- w4, for configuring Multimedia Messaging Service (MMS). For more information, see [w4 APPLICATION configuration service provider](w4-application-csp.md)
The APPID parameter differentiates these application transports. Each APPID must be registered with OMA, and any APPLICATION configuration service provider must be in the root of the provisioning document.
For the device to decode correctly, provisioning XML that contains the APPLICATION characteristic must support OMA Client Provisioning version 1.1.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
 
 

129
windows/client-management/mdm/applicationrestrictions-xsd.md Normal file
View File

@ -0,0 +1,129 @@
---
title: ApplicationRestrictions XSD
description: Here's the XSD for the ApplicationManagement/ApplicationRestrictions policy.
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: A5AA2B59-3736-473E-8F70-A90FD61EE426
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# ApplicationRestrictions XSD
Here's the XSD for the ApplicationManagement/ApplicationRestrictions policy.
``` syntax
<?xml version="1.0" encoding="utf-8"?>
<xs:schema id="AppPolicy_xsd"
attributeFormDefault="unqualified"
elementFormDefault="qualified"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
targetNamespace="http://schemas.microsoft.com/phone/2013/policy"
xmlns="http://schemas.microsoft.com/phone/2013/policy"
xmlns:m="http://schemas.microsoft.com/phone/2013/policy"
>
<!-- Non-empty string must have a non-whitespace character at the beginning and end -->
<xs:simpleType name="ST_NonEmptyString">
<xs:restriction base="xs:string">
<xs:minLength value="1"/>
<xs:maxLength value="32767"/>
<xs:pattern value="[^\s]|([^\s].*[^\s])"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="ST_Publisher">
<xs:restriction base="xs:string">
<xs:maxLength value="256"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="CT_LowerCaseGuid">
<xs:annotation>
<xs:documentation>GUID must use lowercase letters</xs:documentation>
</xs:annotation>
<xs:restriction base="ST_NonEmptyString">
<xs:pattern value="\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}"/>
</xs:restriction>
</xs:simpleType>
<xs:complexType name="CT_Application">
<xs:attribute name="ProductId" type="CT_LowerCaseGuid" />
</xs:complexType>
<xs:complexType name="CT_ApplicationWithPublisher">
<xs:attribute name="ProductId" type="CT_LowerCaseGuid" />
<xs:attribute name="PublisherName" type="ST_Publisher" use="optional" />
</xs:complexType>
<xs:complexType name="CT_AllowedPublisher">
<xs:sequence>
<xs:element name="DenyApp" type="CT_Application" minOccurs="0" maxOccurs="unbounded" />
</xs:sequence>
<xs:attribute name="PublisherName" type="ST_Publisher" use="required" />
</xs:complexType>
<xs:complexType name="CT_DeniedPublisher">
<xs:sequence>
<xs:element name="AllowApp" type="CT_Application" minOccurs="0" maxOccurs="unbounded" />
</xs:sequence>
<xs:attribute name="PublisherName" type="ST_Publisher" use="required" />
</xs:complexType>
<xs:element name="Deny">
<xs:complexType>
<xs:sequence>
<xs:element name="App" type="CT_Application" minOccurs="0" maxOccurs="unbounded" />
<xs:element name="Publisher" type="CT_DeniedPublisher" minOccurs="0" maxOccurs="unbounded" />
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="Allow">
<xs:complexType>
<xs:sequence>
<xs:element name="App" type="CT_ApplicationWithPublisher" minOccurs="0" maxOccurs="unbounded" />
<xs:element name="Publisher" type="CT_AllowedPublisher" minOccurs="0" maxOccurs="unbounded" />
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="AppPolicy">
<xs:complexType>
<xs:choice minOccurs="0" maxOccurs="1">
<xs:element ref="Deny" />
<xs:element ref="Allow" />
</xs:choice>
<xs:attribute name="Version" use="required" type="xs:unsignedLong" />
</xs:complexType>
<!-- Uniqueness Checks -->
<xs:unique name="NoDuplicateProductIDs">
<xs:selector xpath=".//*"/>
<xs:field xpath="@ProductId"/>
</xs:unique>
<!-- Uniqueness Checks -->
<xs:unique name="NoDuplicatePublisherNames">
<xs:selector xpath=".//*"/>
<xs:field xpath="@PublisherName"/>
</xs:unique>
</xs:element>
</xs:schema>
```
 
 

1413
windows/client-management/mdm/applocker-csp.md Normal file
View File

File diff suppressed because it is too large Load Diff

686
windows/client-management/mdm/applocker-ddf-file.md Normal file
View File

@ -0,0 +1,686 @@
---
title: AppLocker DDF file
description: AppLocker DDF file
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: 79E199E0-5454-413A-A57A-B536BDA22496
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# AppLocker DDF file
This topic shows the OMA DM device description framework (DDF) for the **AppLocker** configuration service provider. DDF files are used only with OMA DM provisioning XML.
You can download the Windows 10 version 1607 DDF files from [here](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip).
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>AppLocker</NodeName>
<Path>./Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>ApplicationLaunchRestrictions</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrMore />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Grouping</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>EXE</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Policy</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>EnforcementMode</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>NonInteractiveProcessEnforcement</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>MSI</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Policy</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>EnforcementMode</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>Script</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Policy</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>EnforcementMode</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>StoreApps</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Policy</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>EnforcementMode</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>DLL</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Policy</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>EnforcementMode</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>NonInteractiveProcessEnforcement</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>CodeIntegrity</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Policy</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<b64 />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</Node>
<Node>
<NodeName>EnterpriseDataProtection</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrMore />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Grouping</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>EXE</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Policy</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>StoreApps</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Policy</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</Node>
</Node>
</MgmtTree>
```
## Related topics
[AppLocker configuration service provider](applocker-csp.md)
 
 

1294
windows/client-management/mdm/applocker-xsd.md Normal file
View File

File diff suppressed because it is too large Load Diff

456
windows/client-management/mdm/appv-deploy-and-config.md Normal file
View File

@ -0,0 +1,456 @@
---
title: Deploy and configure App-V apps using MDM
description: Deploy and configure App-V apps using MDM
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# Deploy and configure App-V apps using MDM
## Executive summary
<p>Microsoft Application Virtualization (App-V) apps have typically been configured, deployed, and managed through on-premise group policies using System Center Configuration Manager (SCCM) or App-V server. In Windows 10, version 1703, App-V apps can be configured, deployed, and managed using mobile device management (MDM), matching their on-premise counterparts.</p>
<p>MDM services can be used to publish App-V packages to clients running Windows 10, version 1703 (or later). All capabilities such as App-V enablement, configuration, and publishing can be completed using the EnterpriseAppVManagement CSP.</p>
### EnterpriseAppVManagement CSP node structure
[EnterpriseAppVManagement CSP reference](https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/enterpriseappvmanagement-csp)
![enterpriseappvmanagement csp](images/provisioning-csp-enterpriseappvmanagement.png)
<p>(./User/Vendor/MSFT/EnterpriseAppVManagement) contains the following sub-nodes.</p>
<p><b>AppVPublishing</b> - An exec action node that contains the App-V publishing configuration for an MDM device (applied globally to all users for that device) or a specific MDM user.</p>
- EnterpriseAppVManagement
- AppVPackageManagement
- **AppVPublishing**
- LastSync
- LastError
- LastErrorDescription
- SyncStatusDescription
- SyncProgress
- Sync
- PublishXML
- AppVDynamicPolicy
<p>Sync command:</p>
[App-V Sync protocol reference]( https://msdn.microsoft.com/enus/library/mt739986.aspx)
<p><b>AppVDynamicPolicy</b> - A read/write node that contains the App-V dynamic configuration for an MDM device (applied globally to all users for that device) or a specific MDM user.</p>
- EnterpriseAppVManagement
- AppVPackageManagement
- AppVPublishing
- **AppVDynamicPolicy**
- [ConfigurationId]
- Policy
<p>Dynamic policy examples:</p>
[Dynamic configuration processing](https://technet.microsoft.com/en-us/itpro/windows/manage/appv-application-publishing-and-client-interaction#bkmk-dynamic-config">Dynamic configuration processing)
<p><b>AppVPackageManagement</b> - Primarily read-only App-V package inventory data for MDM servers to query current packages.</p>
- EnterpriseAppVManagement
- **AppVPackageManagement**
- [EnterpriseID]
- [PackageFamilyName]
- [PackageFullName]
- Name
- Version
- Publisher
- InstallLocation
- InstallDate
- Users
- AppVPackageID
- AppVVersionId
- AppVPackageUri
- AppVPublishing
- AppVDynamicPolicy
<p>The examples in the scenarios section demonstrate how the publishing document should be created to successfully publish packages, dynamic policies, and connection groups.</p>
## Scenarios addressed in App-V MDM functionality
<p>All App-V group policies will be reflected by having a corresponding CSP that can be set using the Policy CSP. The CSPs match all on-premise App-V configuration capabilities. In addition, new App-V package management capability has been added to closely match the App-V PowerShell functionality.</p>
<p>A complete list of App-V policies can be found here:</p>
[ADMX-backed policy reference](https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/policy-admx-backed)
[EnterpriseAppVManagement CSP reference](https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/enterpriseappvmanagement-csp)
### SyncML examples
<p>The following SyncML examples address specific App-V client scenarios.</p>
#### Enable App-V client
<p>This example shows how to enable App-V on the device.</p>
``` syntax
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Meta>
<Format>chr</Format>
<Type>text/plain</Type>
</Meta>
<Target>
<LocURI>./Device/Vendor/MSFT/Policy/Config/AppVirtualization/AllowAppvClient</LocURI>
</Target>
<Data>&lt;enabled/&gt;</Data>
</Item>
</Replace>
```
#### Configure App-V client
<p>This example shows how to allow package scripts to run during package operations (publish, run, and unpublish). Allowing package scripts assists in package deployments (add and publish of App-V apps).</p>
``` syntax
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Meta>
<Format>chr</Format>
<Type>text/plain</Type>
</Meta>
<Target>
<LocURI>./Device/Vendor/MSFT/Policy/Config/AppVirtualization/AllowPackageScripts</LocURI>
</Target>
<Data>&lt;enabled/&gt;</Data>
</Item>
</Replace>
```
<p>Complete list of App-V policies can be found here:</p>
[Policy CSP](https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider)
#### SyncML with package published for a device (global to all users for that device)
<p>This SyncML example shows how to publish a package globally on an MDM enrolled device for all device users.</p>
``` syntax
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">node</Format>
</Meta>
</Item>
</Replace>
<Exec>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXM L</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">xml</Format>
<Type xmlns="syncml:metinf">text/plain</Type>
</Meta>
<Data>
<Publishing Protocol="2.0">
<Packages>
<Package PackageUrl="http://hostname/serverpackages/apppackage.appv" VersionId="fd6b51c7-959e-4d04-ac36-a8244a5693d0" PackageId="565d8479-394d-439c-824d0e09b7ee732c"/>
</Packages>
<NoGroup>
<Package PackageId="565d8479-394d-439c-824d0e09b7ee732c"/>
</NoGroup>
</Publishing>
</Data>
</Item>
</Exec>
```
<p>*PackageUrl can be a UNC or HTTP/HTTPS endpoint.</p>
#### SyncML with package (with dynamic configuration policy) published for a device (global to all users on that device)
<p>This SyncML example shows how to publish a package globally, with a policy that adds two shortcuts for the package, on an MDM enrolled device.</p>
``` syntax
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVDynamicPolicy/38/Policy</ LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">xml</Format>
<Type xmlns="syncml:metinf">text/plain</Type>
</Meta>
<Data>
<DeploymentConfiguration PackageId="57650ac1-1731-4b4c-899ca25548374dab" DisplayName="Skype_RS2Win10_X64" xmlns="http://schemas.microsoft.com/appv/2010/deploymentconfiguration">
<MachineConfiguration></MachineConfiguration>
<UserConfiguration>
<Subsystems>
<Shortcuts Enabled="true">
<Extensions>
<Extension Category="AppV.Shortcut">
<Shortcut>
<File>[{ThisPCDesktopFolder}]\Skype_FromMDM.lnk</File>
<Target>[{ProgramFilesX86}]\Skype\Phone\Skype.exe</Target>
<Icon>[{Windows}]\Installer\{FC965A47-4839-40CA-B61818F486F042C6}\SkypeIcon.exe.0.ico</Icon>
<Arguments/>
<WorkingDirectory>[{ProgramFilesX86}]\Skype\</WorkingDirectory>
<AppUserModelId>Skype.Desktop.Application</AppUserModelId>
<Description>Launch Skype</Description>
<ShowCommand>1</ShowCommand>
<ApplicationId>[{ProgramFilesX86}]\Skype\Phone\Skype.exe</ApplicationId>
</Shortcut>
</Extension>
<Extension Category="AppV.Shortcut">
<Shortcut>
<File>[{Common Desktop}]\Skype_FromMDMAlso.lnk</File>
<Target>[{ProgramFilesX86}]\Skype\Phone\Skype.exe</Target>
<Icon>[{Windows}]\Installer\{FC965A47-4839-40CA-B61818F486F042C6}\SkypeIcon.exe.0.ico</Icon>
<Arguments/>
<WorkingDirectory>[{ProgramFilesX86}]\Skype\</WorkingDirectory>
<AppUserModelId>Skype.Desktop.Application</AppUserModelId>
<Description>Launch Skype</Description>
<ShowCommand>1</ShowCommand>
<ApplicationId>[{ProgramFilesX86}]\Skype\Phone\Skype.exe</ApplicationId>
</Shortcut>
</Extension>
</Extensions>
</Shortcuts>
</Subsystems>
</UserConfiguration>
</DeploymentConfiguration>
</Data>
</Item>
</Replace>
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">node</Format>
</Meta>
</Item>
</Replace>
<Exec>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXM L</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">xml</Format>
<Type xmlns="syncml:metinf">text/plain</Type>
</Meta>
<Data>
<Publishing Protocol="2.0">
<Packages>
<Package PackageUrl="http://hostname/serverpackages/apppackage.appv" VersionId="05fcf098-c949-4ea4-9aee-757abd33e0e4" PackageId="57650ac11731-4b4c-899c-a25548374dab">
<DeploymentConfiguration ConfigurationId="38" Path="38" Timestamp="2012-08-27T16:14:30.87" /></Package>
</Packages>
<NoGroup>
<Package PackageId="57650ac1-1731-4b4c-899ca25548374dab"/>
</NoGroup>
</Publishing>
</Data>
</Item>
</Exec>
```
<p>*PackageUrl can be a UNC or HTTP/HTTPS endpoint.</p>
#### SyncML with package (using user config deployment) published for a specific user
<p>This SyncML example shows how to publish a package for a specific MDM user.</p>
``` syntax
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">node</Format>
</Meta>
</Item>
</Replace>
<Exec>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXML< /LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">xml</Format>
<Type xmlns="syncml:metinf">text/plain</Type>
</Meta>
<Data>
<Publishing Protocol="2.0">
<Packages>
<Package PackageUrl="http://hostname/serverpackages/apppackage.appv" VersionId="c68b054c-ff5f-45a6-9b41-788f2194e3c1" PackageId="e9a51aaf-5d9a48df-96e2-3372a278bca4"></Package>
</Packages>
<NoGroup>
<Package PackageId="e9a51aaf-5d9a-48df-96e23372a278bca4"/>
</NoGroup>
</Publishing>
</Data>
</Item>
</Exec>
```
#### SyncML for publishing mixed-mode connection group containing global and user-published packages
<p>This SyncML example shows how to publish a connection group, and group applications and plugins together.</p>
> [!NOTE]
> The user connection group has the user-only package as optional in this example, which implies users without the optional package can continue to launch the global package within the same connection group.
``` syntax
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">node</Format>
</Meta>
</Item>
</Replace>
<Exec>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXM L</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">xml</Format>
<Type xmlns="syncml:metinf">text/plain</Type>
</Meta>
<Data>
<Publishing Protocol="2.0">
<Packages>
<Package PackageUrl="http://hostname/serverpackages/apppackage.appv" VersionId="05fcf098-c949-4ea4-9aee-757abd33e0e4" PackageId="57650ac11731-4b4c-899c-a25548374dab"></Package>
</Packages>
</Publishing>
</Data>
</Item>
</Exec>
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">node</Format>
</Meta>
</Item>
</Replace>
<Exec>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXML< /LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">xml</Format>
<Type xmlns="syncml:metinf">text/plain</Type>
</Meta>
<Data>
<Publishing Protocol="2.0">
<Packages>
<Package PackageUrl="http://hostname/serverpackages/apppackage.appv" VersionId="c68b054c-ff5f-45a6-9b41-788f2194e3c1" PackageId="e9a51aaf-5d9a48df-96e2-3372a278bca4"></Package>
<Package PackageUrl="http://hostname/serverpackages/apppackage.appv" VersionId="fd6b51c7-959e-4d04-ac36-a8244a5693d0" PackageId="565d8479-394d-439c-824d0e09b7ee732c"></Package>
</Packages>
<NoGroup>
<Package PackageId="565d8479-394d-439c-824d0e09b7ee732c"/>
</NoGroup>
<Groups>
<Group GroupId="98d5cebd-165f-403b-a426-7a1f6ae9c399" VersionId="AE76602B-5613-4BAD-9EE5-1728FA55B699" Priority="46" Name="Try7">
<Package PackageId="57650ac1-1731-4b4c-899ca25548374dab" VersionId="05fcf098-c949-4ea4-9aee-757abd33e0e4" VersionOptional="false" PackageOptional="false"/>
<Package PackageId="e9a51aaf-5d9a-48df-96e23372a278bca4" VersionOptional="true" PackageOptional="true"/>
</Group>
</Groups>
</Publishing>
</Data>
</Item>
</Exec>
```
#### Unpublish example SyncML for all global packages
<p>This SyncML example shows how to unpublish all global packages on the device by sending an empty package and connection group list in the SyncML.</p>
``` syntax
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">node</Format>
</Meta>
</Item>
</Replace>
<Exec>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXML</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">xml</Format>
<Type xmlns="syncml:metinf">text/plain</Type>
</Meta>
<Data>
<Publishing Protocol="2.0">
<Packages></Packages>
<NoGroup></NoGroup>
</Publishing>
</Data>
</Item>
</Exec>
```
#### Query packages on a device
<p>These SyncML examples return all global, and user-published packages on the device.</p>
``` syntax
<Get>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement?list=StructData</LocURI>
</Target>
</Item>
</Get>
```
``` syntax
<Get>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement?list=StructData</LocURI>
</Target>
</Item>
</Get>
```

138
windows/client-management/mdm/assign-seats.md Normal file
View File

@ -0,0 +1,138 @@
---
title: Assign seat
description: The Assign seat operation assigns seat for a specified user in the Windows Store for Business.
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: B42BF490-35C9-405C-B5D6-0D9F0E377552
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# Assign seat
The **Assign seat** operation assigns seat for a specified user in the Windows Store for Business.
## Request
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Method</th>
<th>Request URI</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>POST</p></td>
<td><p>https://bspmts.mp.microsoft.com/V1/Inventory/{productId}/{skuId}/Seats/{username}</p></td>
</tr>
</tbody>
</table>
 
### URI parameters
The following parameters may be specified in the request URI.
<table>
<colgroup>
<col width="33%" />
<col width="33%" />
<col width="33%" />
</colgroup>
<thead>
<tr class="header">
<th>Parameter</th>
<th>Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>productId</p></td>
<td><p>string</p></td>
<td><p>Required. Product identifier for an application that is used by the Store for Business.</p></td>
</tr>
<tr class="even">
<td><p>skuId</p></td>
<td><p>string</p></td>
<td><p>Required. Product identifier that specifies a specific SKU of an application.</p></td>
</tr>
<tr class="odd">
<td><p>username</p></td>
<td><p>string</p></td>
<td><p>Requires UserPrincipalName (UPN). User name of the target user account.</p></td>
</tr>
</tbody>
</table>
## Response
### Response body
The response body contains [SeatDetails](data-structures-windows-store-for-business.md#seatdetails).
<table>
<colgroup>
<col width="20%" />
<col width="20%" />
<col width="20%" />
<col width="20%" />
<col width="20%" />
</colgroup>
<thead>
<tr class="header">
<th>Error code</th>
<th>Description</th>
<th>Retry</th>
<th>Data field</th>
<th>Details</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>400</p></td>
<td><p>Invalid parameters</p></td>
<td><p>No</p></td>
<td><p>Parameter name</p>
<p>Reason: Invalid parameter</p>
<p>Details: String</p></td>
<td><p>Invalid can include productId, skuId or userName</p></td>
</tr>
<tr class="even">
<td><p>404</p></td>
<td><p>Not found</p></td>
<td></td>
<td><p>Item type: Inventory, User, Seat</p>
<p>Values: ProductId/SkuId, UserName, ProductId/SkuId/UserName</p></td>
<td><p>ItemType: Inventory User Seat</p>
<p>Values: ProductId/SkuId UserName ProductId/SkuId/UserName</p></td>
</tr>
<tr class="odd">
<td><p>409</p></td>
<td><p>Conflict</p></td>
<td></td>
<td><p>Reason: Not online</p></td>
<td></td>
</tr>
</tbody>
</table>
 
 

144
windows/client-management/mdm/assignedaccess-csp.md Normal file
View File

@ -0,0 +1,144 @@
---
title: AssignedAccess CSP
description: The AssignedAccess configuration service provider (CSP) is used set the device to run in kiosk mode.
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: 421CC07D-6000-48D9-B6A3-C638AAF83984
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# AssignedAccess CSP
The AssignedAccess configuration service provider (CSP) is used set the device to run in kiosk mode. Once the CSP has been executed, then the next user login that is associated with the kiosk mode puts the device in the kiosk mode running the application specified in the CSP configuration.
For step-by-step guide for setting up devices to run in kiosk mode, see [Set up a kiosk on Windows 10 Pro, Enterprise, or Education.](http://go.microsoft.com/fwlink/p/?LinkID=722211)
> **Note**  The AssignedAccess CSP is only supported in Windows 10 Enterprise and Windows 10 Education.
 
The following diagram shows the AssignedAccess configuration service provider in tree format
![assignedaccess csp diagram](images/provisioning-csp-assignedaccess.png)
<a href="" id="--vendor-msft-assignedaccess"></a>**./Vendor/MSFT/AssignedAccess**
Root node for the CSP.
<a href="" id="assignedaccess-kioskmodeapp"></a>**AssignedAccess/KioskModeApp**
A JSON string that contains the user account name and Application User Model ID (AUMID) of the Kiosk mode app. For more information about how to get the AUMID, follow the information in [this Microsoft website](http://go.microsoft.com/fwlink/p/?LinkId=404220).
In Windows 10, version 1607, you can use a provisioned app to configure the kiosk mode. For more information about how to remotely provision an app, see [Enterprise app management](enterprise-app-management.md).
Here's an example:
``` syntax
{"Account":"redmond\\kioskuser","AUMID":"Microsoft.Windows.Contoso_cw5n1h2txyewy!Microsoft.ContosoApp.ContosoApp"}
```
When configuring the kiosk mode app, the account name will be used to find the target user. The account name includes domain name and user name.
> **Note**  The domain name can be optional if the user name is unique across the system.
 
For a local account, the domain name should be the device name. When Get is executed on this node, the domain name is always returned in the output.
The supported operations are Add, Delete, Get and Replace. When there's no configuration, the Get and Delete methods fail. When there's already a configuration for kiosk mode app, the Add method fails. The data pattern for Add and Replace is the same.
## Examples
KioskModeApp Add
``` syntax
<SyncML xmlns='SYNCML:SYNCML1.2'>
<SyncBody>
<Add>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/AssignedAccess/KioskModeApp</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>{"Account":"Domain\\AccountName","AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"}</Data>
</Item>
</Add>
<Final />
</SyncBody>
</SyncML>
```
KioskModeApp Delete
``` syntax
<SyncML xmlns='SYNCML:SYNCML1.2'>
<SyncBody>
<Delete>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/AssignedAccess/KioskModeApp</LocURI>
</Target>
</Item>
</Delete>
<Final />
</SyncBody>
</SyncML>
```
KioskModeApp Get
``` syntax
<SyncML xmlns='SYNCML:SYNCML1.2'>
<SyncBody>
<Get>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/AssignedAccess/KioskModeApp</LocURI>
</Target>
</Item>
</Get>
<Final />
</SyncBody>
</SyncML>
```
KioskModeApp Replace
``` syntax
<SyncML xmlns='SYNCML:SYNCML1.2'>
<SyncBody>
<Replace>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/AssignedAccess/KioskModeApp</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>{"Account":"Domain\\AccountName","AUMID":"Microsoft.WindowsAlarms_8wekyb3d8bbwe!App"}</Data>
</Item>
</Replace>
<Final />
</SyncBody>
</SyncML>
```
 
 

104
windows/client-management/mdm/assignedaccess-ddf.md Normal file
View File

@ -0,0 +1,104 @@
---
title: AssignedAccess DDF
description: AssignedAccess DDF
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: 224FADDB-0EFD-4E5A-AE20-1BD4ABE24306
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# AssignedAccess DDF
This topic shows the OMA DM device description framework (DDF) for the **AssignedAccess** configuration service provider. DDF files are used only with OMA DM provisioning XML.
You can download the DDF files from the links below:
- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip)
The XML below is the current version for this CSP.
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>AssignedAccess</NodeName>
<Path>./Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>KioskModeApp</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>This node can accept and return json string which comprises of account name and AUMID for Kiosk mode app.
Example: {"User":"domain\\user", "AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"}.
When configuring kiosk mode app, account name will be used to find the target user. Account name includes domain name and user name. Domain name can be optional if user name is unique across the system. For a local account, domain name should be machine name. When "Get" is executed on this node, domain name is always returned in the output.
This node supports Add, Delete, Replace and Get methods. When there's no configuration, "Get" and "Delete" methods fail. When there's already a configuration for kiosk mode app, "Add" method fails. The data pattern for "Add" and "Replace" is the same. </Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</MgmtTree>
```
## Related topics
[AssignedAccess configuration service provider](assignedaccess-csp.md)
 
 

928
windows/client-management/mdm/azure-active-directory-integration-with-mdm.md Normal file
View File

@ -0,0 +1,928 @@
---
title: Azure Active Directory integration with MDM
description: Azure Active Directory is the world largest enterprise cloud identity management service.
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: D03B0765-5B5F-4C7B-9E2B-18E747D504EE
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
<head>
<style type='text/css'> table.topalign td { vertical-align: top } </style>
</head>
# Azure Active Directory integration with MDM
Azure Active Directory is the world largest enterprise cloud identity management service. Its used by millions of organizations to access Office 365 and thousands of business applications from Microsoft and third party software as a service (SaaS) vendors. Many of the rich Windows 10 experiences for organizational users (such as store access or OS state roaming) use Azure AD as the underlying identity infrastructure. Windows 10 provides an integrated configuration experience with Azure AD, allowing devices to be registered in Azure AD and enrolled into MDM in a smooth integrated flow.
Once a device is enrolled in MDM, the MDM can enforce compliance with corporate policies, add or remove apps, and more. Additionally, the MDM can report a devices compliance Azure AD. This enables Azure AD to allow access to corporate resources or applications secured by Azure AD only to devices that comply with policies. To support these rich experiences with their MDM product, MDM vendors can integrate with Azure AD. This topic describes the steps involved.
## Connect to Azure AD
Several ways to connect your devices:
For company-owned devices:
- Join Windows to a traditional Active Directory domain
- Join Windows to Azure AD
For personal devices (BYOD):
- Add a Microsoft work account to Windows
### Azure AD Join
Company owned devices are traditionally joined to the on-premises Active Directory domain of the organization. These devices can be managed using Group Policy or computer management software such as System Center Configuration Manager. In Windows 10, its also possible to manage domain joined devices with an MDM.
Windows 10 introduces a new way to configure and deploy corporate owned Windows devices. This mechanism is called Azure AD Join. Like traditional domain join, Azure AD Join allows devices to become known and managed by an organization. However, with Azure AD Join, Windows authenticates to Azure AD instead of authenticating to a domain controller.
Azure AD Join also enables company owned devices to be automatically enrolled in, and managed by an MDM. Furthermore, Azure AD Join can be performed on a store-bought PC, in the out-of-box experience (OOBE), which helps organizations streamline their device deployment. An administrator can require that users belonging to one or more groups enroll their devices for management with an MDM. If a user is configured to require automatic enrollment during Azure AD Join, this enrollment becomes a mandatory step to configure Windows. If the MDM enrollment fails, then the device will not be joined to Azure AD.
> **Important**  Every user enabled for automatic MDM enrollment with Azure AD Join must be assigned a valid [Azure Active Directory Premium](https://msdn.microsoft.com/library/azure/dn499825.aspx) license.
 
### BYOD scenario
Windows 10 also introduces a simpler way to configure personal devices to access work apps and resources. Users can add their Microsoft work account to Windows and enjoy simpler and safer access to the apps and resources of the organization. During this process, Azure AD detects if the organization has configured an MDM. If thats the case, Windows attempts to enroll the device in MDM as part of the “add account” flow. Its important to note that in the BYOD case, users can reject the MDM Terms of Use—in which case the device is not enrolled in MDM and access to corporate resources is typically restricted.
## Integrated MDM enrollment and UX
Two Azure AD MDM enrollment scenarios:
- Joining a device to Azure AD for company-owned devices
- Adding a work account to a personal device (BYOD)
In both scenarios, Azure AD is responsible for authenticating the user and the device, which provides a verified unique device identifier that can be used fo MDM enrollment.
In both scenarios, the enrollment flow provides an opportunity for the MDM service to render it's own UI, using a web view. MDM vendors should use this to render the Terms of Use (TOU), which can be different for company-owned and BYOD devices. MDM vendors can also use the web view to render additional UI elements, such as asking for a one-time PIN, if this is part of the business process of the organization.
In the out-of-the-box scenario, the web view is 100% full screen, which gives the MDM vendor the ability to paint an edge-to-edge experience. With great power comes great responsibility! It is important that MDM vendors who chose to integrate with Azure AD to respect the Windows 10 design guidelines to the letter. This includes using a responsive web design and respecting the Windows accessibility guidelines, which includes the forward and back buttons that are properly wired to the navigation logic. Additional details are provided later in this topic.
For Azure AD enrollment to work for an Active Directory Federated Services (AD FS) backed Azure AD account, you must enable password authentication for the intranet on the ADFS service as described in solution \#2 in [this article](http://go.microsoft.com/fwlink/?LinkId=690246).
Once a user has an Azure AD account added to Windows 10 and enrolled in MDM, the enrollment can be manages through **Settings** &gt; **Accounts** &gt; **Work access**. Device management of either Azure AD Join for corporate scenarios or BYOD scenarios are similar.
> **Note**  Users cannot remove the device enrollment through the **Work access** user interface because management is tied to the Azure AD or work account.
 
### MDM endpoints involved in Azure AD integrated enrollment
Azure AD MDM enrollment is a two-step process:
1. Display the Terms of Use and gather user consent.
This is a passive flow where the user is redirected in a browser control (webview) to the URL of the Terms of Use of the MDM.
2. Enroll the device.
This is an active flow where Windows OMA DM agent calls the MDM service to enroll the device.
To support Azure AD enrollment, MDM vendors must host and expose a Terms of Use endpoint and an MDM enrollment endpoint.
<a href="" id="terms-of-use-endpoint-"></a>**Terms of Use endpoint**
Use this endpoint to inform users of the ways in which their device can be controlled by their organization. The Terms of Use page is responsible for collecting users consent before the actual enrollment phase begins.
Its important to understand that the Terms of Use flow is a "black box" to Windows and Azure AD. The whole web view is redirected to the Terms of Use URL, and the user is expected to be redirected back after approving (or in some cases rejecting) the Terms. This design allows the MDM vendor to customize their Terms of Use for different scenarios (e.g., different levels of control are applied on BYOD vs. company-owned devices) or implement user/group based targeting (e.g. users in certain geographies may be subject to stricter device management policies).
The Terms of Use endpoint can be used to implement additional business logic, such as collecting a one-time PIN provided by IT to control device enrollment. However, MDM vendors must not use the Terms of Use flow to collect user credentials, which could lead to a highly degraded user experience. Its not needed, since part of the MDM integration ensures that the MDM service can understand tokens issued by Azure AD.
<a href="" id="mdm-enrollment-endpoint"></a>**MDM enrollment endpoint**
After the users accepts the Terms of Use, the device is registered in Azure AD and the automatic MDM enrollment begins.
The following diagram illustrates the high-level flow involved in the actual enrollment process. The device is first registered with Azure AD. This process assigns a unique device identifier to the device and presents the device with the ability to authenticate itself with Azure AD (device authentication). Subsequently, the device is enrolled for management with the MDM. This is done by calling the enrollment endpoint and requesting enrollment for the user and device. At this point, the user has been authenticated and device has been registered and authenticated with Azure AD. This information is made available to the MDM in the form of claims within an access token presented at the enrollment endpoint.
![azure ad enrollment flow](images/azure-ad-enrollment-flow.png)
The MDM is expected to use this information about the device (Device ID) when reporting device compliance back to Azure AD using the [Azure AD Graph API](http://go.microsoft.com/fwlink/p/?LinkID=613654). A sample for reporting device compliance is provided later in this topic.
## Make the MDM a reliable party of Azure AD
To participate in the integrated enrollment flow outlined in the previous section, the MDM must be able to consume access tokens issued by Azure AD. To report compliance to Azure AD, the MDM must be able to authenticate itself to Azure AD and obtain authorization in the form of an access token that allows it to invoke the [Azure AD Graph API](http://go.microsoft.com/fwlink/p/?LinkID=613654).
### Add a cloud-based MDM
A cloud-based MDM is a SaaS application that provides device management capabilities in the cloud. It is a multi-tenant application. This application is registered with Azure AD in the home tenant of the MDM vendor. When an IT admin decides to use this MDM solution, an instance of this application is made visible in the tenant of the customer.
The MDM vendor must first register the application in their home tenant and mark it as a multi-tenant application. Here a code sample from GitHub that explains how to add multi-tenant applications to Azure AD, [WepApp-WebAPI-MultiTenant-OpenIdConnect-DotNet](http://go.microsoft.com/fwlink/p/?LinkId=613661).
> **Note**  For the MDM provider, if you don't have an existing Azure AD tentant with an Azure AD subscription that you manage, follow the step-by-step guide in [Add an Azure AD tenant and Azure AD subscription](add-an-azure-ad-tenant-and-azure-ad-subscription.md) to set up a tenant, add a subscription, and manage it via the Azure Portal.
 
The keys used by the MDM application to request access tokens from Azure AD are managed within the tenant of the MDM vendor and not visible to individual customers. The same key is used by the multi-tenant MDM application to authenticate itself with Azure AD, regardless of the customer tenent to which the device being managed belongs.
Use the following steps to register a cloud-based MDM application with Azure AD. At this time, you need to work with the Azure AD engineering team to expose this application through the Azure AD app gallery.
1. Login to the Azure Management Portal using an admin account in your home tenant.
2. In the left navigation, click on the **Active Directory**.
3. Click the directory tenant where you want to register the application.
Ensure that you are logged into your home tenant.
4. Click the **Applications** tab.
5. In the drawer, click **Add**.
6. Click **Add an application my organization is developing**.
7. Enter a friendly name for the application, such as ContosoMDM, select **Web Application and or Web API**, then click **Next**.
8. Enter the login URL for your MDM service.
9. For the App ID, enter **https://&lt;your\_tenant\_name&gt;/ContosoMDM**, then click OK.
10. While still in the Azure portal, click the **Configure** tab of your application.
11. Mark your application as **multi-tenant**.
12. Find the client ID value and copy it.
You will need this later when configuring your application. This client ID is used when obtaining access tokens and adding applications to the Azure AD app gallery.
13. Generate a key for your application and copy it.
You will need this to call the Azure AD Graph API to report device compliance. This is covered in the subsequent section.
For more information about how to register a sample application with Azure AD, see the steps to register the **TodoListService Web API** in [NativeClient-DotNet](http://go.microsoft.com/fwlink/p/?LinkId=613667)
### Add an on-premises MDM
An on-premises MDM application is inherently different that a cloud MDM. It is a single-tenant application that is present uniquely within the tenant of the customer. Therefore, customers must add the application directly within their own tenant. Additionally, each instance of an on-premises MDM application must be registered separately and has a separate key for authentication with Azure AD.
The customer experience for adding an on-premises MDM to their tenant is similar to that as the cloud-based MDM. There is an entry in the Azure AD app gallery to add an on-premises MDN to the tenant and administrators can configure the required URLs for enrollment and Terms of Use.
Your on-premises MDM product must expose a configuration experience where administrators can provide the client ID, app ID, and the key configured in their directory for that MDM application. You can use this client ID and key to request tokens from Azure AD when reporting device compliance.
For more information about registering applications with Azure AD, see [Basics of Registering an Application in Azure AD](http://go.microsoft.com/fwlink/p/?LinkId=613671).
### Key management and security guidelines
The application keys used by your MDM service are a sensitive resource. They should be protected and rolled over periodically for greater security. Access tokens obtained by your MDM service to call the Azure AD Graph API are bearer tokens and should be protected to avoid unauthorized disclosure.
For security best practices, see [Windows Azure Security Essentials](http://go.microsoft.com/fwlink/p/?LinkId=613715).
You can rollover the application keys used by a cloud-based MDM service without requiring a customer interaction. There is a single set of keys across all customer tenants that are managed by the MDM vendor in their Azure AD tenant.
For the on-premises MDM, the keys used to authenticate with Azure AD are within the tenant of the customer and must be rolled over by the customer's administrator. In this case, you should provide guidance to the customers about rolling over and protecting the keys to improved security.
## Publish your MDM app to Azure AD app gallery
IT administrators use the Azure AD app gallery to add an MDM for their organization to use. The app gallery is a rich store with over 2400 SaaS applications that are integrated with Azure AD.
The following image illustrates how MDM applications will show up in the Azure app gallery in a category dedicated to MDM software.
![azure ad add an app for mdm](images/azure-ad-app-gallery.png)
### Add cloud-based MDM to the app gallery
You should work with the Azure AD engineering team if your MDM application is cloud-based. The following table shows the required information to create an entry in the Azure AD app gallery.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Item</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td style="vertical-align:top"><p><strong>Application ID</strong></p></td>
<td style="vertical-align:top"><p>The client ID of your MDM app that is configured within your tenant. This is the unique identifier for your multi-tenant app.</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top"><p><strong>Publisher</strong></p></td>
<td style="vertical-align:top"><p>A string that identifies the publisher of the app.</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top"><p><strong>Application URL</strong></p></td>
<td style="vertical-align:top"><p>A URL to the landing page of your app where your administrators can get more information about the MDM app and contains a link to the landing page of your app. This URL is not used for the actual enrollment.</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top"><p><strong>Description</strong></p></td>
<td style="vertical-align:top"><p>A brief description of your MDM app, which must be under 255 characters.</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top"><p><strong>Icons</strong></p></td>
<td style="vertical-align:top"><p>A set of logo icons for the MDM app. Dimensions: 45 X 45, 150 X 122, 214 X 215</p></td>
</tr>
</tbody>
</table>
 
### Add on-premises MDM to the app gallery
There are no special requirements for adding on-premises MDM to the app gallery.There is a generic entry for administrator to add an app to their tenant.
However, key management is different for on-premises MDM. You must obtain the client ID (app ID) and key assigned to the MDM app within the customer's tenant. These are used to obtain authorization to access the Azure AD Graph API and for reporting device compliance.
## Themes
The pages rendered by the MDM as part of the integrated enrollment process must use Windows 10 templates ([Download the Windows 10 templates and CSS files](http://download.microsoft.com/download/3/E/5/3E535D52-6432-47F6-B460-4E685C5D543A/MDM-ISV_1.1.3.zip)). This is important for enrollment during the Azure AD Join experience in OOBE where all of the pages are edge-to-edge HTML pages. Don't try to copy the templates because you'll never get the button placement right. Using the shared Windows 10 templates ensure a seamless experience for the customers.
There are 3 distinct scenarios:
1. MDM enrollment as part of Azure AD Join in Windows OOBE.
2. MDM enrollment as part of Azure AD Join, after Windows OOBE from **Settings**.
3. MDM enrollment as part of adding a Microsoft work account on a personal device (BYOD).
Scenarios 1, 2, and 3 are available in Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. Scenarios 1 and 3 are available in Windows 10 Mobile. Support for scenario 1 was added in Windows 10 Mobile, version 1511.
The CSS files provided by Microsoft contains version information and we recommend that you use the latest version. There are separate CSS files for desktop and mobile devices, OOBE, and post-OOBE experiences. [Download the Windows 10 templates and CSS files](http://download.microsoft.com/download/3/E/5/3E535D52-6432-47F6-B460-4E685C5D543A/MDM-ISV_1.1.3.zip).
### Using themes
An MDM page must adhere to a predefined theme depending on the scenario that is displayed. For example, if the CXH-HOSTHTTP header is FRX, which is the OOBE scenario, the page must support a dark theme with blue background color, which uses WinJS file Ui-dark.css ver 4.0 and oobe-desktop.css ver 1.0.4.
<table>
<colgroup>
<col width="20%" />
<col width="20%" />
<col width="20%" />
<col width="20%" />
<col width="20%" />
</colgroup>
<thead>
<tr class="header">
<th>CXH-HOST (HTTP HEADER)</th>
<th>Senario</th>
<th>Background Theme</th>
<th>WinJS</th>
<th>Scenario CSS</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td style="vertical-align:top">FRX</td>
<td style="vertical-align:top">OOBE</td>
<td style="vertical-align:top">Dark theme + blue background color</td>
<td style="vertical-align:top">Filename: Ui-dark.css</td>
<td style="vertical-align:top">Filename: oobe-dekstop.css</td>
</tr>
<tr class="even">
<td style="vertical-align:top">MOSET</td>
<td style="vertical-align:top">Settings/
<p>Post OOBE</p></td>
<td style="vertical-align:top">Light theme</td>
<td style="vertical-align:top">Filename: Ui-light.css</td>
<td style="vertical-align:top">Filename: settings-desktop.css</td>
</tr>
</tbody>
</table>
 
## Terms of Use protocol semantics
The Terms of Use endpoint is hosted by the MDM server. During the Azure AD Join protocol flow, Windows performs a full-page redirect to this endpoint. This enables the MDM to display the terms and conditions that apply and allows the user to accept or reject the terms associated with enrollment. After the user accepts the terms, the MDM redirects back to Windows for the enrollment process to continue.
### Redirect to the Terms of Use endpoint
This is a full page redirect to the Terms of User endpoint hosted by the MDM. Here is an example URL, https:<span></span>//fabrikam.contosomdm.com/TermsOfUse.
The following parameters are passed in the query string:
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Item</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td style="vertical-align:top"><p>redirect_uri</p></td>
<td style="vertical-align:top"><p>After the user accepts or rejects the Terms of Use, the user is redirected to this URL.</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top"><p>client-request-id</p></td>
<td style="vertical-align:top"><p>A GUID that is used to correlate logs for diagnostic and debugging purposes. You use this parameter to log or trace the state of the enrollment request to help find the root cause in case of failures.</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top"><p>api-version</p></td>
<td style="vertical-align:top"><p>Specifies the version of the protocol requested by the client. This provides a mechanism to support version revisions of the protocol.</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top"><p>mode</p></td>
<td style="vertical-align:top"><p>Specifies that the device is corporate owned when mode=azureadjoin. This parameter is not present for BYOD devices.</p></td>
</tr>
</tbody>
</table>
 
### Access token
A bearer access token is issued by Azure AD is passed in the authorization header of the HTTP request. Here is a typical format:
**Authorization: Bearer** CI6MTQxmCF5xgu6yYcmV9ng6vhQfaJYw…
The following claims are expected in the access token passed by Windows to the Terms of Use endpoint:
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Item</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td style="vertical-align:top"><p>Object ID</p></td>
<td style="vertical-align:top"><p>Identifier of the user object corresponding to the authenticated user.</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top"><p>UPN</p></td>
<td style="vertical-align:top"><p>A claim containing the user principal name (UPN) of the authenticated user.</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top"><p>TID</p></td>
<td style="vertical-align:top"><p>A claim representing the tenant ID of the tenant. In the example above, it's Fabrikam.</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top"><p>Resource</p></td>
<td style="vertical-align:top"><p>A sanitized URL representing the MDM application. Example, https:<span></span>//fabrikam.contosomdm.com.</p></td>
</tr>
</tbody>
</table>
 
> **Note**  There is no device ID claim in the access token because the device may not yet be enrolled at this time.
 
To retrieve the list of group memberships for the user, you can use the [Azure AD Graph API](http://go.microsoft.com/fwlink/p/?LinkID=613654).
Here's an example URL.
``` syntax
https://fabrikam.contosomdm.com/TermsOfUse?redirect_uri=ms-appx-web://ContosoMdm/ToUResponse&client-request-id=34be581c-6ebd-49d6-a4e1-150eff4b7213&api-version=1.0
Authorization: Bearer eyJ0eXAiOi
```
The MDM is expected to validate the signature of the access token to ensure it was issued by Azure AD and ensure that recipient is appropriate.
### Terms of Use content
The MDM may perform other additional redirects as necessary before displaying the Terms of Use content to the user. The appropriate Terms of Use content should be returned to the caller (Windows) so it can be displayed to the end user in the browser control.
The Terms of Use content should contain the following buttons:
- **Accept** - the user accepts the Terms of Use and proceeds with enrollment.
- **Decline** - the user declines and stops the enrollment process.
The Terms of Use content must be consistent with the theme used for the other pages rendered during this process.
### Terms of Use endpoint processing logic
At this point, the user is on the Terms of Use page shown during the OOBE or from the Setting experiences. The user has the following options on the page:
- **User clicks on the Accept button** - The MDM must redirect to the URI specified by the redirect\_uri parameter in the incoming request. The following query string parameters are expected:
- **IsAccepted** - This mandatory Boolean must be set to true.
- **OpaqueBlob** - Required parameter if the user accepts. The MDM may use this make some information available to the enrollment endpoint. The value persisted here is made available unchanged at the enrollment endpoint. The MDM may use this parameter for correlation purposes.
- Here is an example redirect - ms-appx-web://MyApp1/ToUResponse?OpaqueBlob=value&IsAccepted=true
- **User clicks on the Decline button** - The MDM must redirect to the URI specified in redirect\_uri in the incoming request. The following query string parameters are expected:
- **IsAccepted** - This mandatory Boolean must be set to false. This also applies if the user skipped the Terms of Use.
- **OpaqueBlob** - This parameter is not expected to be used because the enrollment is stopped with an error message displayed to the user.
Users skip the Terms of Use when they are adding a Microsoft work account to their device. However, then cannot skip it during the Azure AD Join process. The decline button must not be shown in the Azure AD Join process because MDM enrollment cannot be declined by the user if configured by the administrator for the Azure AD Join.
We recommend that you send the client-request-id parameters in the query string as part of this redirect response.
### Terms Of Use Error handling
If an error was encountered during the terms of use processing, the MDM can return two parameters an error and error\_description parameter in its redirect request back to Windows. Note that the URL should be encoded and the contents of the error\_description should be in English plain text. This text is not visible to the end-user and therefore localization of the error description text is not a concern.
Here is the URL format:
``` syntax
HTTP/1.1 302
Location:
<redirect_uri>?error=access_denied&error_description=Access%20is%20denied%2E
Example:
HTTP/1.1 302
Location: ms-appx-web://App1/ToUResponse?error=access_denied&error_description=Acess%20is%20denied%2E
```
The following table shows the error codes.
<table>
<colgroup>
<col width="25%" />
<col width="25%" />
<col width="25%" />
<col width="25%" />
</colgroup>
<thead>
<tr class="header">
<th>Cause</th>
<th>HTTP status</th>
<th>Error</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td style="vertical-align:top"><p>api-version</p></td>
<td style="vertical-align:top"><p>302</p></td>
<td style="vertical-align:top"><p>invalid_request</p></td>
<td style="vertical-align:top"><p>unsupported version</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top"><p>Tenant or user data are missingor other required prerequisites for device enrollment are not met</p></td>
<td style="vertical-align:top"><p>302</p></td>
<td style="vertical-align:top"><p>unauthorized_client</p></td>
<td style="vertical-align:top"><p>unauthorized user or tenant</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top"><p>Azure AD token validation failed</p></td>
<td style="vertical-align:top"><p>302</p></td>
<td style="vertical-align:top"><p>unauthorized_client</p></td>
<td style="vertical-align:top"><p>unauthorized_client</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top"><p>internal service error</p></td>
<td style="vertical-align:top"><p>302</p></td>
<td style="vertical-align:top"><p>server_error</p></td>
<td style="vertical-align:top"><p>internal service error</p></td>
</tr>
</tbody>
</table>
 
## Enrollment protocol with Azure AD
With Azure integrated MDM enrollment, there is no discovery phase and the discovery URL is directly passed down to the system from Azure. The following table shows the comparison between the traditional and Azure enrollments.
<table>
<colgroup>
<col width="25%" />
<col width="25%" />
<col width="25%" />
<col width="25%" />
</colgroup>
<thead>
<tr class="header">
<th>Detail</th>
<th>Traditional MDM enrollment</th>
<th>Azure AD Join (corporate-owned device)</th>
<th>Azure AD add a work account (user-owned device)</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td style="vertical-align:top"><p>MDM auto-discovery using email address to retrieve MDM discovery URL</p></td>
<td style="vertical-align:top"><p>Enrollment</p></td>
<td style="vertical-align:top"><p>Not applicable</p>
<p>Discovery URL provisioned in Azure</p></td>
<td style="vertical-align:top"><p></p></td>
</tr>
<tr class="even">
<td style="vertical-align:top"><p>Uses MDM discovery URL</p></td>
<td style="vertical-align:top"><p>Enrollment</p>
<p>Enrollment renewal</p>
<p>ROBO</p></td>
<td style="vertical-align:top"><p>Enrollment</p>
<p>Enrollment renewal</p>
<p>ROBO</p></td>
<td style="vertical-align:top"><p>Enrollment</p>
<p>Enrollment renewal</p>
<p>ROBO</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top"><p>Is MDM enrollment required?</p></td>
<td style="vertical-align:top"><p>Yes</p></td>
<td style="vertical-align:top"><p>Yes</p></td>
<td style="vertical-align:top"><p>No</p>
<p>User can decline.</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top"><p>Authentication type</p></td>
<td style="vertical-align:top"><p>OnPremise</p>
<p>Federated</p>
<p>Certificate</p></td>
<td style="vertical-align:top"><p>Federated</p></td>
<td style="vertical-align:top"><p>Federated</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top"><p>EnrollmentPolicyServiceURL</p></td>
<td style="vertical-align:top"><p>Optional (all auth)</p></td>
<td style="vertical-align:top"><p>Optional (all auth)</p>
<p></p></td>
<td style="vertical-align:top"><p>Optional (all auth)</p>
<p></p></td>
</tr>
<tr class="even">
<td style="vertical-align:top"><p>EnrollmentServiceURL</p></td>
<td style="vertical-align:top"><p>Required (all auth)</p></td>
<td style="vertical-align:top"><p>Used (all auth)</p></td>
<td style="vertical-align:top"><p>Used (all auth)</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top"><p>EnrollmentServiceURL includes OS Version, OS Platform, and other attributes provided by MDM discovery URL</p></td>
<td style="vertical-align:top"><p>Highly recommended</p></td>
<td style="vertical-align:top"><p>Highly recommended</p></td>
<td style="vertical-align:top"><p>Highly recommended</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top"><p>AuthenticationServiceURL used</p></td>
<td style="vertical-align:top"><p>Used (Federated auth)</p></td>
<td style="vertical-align:top"><p>Skipped</p></td>
<td style="vertical-align:top"><p>Skipped</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top"><p>BinarySecurityToken</p></td>
<td style="vertical-align:top"><p>Custom per MDM</p></td>
<td style="vertical-align:top"><p>Azure AD issued token</p></td>
<td style="vertical-align:top"><p>Azure AD issued token</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top"><p>EnrollmentType</p></td>
<td style="vertical-align:top"><p>Full</p></td>
<td style="vertical-align:top"><p>Device</p></td>
<td style="vertical-align:top"><p>Full</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top"><p>Enrolled certificate type</p></td>
<td style="vertical-align:top"><p>User certificate</p></td>
<td style="vertical-align:top"><p>Device certificate</p></td>
<td style="vertical-align:top"><p>User certificate</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top"><p>Enrolled certificate store</p></td>
<td style="vertical-align:top"><p>My/User</p></td>
<td style="vertical-align:top"><p>My/System</p></td>
<td style="vertical-align:top"><p>My/User</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top"><p>CSR subject name</p></td>
<td style="vertical-align:top"><p>User Principal Name</p></td>
<td style="vertical-align:top"><p>Device ID</p></td>
<td style="vertical-align:top"><p>User Principal Name</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top"><p>EnrollmentData Terms of Use binary blob as AdditionalContext for EnrollmentServiceURL</p></td>
<td style="vertical-align:top"><p>Not supported</p></td>
<td style="vertical-align:top"><p>Supported</p></td>
<td style="vertical-align:top"><p>Supported</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top"><p>CSPs accessible during enrollment</p></td>
<td style="vertical-align:top"><p>Windows 10 support:</p>
<ul>
<li>DMClient</li>
<li>CertificateStore</li>
<li>RootCATrustedCertificates</li>
<li>ClientCertificateInstall</li>
<li>EnterpriseModernAppManagement</li>
<li>PassportForWork</li>
<li>Policy</li>
<li>w7 APPLICATION</li>
</ul>
<p>Legacy support:</p>
<ul>
<li>EnterpriseAppManagement (Windows Phone 8.1)</li>
</ul></td>
<td style="vertical-align:top"><p>same as traditional MDM enrollment</p></td>
<td style="vertical-align:top"><p>same as traditional MDM enrollment</p></td>
</tr>
</tbody>
</table>
 
## Management protocol with Azure AD
There are two different MDM enrollment types that take advantage of integration with Azure AD and therefore make use of Azure AD user and device identities. Depending on the enrollment type, the MDM service may need to manage a single user or multiple users.
<a href="" id="multiple-user-management-for-azure-ad-joined-devices"></a>**Multiple user management for Azure AD joined devices**
In this scenario the MDM enrollment applies to every Azure AD user who logs on to the Azure AD joined device - call this enrollment type a device enrollment or a multi-user enrollment. The management server can determine the user identity, conclude what policies are targeted for this user, and send corresponding policies to the device. To allow management server to identify current user that is logged on to the device, the OMA DM client uses the Azure AD user tokens. Each management session contains an additional HTTP header that contains an Azure AD user token. This information is provided in the DM package sent to the management server. However, in some circumstances Azure AD user token is not sent over to the management server. One such scenario happens immediately after MDM enrollments completes during Azure AD join process. Until Azure AD join process is finished and Azure AD user logs on to the machine, Azure AD user token is not available to OMA-DM process. Typically MDM enrollment completes before Azure AD user logs on to machine and the initial management session does not contain an Azure AD user token. The management server should check if the token is missing and only send device policies in such case. Another possible reason for a missing Azure AD token in the OMA-DM payload is when a guest user is logged on to the device.
<a href="" id="adding-a-work-account-and-mdm-enrollment-to-a-device"></a>**Adding a work account and MDM enrollment to a device**
In this scenario, the MDM enrollment applies to a single user who initially added his work account and enrolled the device. In this enrollment type the management server can ignore Azure AD tokens that may be sent over during management session. Whether Azure AD token is present or missing, the management server sends both user and device policies to the device.
<a href="" id="evaluating-azure-ad-user-tokens"></a>**Evaluating Azure AD user tokens**
The Azure AD token is in the HTTP Authorization header in the following format:
``` syntax
Authorization:Bearer <Azure AD User Token Inserted here>
```
Additional claims may be present in the Azure AD token, such as:
- User - user currently logged in
- Device compliance - value set the the MDM service into Azure
- Device ID - identifies the device that is checking in
- Tenant ID
Access token issued by Azure AD are JSON web tokens (JWTs). A valid JWT token is presented by Windows at the MDM enrollment endpoint to initiate the enrollment process. There are a couple of options to evaluate the tokens:
- Use the JWT Token Handler extension for WIF to validate the contents of the access token and extract claims required for use. For more information, see [JSON Web Token Handler](http://go.microsoft.com/fwlink/p/?LinkId=613820).
- Refer to the Azure AD authentication code samples to get a sample for working with access tokens. For an example, see [NativeClient-DotNet](http://go.microsoft.com/fwlink/p/?LinkId=613667).
## Device Alert 1224 for Azure AD user token
An alert is sent when the DM session starts and there is an Azure AD user logged in. The alert is sent in OMA DM pkg\#1. Here's an example:
``` syntax
Alert Type: com.microsoft/MDM/AADUserToken
Alert sample:
<SyncBody>
<Alert>
<CmdID>1</CmdID>
<Data>1224</Data>
<Item>
<Meta>
<Type xmlns=”syncml:metinf”>com.microsoft/MDM/AADUserToken</Type>
<Format xmlns=”syncml:metinf”>chr</Format>
</Meta>
<Data>UserToken inserted here</Data>
</Item>
</Alert>
… other xml tags …
</SyncBody>
```
## Determine when a user is logged in through polling
An alert is send to the MDM server in DM package\#1.
- Alert type - com.microsoft/MDM/LoginStatus
- Alert format - chr
- Alert data - provide login status information for the current active logged in user.
- Logged in user who has an Azure AD account - predefined text: user.
- Logged in user without an Azure AD account- predefined text: others.
- No active user - predefined text:none
Here's an example.
``` syntax
<SyncBody>
<Alert>
<CmdID>1</CmdID>
<Data>1224</Data>
<Item>
<Meta>
<Type xmlns=”syncml:metinf”>com.microsoft/MDM/LoginStatus</Type>
<Format xmlns=”syncml:metinf”>chr</Format>
</Meta>
<Data>user</Data>
</Item>
</Alert>
… other xml tags …
</SyncBody>
```
## Report device compliance to Azure AD
Once a device is enrolled with the MDM for management, corporate policies configured by the IT administrator are enforced on the device. The device compliance with configured policies is evaluated by the MDM and then reported to Azure AD. This section covers the Graph API call you can use to report a device compliance status to Azure AD.
For a sample that illustrates how an MDM can obtain an access token using OAuth 2.0 client\_credentials grant type, see [Daemon\_CertificateCredential-DotNet](http://go.microsoft.com/fwlink/p/?LinkId=613822).
- **Cloud-based MDM** - If your product is a cloud-based multi-tenant MDM service, you have a single key configured for your service within your tenant. Use this key to authenticate the MDM service with Azure AD, in order to obtain authorization.
- **On-premises MDM** - If your product is an on-premises MDM, customers must configure your product with the key used to authenticate with Azure AD. This is because each on-premises instance of your MDM product has a different tenant-specific key. For this purpose, you may need to expose a configuration experience in your MDM product that enables administrators to specify the key to be used to authenticate with Azure AD.
### Use Azure AD Graph API
The following sample REST API call illustrates how an MDM can use the Azure AD Graph API to report compliance status of a device currently being managed by it.
``` syntax
Sample Graph API Request:
PATCH https://graph.windows.net/contoso.com/devices/db7ab579-3759-4492-a03f-655ca7f52ae1?api-version=beta HTTP/1.1
Authorization: Bearer eyJ0eXAiO………
Accept: application/json
Content-Type: application/json
{ “isManaged”:true,
“isCompliant”:true
}
```
Where:
- **contoso.com** This is the name of the Azure AD tenant to whose directory the device has been joined.
- **db7ab579-3759-4492-a03f-655ca7f52ae1** This is the device identifier for the device whose compliance information is being reported to Azure AD.
- **eyJ0eXAiO**……… This is the bearer access token issued by Azure AD to the MDM that authorizes the MDM to call the Azure AD Graph API. The access token is placed in the HTTP authorization header of the request.
- **isManaged** and **isCompliant** - These Boolean attributes indicates compliance status.
- **api-version** - Use this parameter to specify which version of the graph API is being requested.
Response:
- Success - HTTP 204 with No Content.
- Failure/Error - HTTP 404 Not Found. This error may be returned if the specified device or tenant cannot be found.
## Data loss during unenrollment from Azure Active Directory Join
When a user is enrolled into MDM through Azure Active Directory Join and then disconnects the enrollment, there is no warning that the user will lose Windows Information Protection (WIP) data. The disconnection message does not indicate the loss of WIP data.
![aadj unenerollment](images/azure-ad-unenrollment.png)
## Error codes
<table>
<colgroup>
<col width="33%" />
<col width="33%" />
<col width="33%" />
</colgroup>
<thead>
<tr class="header">
<th>Code</th>
<th>ID</th>
<th>Error message</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td style="vertical-align:top">0x80180001</td>
<td style="vertical-align:top">&quot;idErrorServerConnectivity&quot;, // MENROLL_E_DEVICE_MESSAGE_FORMAT_ERROR</td>
<td style="vertical-align:top"><p>There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top">0x80180002</td>
<td style="vertical-align:top">&quot;idErrorAuthenticationFailure&quot;, // MENROLL_E_DEVICE_AUTHENTICATION_ERROR</td>
<td style="vertical-align:top"><p>There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top">0x80180003</td>
<td style="vertical-align:top">&quot;idErrorAuthorizationFailure&quot;, // MENROLL_E_DEVICE_AUTHORIZATION_ERROR</td>
<td style="vertical-align:top"><p>This user is not authorized to enroll. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top">0x80180004</td>
<td style="vertical-align:top">&quot;idErrorMDMCertificateError&quot;, // MENROLL_E_DEVICE_CERTIFCATEREQUEST_ERROR</td>
<td style="vertical-align:top"><p>There was a certificate error. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top">0x80180005</td>
<td style="vertical-align:top">&quot;idErrorServerConnectivity&quot;, // MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR</td>
<td style="vertical-align:top"><p>There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top">0x80180006</td>
<td style="vertical-align:top">&quot;idErrorServerConnectivity&quot;, // MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR</td>
<td style="vertical-align:top"><p>There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top">0x80180007</td>
<td style="vertical-align:top">&quot;idErrorAuthenticationFailure&quot;, // MENROLL_E_DEVICE_INVALIDSECURITY_ERROR</td>
<td style="vertical-align:top"><p>There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top">0x80180008</td>
<td style="vertical-align:top">&quot;idErrorServerConnectivity&quot;, // MENROLL_E_DEVICE_UNKNOWN_ERROR</td>
<td style="vertical-align:top"><p>There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top">0x80180009</td>
<td style="vertical-align:top">&quot;idErrorAlreadyInProgress&quot;, // MENROLL_E_ENROLLMENT_IN_PROGRESS</td>
<td style="vertical-align:top"><p>Another enrollment is in progress. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top">0x8018000A</td>
<td style="vertical-align:top">&quot;idErrorMDMAlreadyEnrolled&quot;, // MENROLL_E_DEVICE_ALREADY_ENROLLED</td>
<td style="vertical-align:top"><p>This device is already enrolled. You can contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top">0x8018000D</td>
<td style="vertical-align:top">&quot;idErrorMDMCertificateError&quot;, // MENROLL_E_DISCOVERY_SEC_CERT_DATE_INVALID</td>
<td style="vertical-align:top"><p>There was a certificate error. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top">0x8018000E</td>
<td style="vertical-align:top">&quot;idErrorAuthenticationFailure&quot;, // MENROLL_E_PASSWORD_NEEDED</td>
<td style="vertical-align:top"><p>There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top">0x8018000F</td>
<td style="vertical-align:top">&quot;idErrorAuthenticationFailure&quot;, // MENROLL_E_WAB_ERROR</td>
<td style="vertical-align:top"><p>There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top">0x80180010</td>
<td style="vertical-align:top">&quot;idErrorServerConnectivity&quot;, // MENROLL_E_CONNECTIVITY</td>
<td style="vertical-align:top"><p>There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top">0x80180012</td>
<td style="vertical-align:top">&quot;idErrorMDMCertificateError&quot;, // MENROLL_E_INVALIDSSLCERT</td>
<td style="vertical-align:top"><p>There was a certificate error. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top">0x80180013</td>
<td style="vertical-align:top">&quot;idErrorDeviceLimit&quot;, // MENROLL_E_DEVICECAPREACHED</td>
<td style="vertical-align:top"><p>Looks like there are too many devices or users for this account. Contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top">0x80180014</td>
<td style="vertical-align:top">&quot;idErrorMDMNotSupported&quot;, // MENROLL_E_DEVICENOTSUPPORTED</td>
<td style="vertical-align:top"><p>This feature is not supported. Contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top">0x80180015</td>
<td style="vertical-align:top">&quot;idErrorMDMNotSupported&quot;, // MENROLL_E_NOTSUPPORTED</td>
<td style="vertical-align:top"><p>This feature is not supported. Contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top">0x80180016</td>
<td style="vertical-align:top">&quot;idErrorMDMRenewalRejected&quot;, // MENROLL_E_NOTELIGIBLETORENEW</td>
<td style="vertical-align:top"><p>The server did not accept the request. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top">0x80180017</td>
<td style="vertical-align:top">&quot;idErrorMDMAccountMaintenance&quot;, // MENROLL_E_INMAINTENANCE</td>
<td style="vertical-align:top"><p>The service is in maintenance. You can try to do this again later or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top">0x80180018</td>
<td style="vertical-align:top">&quot;idErrorMDMLicenseError&quot;, // MENROLL_E_USERLICENSE</td>
<td style="vertical-align:top"><p>There was an error with your license. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top">0x80180019</td>
<td style="vertical-align:top">&quot;idErrorInvalidServerConfig&quot;, // MENROLL_E_ENROLLMENTDATAINVALID</td>
<td style="vertical-align:top"><p>Looks like the server is not correctly configured. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top">&quot;rejectedTermsOfUse&quot;</td>
<td style="vertical-align:top">&quot;idErrorRejectedTermsOfUse&quot;</td>
<td style="vertical-align:top"><p>Your organization requires that you agree to the Terms of Use. Please try again or ask your support person for more information.</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top">0x801c0001</td>
<td style="vertical-align:top">&quot;idErrorServerConnectivity&quot;, // DSREG_E_DEVICE_MESSAGE_FORMAT_ERROR</td>
<td style="vertical-align:top"><p>There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top">0x801c0002</td>
<td style="vertical-align:top">&quot;idErrorAuthenticationFailure&quot;, // DSREG_E_DEVICE_AUTHENTICATION_ERROR</td>
<td style="vertical-align:top"><p>There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top">0x801c0003</td>
<td style="vertical-align:top">&quot;idErrorAuthorizationFailure&quot;, // DSREG_E_DEVICE_AUTHORIZATION_ERROR</td>
<td style="vertical-align:top"><p>This user is not authorized to enroll. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top">0x801c0006</td>
<td style="vertical-align:top">&quot;idErrorServerConnectivity&quot;, // DSREG_E_DEVICE_INTERNALSERVICE_ERROR</td>
<td style="vertical-align:top"><p>There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top">0x801c000B</td>
<td style="vertical-align:top">&quot;idErrorUntrustedServer&quot;, // DSREG_E_DISCOVERY_REDIRECTION_NOT_TRUSTED</td>
<td style="vertical-align:top">The server being contacted is not trusted. Contact your system administrator with the error code {0}.</td>
</tr>
<tr class="odd">
<td style="vertical-align:top">0x801c000C</td>
<td style="vertical-align:top">&quot;idErrorServerConnectivity&quot;, // DSREG_E_DISCOVERY_FAILED</td>
<td style="vertical-align:top"><p>There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top">0x801c000E</td>
<td style="vertical-align:top">&quot;idErrorDeviceLimit&quot;, // DSREG_E_DEVICE_REGISTRATION_QUOTA_EXCCEEDED</td>
<td style="vertical-align:top"><p>Looks like there are too many devices or users for this account. Contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top">0x801c000F</td>
<td style="vertical-align:top">&quot;idErrorDeviceRequiresReboot&quot;, // DSREG_E_DEVICE_REQUIRES_REBOOT</td>
<td style="vertical-align:top"><p>A reboot is required to complete device registration.</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top">0x801c0010</td>
<td style="vertical-align:top">&quot;idErrorInvalidCertificate&quot;, // DSREG_E_DEVICE_AIK_VALIDATION_ERROR</td>
<td style="vertical-align:top"><p>Looks like you have an invalid certificate. Contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top">0x801c0011</td>
<td style="vertical-align:top">&quot;idErrorAuthenticationFailure&quot;, // DSREG_E_DEVICE_ATTESTATION_ERROR</td>
<td style="vertical-align:top"><p>There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top">0x801c0012</td>
<td style="vertical-align:top">&quot;idErrorServerConnectivity&quot;, // DSREG_E_DISCOVERY_BAD_MESSAGE_ERROR</td>
<td style="vertical-align:top"><p>There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top">0x801c0013</td>
<td style="vertical-align:top">&quot;idErrorAuthenticationFailure&quot;, // DSREG_E_TENANTID_NOT_FOUND</td>
<td style="vertical-align:top"><p>There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top">0x801c0014</td>
<td style="vertical-align:top">&quot;idErrorAuthenticationFailure&quot;, // DSREG_E_USERSID_NOT_FOUND</td>
<td style="vertical-align:top"><p>There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
</tbody>
</table>
 
 

685
windows/client-management/mdm/bitlocker-csp.md Normal file
View File

@ -0,0 +1,685 @@
---
title: BitLocker CSP
description: BitLocker CSP
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# BitLocker CSP
The BitLocker configuration service provider (CSP) is used by the enterprise to manage encryption of PCs and devices. This CSP was added in Windows 10, version 1703.
> [!Note]
> Settings are enforced only at the time encryption is started. Encryption is not restarted with settings changes.
> You must send all the settings together in a single SyncML to be effective.
A Get operation on any of the settings, except for RequireDeviceEncryption and RequireStorageCardEncryption, returns
the setting configured by the admin.
For RequireDeviceEncryption and RequireStorageCardEncryption, the Get operation returns the actual status of enforcement to the admin, such as if TPM protection is required and if encryption is required. And if the device has BitLocker enabled but with password protector, the status reported is 0. A Get operation on RequireDeviceEncryption does not verify that the a minimum PIN length is enforced (SystemDrivesMinimumPINLength).
The following diagram shows the BitLocker configuration service provider in tree format.
![bitlocker csp](images/provisioning-csp-bitlocker.png)
<a href="" id="--device-vendor-msft-bitlocker"></a>**./Device/Vendor/MSFT/BitLocker**
<p style="margin-left: 20px">Defines the root node for the BitLocker configuration service provider.</p>
<a href="" id="requirestoragecardencryption"></a>**RequireStorageCardEncryption**
<p style="margin-left: 20px">Allows the administrator to require storage card encryption on the device. This policy is valid only for a mobile SKU.</p>
<p style="margin-left: 20px">Data type is integer. Sample value for this node to enable this policy: 1. Disabling this policy will not turn off the encryption on the storage card, but the user will no longer be prompted to turn it on.</p>
<p style="margin-left: 20px">If you want to disable this policy use the following SyncML:</p>
``` syntax
<SyncML>
<SyncBody>
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/RequireStorageCardEncryption</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>0</Data>
</Item>
</Replace>
</SyncBody>
</SyncML>
```
<p style="margin-left: 20px">Data type is integer. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="requiredeviceencryption"></a>**RequireDeviceEncryption**
<p style="margin-left: 20px">Allows the administrator to require encryption to be turned on by using BitLocker\Device Encryption.</p>
<p style="margin-left: 20px">Data type is integer. Sample value for this node to enable this policy: 1. Disabling this policy will not turn off the encryption on the system card, but the user will no longer be prompted to turn it on.</p>
<p style="margin-left: 20px">If you want to disable this policy use the following SyncML:</p>
``` syntax
<SyncML>
<SyncBody>
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/RequireDeviceEncryption</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>0</Data>
</Item>
</Replace>
</SyncBody>
</SyncML>
```
<p style="margin-left: 20px">Data type is integer. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="encryptionmethodbydrivetype"></a>**EncryptionMethodByDriveType**
<p style="margin-left: 20px">Allows you to set the default encrytion method for each of the different drive types. This setting is a direct mapping to the Bitlocker Group Policy "Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)" (Policy EncryptionMethodWithXts_Name).</p>
<p style="margin-left: 20px">This setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted, or if encryption is in progress.</p>
<p style="margin-left: 20px">If you enable this setting you will be able to configure an encryption algorithm and key cipher strength for fixed data drives, operating system drives, and removable data drives individually. For fixed and operating system drives, we recommend that you use the XTS-AES algorithm. For removable drives, you should use AES-CBC 128-bit or AES-CBC 256-bit if the drive will be used in other devices that are not running Windows 10, version 1511.</p>
<p style="margin-left: 20px">If you disable or do not configure this policy setting, BitLocker will use the default encryption method of XTS-AES 128-bit or the encryption method specified by any setup script.</p>
<p style="margin-left: 20px"> Sample value for this node to enable this policy and set the encryption methods is:</p>
``` syntax
<enabled/><data id="EncryptionMethodWithXtsOsDropDown_Name" value="xx"/><data id="EncryptionMethodWithXtsFdvDropDown_Name" value="xx"/><data id="EncryptionMethodWithXtsRdvDropDown_Name" value="xx"/>
```
<p style="margin-left: 20px">EncryptionMethodWithXtsOsDropDown_Name = Select the encryption method for operating system drives</p>
<p style="margin-left: 20px">EncryptionMethodWithXtsFdvDropDown_Name = Select the encryption method for fixed data drives.</p>
<p style="margin-left: 20px">EncryptionMethodWithXtsRdvDropDown_Name = Select the encryption method for removable data drives.</p>
<p style="margin-left: 20px"> The possible values for 'xx' are:</p>
<ul>
<li>3 = AES-CBC 128</li>
<li>4 = AES-CBC 256</li>
<li>6 = XTS-AES 128</li>
<li>7 = XTS-AES 256</li>
</ul>
<p style="margin-left: 20px"> If you want to disable this policy use the following SyncML:</p>
``` syntax
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/EncryptionMethodByDriveType</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>&lt;disabled/&gt;</Data>
</Item>
</Replace>
```
<p style="margin-left: 20px">Data type is string. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="systemdrivesrequirestartupauthentication"></a>**SystemDrivesRequireStartupAuthentication**
<p style="margin-left: 20px">This setting is a direct mapping to the Bitlocker Group Policy "Require additional authentication at startup" (ConfigureAdvancedStartup_Name ).</p>
<p style="margin-left: 20px">This setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM). This setting is applied when you turn on BitLocker.</p>
> [!Note]
> Only one of the additional authentication options can be required at startup, otherwise an error occurs.
<p style="margin-left: 20px">If you want to use BitLocker on a computer without a TPM, set the "ConfigureNonTPMStartupKeyUsage_Name" data. In this mode either a password or a USB drive is required for start-up. When using a startup key, the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted the access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable or if you have forgotten the password then you will need to use one of the BitLocker recovery options to access the drive.</p>
<p style="margin-left: 20px">On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require insertion of a USB flash drive containing a startup key, the entry of a 6-digit to 20-digit personal identification number (PIN), or both.</p>
<p style="margin-left: 20px">If you enable this policy setting, users can configure advanced startup options in the BitLocker setup wizard.</p>
<p style="margin-left: 20px">If you disable or do not configure this setting, users can configure only basic options on computers with a TPM.</p>
> [!Note]
> If you want to require the use of a startup PIN and a USB flash drive, you must configure BitLocker settings using the command-line tool manage-bde instead of the BitLocker Drive Encryption setup wizard.
<p style="margin-left: 20px">Sample value for this node to enable this policy is:</p>
``` syntax
<enabled/><data id="ConfigureNonTPMStartupKeyUsage_Name" value="xx"/><data id="ConfigureTPMStartupKeyUsageDropDown_Name" value="yy"/><data id="ConfigurePINUsageDropDown_Name" value="yy"/><data id="ConfigureTPMPINKeyUsageDropDown_Name" value="yy"/><data id="ConfigureTPMUsageDropDown_Name" value="yy"/>
```
<p style="margin-left: 20px">Data id:</p>
<ul>
<li>ConfigureNonTPMStartupKeyUsage_Name = Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive).</li>
<li>ConfigureTPMStartupKeyUsageDropDown_Name = (for computer with TPM) Configure TPM startup key.</li>
<li>ConfigurePINUsageDropDown_Name = (for computer with TPM) Configure TPM startup PIN.</li>
<li>ConfigureTPMPINKeyUsageDropDown_Name = (for computer with TPM) Configure TPM startup key and PIN.</li>
<li>ConfigureTPMUsageDropDown_Name = (for computer with TPM) Configure TPM startup.</li>
</ul>
<p style="margin-left: 20px">The possible values for 'xx' are:</p>
<ul>
<li>true = Explicitly allow</li>
<li>false = Policy not set</li>
</ul>
<p style="margin-left: 20px">The possible values for 'yy' are:</p>
<ul>
<li>2 = Optional</li>
<li>1 = Required</li>
<li>0 = Disallowed</li>
</ul>
<p style="margin-left: 20px">Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:</p>
``` syntax
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesRequireStartupAuthentication</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>&lt;disabled/&gt;</Data>
</Item>
</Replace>
```
<p style="margin-left: 20px">Data type is string. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="systemdrivesminimumpinlength"></a>**SystemDrivesMinimumPINLength**
<p style="margin-left: 20px">This setting is a direct mapping to the Bitlocker Group Policy "Configure minimum PIN length for startup" (GP MinimumPINLength_Name).</p>
<p style="margin-left: 20px">This setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 6 digits and can have a maximum length of 20 digits.</p>
<p style="margin-left: 20px">If you enable this setting, you can require a minimum number of digits to be used when setting the startup PIN.</p>
<p style="margin-left: 20px">If you disable or do not configure this setting, users can configure a startup PIN of any length between 6 and 20 digits.</p>
<p style="margin-left: 20px">Sample value for this node to enable this policy is:</p>
``` syntax
<enabled/><data id="MinPINLength" value="xx"/>
```
<p style="margin-left: 20px">Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:</p>
``` syntax
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesMinimumPINLength</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>&lt;disabled/&gt;</Data>
</Item>
</Replace>
```
<p style="margin-left: 20px">Data type is string. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="systemdrivesrecoverymessage"></a>**SystemDrivesRecoveryMessage**
<p style="margin-left: 20px">This setting is a direct mapping to the Bitlocker Group Policy "Configure pre-boot recovery message and URL" (PrebootRecoveryInfo_Name).</p>
<p style="margin-left: 20px">This setting lets you configure the entire recovery message or replace the existing URL that are displayed on the pre-boot key recovery screen when the OS drive is locked.
</p>
<p style="margin-left: 20px">If you set the value to "1" (Use default recovery message and URL), the default BitLocker recovery message and URL will be displayed in the pre-boot key recovery screen. If you have previously configured a custom recovery message or URL and want to revert to the default message, you must keep the policy enabled and set the value "1" (Use default recovery message and URL).</o>
<p style="margin-left: 20px">If you set the value to "2" (Use custom recovery message), the message you set in the "RecoveryMessage_Input" data field will be displayed in the pre-boot key recovery screen. If a recovery URL is available, include it in the message.</p>
<p style="margin-left: 20px">If you set the the value to "3" (Use custom recovery URL), the URL you type in the "RecoveryUrl_Input" data field will replace the default URL in the default recovery message, which will be displayed in the pre-boot key recovery screen.</p>
<p style="margin-left: 20px">Sample value for this node to enable this policy is:</p>
``` syntax
<enabled/><data id="PrebootRecoveryInfoDropDown_Name" value="xx"/><data id="RecoveryMessage_Input" value="yy"/><data id="RecoveryUrl_Input" value="zz"/>
```
<p style="margin-left: 20px">The possible values for 'xx' are:</p>
<ul>
<li>0 = Empty</li>
<li>1 = Use default recovery message and URL.</li>
<li>2 = Custom recovery message is set.</li>
<li>3 = Custom recovery URL is set.</li>
<li>'yy' = string of max length 900.</li>
<li>'zz' = string of max length 500.</li>
</ul>
<p style="margin-left: 20px">Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:</p>
``` syntax
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>&lt;disabled/&gt;</Data>
</Item>
</Replace>
```
> [!Note]
> Not all characters and languages are supported in pre-boot. It is strongly recommended that you test that the characters you use for the custom message or URL appear correctly on the pre-boot recovery screen.
<p style="margin-left: 20px">Data type is string. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="systemdrivesrecoveryoptions"></a>**SystemDrivesRecoveryOptions**
<p style="margin-left: 20px">This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLocker-protected operating system drives can be recovered" (OSRecoveryUsage_Name).</p>
<p style="margin-left: 20px">This setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This setting is applied when you turn on BitLocker.</p>
<p style="margin-left: 20px">The "OSAllowDRA_Name" (Allow certificate-based data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.</p>
<p style="margin-left: 20px">In "OSRecoveryPasswordUsageDropDown_Name" and "OSRecoveryKeyUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.</p>
<p style="margin-left: 20px">Set "OSHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting.</p>
<p style="margin-left: 20px">Set "OSActiveDirectoryBackup_Name" (Save BitLocker recovery information to Active Directory Domain Services), to choose which BitLocker recovery information to store in AD DS for operating system drives (OSActiveDirectoryBackupDropDown_Name). If you set "1" (Backup recovery password and key package), both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you set "2" (Backup recovery password only), only the recovery password is stored in AD DS.</p>
<p style="margin-left: 20px">Set the "OSRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.</p>
> [!Note]
> If the "OSRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field is set, a recovery password is automatically generated.
<p style="margin-left: 20px">If you enable this setting, you can control the methods available to users to recover data from BitLocker-protected operating system drives.</p>
<p style="margin-left: 20px">If this setting is disabled or not configured, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS.</p>
<p style="margin-left: 20px">Sample value for this node to enable this policy is:</p>
``` syntax
<enabled/><data id="OSAllowDRA_Name" value="xx"/><data id="OSRecoveryPasswordUsageDropDown_Name" value="yy"/><data id="OSRecoveryKeyUsageDropDown_Name" value="yy"/><data id="OSHideRecoveryPage_Name" value="xx"/><data id="OSActiveDirectoryBackup_Name" value="xx"/><data id="OSActiveDirectoryBackupDropDown_Name" value="zz"/><data id="OSRequireActiveDirectoryBackup_Name" value="xx"/>
```
<p style="margin-left: 20px">The possible values for 'xx' are:</p>
<ul>
<li>true = Explicitly allow</li>
<li>false = Policy not set</li>
<li></li>
</ul>
<p style="margin-left: 20px">The possible values for 'yy' are:</p>
<ul>
<li>2 = Allowed</li>
<li>1 = Required</li>
<li>0 = Disallowed</li>
</ul>
<p style="margin-left: 20px">The possible values for 'zz' are:</p>
<ul>
<li>2 = Store recovery passwords only</li>
<li>1 = Store recovery passwords and key packages</li>
<li></li>
</ul>
<p style="margin-left: 20px">Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:</p>
``` syntax
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryOptions</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>&lt;disabled/&gt;</Data>
</Item>
</Replace>
```
<p style="margin-left: 20px">Data type is string. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="fixeddrivesrecoveryoptions"></a>**FixedDrivesRecoveryOptions**
<p style="margin-left: 20px">This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLocker-protected fixed drives can be recovered" (FDVRecoveryUsage_Name).</p>
<p style="margin-left: 20px">This setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This setting is applied when you turn on BitLocker.</p>
<p style="margin-left: 20px">The "FDVAllowDRA_Name" (Allow data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.</p>
<p style="margin-left: 20px">In "FDVRecoveryPasswordUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.</p>
<p style="margin-left: 20px">Set "FDVHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting.</p>
<p style="margin-left: 20px">Set "FDVActiveDirectoryBackup_Name" (Save BitLocker recovery information to Active Directory Domain Services) to enable saving the recovery key to AD.</p>
<p style="margin-left: 20px">Set the "FDVRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.</p>
<p style="margin-left: 20px">Set the "FDVActiveDirectoryBackupDropDown_Name" (Configure storage of BitLocker recovery information to AD DS) to choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select "1" (Backup recovery password and key package), both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you select "2" (Backup recovery password only) only the recovery password is stored in AD DS.</p>
> [!Note]
> If the "FDVRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives) data field is set, a recovery password is automatically generated.
<p style="margin-left: 20px">If you enable this setting, you can control the methods available to users to recover data from BitLocker-protected fixed data drives.</p>
<p style="margin-left: 20px">If this setting is not configured or disabled, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS.</p>
<p style="margin-left: 20px">Sample value for this node to enable this policy is:</p>
``` syntax
<enabled/><data id="FDVAllowDRA_Name" value="xx"/><data id="FDVRecoveryPasswordUsageDropDown_Name" value="yy"/><data id="FDVRecoveryKeyUsageDropDown_Name" value="yy"/><data id="FDVHideRecoveryPage_Name" value="xx"/><data id="FDVActiveDirectoryBackup_Name" value="xx"/><data id="FDVActiveDirectoryBackupDropDown_Name" value="zz"/><data id="FDVRequireActiveDirectoryBackup_Name" value="xx"/>
```
<p style="margin-left: 20px">The possible values for 'xx' are:</p>
<ul>
<li>true = Explicitly allow</li>
<li>false = Policy not set</li>
</ul>
<p style="margin-left: 20px">The possible values for 'yy' are:</p>
<ul>
<li>2 = Allowed</li>
<li>1 = Required</li>
<li>0 = Disallowed</li>
</ul>
<p style="margin-left: 20px">The possible values for 'zz' are:</p>
<ul>
<li>2 = Store recovery passwords only</li>
<li>1 = Store recovery passwords and key packages</li>
</ul>
<p style="margin-left: 20px">Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:</p>
``` syntax
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/FixedDrivesRecoveryOptions</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>&lt;disabled/&gt;</Data>
</Item>
</Replace>
```
<p style="margin-left: 20px">Data type is string. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="fixeddrivesrequireencryption"></a>**FixedDrivesRequireEncryption**
<p style="margin-left: 20px">This setting is a direct mapping to the Bitlocker Group Policy "Deny write access to fixed drives not protected by BitLocker" (FDVDenyWriteAccess_Name).</p>
<p style="margin-left: 20px">This setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer.</p>
<p style="margin-left: 20px">If you enable this setting, all fixed data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.</p>
<p style="margin-left: 20px">Sample value for this node to enable this policy is:</p>
``` syntax
<enabled/>
```
<p style="margin-left: 20px">If you disable or do not configure this setting, all fixed data drives on the computer will be mounted with read and write access. If you want to disable this policy use the following SyncML:</p>
``` syntax
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/FixedDrivesRequireEncryption</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>&lt;disabled/&gt;</Data>
</Item>
</Replace>
```
<p style="margin-left: 20px">Data type is string. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="removabledrivesrequireencryption"></a>**RemovableDrivesRequireEncryption**
<p style="margin-left: 20px">This setting is a direct mapping to the Bitlocker Group Policy "Deny write access to removable drives not protected by BitLocker" (RDVDenyWriteAccess_Name).</p>
<p style="margin-left: 20px">This setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive.</p>
<p style="margin-left: 20px">If you enable this setting, all removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.</p>
<p style="margin-left: 20px">If the "RDVCrossOrg" (Deny write access to devices configured in another organization) option is set, only drives with identification fields matching the computer's identification fields will be given write access. When a removable data drive is accessed it will be checked for valid identification field and allowed identification fields. These fields are defined by the "Provide the unique identifiers for your organization" group policy setting.</p>
<p style="margin-left: 20px">If you disable or do not configure this policy setting, all removable data drives on the computer will be mounted with read and write access.</p>
> [!Note]
> This policy setting can be overridden by the group policy settings under User Configuration\Administrative Templates\System\Removable Storage Access. If the "Removable Disks: Deny write access" group policy setting is enabled this policy setting will be ignored.
<p style="margin-left: 20px">Sample value for this node to enable this policy is:</p>
``` syntax
<enabled/><data id="RDVCrossOrg" value="xx"/>
```
<p style="margin-left: 20px">The possible values for 'xx' are:</p>
<ul>
<li>true = Explicitly allow</li>
<li>false = Policy not set</li>
</ul>
<p style="margin-left: 20px">Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:</p>
``` syntax
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/RemovableDrivesRequireEncryption</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>&lt;disabled/&gt;</Data>
</Item>
</Replace>
```
### SyncML example
The following example is provided to show proper format and should not be taken as a recommendation.
``` syntax
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<!-- Phone only policy -->
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/RequireStorageCardEncryption</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>1</Data>
</Item>
</Replace>
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/RequireDeviceEncryption</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>1</Data>
</Item>
</Replace>
<!-- All of the following policies are only supported on desktop SKU -->
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/EncryptionMethodByDriveType</LocURI>
</Target>
<Data>
&lt;enabled/&gt;
&lt;data id=&quot;EncryptionMethodWithXtsOsDropDown_Name&quot; value=&quot;4&quot;/&gt;
&lt;data id=&quot;EncryptionMethodWithXtsFdvDropDown_Name&quot; value=&quot;7&quot;/&gt;
&lt;data id=&quot;EncryptionMethodWithXtsRdvDropDown_Name&quot; value=&quot;4&quot;/&gt;
</Data>
</Item>
</Replace>
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesRequireStartupAuthentication</LocURI>
</Target>
<Data>
&lt;enabled/&gt;
&lt;data id=&quot;ConfigureNonTPMStartupKeyUsage_Name&quot; value=&quot;true&quot;/&gt;
&lt;data id=&quot;ConfigureTPMStartupKeyUsageDropDown_Name&quot; value=&quot;2&quot;/&gt;
&lt;data id=&quot;ConfigurePINUsageDropDown_Name&quot; value=&quot;2&quot;/&gt;
&lt;data id=&quot;ConfigureTPMPINKeyUsageDropDown_Name&quot; value=&quot;2&quot;/&gt;
&lt;data id=&quot;ConfigureTPMUsageDropDown_Name&quot; value=&quot;2&quot;/&gt;
</Data>
</Item>
</Replace>
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesMinimumPINLength</LocURI>
</Target>
<Data>
&lt;enabled/&gt;
&lt;data id=&quot;MinPINLength&quot; value=&quot;6&quot;/&gt;
</Data>
</Item>
</Replace>
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage</LocURI>
</Target>
<Data>
&lt;enabled/&gt;
&lt;data id=&quot;RecoveryMessage_Input&quot; value=&quot;blablablabla&quot;/&gt;
&lt;data id=&quot;PrebootRecoveryInfoDropDown_Name&quot; value=&quot;2&quot;/&gt;
&lt;data id=&quot;RecoveryUrl_Input&quot; value=&quot;blablabla&quot;/&gt;
</Data>
</Item>
</Replace>
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryOptions</LocURI>
</Target>
<Data>
&lt;enabled/&gt;
&lt;data id=&quot;OSAllowDRA_Name&quot; value=&quot;true&quot;/&gt;
&lt;data id=&quot;OSRecoveryPasswordUsageDropDown_Name&quot; value=&quot;2&quot;/&gt;
&lt;data id=&quot;OSRecoveryKeyUsageDropDown_Name&quot; value=&quot;2&quot;/&gt;
&lt;data id=&quot;OSHideRecoveryPage_Name&quot; value=&quot;true&quot;/&gt;
&lt;data id=&quot;OSActiveDirectoryBackup_Name&quot; value=&quot;true&quot;/&gt;
&lt;data id=&quot;OSActiveDirectoryBackupDropDown_Name&quot; value=&quot;2&quot;/&gt;
&lt;data id=&quot;OSRequireActiveDirectoryBackup_Name&quot; value=&quot;true&quot;/&gt;
</Data>
</Item>
</Replace>
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/FixedDrivesRecoveryOptions</LocURI>
</Target>
<Data>
&lt;enabled/&gt;
&lt;data id=&quot;FDVAllowDRA_Name&quot; value=&quot;true&quot;/&gt;
&lt;data id=&quot;FDVRecoveryPasswordUsageDropDown_Name&quot; value=&quot;2&quot;/&gt;
&lt;data id=&quot;FDVRecoveryKeyUsageDropDown_Name&quot; value=&quot;2&quot;/&gt;
&lt;data id=&quot;FDVHideRecoveryPage_Name&quot; value=&quot;true&quot;/&gt;
&lt;data id=&quot;FDVActiveDirectoryBackup_Name&quot; value=&quot;true&quot;/&gt;
&lt;data id=&quot;FDVActiveDirectoryBackupDropDown_Name&quot; value=&quot;2&quot;/&gt;
&lt;data id=&quot;FDVRequireActiveDirectoryBackup_Name&quot; value=&quot;true&quot;/&gt;
</Data>
</Item>
</Replace>
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/FixedDrivesRequireEncryption</LocURI>
</Target>
<Data>
&lt;enabled/&gt;
</Data>
</Item>
</Replace>
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/RemovableDrivesRequireEncryption</LocURI>
</Target>
<Data>
&lt;enabled/&gt;
&lt;data id=&quot;RDVCrossOrg&quot; value=&quot;true&quot;/&gt;
</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
```
<a href="" id="allowwarningforotherdiskencryption"></a>**AllowWarningForOtherDiskEncryption**
<p style="margin-left: 20px">Allows the Admin to disable the warning prompt for other disk encryption on the user machines.</p>
<p style="margin-left: 20px">The following list shows the supported values:</p>
- 0 Disables the warning prompt.
- 1 (default) Warning prompt allowed.
<p style="margin-left: 20px">Admin should set the value to 0 to disable the warning. If you want to disable this policy use the following SyncML:</p>
``` syntax
<Replace>
<CmdID>110</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/DisableWarningForOtherDiskEncryption</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>0</Data>
</Item>
</Replace>
```

601
windows/client-management/mdm/bitlocker-ddf-file.md Normal file
View File

@ -0,0 +1,601 @@
---
title: BitLocker DDF file
description: BitLocker DDF file
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# BitLocker DDF file
This topic shows the OMA DM device description framework (DDF) for the **BitLocker** configuration service provider.
You can download the DDF files from the links below:
- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip)
The XML below is the current version for this CSP.
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>BitLocker</NodeName>
<Path>./Device/Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>com.microsoft/1.0/MDM/BitLocker</MIME>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>RequireStorageCardEncryption</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Allows the Admin to require storage card encryption on the device.
The format is integer.
This policy is only valid for mobile SKU.
Sample value for this node to enable this policy:
1
Disabling the policy will not turn off the encryption on the storage card. But will stop prompting the user to turn it on.
If you want to disable this policy use the following SyncML:
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/RequireStorageCardEncryption</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>0</Data>
</Item>
</Replace>
</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>RequireDeviceEncryption</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Allows the Admin to require encryption to be turned on using BitLocker\Device Encryption.
The format is integer.
Sample value for this node to enable this policy:
1
Disabling the policy will not turn off the encryption on the system drive. But will stop prompting the user to turn it on.
If you want to disable this policy use the following SyncML:
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/RequireDeviceEncryption</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>0</Data>
</Item>
</Replace>
</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>EncryptionMethodByDriveType</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>This policy setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted, or if encryption is in progress.
If you enable this policy setting you will be able to configure an encryption algorithm and key cipher strength for fixed data drives, operating system drives, and removable data drives individually. For fixed and operating system drives, we recommend that you use the XTS-AES algorithm. For removable drives, you should use AES-CBC 128-bit or AES-CBC 256-bit if the drive will be used in other devices that are not running Windows 10 (Version 1511).
If you disable or do not configure this policy setting, BitLocker will use the default encryption method of XTS-AES 128-bit or the encryption method specified by any setup script.”
The format is string.
Sample value for this node to enable this policy and set the encryption methods is:
&lt;enabled/&gt;&lt;data id=&quot;EncryptionMethodWithXtsOsDropDown_Name&quot; value=&quot;xx&quot;/&gt;&lt;data id=&quot;EncryptionMethodWithXtsFdvDropDown_Name&quot; value=&quot;xx&quot;/&gt;&lt;data id=&quot;EncryptionMethodWithXtsRdvDropDown_Name&quot; value=&quot;xx&quot;/&gt;
EncryptionMethodWithXtsOsDropDown_Name = Select the encryption method for operating system drives.
EncryptionMethodWithXtsFdvDropDown_Name = Select the encryption method for fixed data drives.
EncryptionMethodWithXtsRdvDropDown_Name = Select the encryption method for removable data drives.
The possible values for 'xx' are:
3 = AES-CBC 128
4 = AES-CBC 256
6 = XTS-AES 128
7 = XTS-AES 256
If you want to disable this policy use the following SyncML:
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/EncryptionMethodByDriveType</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>&lt;disabled/&gt;</Data>
</Item>
</Replace>
Note: Maps to GP EncryptionMethodWithXts_Name policy.
</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>SystemDrivesRequireStartupAuthentication</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>This policy setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM). This policy setting is applied when you turn on BitLocker.
Note: Only one of the additional authentication options can be required at startup, otherwise a policy error occurs.
If you want to use BitLocker on a computer without a TPM, set the "ConfigureNonTPMStartupKeyUsage_Name" data. In this mode either a password or a USB drive is required for start-up. When using a startup key, the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted the access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable or if you have forgotten the password then you will need to use one of the BitLocker recovery options to access the drive.
On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require insertion of a USB flash drive containing a startup key, the entry of a 6-digit to 20-digit personal identification number (PIN), or both.
If you enable this policy setting, users can configure advanced startup options in the BitLocker setup wizard.
If you disable or do not configure this policy setting, users can configure only basic options on computers with a TPM.
Note: If you want to require the use of a startup PIN and a USB flash drive, you must configure BitLocker settings using the command-line tool manage-bde instead of the BitLocker Drive Encryption setup wizard.
The format is string.
Sample value for this node to enable this policy is:
&lt;enabled/&gt;&lt;data id=&quot;ConfigureNonTPMStartupKeyUsage_Name&quot; value=&quot;xx&quot;/&gt;&lt;data id=&quot;ConfigureTPMStartupKeyUsageDropDown_Name&quot; value=&quot;yy&quot;/&gt;&lt;data id=&quot;ConfigurePINUsageDropDown_Name&quot; value=&quot;yy&quot;/&gt;&lt;data id=&quot;ConfigureTPMPINKeyUsageDropDown_Name&quot; value=&quot;yy&quot;/&gt;&lt;data id=&quot;ConfigureTPMUsageDropDown_Name&quot; value=&quot;yy&quot;/&gt;
ConfigureNonTPMStartupKeyUsage_Name = Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)
All of the below settings are for computers with a TPM.
ConfigureTPMStartupKeyUsageDropDown_Name = Configure TPM startup key.
ConfigurePINUsageDropDown_Name = Configure TPM startup PIN.
ConfigureTPMPINKeyUsageDropDown_Name = Configure TPM startup key and PIN.
ConfigureTPMUsageDropDown_Name = Configure TPM startup.
The possible values for 'xx' are:
true = Explicitly allow
false = Policy not set
The possible values for 'yy' are:
2 = Optional
1 = Required
0 = Disallowed
Disabling the policy will let the system choose the default behaviors.
If you want to disable this policy use the following SyncML:
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesRequireStartupAuthentication</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>&lt;disabled/&gt;</Data>
</Item>
</Replace>
Note: Maps to GP ConfigureAdvancedStartup_Name policy.
</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>SystemDrivesMinimumPINLength</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>This policy setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 6 digits and can have a maximum length of 20 digits.
If you enable this policy setting, you can require a minimum number of digits to be used when setting the startup PIN.
If you disable or do not configure this policy setting, users can configure a startup PIN of any length between 6 and 20 digits.
The format is string.
Sample value for this node to enable this policy is:
&lt;enabled/&gt;&lt;data id=&quot;MinPINLength&quot; value=&quot;xx&quot;/&gt;
Disabling the policy will let the system choose the default behaviors.
If you want to disable this policy use the following SyncML:
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesMinimumPINLength</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>&lt;disabled/&gt;</Data>
</Item>
</Replace>
Note: Maps to GP MinimumPINLength_Name policy.
</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>SystemDrivesRecoveryMessage</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>This policy setting lets you configure the entire recovery message or replace the existing URL that are displayed on the pre-boot key recovery screen when the OS drive is locked.
If you set the "1" (Use default recovery message and URL), the default BitLocker recovery message and URL will be displayed in the pre-boot key recovery screen. If you have previously configured a custom recovery message or URL and want to revert to the default message, you must keep the policy enabled and set the value "1" (Use default recovery message and URL).
If you set the "2" (Use custom recovery message), the message you set in the "RecoveryMessage_Input" data field will be displayed in the pre-boot key recovery screen. If a recovery URL is available, include it in the message.
If you set the "3" (Use custom recovery URL), the URL you type in the "RecoveryUrl_Input" data field will replace the default URL in the default recovery message, which will be displayed in the pre-boot key recovery screen.
Note: Not all characters and languages are supported in pre-boot. It is strongly recommended that you test that the characters you use for the custom message or URL appear correctly on the pre-boot recovery screen.
The format is string.
Sample value for this node to enable this policy is:
&lt;enabled/&gt;&lt;data id=&quot;PrebootRecoveryInfoDropDown_Name&quot; value=&quot;xx&quot;/&gt;&lt;data id=&quot;RecoveryMessage_Input&quot; value=&quot;yy&quot;/&gt;&lt;data id=&quot;RecoveryUrl_Input&quot; value=&quot;zz&quot;/&gt;
The possible values for 'xx' are:
0 = Empty
1 = Use default recovery message and URL.
2 = Custom recovery message is set.
3 = Custom recovery URL is set.
'yy' = string of max length 900.
'zz' = string of max length 500.
Disabling the policy will let the system choose the default behaviors.
If you want to disable this policy use the following SyncML:
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>&lt;disabled/&gt;</Data>
</Item>
</Replace>
Note: Maps to GP PrebootRecoveryInfo_Name policy.
</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>SystemDrivesRecoveryOptions</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>This policy setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This policy setting is applied when you turn on BitLocker.
The "OSAllowDRA_Name" (Allow certificate-based data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.
In "OSRecoveryPasswordUsageDropDown_Name" and "OSRecoveryKeyUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.
Set "OSHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting.
Set "OSActiveDirectoryBackup_Name" (Save BitLocker recovery information to Active Directory Domain Services), to choose which BitLocker recovery information to store in AD DS for operating system drives (OSActiveDirectoryBackupDropDown_Name). If you set "1" (Backup recovery password and key package), both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you set "2" (Backup recovery password only), only the recovery password is stored in AD DS.
Set the "OSRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.
Note: If the "OSRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field is set, a recovery password is automatically generated.
If you enable this policy setting, you can control the methods available to users to recover data from BitLocker-protected operating system drives.
If this policy setting is disabled or not configured, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS.
The format is string.
Sample value for this node to enable this policy is:
&lt;enabled/&gt;&lt;data id=&quot;OSAllowDRA_Name&quot; value=&quot;xx&quot;/&gt;&lt;data id=&quot;OSRecoveryPasswordUsageDropDown_Name&quot; value=&quot;yy&quot;/&gt;&lt;data id=&quot;OSRecoveryKeyUsageDropDown_Name&quot; value=&quot;yy&quot;/&gt;&lt;data id=&quot;OSHideRecoveryPage_Name&quot; value=&quot;xx&quot;/&gt;&lt;data id=&quot;OSActiveDirectoryBackup_Name&quot; value=&quot;xx&quot;/&gt;&lt;data id=&quot;OSActiveDirectoryBackupDropDown_Name&quot; value=&quot;zz&quot;/&gt;&lt;data id=&quot;OSRequireActiveDirectoryBackup_Name&quot; value=&quot;xx&quot;/&gt;
The possible values for 'xx' are:
true = Explicitly allow
false = Policy not set
The possible values for 'yy' are:
2 = Allowed
1 = Required
0 = Disallowed
The possible values for 'zz' are:
2 = Store recovery passwords only
1 = Store recovery passwords and key packages
Disabling the policy will let the system choose the default behaviors.
If you want to disable this policy use the following SyncML:
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryOptions</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>&lt;disabled/&gt;</Data>
</Item>
</Replace>
Note: Maps to GP OSRecoveryUsage_Name policy.
</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>FixedDrivesRecoveryOptions</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>This policy setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This policy setting is applied when you turn on BitLocker.
The "FDVAllowDRA_Name" (Allow data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.
In "FDVRecoveryPasswordUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.
Set "FDVHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting.
Set "FDVActiveDirectoryBackup_Name" (Save BitLocker recovery information to Active Directory Domain Services) to enable saving the recovery key to AD.
Set the "FDVRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.
Set the "FDVActiveDirectoryBackupDropDown_Name" (Configure storage of BitLocker recovery information to AD DS) to choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select "1" (Backup recovery password and key package), both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you select "2" (Backup recovery password only) only the recovery password is stored in AD DS.
Note: If the "FDVRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives" data field is set, a recovery password is automatically generated.
If you enable this policy setting, you can control the methods available to users to recover data from BitLocker-protected fixed data drives.
The format is string.
Sample value for this node to enable this policy is:
&lt;enabled/&gt;&lt;data id=&quot;FDVAllowDRA_Name&quot; value=&quot;xx&quot;/&gt;&lt;data id=&quot;FDVRecoveryPasswordUsageDropDown_Name&quot; value=&quot;yy&quot;/&gt;&lt;data id=&quot;FDVRecoveryKeyUsageDropDown_Name&quot; value=&quot;yy&quot;/&gt;&lt;data id=&quot;FDVHideRecoveryPage_Name&quot; value=&quot;xx&quot;/&gt;&lt;data id=&quot;FDVActiveDirectoryBackup_Name&quot; value=&quot;xx&quot;/&gt;&lt;data id=&quot;FDVActiveDirectoryBackupDropDown_Name&quot; value=&quot;zz&quot;/&gt;&lt;data id=&quot;FDVRequireActiveDirectoryBackup_Name&quot; value=&quot;xx&quot;/&gt;
The possible values for 'xx' are:
true = Explicitly allow
false = Policy not set
The possible values for 'yy' are:
2 = Allowed
1 = Required
0 = Disallowed
The possible values for 'zz' are:
2 = Store recovery passwords only
1 = Store recovery passwords and key packages
Disabling the policy will let the system choose the default behaviors.
If you want to disable this policy use the following SyncML:
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/FixedDrivesRecoveryOptions</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>&lt;disabled/&gt;</Data>
</Item>
</Replace>
Note: Maps to GP FDVRecoveryUsage_Name policy.
</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>FixedDrivesRequireEncryption</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>This policy setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer.
If you enable this policy setting, all fixed data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.
If you disable or do not configure this policy setting, all fixed data drives on the computer will be mounted with read and write access.
The format is string.
Sample value for this node to enable this policy is:
&lt;enabled/&gt;
Disabling the policy will let the system choose the default behaviors.
If you want to disable this policy use the following SyncML:
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/FixedDrivesRequireEncryption</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>&lt;disabled/&gt;</Data>
</Item>
</Replace>
Note: Maps to GP FDVDenyWriteAccess_Name policy.
</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>RemovableDrivesRequireEncryption</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>This policy setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive.
If you enable this policy setting, all removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.
If the "RDVCrossOrg" (Deny write access to devices configured in another organization) option is set, only drives with identification fields matching the computer's identification fields will be given write access. When a removable data drive is accessed it will be checked for valid identification field and allowed identification fields. These fields are defined by the "Provide the unique identifiers for your organization" group policy setting.
If you disable or do not configure this policy setting, all removable data drives on the computer will be mounted with read and write access.
Note: This policy setting can be overridden by the group policy settings under User Configuration\Administrative Templates\System\Removable Storage Access. If the "Removable Disks: Deny write access" group policy setting is enabled this policy setting will be ignored.
The format is string.
Sample value for this node to enable this policy is:
&lt;enabled/&gt;&lt;data id=&quot;RDVCrossOrg&quot; value=&quot;xx&quot;/&gt;
The possible values for 'xx' are:
true = Explicitly allow
false = Policy not set
Disabling the policy will let the system choose the default behaviors.
If you want to disable this policy use the following SyncML:
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/RemovableDrivesRequireEncryption</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>&lt;disabled/&gt;</Data>
</Item>
</Replace>
Note: Maps to GP RDVDenyWriteAccess_Name policy.
</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</MgmtTree>
```

51
windows/client-management/mdm/bootstrap-csp.md Normal file
View File

@ -0,0 +1,51 @@
---
title: BOOTSTRAP CSP
description: BOOTSTRAP CSP
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: b8acbddc-347f-4543-a45b-ad2ffae3ffd0
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# BOOTSTRAP CSP
The BOOTSTRAP configuration service provider sets the Trusted Provisioning Server (TPS) for the device.
> **Note**  BOOTSTRAP CSP is only supported in Windows 10 Mobile.
 
> **Note**   This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application.
 
The following image shows the BOOTSTRAP configuration service provider in tree format as used by Open Mobile Alliance (OMA) Client Provisioning. The OMA Device Management protocol is not supported with this configuration service provider.
![bootstrap csp (cp)](images/provisioning-csp-bootstrap-cp.png)
<a href="" id="context-allow"></a>**CONTEXT-ALLOW**
Optional. Specifies a context for the TPS. Only one context is supported, so this parameter is ignored and "0" is assumed for its value.
<a href="" id="provurl"></a>**PROVURL**
Required. Specifies the location of a Trusted Provisioning Server (TPS). The PROVURL value must be a complete URL string with a maximum length of 256 characters.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
 
 

116
windows/client-management/mdm/browserfavorite-csp.md Normal file
View File

@ -0,0 +1,116 @@
---
title: BrowserFavorite CSP
description: BrowserFavorite CSP
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: 5d2351ff-2d6a-4273-9b09-224623723cbf
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# BrowserFavorite CSP
The BrowserFavorite configuration service provider is used to add and remove URLs from the favorites list on a device.
> **Note**  BrowserFavorite CSP is only supported in Windows Phone 8.1.
 
The BrowserFavorite configuration service provider manages only the favorites at the root favorite folder level. It does not manage subfolders under the root favorite folder nor does it manage favorites under a subfolder.
> **Note**  
This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_INTERNET\_EXPLORER\_FAVORITES capabilities to be accessed from a network configuration application.
 
The following diagram shows the BrowserFavorite configuration service provider in tree format as used by Open Mobile Alliance Device (OMA) Client Provisioning. The OMA Device Management protocol is not supported with this configuration service provider.
![browserfavorite csp (cp)](images/provisioning-csp-browserfavorite-cp.png)
<a href="" id="favorite-name-------------"></a>***favorite name***
Required. Specifies the user-friendly name of the favorite URL that is displayed in the Favorites list of Internet Explorer.
> **Note**  The *favorite name* should contain only characters that are valid in the Windows file system. The invalid characters are: \\ / : \* ? " &lt; &gt; |
 
Adding the same favorite twice adds only one occurrence to the Favorites list. If a favorite is added when another favorite with the same name but a different URL is already in the Favorites list, the existing favorite is replaced with the new favorite.
<a href="" id="url"></a>**URL**
Optional. Specifies the complete URL for the favorite.
## OMA client provisioning examples
Adding a new browser favorite.
``` syntax
<?xml version="1.0" encoding="UTF-8" ?>
<wap-provisioningdoc>
<characteristic type="BrowserFavorite">
<characteristic type="Help and how-to">
<parm name="URL" value="http://www.microsoft.com/windowsphone/en-US/howto/wp7/default.aspx"/>
</characteristic>
</characteristic>
</wap-provisioningdoc>
```
## Microsoft Custom Elements
The following table shows the Microsoft custom elements that this configuration service provider supports for OMA Client Provisioning.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Elements</th>
<th>Available</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>parm-query</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="even">
<td><p>noparm</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="odd">
<td><p>nocharacteristic</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="even">
<td><p>characteristic-query</p></td>
<td><p>Yes</p>
<p>Recursive query: Yes</p>
<p>Top-level query: Yes</p></td>
</tr>
</tbody>
</table>
 
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
 
 

122
windows/client-management/mdm/bulk-assign-and-reclaim-seats-from-user.md Normal file
View File

@ -0,0 +1,122 @@
---
title: Bulk assign and reclaim seats from users
description: The Bulk assign and reclaim seats from users operation returns reclaimed or assigned seats in the Windows Store for Business.
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: 99E2F37D-1FF3-4511-8969-19571656780A
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# Bulk assign and reclaim seats from users
The **Bulk assign and reclaim seats from users** operation returns reclaimed or assigned seats in the Windows Store for Business.
## Request
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Method</th>
<th>Request URI</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>POST</p></td>
<td><p>https:<span></span>//bspmts.mp.microsoft.com/V1/Inventory/{productId}/{skuId}/Seats</p></td>
</tr>
</tbody>
</table>
 
### URI parameters
The following parameters may be specified in the request URI.
<table>
<colgroup>
<col width="33%" />
<col width="33%" />
<col width="33%" />
</colgroup>
<thead>
<tr class="header">
<th>Parameter</th>
<th>Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>productId</p></td>
<td><p>string</p></td>
<td><p>Required. Product identifier for an application that is used by the Store for Business.</p></td>
</tr>
<tr class="even">
<td><p>skuId</p></td>
<td><p>string</p></td>
<td><p>Required. Product identifier that specifies a specific SKU of an application.</p></td>
</tr>
<tr class="odd">
<td><p>username</p></td>
<td><p>string</p></td>
<td><p>Requires UserPrincipalName (UPN). User name of the target user account.</p></td>
</tr>
<tr class="even">
<td><p>seatAction</p></td>
<td><p>[SeatAction](data-structures-windows-store-for-business.md#seataction)</p></td>
<td></td>
</tr>
</tbody>
</table>
 
## Response
### Response body
The response body contains [BulkSeatOperationResultSet](data-structures-windows-store-for-business.md#bulkseatoperationresultset).
<table>
<colgroup>
<col width="25%" />
<col width="25%" />
<col width="25%" />
<col width="25%" />
</colgroup>
<thead>
<tr class="header">
<th>Error code</th>
<th>Description</th>
<th>Retry</th>
<th>Data field</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>404</p></td>
<td><p>Not found</p></td>
<td></td>
<td><p>Item type: Inventory</p>
<p>Values: ProductId/SkuId</p></td>
</tr>
</tbody>
</table>
 
 

172
windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md Normal file
View File

@ -0,0 +1,172 @@
---
title: Bulk enrollment
description: Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to re-image the devices. In Windows 10.
MS-HAID:
- 'p\_phdevicemgmt.bulk\_enrollment'
- 'p\_phDeviceMgmt.bulk\_enrollment\_using\_Windows\_provisioning\_tool'
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: DEB98FF3-CC5C-47A1-9277-9EF939716C87
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# Bulk enrollment
Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to re-image the devices. In Windows 10 desktop and mobile devices, you can use the [Provisioning CSP](provisioning-csp.md) for bulk enrollment, except for the Azure Active Directory Join (Cloud Domain Join) enrollment scenario.
## Typical use cases
- Set up devices in bulk for large organizations to be managed by MDM.
- Set up kiosks, such as ATMs or point-of-sale (POS) terminals.
- Set up school computers.
- Set up industrial machinery.
- Set handheld POS devices.
On the desktop, you can create an Active Directory account, such as "enrollment@contoso.com" and give it only the ability to join the domain. Once the desktop is joined with that admin account, then standard users in the domain can log in to use it. This is especially useful in getting a large number of desktop ready to use within a domain.
On the desktop and mobile devices, you can use an enrollment certificate or enrollment username and password, such as "enroll@contoso.com" and "enrollmentpassword." These credentials are used in the provisioning package, which you can use to enroll multiple devices to the MDM service. Once the devices are joined, many users can use them.
> **Note**  
> - Bulk-join is not supported in Azure Active Directory Join.
> - Bulk enrollment does not work in Intune standalone enviroment.
> - Bulk enrollment works in System Center Configuration Manager (SCCM) + Intune hybrid environment where the ppkg is generated from the SCCM console.
 
## What you need
- Windows 10 devices
- Windows Imaging and Configuration Designer (ICD) tool
To get the ICD tool, download the [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). For more information about the ICD tool, see [Windows Imaging and Configuration Designer](https://msdn.microsoft.com/library/windows/hardware/dn916113) and [Getting started with Windows ICD](https://msdn.microsoft.com/library/windows/hardware/dn916112).
- Enrollment credentials (domain account for enrollment, generic enrollment credentials for MDM, enrollment certificate for MDM.)
- Wi-Fi credentials, computer name scheme, and anything else required by your organization.
Some organizations require custom APNs to be provisioned before talking to the enrollment endpoint or custom VPN to join a domain.
## Create and apply a provisioning package for on-premise authentication
Using the ICD, create a provisioning package using the enrollment information required by your organization. Ensure that you have all the configuration settings.
1. Open the Windows ICD tool (by default, %windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe).
2. Click **Advanced Provisioning**.
![icd start page](images/bulk-enrollment7.png)
3. Enter a project name and click **Next**.
4. Select **All Windows editions**, since Provisioning CSP is common to all Windows 10 editions, then click **Next**.
5. Skip **Import a provisioning package (optional)** and click **Finish**.
6. Expand **Runtime settings** &gt; **Workplace**.
7. Click **Enrollments**, enter a value in **UPN**, and then click **Add**.
The UPN is a unique identifier for the enrollment. For bulk enrollment, this must be a service account that is allowed to enroll multiple users, such as "enrollment@contoso.com".
8. On the left navigation pane, expand the **UPN** and then enter the information for the rest of the settings for enrollment process.
Here is the list of available settings:
- **AuthPolicy** - Select **OnPremise**.
- **DiscoveryServiceFullUrl** - specify the full URL for the discovery service.
- **EnrollmentServiceFullUrl** - Optional and in most cases, it should be left blank.
- **PolicyServiceFullUrl** - Optional and in most cases, it should be left blank.
- **Secret** - Password
For detailed descriptions of these settings, see [Provisioning CSP](provisioning-csp.md).
Here is the screenshot of the ICD at this point.
![bulk enrollment screenshot](images/bulk-enrollment.png)
9. Configure the other settings, such as the Wi-Fi connections so that the device can join a network before joining MDM (e.g., **Runtime settings** &gt; **ConnectivityProfiles** &gt; **WLANSetting**).
10. When you are done adding all the settings, on the **File** menu, click **Save**.
11. On the main menu click **Export** &gt; **Provisioning package**.
![icd menu for export](images/bulk-enrollment2.png)
12. Enter the values for your package and specify the package output location.
![enter package information](images/bulk-enrollment3.png)
![enter additonal information for package information](images/bulk-enrollment4.png)
![specify file location](images/bulk-enrollment6.png)
13. Click **Build**.
![icb build window](images/bulk-enrollment5.png)
14. Apply the package to some test devices and verify that they work. For more information, see [Apply a provisioning package](#apply-a-provisioning-package).
15. Apply the package to your devices.
## Create and apply a provisioning package for certificate authentication
Using the ICD, create a provisioning package using the enrollment information required by your organization. Ensure that you have all the configuration settings.
1. Open the Windows ICD tool (by default, %windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe).
2. Click **Advanced Provisioning**.
3. Enter a project name and click **Next**.
4. Select **Common to all Windows editions**, since Provisioning CSP is common to all Windows 10 editions.
5. Skip **Import a provisioning package (optional)** and click **Finish**.
6. Specify the certificate.
1. Go to **Runtime settings** &gt; **Certificates** &gt; **ClientCertificates**.
2. Enter a **CertificateName** and then click **Add**.
3. Enter the **CertificatePasword**.
4. For **CertificatePath**, browse and select the certificate to be used.
5. Set **ExportCertificate** to False.
6. For **KeyLocation**, select **Software only**.
![icd certificates section](images/bulk-enrollment8.png)
7. Specify the workplace settings.
1. Got to **Workplace** &gt; **Enrollments**.
2. Enter the **UPN** for the enrollment and then click **Add**.
The UPN is a unique identifier for the enrollment. For bulk enrollment, this must be a service account that is allowed to enroll multiple users, such as "enrollment@contoso.com".
3. On the left column, expand the **UPN** and then enter the information for the rest of the settings for enrollment process.
Here is the list of available settings:
- **AuthPolicy** - Select **Certificate**.
- **DiscoveryServiceFullUrl** - specify the full URL for the discovery service.
- **EnrollmentServiceFullUrl** - Optional and in most cases, it should be left blank.
- **PolicyServiceFullUrl** - Optional and in most cases, it should be left blank.
- **Secret** - the certificate thumbprint.
For detailed descriptions of these settings, see [Provisioning CSP](provisioning-csp.md).
8. Configure the other settings, such as the Wi-Fi connection so that the device can join a network before joining MDM (e.g., **Runtime settings** &gt; **ConnectivityProfiles** &gt; **WLANSetting**).
9. When you are done adding all the settings, on the **File** menu, click **Save**.
10. Export and build the package (steps 10-13 in the procedure above).
11. Apply the package to some test devices and verify that they work. For more information, see [Apply a provisioning package](#apply-a-provisioning-package).
12. Apply the package to your devices.
## Apply a provisioning package
Here's the list of topics about applying a provisioning package:
- [Apply a package on the first-run setup screen (out-of-the-box experience)](https://technet.microsoft.com/itpro/windows/deploy/provision-pcs-for-initial-deployment#apply-package) - topic in Technet.
- [Apply a package to a Windows 10 desktop edition image](https://msdn.microsoft.com/library/windows/hardware/dn916107.aspx#to_apply_a_provisioning_package_to_a_desktop_image) - topic in MSDN
- [Apply a package to a Windows 10 Mobile image](https://msdn.microsoft.com/library/windows/hardware/dn916107.aspx#to_apply_a_provisioning_package_to_a_mobile_image) - topic in MSDN.
- [Apply a package from the Settings menu](#apply-a-package-from-the-settings-menu) - topic below
## Apply a package from the Settings menu
1. Go to **Settings** &gt; **Accounts** &gt; **Access work or school**.
2. Click **Add or remove a provisioning package**.
3. Click **Add a package**.
## <a href="" id="validate-that-the-provisioning-package-was-applied-"></a>Validate that the provisioning package was applied
1. Go to **Settings** &gt; **Accounts** &gt; **Access work or school**.
2. Click **Add or remove a provisioning package**.
You should see the your package listed.
## Retry logic in case of a failure
If the provisioning engine receives a failure from a CSP it will retry to provision 3 times in a row.
If all immediate attempts fail, a delayed task is launched to try provisioning again later. It will retry 4 times at a decaying rate of 15 minutes -&gt; 1 hr -&gt; 4 hr -&gt; "Next System Start". These attempts will be run from a SYSTEM context.
It will also retry to apply the provisioning each time it is launched, if started from somewhere else as well.
In addition, provisioning will be restarted in a SYSTEM context after a login and the system has been idle ([details on idle conditions](https://msdn.microsoft.com/library/windows/desktop/aa383561.aspx)).
## Other provisioning topics
Here are links to step-by-step provisioning topics in Technet.
- [Provision PCs with apps and certificates for initial deployment](https://technet.microsoft.com/itpro/windows/deploy/provision-pcs-with-apps-and-certificates)
- [Provision PCs with common settings for initial deployment](https://technet.microsoft.com/itpro/windows/deploy/provision-pcs-for-initial-deployment)
 

71
windows/client-management/mdm/cellularsettings-csp.md Normal file
View File

@ -0,0 +1,71 @@
---
title: CellularSettings CSP
description: CellularSettings CSP
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: ce8b6f16-37ca-4aaf-98b0-306d12e326df
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# CellularSettings CSP
The CellularSettings configuration service provider is used to configure cellular settings on a mobile device.
> [!Note]
> Starting in Windows 10, version 1703 the CellularSettings CSP is supported in Windows 10 Home, Pro, Enterprise, and Education editions.
The following image shows the CellularSettings CSP in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP). The OMA DM protocol is not supported with this configuration service provider.
![provisioning\-csp\-cellularsettings](images/provisioning-csp-cellularsettings.png)
<a href="" id="dataroam"></a>**DataRoam**
<p style="margin-left: 20px"> Optional. Integer. Specifies the default roaming value. Valid values are:</p>
<table style="margin-left: 20px"><table>
<colgroup>
<col width="20%" />
<col width="80%" />
</colgroup>
<thead>
<tr class="header">
<th>Value</th>
<th>Setting</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>0</p></td>
<td><p>Dont roam</p></td>
</tr>
<tr class="even">
<td><p>1</p></td>
<td><p>Dont roam (or Domestic roaming if applicable)</p></td>
</tr>
<tr class="odd">
<td><p>2</p></td>
<td><p>Roam</p></td>
</tr>
</tbody>
</table>
 
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
 
 

516
windows/client-management/mdm/certificate-authentication-device-enrollment.md Normal file
View File

@ -0,0 +1,516 @@
---
title: Certificate authentication device enrollment
description: This section provides an example of the mobile device enrollment protocol using certificate authentication policy.
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: 57DB3C9E-E4C9-4275-AAB5-01315F9D3910
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# Certificate authentication device enrollment
This section provides an example of the mobile device enrollment protocol using certificate authentication policy. For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( http://go.microsoft.com/fwlink/p/?LinkId=619347).
> **Note**  To set up devices to use certificate authentication for enrollment, you should create a provisioning package. For more information about provisioning packages, see [Build and apply a provisioning package](https://msdn.microsoft.com/library/windows/hardware/dn916107).
## In this topic
- [Discovery service](#discovery-service)
- [Enrollment policy web service](#enrollment-policy-web-service)
- [Enrollment web service](#enrollment-web-service)
For the list of enrollment scenarios not supported in Windows 10, see [Enrollment scenarios not supported](mobile-device-enrollment.md#enrollment-scenarios-not-supported).
## Discovery Service
The following example shows the discovery service request.
``` syntax
POST /EnrollmentServer/Discovery.svc HTTP/1.1
Content-Type: application/soap+xml; charset=utf-8
User-Agent: Windows Enrollment Client
Host: EnterpriseEnrollment.Contoso.com
Content-Length: xxx
Cache-Control: no-cache
<?xml version="1.0"?>
<s:Envelope xmlns:a="http://www.w3.org/2005/08/addressing"
xmlns:s="http://www.w3.org/2003/05/soap-envelope">
<s:Header>
<a:Action s:mustUnderstand="1">
http://schemas.microsoft.com/windows/management/2012/01/enrollment/IDiscoveryService/Discover
</a:Action>
<a:MessageID>urn:uuid: 748132ec-a575-4329-b01b-6171a9cf8478</a:MessageID>
<a:ReplyTo>
<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo>
<a:To s:mustUnderstand="1">
https://ENROLLTEST.CONTOSO.COM/EnrollmentServer/Discovery.svc
</a:To>
</s:Header>
<s:Body>
<Discover xmlns="http://schemas.microsoft.com/windows/management/2012/01/enrollment/">
<request xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
<EmailAddress>user@contoso.com</EmailAddress>
<OSEdition>101</OSEdition> <!--New in Windows 10-->
<OSVersion>10.0.0.0</OSVersion> <!--New in Windows 10-->
<RequestVersion>3.0</RequestVersion> <!--Updated in Windows 10-->
<DeviceType>WindowsPhone</DeviceType> <!--Legacy in Windows 10 for Windows Phone/Handheld-->
<ApplicationVersion>10.0.0.0</ApplicationVersion>
<AuthPolicies>Certificate</AuthPolicies> <!--New in Windows 10-->
</request>
</Discover>
</s:Body>
</s:Envelope>
```
The following example shows the discovery service response.
```
HTTP/1.1 200 OK
Content-Length: 865
Content-Type: application/soap+xml; charset=utf-8
Server: EnterpriseEnrollment.Contoso.com
Date: Tue, 02 Aug 2012 00:32:56 GMT
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
xmlns:a="http://www.w3.org/2005/08/addressing">
<s:Header>
<a:Action s:mustUnderstand="1">
http://schemas.microsoft.com/windows/management/2012/01/enrollment/IDiscoveryService/DiscoverResponse
</a:Action>
<ActivityId>
d9eb2fdd-e38a-46ee-bd93-aea9dc86a3b8
</ActivityId>
<a:RelatesTo>urn:uuid: 748132ec-a575-4329-b01b-6171a9cf8478</a:RelatesTo>
</s:Header>
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<DiscoverResponse
xmlns="http://schemas.microsoft.com/windows/management/2012/01/enrollment">
<DiscoverResult>
<AuthPolicy>Certificate</AuthPolicy>
<EnrollmentVersion>3.0</EnrollmentVersion>
<EnrollmentPolicyServiceUrl>
https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC
</EnrollmentPolicyServiceUrl>
<EnrollmentServiceUrl>
https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC
</EnrollmentServiceUrl>
</DiscoverResult>
</DiscoverResponse>
</s:Body>
</s:Envelope>
```
## Enrollment policy web service
The following example shows the policy web service request.
```
POST /ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC HTTP/1.1
Content-Type: application/soap+xml; charset=utf-8
User-Agent: Windows Enrollment Client
Host: enrolltest.contoso.com
Content-Length: xxxx
Cache-Control: no-cache
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
xmlns:a="http://www.w3.org/2005/08/addressing"
xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
xmlns:ac="http://schemas.xmlsoap.org/ws/2006/12/authorization">
<s:Header>
<a:Action s:mustUnderstand="1">
http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy/IPolicy/GetPolicies
</a:Action>
<a:MessageID>urn:uuid:72048B64-0F19-448F-8C2E-B4C661860AA0</a:MessageID>
<a:ReplyTo>
<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo>
<a:To s:mustUnderstand="1">
https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC
</a:To>
<wsse:Security s:mustUnderstand="1">
<wsse:BinarySecurityToken wsse:ValueType="X509v3” wsse:Id="mytoken” wsse:EncodingType=
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary"
xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
B64EncodedSampleBinarySecurityToken
</wsse:BinarySecurityToken>
</wsse:Security>
</s:Header>
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<GetPolicies
xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy">
<client>
<lastUpdate xsi:nil="true"/>
<preferredLanguage xsi:nil="true"/>
</client>
<requestFilter xsi:nil="true"/>
</GetPolicies>
<ac:AdditionalContext xmlns="http://schemas.xmlsoap.org/ws/2006/12/authorization">
<ac:ContextItem Name="OSPlatform">
<ac:Value>WindowsMobile</ac:Value>
<ac:ContextItem Name="OSEdition">
<ac:Value>Core</ac:Value>
<ac:ContextItem Name="OSVersion">
<ac:Value>9.0.9999.0</ac:Value>
<ac:ContextItem Name="DeviceName">
<ac:Value>MY_WINDOWS_DEVICE</ac:Value>
<ac:ContextItem Name="MACAddress">
<ac:Value>FF:FF:FF:FF:FF:FF</ac:Value>
<ac:ContextItem Name="IMEI">
<ac:Value>49015420323756</ac:Value>
<ac:ContextItem Name="EnrollmentType">
<ac:Value>Lite</ac:Value>
<ac:ContextItem Name="DeviceType">
<ac:Value>WindowsPhone</ac:Value>
</ac:ContextItem>
<ac:ContextItem Name="ApplicationVersion">
<ac:Value>10.0.0.0</ac:Value>
</ac:ContextItem>
<ac:ContextItem Name="DeviceID">
<ac:Value>7BA748C8-703E-4DF2-A74A-92984117346A</ac:Value>
</ac:AdditionalContext>
</s:Body>
</s:Envelope>
```
The following snippet shows the policy web service response.
```
HTTP/1.1 200 OK
Date: Fri, 03 Aug 2012 20:00:00 GMT
Server: <sever name here>
Content-Type: application/soap+xml
Content-Length: xxxx
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<s:Envelope
xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:s="http://www.w3.org/2003/05/soap-envelope"
xmlns:a="http://www.w3.org/2005/08/addressing">
<s:Header>
<a:Action s:mustUnderstand="1">
http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy/IPolicy/GetPoliciesResponse
</a:Action>
<ActivityId CorrelationId="08d2997e-e8ac-4c97-a4ce-d263e62186ab"
xmlns="http://schemas.microsoft.com/2004/09/ServiceModel/Diagnostics">
d4335d7c-e192-402d-b0e7-f5d550467e3c</ActivityId>
<a:RelatesTo>urn:uuid: 69960163-adad-4a72-82d2-bb0e5cff5598</a:RelatesTo>
</s:Header>
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<GetPoliciesResponse
xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy">
<response>
<policyFriendlyName xsi:nil="true"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
<nextUpdateHours xsi:nil="true"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
<policiesNotChanged xsi:nil="true"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
<policies>
<policy>
<policyOIDReference>0</policyOIDReference>
<cAs xsi:nil="true" />
<attributes>
<policySchema>3</policySchema>
<privateKeyAttributes>
<minimalKeyLength>2048</minimalKeyLength>
<keySpec xsi:nil="true" />
<keyUsageProperty xsi:nil="true" />
<permissions xsi:nil="true" />
<algorithmOIDReference xsi:nil="true" />
<cryptoProviders xsi:nil="true" />
</privateKeyAttributes>
<supersededPolicies xsi:nil="true" />
<privateKeyFlags xsi:nil="true" />
<subjectNameFlags xsi:nil="true" />
<enrollmentFlags xsi:nil="true" />
<generalFlags xsi:nil="true" />
<hashAlgorithmOIDReference>0</hashAlgorithmOIDReference>
<rARequirements xsi:nil="true" />
<keyArchivalAttributes xsi:nil="true" />
<extensions xsi:nil="true" />
</attributes>
</policy>
</policies>
</response>
<cAs xsi:nil="true" />
<oIDs>
<oID>
<value>1.3.14.3.2.29</value>
<group>1</group>
<oIDReferenceID>0</oIDReferenceID>
<defaultName>szOID_OIWSEC_sha1RSASign</defaultName>
</oID>
</oIDs>
</GetPoliciesResponse>
</s:Body>
</s:Envelope>
```
## Enrollment web service
The following example shows the enrollment web service request.
```
POST /EnrollmentServer/DeviceEnrollmentWebService.svc HTTP/1.1
Content-Type: application/soap+xml; charset=utf-8
User-Agent: Windows Enrollment Client
Host: enrolltest.contoso.com
Content-Length: 3242
Cache-Control: no-cache
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
xmlns:a="http://www.w3.org/2005/08/addressing"
xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
xmlns:ac="http://schemas.xmlsoap.org/ws/2006/12/authorization">
<s:Header>
<a:Action s:mustUnderstand="1">
http://schemas.microsoft.com/windows/pki/2009/01/enrollment/RST/wstep
</a:Action>
<a:MessageID>urn:uuid:0d5a1441-5891-453b-becf-a2e5f6ea3749</a:MessageID>
<a:ReplyTo>
<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo>
<a:To s:mustUnderstand="1">
https://enrolltest.contoso.com:443/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC
</a:To>
<wsse:Security s:mustUnderstand="1">
<wsu:Timestamp>
<wsu:Created>2014-10-16T17:55:13Z</wsu:Created> <!-- Start time in UTC -->
<wsu:Expires>2014-10-16T17:57:13Z </wsu:Expires> <!-- Expiration time in UTC -->
</wsu:Timestamp>
<wsse:BinarySecurityToken wsse:ValueType=
http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentUserToken
wsse:EncodingType=
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary"
xmlns=
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
wsu:Id=”29801C2F-F26B-46AD-984B-AFAEFB545FF8”>
B64EncodedSampleBinarySecurityToken
</wsse:BinarySecurityToken> <!—X509v3 Exported Public Cert, B64 Encoded, includes ID reference value to reference -->
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-
1.0.xsd”>
<ds:SignatureMethodAlgorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1/>
<ds:Reference URI="#envelop">
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha256"/>
<ds:DigestValue>MessageDigestValue</ds:DigestValue>
<!-- Digest value of message using digest method -->
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>SignedMessageBlob/ds:SignatureValue>
<!-- Digest value of message signed with the users private key using RSA-SHA256 -->
<ds:KeyInfo>
<wsse:SecurityTokenReference>
<wsse:Reference URI="29801C2F-F26B-46AD-984B-AFAEFB545FF8"
ValueType="http://docs.oasis-open.org/wss/2004/01/
oasis-200401-wss-x509-token-profile-1.0#X509"/>
<!-— References BinarySecurityToken that contains public key to verify signature -->
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</s:Header>
<s:Body>
<wst:RequestSecurityToken>
<wst:TokenType>
http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken
</wst:TokenType>
<wst:RequestType>
http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
<wsse:BinarySecurityToken
ValueType="http://schemas.microsoft.com/windows/pki/2009/01/enrollment#PKCS10"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary">
DER format PKCS#10 certificate request in Base64 encoding Insterted Here
</wsse:BinarySecurityToken>
<ac:AdditionalContext xmlns="http://schemas.xmlsoap.org/ws/2006/12/authorization">
<ac:ContextItem Name="OSEdition"> <!--New in Windows 10-->
<ac:Value></ac:Value>
<ac:ContextItem Name="OSVersion"> <!--New in Windows 10-->
<ac:Value>10.0.0.0</ac:Value>
<ac:ContextItem Name="DeviceName"> <!--New in Windows 10-->
<ac:Value>MY_WINDOWS_DEVICE</ac:Value>
<ac:ContextItem Name="MAC"> <!--New in Windows 10 -->
<ac:Value>FF:FF:FF:FF:FF:FF</ac:Value>
<ac:ContextItem Name="MAC"> <!--New in Windows 10 -->
<ac:Value>CC:CC:CC:CC:CC:CC</ac:Value>
<ac:ContextItem Name="IMEI"> <!--New in Windows 10-->
<ac:Value>49015420323756</ac:Value>
<ac:ContextItem Name="EnrollmentType"> <!--New in Windows 10-->
<ac:Value>Full</ac:Value>
<ac:ContextItem Name="DeviceType"> <!—From Windows Phone 8.1-->
<ac:Value>WindowsPhone</ac:Value>
</ac:ContextItem>
<ac:ContextItem Name="ApplicationVersion"> <!—From Windows Phone 8.1-->
<ac:Value>10.0.0.0</ac:Value>
</ac:ContextItem>
<ac:ContextItem Name="DeviceID"> <!--From Handheld 8.1 -->
<ac:Value>7BA748C8-703E-4DF2-A74A-92984117346A</ac:Value>
<ac:ContextItem Name="EnrollmentData">
<ac:Value>3J4KLJ9SDJFAL93JLAKHJSDFJHAO83HAKSHFLAHSKFNHNPA2934342</ac:Value>
<ac:ContextItem Name="TargetedUserLoggedIn">
<ac:Value>True</ac:Value>
</ac:AdditionalContext>
</wst:RequestSecurityToken>
</s:Body>
</s:Envelope>
```
The following example shows the enrollment web service response.
```
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10231
Content-Type: application/soap+xml; charset=utf-8
Server: Microsoft-IIS/7.0
Date: Fri, 03 Aug 2012 00:32:59 GMT
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:a="http://www.w3.org/2005/08/addressing"
xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<Action s:mustUnderstand="1" >
http://schemas.microsoft.com/windows/pki/2009/01/enrollment/RSTRC/wstep
</Action>
<a:RelatesTo>urn:uuid:81a5419a-496b-474f-a627-5cdd33eed8ab</a:RelatesTo>
<o:Security s:mustUnderstand="1" xmlns:o=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<u:Timestamp u:Id="_0">
<u:Created>2012-08-02T00:32:59.420Z</u:Created>
<u:Expires>2012-08-02T00:37:59.420Z</u:Expires>
</u:Timestamp>
</o:Security>
</s:Header>
<s:Body>
<RequestSecurityTokenResponseCollection
xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
<RequestSecurityTokenResponse>
<TokenType>
http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken
</TokenType>
<RequestedSecurityToken>
<BinarySecurityToken
ValueType=
"http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentProvisionDoc"
EncodingType=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary"
xmlns=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
B64EncodedSampleBinarySecurityToken
</BinarySecurityToken>
</RequestedSecurityToken>
<RequestID xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollment">0
</RequestID>
</RequestSecurityTokenResponse>
</RequestSecurityTokenResponseCollection>
</s:Body>
</s:Envelope>
```
The following example shows the encoded provisioning XML.
```
<wap-provisioningdoc version="1.1">
<characteristic type="CertificateStore">
<characteristic type="Root">
<characteristic type="System">
<characteristic type="031336C933CC7E228B88880D78824FB2909A0A2F">
<parm name="EncodedCertificate" value="B64 encoded cert insert here" />
</characteristic>
</characteristic>
</characteristic>
</characteristic>
<characteristic type="CertificateStore">
<characteristic type="My" >
<characteristic type="User">
<characteristic type="F9A4F20FC50D990FDD0E3DB9AFCBF401818D5462">
<parm name="EncodedCertificate" value="B64EncodedCertInsertedHere" />
</characteristic>
<characteristic type="PrivateKeyContainer"/>
<!-- This tag must be present for XML syntax correctness. -->
</characteristic>
<characteristic type="WSTEP">
<characteristic type="Renew">
<!—If the datatype for ROBOSupport, RenewPeriod, and RetryInterval tags exist, they must be set explicitly. -->
<parm name="ROBOSupport" value="true" datatype="boolean"/>
<parm name="RenewPeriod" value="60" datatype="integer"/>
<parm name="RetryInterval" value="4" datatype="integer"/>
</characteristic>
</characteristic>
</characteristic>
</characteristic>
<characteristic type="APPLICATION">
<parm name="APPID" value="w7"/>
<parm name="PROVIDER-ID" value="TestMDMServer"/>
<parm name="NAME" value="Microsoft"/>
<parm name="ADDR" value="https://DM.contoso.com:443/omadm/Windows.ashx"/>
<parm name="CONNRETRYFREQ" value="6" />
<parm name="INITIALBACKOFFTIME" value="30000" />
<parm name="MAXBACKOFFTIME" value="120000" />
<parm name="BACKCOMPATRETRYDISABLED" />
<parm name="DEFAULTENCODING" value="application/vnd.syncml.dm+wbxml" />
<parm name="SSLCLIENTCERTSEARCHCRITERIA" value=
"Subject=DC%3dcom%2cDC%3dmicrosoft%2cCN%3dUsers%2cCN%3dAdministrator&amp;amp;Stores=My%5CUser"/>
<characteristic type="APPAUTH">
<parm name="AAUTHLEVEL" value="CLIENT"/>
<parm name="AAUTHTYPE" value="DIGEST"/>
<parm name="AAUTHSECRET" value="password1"/>
<parm name="AAUTHDATA" value="B64encodedBinaryNonceInsertedHere"/>
</characteristic>
<characteristic type="APPAUTH">
<parm name="AAUTHLEVEL" value="APPSRV"/>
<parm name="AAUTHTYPE" value="BASIC"/>
<parm name="AAUTHNAME" value="testclient"/>
<parm name="AAUTHSECRET" value="password2"/>
</characteristic>
</characteristic>
<characteristic type="DMClient"> <!-- In Windows 10, an enrollment server should use DMClient CSP XML to configure DM polling schedules. -->
<characteristic type="Provider">
<!-- ProviderID in DMClient CSP must match to PROVIDER-ID in w7 APPLICATION characteristics -->
<characteristic type="TestMDMServer">
<parm name="UPN" value="UserPrincipalName" datatype="string" />
<characteristic type="Poll">
<parm name="NumberOfFirstRetries" value="8" datatype="integer" />
<parm name="IntervalForFirstSetOfRetries" value="15" datatype="integer" />
<parm name="NumberOfSecondRetries" value="5" datatype="integer" />
<parm name="IntervalForSecondSetOfRetries" value="3" datatype="integer" />
<parm name="NumberOfRemainingScheduledRetries" value="0" datatype="integer" />
<!-- Windows 10 supports MDM push for real-time communication. The DM client long term polling schedules retry waiting interval should be more than 24 hours (1440) to reduce the impact to data consumption and battery life. Refer to the DMClient Configuration Service Provider section for information about polling schedule parameters.-->
<parm name="IntervalForRemainingScheduledRetries" value="1560" datatype="integer" />
<parm name="PollOnLogin" value="true" datatype="boolean" />
</characteristic>
<parm name="EntDeviceName" value="Administrator_Windows" datatype="string" />
</characteristic>
</characteristic>
</characteristic>
<!-- For Windows 10, we have removed EnterpriseAppManagement from the enrollment
protocol. This configuration service provider is being deprecated for Windows 10. -->
</wap-provisioningdoc>
```
 

187
windows/client-management/mdm/certificate-renewal-windows-mdm.md Normal file
View File

@ -0,0 +1,187 @@
---
title: Certificate Renewal
description: The enrolled client certificate expires after a period of use.
MS-HAID:
- 'p\_phdevicemgmt.certificate\_renewal'
- 'p\_phDeviceMgmt.certificate\_renewal\_windows\_mdm'
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: F910C50C-FF67-40B0-AAB0-CA7CE02A9619
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# Certificate Renewal
The enrolled client certificate expires after a period of use. The expiration date of the certificate is specified by the server. To ensure continuous access to enterprise applications, Windows supports a user-triggered certificate renewal process. The user is prompted to provide the current password for the corporate account, and the enrollment client gets a new client certificate from the enrollment server and deletes the old certificate. The client generates a new private/public key pair, generates a PKCS\#7 request, and signs the PKCS\#7 request with the existing certificate. In Windows, automatic MDM client certificate renewal is also supported.
> **Note**  Make sure that the EntDMID in the DMClient configuration service provider is set before the certificate renewal request is triggered.
 
## In this topic
- [Automatic certificate renewal request](#automatic-certificate-renewal-request)
- [Certificate renewal schedule configuration](#certificate-renewal-schedule-configuration)
- [Certificate renewal response](#certificate-renewal-response)
- [Configuration service providers supported during MDM enrollment and certificate renewal](#configuration-service-providers-supported-during-mdm-enrollment-and-certificate-renewal)
<a href="" id="automatic-certificate-renewal"></a>
## Automatic certificate renewal request
In addition to manual certificate renewal, Windows includes support for automatic certificate renewal, also known as Renew On Behalf Of (ROBO), that does not require any user interaction. For auto renewal, the enrollment client uses the existing MDM client certificate to perform client Transport Layer Security (TLS). The user security token is not needed in the SOAP header. As a result, the MDM certificate enrollment server is required to support client TLS for certificate based client authentication for automatic certificate renewal.
> **Note**  Certificate renewal of the enrollment certificate through ROBO is only supported with Microsoft PKI.
 
Auto certificate renewal is the only supported MDM client certificate renewal method for the device that is enrolled using WAB authentication (meaning that the AuthPolicy is set to Federated). It also means if the server supports WAB authentication, the MDM certificate enrollment server MUST also support client TLS in order to renew the MDM client certificate.
For the device that is enrolled with the OnPremise authentication method, for backward compatibility, the default renewal method is user manual certificate renewal. However, for Windows devices, during the MDM client certificate enrollment phase or during MDM management section, the enrollment server or MDM server could configure the device to support automatic MDM client certificate renewal via CertificateStore CSPs ROBOSupport node under CertificateStore/My/WSTEP/Renew URL. For more information about Renew related configuration settings, refer to the CertificateStore configuration service provider.
Unlike manual certificate renewal where there is an additional b64 encoding for PKCS\#7 message content, with automatic renewal, the PKCS\#7 message content isnt b64 encoded separately.
During the automatic certificate renewal process, if the root certificate isnt trusted by the device, the authentication will fail. Make sure using one of device pre-installed root certificates or provision the root cert over a DM session via CertificateStore Configuration Service Provider.
During the automatic certificate renew process, the device will deny HTTP redirect request from the server unless it is the same redirect URL that the user explicitly accepted during the initial MDM enrollment process.
The following example shows the details of an automatic renewal request.
```
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<a:Action s:mustUnderstand="1">
http://schemas.microsoft.com/windows/pki/2009/01/enrollment/RST/wstep</a:Action>
<a:MessageID>urn:uuid:61a17f2c-42e9-4a45-9c85-f15c1c8baee8</a:MessageID>
<a:ReplyTo>
<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo>
<a:To s:mustUnderstand="1">
https://dm.contoso.com/EnrollmentService/DeviceEnrollmentService.svc</a:To>
<o:Security s:mustUnderstand="1" xmlns:o=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<u:Timestamp u:Id="_0">
<u:Created>2011-07-11T19:49:08.579Z</u:Created>
<u:Expires>2011-07-11T19:54:08.579Z</u:Expires>
</u:Timestamp>
<o:UsernameToken u:Id="uuid-2a734df6-b227-4e60-82a8-ed53c574b718-5">
<o:Username>user@contoso.com</o:Username>
<o:Password o:Type=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">
</o:Password>
</o:UsernameToken>
</o:Security>
</s:Header>
<s:Body>
<RequestSecurityToken xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
<TokenType>
http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken
</TokenType>
<RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Renew</RequestType>
<BinarySecurityToken
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#PKCS7"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary"
xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
BinarySecurityTokenInsertedHere
</BinarySecurityToken>
<AdditionalContext xmlns="http://schemas.xmlsoap.org/ws/2006/12/authorization">
<ContextItem Name="DeviceType">
<Value>WindowsPhone</Value>
</ContextItem>
<ContextItem Name="ApplicationVersion">
<Value>5.0.7616.0</Value>
</ContextItem>
</AdditionalContext>
</RequestSecurityToken>
</s:Body>
</s:Envelope>
```
<a href="" id="certificate-renewal-schedule"></a>
## Certificate renewal schedule configuration
In Windows, the renewal period can only be set during the MDM enrollment phase. Windows supports a certificate renewal period and renewal failure retry to be configurable by both MDM enrollment server and later by the MDM management server using CertificateStore CSPs RenewPeriod and RenewInterval nodes. The device could retry automatic certificate renewal multiple times until the certificate expires. For manual certificate renewal, instead of only reminding the user once, the Windows device will remind the user with a prompt dialog at every renewal retry time until the certificate is expired.
For more information about the parameters, see the CertificateStore configuration service provider.
Unlike manual certificate renewal, the device will not perform an automatic MDM client certificate renewal if the certificate is already expired. To make sure that the device has enough time to perform an automatic renewal, we recommend that you set a renewal period a couple months (40-60 days) before the certificate expires and set the renewal retry interval to be every few days such as every 4-5 days instead every 7 days (weekly) to increase the chance that the device will a connectivity at different days of the week.
> **Note**  For PCs that were previously enrolled in MDM in Windows 8.1 and then upgraded to Windows 10, renewal will be triggered for the enrollment certificate. Thereafter, renewal will happen at the configured ROBO interval.
> For Windows Phone 8.1 devices upgraded to Windows 10 Mobile, renewal will happen at the configured ROBO internal. This is expected and by design.
 
## Certificate renewal response
When RequestType is set to Renew, the web service verifies the following (in additional to initial enrollment):
- The signature of the PKCS\#7 BinarySecurityToken is correct
- The clients certificate is in the renewal period
- The certificate was issued by the enrollment service
- The requester is the same as the requester for initial enrollment
- For standard clients request, the client hasnt been blocked
After validation is completed, the web service retrieves the PKCS\#10 content from the PKCS\#7 BinarySecurityToken. The rest is the same as initial enrollment, except that the Provisioning XML only needs to have the new certificate issued by the CA.
> **Note**  The HTTP server response must not be chunked; it must be sent as one message.
The following example shows the details of an certificate renewal response.
```
<wap-provisioningdoc version="1.1">
<characteristic type="CertificateStore">
<!-- Root certificate provision is only needed here if it is not in the device already --> <characteristic type="Root">
<characteristic type="System">
<characteristic type="EncodedRootCertHashInsertedHere ">
<parm name="EncodedCertificate" value="EncodedCertInsertedHere" />
</characteristic>
</characteristic>
</characteristic>
<characteristic type="My" >
<characteristic type="User">
<characteristic type="EncodedClientCertHashInsertedHere">
<parm name="EncodedCertificate" value="EncodedCertInsertedHere" />
<characteristic type="PrivateKeyContainer"/>
</characteristic>
</characteristic>
</characteristic>
</characteristic>
<characteristic type="APPLICATION">
<parm name="PROVIDER-ID" value="TestMDMServer"/>
</characteristic>
</wap-provisioningdoc>
```
> **Note**  The client receives a new certificate, instead of renewing the initial certificate. The administrator controls which certificate template the client should use. The templates may be different at renewal time than the initial enrollment time.
 
<a href="" id="csp-support-during-enrollment-and-renewal"></a>
## Configuration service providers supported during MDM enrollment and certificate renewal
The following configuration service providers are supported during MDM enrollment and certificate renewal process. See Configuration service provider reference for detailed descriptions of each configuration service provider.
- CertificateStore
- w7 APPLICATION
- DMClient
- EnterpriseAppManagement
 

640
windows/client-management/mdm/certificatestore-csp.md Normal file
View File

@ -0,0 +1,640 @@
---
title: CertificateStore CSP
description: CertificateStore CSP
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: 0fe28629-3cc3-42a0-91b3-3624c8462fd3
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# CertificateStore CSP
The CertificateStore configuration service provider is used to add secure socket layers (SSL), intermediate, and self-signed certificates.
> **Note**   The CertificateStore configuration service provider does not support installing client certificates.
 
For the CertificateStore CSP, you cannot use the Replace command unless the node already exists.
The following diagram shows the CertificateStore configuration service provider management object in tree format as used by both Open Mobile Alliance Device Management (OMA DM) and OMA Client Provisioning.
![provisioning\-csp\-certificatestore](images/provisioning-csp-certificatestore.png)
<a href="" id="root-system"></a>**Root/System**
Defines the certificate store that contains root, or self-signed, certificates.
Supported operation is Get.
> **Note**  Root/System is case sensitive. Please use the RootCATrustedCertificates CSP moving forward for installing root certificates.
 
<a href="" id="ca-system"></a>**CA/System**
Defines the certificate store that contains cryptographic information, including intermediary certification authorities.
Supported operation is Get.
> **Note**  CA/System is case sensitive. Please use the RootCATrustedCertificates CSP moving forward for installing CA certificates.
 
<a href="" id="my-user"></a>**My/User**
Defines the certificate store that contains public keys for client certificates. This is only used by enterprise servers to push down the public key of a client certificate. The client certificate is used by the device client to authenticate itself to the enterprise server for device management and downloading enterprise applications.
Supported operation is Get.
> **Note**  My/User is case sensitive.
 
<a href="" id="my-system"></a>**My/System**
Defines the certificate store that contains public key for client certificate. This is only used by enterprise server to push down the public key of the client cert. The client cert is used by the device to authenticate itself to the enterprise server for device management and enterprise app downloading.
Supported operation is Get.
> **Note**  My/System is case sensitive.
 
<a href="" id="certhash"></a>***CertHash***
Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value.
Supported operations are Get, Delete, and Replace.
<a href="" id="certhash-encodedcertificate"></a>***CertHash*/EncodedCertificate**
Required. Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc.
Supported operations are Get, Add, Delete, and Replace.
<a href="" id="certhash-issuedby"></a>***CertHash*/IssuedBy**
Required. Returns the name of the certificate issuer. This is equivalent to the *Issuer* member in the CERT\_INFO data structure.
Supported operation is Get.
<a href="" id="certhash-issuedto"></a>***CertHash*/IssuedTo**
Required. Returns the name of the certificate subject. This is equivalent to the *Subject* member in the CERT\_INFO data structure.
Supported operation is Get.
<a href="" id="certhash-validfrom"></a>***CertHash*/ValidFrom**
Required. Returns the starting date of the certificate's validity. This is equivalent to the *NotBefore* member in the CERT\_INFO structure.
Supported operation is Get.
<a href="" id="certhash-validto"></a>***CertHash*/ValidTo**
Required. Returns the expiration date of the certificate. This is equivalent to the *NotAfter* member in the CERT\_INFO structure.
Supported operation is Get.
<a href="" id="certhash-templatename"></a>***CertHash*/TemplateName**
Required. Returns the certificate template name.
Supported operation is Get.
<a href="" id="my-scep"></a>**My/SCEP**
Required for Simple Certificate Enrollment Protocol (SCEP) certificate enrollment. The parent node grouping the SCEP certificate related settings.
Supported operation is Get.
> **Note**  Please use the ClientCertificateInstall CSP to install SCEP certificates moving forward. All enhancements to SCEP will happen in that CSP.
 
<a href="" id="my-scep-uniqueid"></a>**My/SCEP/****_UniqueID_**
Required for SCEP certificate enrollment. A unique ID to differentiate certificate enrollment requests. Format is node.
Supported operations are Get, Add, Replace, and Delete.
<a href="" id="my-scep-uniqueid-install"></a>**My/SCEP/*UniqueID*/Install**
Required for SCEP certificate enrollment. Parent node to group SCEP certificate install related request. Format is node.
Supported operations are Add, Replace, and Delete.
> **Note**   Though the children nodes under Install support Replace commands, after the Exec command is sent to the device, the device takes the values that are set when the Exec command is accepted. You should not expect the node value change that occurs after the Exec command is accepted to impact the current undergoing enrollment. You should check the Status node value and make sure that the device is not at an unknown stage before changing the children node values.
 
<a href="" id="my-scep-uniqueid-install-serverurl"></a>**My/SCEP/*UniqueID*/Install/ServerURL**
Required for SCEP certificate enrollment. Specifies the certificate enrollment server. The server could specify multiple server URLs separated by a semicolon. Value type is string.
Supported operations are Get, Add, Delete, and Replace.
<a href="" id="my-scep-uniqueid-install-challenge"></a>**My/SCEP/*UniqueID*/Install/Challenge**
Required for SCEP certificate enrollment. B64 encoded SCEP enrollment challenge. Value type is chr.
Supported operations are Get, Add, Replace, and Delete.
Challenge will be deleted shortly after the Exec command is accepted.
<a href="" id="my-scep-uniqueid-install-ekumapping"></a>**My/SCEP/*UniqueID*/Install/EKUMapping**
Required. Specifies the extended key usages and subject to SCEP server configuration. The list of OIDs are separated by a plus sign **+**, such as OID1+OID2+OID3. Value type is chr.
Supported operations are Get, Add, Delete, and Replace.
<a href="" id="my-scep-uniqueid-install-keyusage"></a>**My/SCEP/*UniqueID*/Install/KeyUsage**
Required for enrollment. Specifies the key usage bits (0x80, 0x20, 0xA0, etc.) for the certificate in decimal format. The value should at least have second (0x20) or fourth (0x80) or both bits set. If the value does not have those bits set, configuration will fail. Value type is an integer.
Supported operations are Get, Add, Delete, and Replace.
<a href="" id="my-scep-uniqueid-install-subjectname"></a>**My/SCEP/*UniqueID*/Install/SubjectName**
Required. Specifies the subject name. Value type is chr.
Supported operations are Get, Add, Delete, and Replace.
<a href="" id="my-scep-uniqueid-install-keyprotection"></a>**My/SCEP/*UniqueID*/Install/KeyProtection**
Optional. Specifies the location of the private key. Although the private key is protected by TPM, it is not protected with TPM PIN. SCEP enrolled certificate does not support TPM PIN protection.
Supported values are one of the following:
- 1 Private key is protected by device TPM.
- 2 Private key is protected by device TPM if the device supports TPM.
- 3 (default) Private key is only saved in the software KSP.
Value type is an integer.
Supported operations are Get, Add, Delete, and Replace.
<a href="" id="my-scep-uniqueid-install-retrydelay"></a>**My/SCEP/*UniqueID*/Install/RetryDelay**
Optional. Specifies the device retry waiting time in minutes when the SCEP server sends the pending status. Default value is 5 and the minimum value is 1. Value type is an integer.
Supported operations are Get, Add, and Delete.
<a href="" id="my-scep-uniqueid-install-retrycount"></a>**My/SCEP/*UniqueID*/Install/RetryCount**
Optional. Special to SCEP. Specifies the device retry times when the SCEP server sends pending status. Value type is an integer. Default value is 3. Max value cannot be larger than 30. If it is larger than 30, the device will use 30. The min value is 0, which means no retry.
Supported operations are Get, Add, Delete, and Replace.
<a href="" id="my-scep-uniqueid-install-templatename"></a>**My/SCEP/*UniqueID*/Install/TemplateName**
Optional. OID of certificate template name. Note that this name is typically ignored by the SCEP server; therefore, the MDM server typically does not need to provide it. Value type is chr.
Supported operations are Get, Add, and Delete.
<a href="" id="my-scep-uniqueid-install-keylength"></a>**My/SCEP/*UniqueID*/Install/KeyLength**
Required for enrollment. Specify private key length (RSA). Value type is an integer. Valid values are 1024, 2048, 4096. NGC key lengths supported should be specified.
Supported operations are Get, Add, Delete, and Replace.
<a href="" id="my-scep-uniqueid-install-hashalgorithm"></a>**My/SCEP/*UniqueID*/Install/HashAlgorithm**
Required for enrollment. Hash algorithm family (SHA-1, SHA-2, SHA-3) specified by the MDM server. If multiple hash algorithm families are specified, they must be separated with +.
Value type is chr.
Supported operations are Get, Add, Delete, and Replace.
<a href="" id="my-scep-uniqueid-install-cathumbprint"></a>**My/SCEP/*UniqueID*/Install/CAThumbprint**
Required. Specifies the root CA thumbprint. It is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. When client authenticates the SCEP server, it checks CA certificate from SCEP server for a match with this certificate. If it does not match, the authentication fails. Value type is chr.
Supported operations are Get, Add, Delete, and Replace.
<a href="" id="my-scep-uniqueid-install-subjectalternativenames"></a>**My/SCEP/*UniqueID*/Install/SubjectAlternativeNames**
Optional. Specifies the subject alternative name. Multiple alternative names can be specified. Each name is the combination of name format+actual name. Refer to the name type definition in MSDN. Each pair is separated by semicolon. For example, multiple subject alternative names are presented in the format *&lt;nameformat1&gt;*+*&lt;actual name1&gt;*;*&lt;name format 2&gt;*+*&lt;actual name2&gt;*. Value type is chr.
Supported operations are Get, Add, Delete, and Replace.
<a href="" id="my-scep-uniqueid-install-validperiod"></a>**My/SCEP/*UniqueID*/Install/ValidPeriod**
Optional. Specifies the units for the valid period. Value type is chr.
Supported operations are Get, Add, Delete, and Replace.
Valid values are one of the following:
- Days (default)
- Months
- Years
> **Note**   The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) of the SCEP server as part of certificate enrollment request. How this valid period is used to create the certificate depends on the MDM server.
 
<a href="" id="my-scep-uniqueid-install-validperiodunits"></a>**My/SCEP/*UniqueID*/Install/ValidPeriodUnits**
Optional. Specifies desired number of units used in validity period and subject to SCEP server configuration. Default is 0. The units are defined in ValidPeriod node. The valid period specified by MDM overwrites the valid period specified in the certificate template. For example, if ValidPeriod is days and ValidPeriodUnits is 30, it means the total valid duration is 30 days. Value type is an integer.
Supported operations are Get, Add, Delete, and Replace.
> **Note**   The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) of the SCEP server as part of certificate enrollment request. How this valid period is used to create the certificate depends on the MDM server.
 
<a href="" id="my-scep-uniqueid-install-enroll"></a>**My/SCEP/*UniqueID*/Install/Enroll**
Required. Triggers the device to start the certificate enrollment. The MDM server can later query the device to find out whether the new certificate is added. Value type is null, which means that this node does not contain a value.
Supported operation is Exec.
<a href="" id="my-wstep-certthumbprint"></a>**My/WSTEP/CertThumbprint**
Optional. Returns the current MDM client certificate thumbprint. If renewal succeeds, it shows the renewed certificate thumbprint. If renewal fails or is in progress, it shows the thumbprint of the cert that needs to be renewed. Value type is chr.
Supported operation is Get.
<a href="" id="my-scep-uniqueid-status"></a>**My/SCEP/*UniqueID*/Status**
Required. Specifies the latest status for the certificate due to enrollment request. Value type is chr.
Supported operation is Get.
Valid values are one of the following:
- 1 Finished successfully.
- 2 Pending. The device has not finished the action, but has received the SCEP server pending response.
- 16 - Action failed.
- 32 Unknown.
<a href="" id="my-scep-uniqueid-errorcode"></a>**My/SCEP/*UniqueID*/ErrorCode**
Optional. The integer value that indicates the HRESULT of the last enrollment error code.
Supported operation is Get.
<a href="" id="my-scep-uniqueid-certthumbprint"></a>**My/SCEP/*UniqueID*/CertThumbprint**
Optional. Specifies the current certificate thumbprint if certificate enrollment succeeds. It is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. Value type is chr.
Supported operation is Get.
<a href="" id="my-scep-uniqueid-respondentserverurl"></a>**My/SCEP/*UniqueID*/RespondentServerUrl**
Required. Returns the URL of the SCEP server that responded to the enrollment request. Value type is string.
Supported operation is Get.
<a href="" id="my-wstep"></a>**My/WSTEP**
Required for MDM enrolled device. The parent node that hosts the MDM enrollment client certificate related settings that is enrolled via WSTEP. The nodes under WSTEP are mostly for MDM client certificate renew requests. Value type is node.
Supported operation is Get.
<a href="" id="my-wstep-renew"></a>**My/WSTEP/Renew**
Optional. The parent node to group renewal related settings.
Supported operation is Get.
<a href="" id="my-wstep-renew-serverurl"></a>**My/WSTEP/Renew/ServerURL**
Optional. Specifies the URL of certificate renewal server. If this node does not exist, the client uses the initial certificate enrollment URL.
> **Note**  The renewal process follows the same steps as device enrollment, which means that it starts with Discovery service, followed by Enrollment policy service, and then Enrollment web service.
 
Supported operations are Add, Get, Delete, and Replace.
<a href="" id="my-wstep-renew-renewalperiod"></a>**My/WSTEP/Renew/RenewalPeriod**
Optional. The time (in days) to trigger the client to initiate the MDM client certificate renew process before the MDM certificate expires. The MDM server cannot set and update the renewal period. This parameter applies to both manual certificate renewal and request on behalf of (ROBO) certificate renewal. It is recommended that the renew period is set a couple of months before the certificate expires to ensure that the certificate gets renewed successfully with data connectivity.
The default value is 42 and the valid values are 1 1000. Value type is an integer.
Supported operations are Add, Get, Delete, and Replace.
> **Note**   When you set the renewal schedule over SyncML DM commands to ROBOSupport, RenewalPeriod, and RetryInterval, you must wrap them in Atomic commands.
 
<a href="" id="my-wstep-renew-retryinterval"></a>**My/WSTEP/Renew/RetryInterval**
Optional. Specifies the retry interval (in days) when the previous renewal failed. It applies to both manual certificate renewal and ROBO automatic certificate renewal. The retry schedule stops at the certificate expiration date.
For ROBO renewal failure, the client retries the renewal periodically until the device reaches the certificate expiration date. This parameter specifies the waiting period for ROBO renewal retries.
For manual retry failure, there are no built-in retries. The user can retry later. At the next scheduled certificate renewal retry period, the device prompts the credential dialog again.
The default value is 7 and the valid values are 1 1000 AND =&lt; RenewalPeriod, otherwise it will result in errors. Value type is an integer.
Supported operations are Add, Get, Delete, and Replace.
> **Note**   When you set the renewal schedule over SyncML DM commands to ROBOSupport, RenewalPeriod, and RetryInterval, you must wrap them in Atomic commands.
 
<a href="" id="my-wstep-renew-robosupport"></a>**My/WSTEP/Renew/ROBOSupport**
Optional. Notifies the client if the MDM enrollment server supports ROBO auto certificate renewal. Value type is bool.
ROBO is the only supported renewal method for Windows 10. This value is ignored and always considered to be true.
Supported operations are Add, Get, Delete, and Replace.
> **Note**   When you set the renewal schedule over SyncML DM commands to ROBOSupport, RenewalPeriod, and RetryInterval, you must wrap them in Atomic commands.
 
<a href="" id="my-wstep-renew-status"></a>**My/WSTEP/Renew/Status**
Required. Shows the latest action status for this certificate. Value type is an integer.
Supported operation is Get.
Supported values are one of the following:
- 0 Not started.
- 1 Renewal in progress.
- 2 Renewal succeeded.
- 3 Renewal failed.
<a href="" id="my-wstep-renew-errorcode"></a>**My/WSTEP/Renew/ErrorCode**
Optional. If certificate renewal fails, this integer value indicates the HRESULT of the last error code during the renewal process. Value type is an integer.
Supported operation is Get.
<a href="" id="my-wstep-renew-lastrenewalattempttime"></a>**My/WSTEP/Renew/LastRenewalAttemptTime**
Added in Windows 10, version 1607. Time of the last attempted renewal.
Supported operation is Get.
<a href="" id="my-wstep-renew-renewnow"></a>**My/WSTEP/Renew/RenewNow**
Added in Windows 10, version 1607. Initiates a renewal now.
Supported operation is Execute.
<a href="" id="my-wstep-renew-retryafterexpiryinterval"></a>**My/WSTEP/Renew/RetryAfterExpiryInterval**
Added in Windows 10, version 1703. How long after the enrollment certificate has expired before trying to renew.
Supported operations are Add, Get, and Replace.
## Examples
Add a root certificate to the MDM server.
``` syntax
<Add>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/CertificateStore/Root/System/<CertificateHashInsertedhere>/EncodedCertificate
</LocURI>
</Target>
<Data>B64EncodedCertInsertedHere</Data>
<Meta>
<Format xmlns="syncml:metinf">b64</Format>
</Meta>
</Item>
</Add>
```
Get all installed client certificates.
``` syntax
<Get>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/CertificateStore/My/User?list=StructData
</LocURI>
</Target>
</Item>
</Get>
```
Delete a root certificate.
``` syntax
<Delete>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/CertificateStore/Root/System/<CertificateHashInsertedHere>
</LocURI>
</Target>
</Item>
</Delete>
```
Configure the device to enroll a client certificate through SCEP.
``` syntax
<Atomic>
<CmdID>100</CmdID>
<Add>
<CmdID>1</CmdID>
<Item>
<Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">node</Format>
</Meta>
</Item>
</Add>
<Add>
<CmdID>2</CmdID>
<Item>
<Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/RetryCount</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>1</Data>
</Item>
</Add>
<Add>
<CmdID>3</CmdID>
<Item>
<Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/RetryDelay</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>1</Data>
</Item>
</Add>
<Add>
<CmdID>4</CmdID>
<Item>
<Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/KeyUsage</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>160</Data>
</Item>
</Add>
<Add>
<CmdID>5</CmdID>
<Item>
<Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/KeyLength</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>1024</Data>
</Item>
</Add>
<Add>
<CmdID>6</CmdID>
<Item>
<Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/HashAlgorithm</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>SHA-1</Data>
</Item>
</Add>
<Add>
<CmdID>7</CmdID>
<Item>
<Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/SubjectName</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>CN=AnnaLee</Data>
</Item>
</Add>
<Add>
<CmdID>8</CmdID>
<Item>
<Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/SubjectAlternativeNames</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>11+tom@MyDomain.Contoso.com;3+MyDomain.Contoso.com</Data>
</Item>
</Add>
<Add>
<CmdID>9</CmdID>
<Item>
<Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/ValidPeriod</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>Years</Data>
</Item>
</Add>
<Add>
<CmdID>10</CmdID>
<Item>
<Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/ValidPeriodUnits</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>1</Data>
</Item>
</Add>
<Add>
<CmdID>11</CmdID>
<Item>
<Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/EKUMapping</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>1.3.6.1.4.1.311.10.3.12+1.3.6.1.4.1.311.10.3.4+1.3.6.1.4.1.311.20.2.2</Data>
</Item>
</Add>
<Add>
<CmdID>12</CmdID>
<Item>
<Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/KeyProtection</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>3</Data>
</Item>
</Add>
<Add>
<CmdID>13</CmdID>
<Item>
<Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/ServerURL</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>https://contoso.com/certsrv/ctcep.dll</Data>
</Item>
</Add>
<Add>
<CmdID>14</CmdID>
<Item>
<Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/Challenge</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>ChallengeInsertedHere</Data>
</Item>
</Add>
<Add>
<CmdID>15</CmdID>
<Item>
<Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/CAThumbprint</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>CAThumbprintInsertedHere</Data>
</Item>
</Add>
<Exec>
<CmdID>16</CmdID>
<Item>
<Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/Enroll</LocURI>
</Target>
</Item>
</Exec>
</Atomic>
```
Configure the device to automatically renew an MDM client certificate with the specified renew period and retry interval.
``` syntax
<Atomic>
<CmdID>1</CmdID>
<Replace>
<CmdID>2</CmdID>
<Item>
<Target><LocURI>./Vendor/MSFT/CertificateStore/My/WSTEP/Renew/ROBOSupport</LocURI></Target>
<Meta>
<Format xmlns="syncml:metinf">bool</Format>
</Meta>
<Data>true</Data>
</Item>
</Replace>
<Replace>
<CmdID>3</CmdID>
<Item>
<Target><LocURI>./Vendor/MSFT/CertificateStore/My/WSTEP/Renew/RenewPeriod</LocURI></Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>60</Data>
</Item>
</Replace>
<Replace>
<CmdID>4</CmdID>
<Item>
<Target><LocURI>./Vendor/MSFT/CertificateStore/My/WSTEP/Renew/RetryInterval</LocURI></Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>4</Data>
</Item>
</Replace>
</Atomic>
```
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
 
 

1680
windows/client-management/mdm/certificatestore-ddf-file.md Normal file
View File

File diff suppressed because it is too large Load Diff

33
windows/client-management/mdm/cleanpc-csp.md Normal file
View File

@ -0,0 +1,33 @@
---
title: CleanPC CSP
description: The CleanPC configuration service provider (CSP) allows removal of user-installed and pre-installed applications, with the option to persist user data. This CSP was added in Windows 10, version 1703.
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# CleanPC CSP
The CleanPC configuration service provider (CSP) allows removal of user-installed and pre-installed applications, with the option to persist user data. This CSP was added in Windows 10, version 1703.
The following diagram shows the CleanPC configuration service provider in tree format.
![CleanPC csp diagram](images/provisioning-csp-cleanpc.png)
<a href="" id="--device-vendor-msft-cleanpc"></a>**./Device/Vendor/MSFT/CleanPC**
<p style="margin-left: 20px">The root node for the CleanPC configuration service provider.</p>
<a href="" id="cleanpcwithoutretaininguserdata"></a>**CleanPCWithoutRetainingUserData**
<p style="margin-left: 20px">An integer specifying a CleanPC operation without any retention of user data.
<p style="margin-left: 20px">The only supported operation is Execute.
<a href="" id="cleanpcwithoutretaininguserdata"></a>**CleanPCRetainingUserData**
<p style="margin-left: 20px">An integer specifying a CleanPC operation with retention of user data.
<p style="margin-left: 20px">The only supported operation is Execute.

108
windows/client-management/mdm/cleanpc-ddf.md Normal file
View File

@ -0,0 +1,108 @@
---
title: CleanPC DDF
description: This topic shows the OMA DM device description framework (DDF) for the CleanPC configuration service provider. DDF files are used only with OMA DM provisioning XML.
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: A2182898-1577-4675-BAE5-2A3A9C2AAC9B
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# CleanPC DDF
This topic shows the OMA DM device description framework (DDF) for the **CleanPC** configuration service provider. DDF files are used only with OMA DM provisioning XML.
You can download the DDF files from the links below:
- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip)
The XML below is the current version for this CSP.
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>CleanPC</NodeName>
<Path>./Device/Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Allow removal of user installed and pre-installed applications, with option to persist user data</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>com.microsoft/1.0/MDM/CleanPC</MIME>
</DFType>
</DFProperties>
<Node>
<NodeName>CleanPCWithoutRetainingUserData</NodeName>
<DFProperties>
<AccessType>
<Exec />
</AccessType>
<Description>CleanPC operation without any retention of User data</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>CleanPCRetainingUserData</NodeName>
<DFProperties>
<AccessType>
<Exec />
</AccessType>
<Description>CleanPC operation with retention of User data</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</MgmtTree>
```
 
 

675
windows/client-management/mdm/clientcertificateinstall-csp.md Normal file
View File

@ -0,0 +1,675 @@
---
title: ClientCertificateInstall CSP
description: ClientCertificateInstall CSP
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: B624EB73-2972-47F2-9D7E-826D641BF8A7
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# ClientCertificateInstall CSP
The ClientCertificateInstall configuration service provider enables the enterprise to install client certificates.
For PFX certificate installation and SCEP installation, the SyncML commands must be wrapped in atomic commands to ensure enrollment execution is not triggered until all settings are configured. The Enroll command must be the last item in the atomic block.
> **Note**  
Currently in Windows 10, version 1511, when using the ClientCertificateInstall to install certificates to the device store and the user store and both certificates are sent to the device in the same MDM payload, the certificate intended for the device store will also get installed in the user store. This may cause issues with Wi-Fi or VPN when choosing the correct certificate to establish a connection. We are working to fix this issue.
You can only set PFXKeyExportable to true if KeyLocation=3. For any other KeyLocation value, the CSP will fail.
The following image shows the ClientCertificateInstall configuration service provider in tree format.
![clientcertificateinstall csp](images/provisioning-csp-clientcertificateinstall.png)
<a href="" id="device-or-user"></a>**Device or User**
<p style="margin-left: 20px">For device certificates, use **./Device/Vendor/MSFT** path and for user certificates use **./User/Vendor/MSFT** path.
<a href="" id="clientcertificateinstall"></a>**ClientCertificateInstall**
<p style="margin-left: 20px">The root node for the ClientCertificateInstaller configuration service provider.
<a href="" id="clientcertificateinstall-pfxcertinstall"></a>**ClientCertificateInstall/PFXCertInstall**
<p style="margin-left: 20px">Required for PFX certificate installation. The parent node grouping the PFX certificate related settings.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid"></a>**ClientCertificateInstall/PFXCertInstall/****_UniqueID_**
<p style="margin-left: 20px">Required for PFX certificate installation. A unique ID to differentiate different certificate install requests.
<p style="margin-left: 20px">The data type format is node.
<p style="margin-left: 20px">Supported operations are Get, Add, and Delete .
<p style="margin-left: 20px">Calling Delete on this node should delete the certificates and the keys that were installed by the corresponding PFX blob.
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-keylocation"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/KeyLocation**
<p style="margin-left: 20px">Required for PFX certificate installation. Indicates the KeyStorage provider to target the private key installation to.
<p style="margin-left: 20px">Supported operations are Get, Add, and Replace.
<p style="margin-left: 20px">The data type is an integer corresponding to one of the following values:
| Value | Description |
|-------|---------------------------------------------------------------------------------------------------------------|
| 1 | Install to TPM if present, fail if not present. |
| 2 | Install to TPM if present. If not present, fallback to software. |
| 3 | Install to software. |
| 4 | Install to Windows Hello for Business (formerly known as Microsoft Passport for Work) whose name is specified |
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-containername"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/ContainerName**
<p style="margin-left: 20px">ptional. Specifies the Windows Hello for Business (formerly known as Microsoft Passport for Work) container name (if Windows Hello for Business storage provider (KSP) is chosen for the KeyLocation). If this node is not specified when Windows Hello for Business KSP is chosen, enrollment will fail.
<p style="margin-left: 20px">Date type is string.
<p style="margin-left: 20px">Supported operations are Get, Add, and Replace.
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-pfxcertblob"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertBlob**
<p style="margin-left: 20px">CRYPT\_DATA\_BLOB structure that contains a PFX packet with the exported and encrypted certificates and keys. The Add operation triggers the addition to the PFX certificate. This requires that all the other nodes under UniqueID that are parameters for PFX installation (Container Name, KeyLocation, CertPassword, KeyExportable) are present before this is called. This also sets the Status node to the current Status of the operation.
<p style="margin-left: 20px">The data type format is binary.
<p style="margin-left: 20px">Supported operations are Get, Add, and Replace.
<p style="margin-left: 20px">If a blob already exists, the Add operation will fail. If Replace is called on this node, the existing certificates are overwritten.
<p style="margin-left: 20px">If Add is called on this node for a new PFX, the certificate will be added. When a certificate does not exist, Replace operation on this node will fail.
<p style="margin-left: 20px">In other words, using Replace or Add will result in the effect of either overwriting the old certificate or adding a new certificate CRYPT\_DATA\_BLOB, which can be found in [CRYPT\_INTEGER\_BLOB](http://go.microsoft.com/fwlink/p/?LinkId=523871).
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-pfxcertpassword"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertPassword**
<p style="margin-left: 20px">Password that protects the PFX blob. This is required if the PFX is password protected.
<p style="margin-left: 20px">Data Type is a string.
<p style="margin-left: 20px">Supported operations are Get, Add, and Replace.
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-pfxcertpasswordencryptiontype"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertPasswordEncryptionType**
<p style="margin-left: 20px">Optional. Used to specify whtether the PFX certificate password is encrypted with the MDM certificate by the MDM sever.
<p style="margin-left: 20px">The data type is int. Valid values:
- 0 - Password is not encrypted.
- 1 - Password is encrypted with the MDM certificate.
- 2 - Password is encrypted with custom certificate.
<p style="margin-left: 20px">When PFXCertPasswordEncryptionType =2, you must specify the store name in PFXCertPasswordEncryptionStore setting.
<p style="margin-left: 20px">Supported operations are Get, Add, and Replace.
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-pfxkeyexportable"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXKeyExportable**
<p style="margin-left: 20px">Optional. Used to specify if the private key installed is exportable (and can be exported later). The PFX is not exportable when it is installed to TPM.
> **Note**  You can only set PFXKeyExportable to true if KeyLocation=3. For any other KeyLocation value, the CSP will fail.
 
<p style="margin-left: 20px">The data type bool.
<p style="margin-left: 20px">Supported operations are Get, Add, and Replace.
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-thumbprint"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/Thumbprint**
<p style="margin-left: 20px">Returns the thumbprint of the installed PFX certificate.
<p style="margin-left: 20px">The datatype is a string.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-status"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/Status**
<p style="margin-left: 20px">Required. Returns the error code of the PFX installation from the GetLastError command called after the PfxImportCertStore.
<p style="margin-left: 20px">Data type is an integer.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-pfxcertpasswordencryptionstore"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertPasswordEncryptionStore**
<p style="margin-left: 20px">Added in Windows 10, version 1511. When PFXCertPasswordEncryptionType = 2, it specifies the store name of the certificate used for decrypting the PFXCertPassword.
<p style="margin-left: 20px">Data type is string.
<p style="margin-left: 20px">Supported operations are Add, Get, and Replace.
<a href="" id="clientcertificateinstall-scep"></a>**ClientCertificateInstall/SCEP**
<p style="margin-left: 20px">Node for SCEP.
> **Note**  An alert is sent after the SCEP certificate is installed.
 
<a href="" id="clientcertificateinstall-scep-uniqueid"></a>**ClientCertificateInstall/SCEP/****_UniqueID_**
<p style="margin-left: 20px">A unique ID to differentiate different certificate installation requests.
<p style="margin-left: 20px">Supported operations are Get, Add, Replace, and Delete.
<a href="" id="clientcertificateinstall-scep-uniqueid-install"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install**
<p style="margin-left: 20px">A node required for SCEP certificate enrollment. Parent node to group SCEP cert installation related requests.
<p style="margin-left: 20px">Supported operations are Get, Add, Replace, and Delete.
> **Note**  Although the child nodes under Install support Replace commands, once the Exec command is sent to the device, the device will take the values that are set when the Exec command is accepted. The server should not expect the node value change after Exec command is accepted, as it will impact the current enrollment underway. The server should check the Status node value and make sure the device is not at an unknown state before changing child node values.
 
<a href="" id="clientcertificateinstall-scep-uniqueid-install-serverurl"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/ServerURL**
<p style="margin-left: 20px">Required for SCEP certificate enrollment. Specifies the certificate enrollment server. Multiple server URLs can be listed, separated by semicolons.
<p style="margin-left: 20px">Data type is string.
<p style="margin-left: 20px">Supported operations are Get, Add, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-challenge"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/Challenge**
<p style="margin-left: 20px">Required for SCEP certificate enrollment. B64 encoded SCEP enrollment challenge. Challenge is deleted shortly after the Exec command is accepted.
<p style="margin-left: 20px">Data type is string.
<p style="margin-left: 20px">Supported operations are Add, Get, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-ekumapping"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/EKUMapping**
<p style="margin-left: 20px">Required. Specifies extended key usages. Subject to SCEP server configuration. The list of OIDs are separated by a plus **+**. For example, *OID1*+*OID2*+*OID3*.
Data type is string.
<p style="margin-left: 20px">Required for enrollment. Specifies the key usage bits (0x80, 0x20, 0xA0, etc.) for the certificate in decimal format. The value should at least have the second (0x20), fourth (0x80) or both bits set. If the value doesnt have those bits set, the configuration will fail.
<p style="margin-left: 20px">Data type is int.
<p style="margin-left: 20px">Supported operations are Add, Get, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-subjectname"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/SubjectName**
<p style="margin-left: 20px">Required. Specifies the subject name.
<p style="margin-left: 20px">Data type is string.
<p style="margin-left: 20px">Supported operations are Add, Get, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-keyprotection"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyProtection**
<p style="margin-left: 20px">Optional. Specifies where to keep the private key.
> **Note**  Even if the private key is protected by TPM, it is not protected with a TPM PIN.
 
<p style="margin-left: 20px">The data type is an integer corresponding to one of the following values:
| Value | Description |
|-------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1 | Private key protected by TPM. |
| 2 | Private key protected by phone TPM if the device supports TPM. All Windows Phone 8.1 devices support TPM and will treat value 2 as 1. |
| 3 | (Default) Private key saved in software KSP. |
| 4 | Private key protected by Windows Hello for Business (formerly known as Microsoft Passport for Work). If this option is specified, the ContainerName must be specifed, otherwise enrollment will fail. |
 
<p style="margin-left: 20px">Supported operations are Add, Get, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-retrydelay"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/RetryDelay**
<p style="margin-left: 20px">Optional. When the SCEP server sends a pending status, this value specifies the device retry waiting time in minutes.
<p style="margin-left: 20px">Data type format is an integer.
<p style="margin-left: 20px">The default value is 5.
<p style="margin-left: 20px">The minimum value is 1.
<p style="margin-left: 20px">Supported operations are Add, Get, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-retrycount"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/RetryCount**
<p style="margin-left: 20px">Optional. Unique to SCEP. Specifies the device retry times when the SCEP server sends a pending status.
<p style="margin-left: 20px">Data type is integer.
<p style="margin-left: 20px">Default value is 3.
<p style="margin-left: 20px">Maximum value is 30. If the value is larger than 30, the device will use 30.
<p style="margin-left: 20px">Minimum value is 0, which indicates no retry.
<p style="margin-left: 20px">Supported operations are Add, Get, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-templatename"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/TemplateName**
<p style="margin-left: 20px">Optional. OID of certificate template name.
> **Note**  This name is typically ignored by the SCEP server; therefore the MDM server typically doesnt need to provide it.
 
<p style="margin-left: 20px">Data type is string.
<p style="margin-left: 20px">Supported operations are Add, Get, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-keylength"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyLength**
<p style="margin-left: 20px">Required for enrollment. Specify private key length (RSA).
<p style="margin-left: 20px">Data type is integer.
<p style="margin-left: 20px">Valid values are 1024, 2048, and 4096.
<p style="margin-left: 20px">For Windows Hello for Business (formerly known as Microsoft Passport for Work) , only 2048 is the supported key length.
<p style="margin-left: 20px">Supported operations are Add, Get, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-hashalgorithm"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/HashAlgorithm**
<p style="margin-left: 20px">Required. Hash algorithm family (SHA-1, SHA-2, SHA-3) specified by MDM server. If multiple hash algorithm families are specified, they must be separated with **+**.
<p style="margin-left: 20px">For Windows Hello for Business, only SHA256 is the supported algorithm.
<p style="margin-left: 20px">Data type is string.
<p style="margin-left: 20px">Supported operations are Add, Get, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-cathumbprint"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/CAThumbprint**
<p style="margin-left: 20px">Required. Specifies Root CA thumbprint. This is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. When client authenticates the SCEP server, it checks the CA certificate from the SCEP server to verify a match with this certificate. If it is not a match, the authentication will fail.
<p style="margin-left: 20px">Data type is string.
<p style="margin-left: 20px">Supported operations are Add, Get, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-subjectalternativenames"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/SubjectAlternativeNames**
<p style="margin-left: 20px">Optional. Specifies subject alternative names (SAN). Multiple alternative names can be specified by this node. Each name is the combination of name format+actual name. Refer to the name type definitions in MSDN for more information.
<p style="margin-left: 20px">Each pair is separated by semicolon. For example, multiple SANs are presented in the format of *\[name format1\]*+*\[actual name1\]*;*\[name format 2\]*+*\[actual name2\]*.
<p style="margin-left: 20px">Data type is string.
<p style="margin-left: 20px">Supported operations are Add, Get, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-validperiod"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/ValidPeriod**
<p style="margin-left: 20px">Optional. Specifies the units for the valid certificate period.
<p style="margin-left: 20px">Data type is string.
<p style="margin-left: 20px">Valid values are:
- Days (Default)
- Months
- Years
> **Note**  The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) to the SCEP server as part of certificate enrollment request. Depending on the server configuration, the server defines how to use this valid period to create the certificate.
 
<p style="margin-left: 20px">Supported operations are Add, Get, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-validperiodunits"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/ValidPeriodUnits**
<p style="margin-left: 20px">Optional. Specifies the desired number of units used in the validity period. This is subject to SCEP server configuration. Default value is 0. The unit type (days, months, or years) are defined in the ValidPeriod node. Note the valid period specified by MDM will overwrite the valid period specified in the certificate template. For example, if ValidPeriod is Days and ValidPeriodUnits is 30, it means the total valid duration is 30 days.
<p style="margin-left: 20px">Data type is string.
>**Note**  The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) to the SCEP server as part of certificate enrollment request. Depending on the server configuration, the server defines how to use this valid period to create the certificate.
 
<p style="margin-left: 20px">Supported operations are Add, Get, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-containername"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/ContainerName**
<p style="margin-left: 20px">Optional. Specifies the Windows Hello for Business container name (if Windows Hello for Business KSP is chosen for the node). If this node is not specified when Windows Hello for Business KSP is chosen, the enrollment will fail.
<p style="margin-left: 20px">Data type is string.
<p style="margin-left: 20px">Supported operations are Add, Get, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-customtexttoshowinprompt"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/CustomTextToShowInPrompt**
<p style="margin-left: 20px">Optional. Specifies the custom text to show on the Windows Hello for Business PIN prompt during certificate enrollment. The admin can choose to provide more contextual information in this field for why the user needs to enter the PIN and what the certificate will be used for.
<p style="margin-left: 20px">Data type is string.
<p style="margin-left: 20px">Supported operations are Add, Get, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-enroll"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/Enroll**
<p style="margin-left: 20px">Required. Triggers the device to start the certificate enrollment. The device will not notify MDM server after certificate enrollment is done. The MDM server could later query the device to find out whether new certificate is added.
<p style="margin-left: 20px">The date type format is Null, meaning this node doesnt contain a value.
<p style="margin-left: 20px">The only supported operation is Execute.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-aadkeyidentifierlist"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/AADKeyIdentifierList**
<p style="margin-left: 20px">Optional. Specify the AAD Key Identifier List as a list of semicolon separated values. On Enroll, the values in this list are validated against the AAD Key present on the device. If no match is found, enrollment will fail.
<p style="margin-left: 20px">Data type is string.
<p style="margin-left: 20px">Supported operations are Add, Get, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-certthumbprint"></a>**ClientCertificateInstall/SCEP/*UniqueID*/CertThumbprint**
<p style="margin-left: 20px">Optional. Specifies the current certificates thumbprint if certificate enrollment succeeds. It is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value.
<p style="margin-left: 20px">If the certificate on the device becomes invalid (Cert expired, Cert chain is not valid, private key deleted) then it will return an empty string.
<p style="margin-left: 20px">Data type is string.
<p style="margin-left: 20px">The only supported operation is Get.
<a href="" id="clientcertificateinstall-scep-uniqueid-status"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Status**
<p style="margin-left: 20px">Required. Specifies latest status of the certificated during the enrollment request.
<p style="margin-left: 20px">Data type is string. Valid values:
<p style="margin-left: 20px">The only supported operation is Get.
| Value | Description |
|-------|---------------------------------------------------------------------------------------------------|
| 1 | Finished successfully |
| 2 | Pending (the device hasnt finished the action but has received the SCEP server pending response) |
| 16 | Action failed |
| 32 | Unknown |
 
<a href="" id="clientcertificateinstall-scep-uniqueid-errorcode"></a>**ClientCertificateInstall/SCEP/*UniqueID*/ErrorCode**
<p style="margin-left: 20px">Optional. An integer value that indicates the HRESULT of the last enrollment error code.
<p style="margin-left: 20px">The only supported operation is Get.
<a href="" id="clientcertificateinstall-scep-uniqueid-respondentserverurl"></a>**ClientCertificateInstall/SCEP/*UniqueID*/RespondentServerUrl**
<p style="margin-left: 20px">Required. Returns the URL of the SCEP server that responded to the enrollment request.
<p style="margin-left: 20px">Data type is string.
<p style="margin-left: 20px">The only supported operation is Get.
## Example
Enroll a client certificate through SCEP.
``` syntax
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Atomic>
<Add>
<CmdID>301</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/<InsertUniqueIDHere></LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">node</Format>
</Meta>
</Item>
</Add>
<Add>
<CmdID>302</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/<InsertUniqueIDHere>/Install/RetryCount</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>1</Data>
</Item>
</Add>
<Add>
<CmdID>303</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/<InsertUniqueIDHere>/Install/RetryDelay</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>1</Data>
</Item>
</Add>
<Add>
<CmdID>304</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/<InsertUniqueIDHere>/Install/KeyUsage</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>160</Data>
</Item>
</Add>
<Add>
<CmdID>305</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/<InsertUniqueIDHere>/Install/KeyLength</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>1024</Data>
</Item>
</Add>
<Add>
<CmdID>306</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/<InsertUniqueIDHere>/Install/HashAlgorithm</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>SHA-1</Data>
</Item>
</Add>
<Add>
<CmdID>307</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/<InsertUniqueIDHere>/Install/SubjectName</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>CN=ContosoCSP</Data>
</Item>
</Add>
<Add>
<CmdID>308</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/<InsertUniqueIDHere>/Install/SubjectAlternativeNames</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data></Data>
</Item>
</Add>
<Add>
<CmdID>309</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/<InsertUniqueIDHere>/Install/ValidPeriod</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>Years</Data>
</Item>
</Add>
<Add>
<CmdID>310</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/<InsertUniqueIDHere>/Install/ValidPeriodUnits</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>1</Data>
</Item>
</Add>
<Add>
<CmdID>311</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/<InsertUniqueIDHere>/Install/EKUMapping</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>1.3.6.1.4.1.311.10.3.12+1.3.6.1.4.1.311.10.3.4+1.3.6.1.4.1.311.20.2.2+1.3.6.1.5.5.7.3.2</Data>
</Item>
</Add>
<Add>
<CmdID>312</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/<InsertUniqueIDHere>/Install/KeyProtection</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>3</Data>
</Item>
</Add>
<Add>
<CmdID>313$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/<InsertUniqueIDHere>/Install/ServerURL</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>http://constoso.com/certsrv/mscep/mscep.dll</Data>
</Item>
</Add>
<Add>
<CmdID>314</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/<InsertUniqueIDHere>/Install/Challenge</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>1234CB055B7EBF384A9486A22B7559A5</Data>
</Item>
</Add>
<Add>
<CmdID>315</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/<InsertUniqueIDHere>/Install/CAThumbprint</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>12345087E648875D1DF5D9F9FF89DD10</Data>
</Item>
</Add>
<Exec>
<CmdID>316</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/<InsertUniqueIDHere>/Install/Enroll</LocURI>
</Target>
</Item>
</Exec>
</Atomic>
<Final/>
</SyncBody>
</SyncML>
```
Add a PFX certificate. The PFX certificate password is encrypted with a custom certificate fro "My" store.
``` syntax
<SyncML>
<SyncBody>
<Delete>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D351900C</LocURI>
</Target>
</Item>
</Delete>
<Atomic>
<CmdID>$CmdID$</CmdID>
<Add>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D351900C/KeyLocation</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>2</Data>
</Item>
</Add>
<Add>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D351900C/PFXCertBlob</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>Base64_Encode_Cert_Blob</Data>
</Item>
</Add>
<Add>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D351900C/PFXCertPassword</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>Base64Encoded_Encrypted_Password_Blog</Data>
</Item>
</Add>
<Add>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D351900C/PFXCertPasswordEncryptionType</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>2</Data>
</Item>
</Add>
<Add>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D351900C/PFXCertPasswordEncryptionStore</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>My</Data>
</Item>
</Add>
<Add>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D351900C/PFXKeyExportable</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">bool</Format>
</Meta>
<Data>true</Data>
</Item>
</Add>
</Atomic>
<Final/>
</SyncBody>
</SyncML>
```
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
 
 

1070
windows/client-management/mdm/clientcertificateinstall-ddf-file.md Normal file
View File

File diff suppressed because it is too large Load Diff

317
windows/client-management/mdm/cm-cellularentries-csp.md Normal file
View File

@ -0,0 +1,317 @@
---
title: CM\_CellularEntries CSP
description: CM\_CellularEntries CSP
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: f8dac9ef-b709-4b76-b6f5-34c2e6a3c847
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# CM\_CellularEntries CSP
The CM\_CellularEntries configuration service provider is used to configure the General Packet Radio Service (GPRS) entries on the device. It defines each GSM data access point.
> [!Note]
> Starting in the next major update to Windows 10, the CM\_CellularEntries CSP is supported in Windows 10 Home, Pro, Enterprise, and Education editions.
This configuration service provider requires the ID\_CAP\_NETWORKING\_ADMIN capability to be accessed from a network configuration application.
The following diagram shows the CM\_CellularEntries configuration service provider management object in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP). The OMA DM protocol is not supported with this configuration service provider.
![cm\-cellularentries csp](images/provisioning-csp-cm-cellularentries.png)
<a href="" id="entryname"></a>**_entryname_**
<p style="margin-left: 20px">Defines the name of the connection.</p>
<p style="margin-left: 20px">The [CMPolicy configuration service provider](cmpolicy-csp.md) uses the value of *entryname* to identify the connection that is associated with a policy and [CM\_ProxyEntries configuration service provider](cm-proxyentries-csp.md) uses the value of *entryname* to identify the connection that is associated with a proxy.</p>
<a href="" id="alwayson"></a>**AlwaysOn**
<p style="margin-left: 20px">Type: Int. Specifies if the Connection Manager will automatically attempt to connect to the APN when a connection is available.
<p style="margin-left: 20px">A value of "0" specifies that AlwaysOn is not supported, and the Connection Manager will only attempt to connect to the APN when an application requests the connection. This setting is recommended for applications that use a connection occasionally, for example, an APN that only controls MMS.
<p style="margin-left: 20px">A value of "1" specifies that AlwaysOn is supported, and the Connection Manager will automatically attempt to connect to the APN when it is available. This setting is recommended for general purpose Internet APNs.
<p style="margin-left: 20px">There must be at least one AlwaysOn Internet connection provisioned for the mobile operator.
<a href="" id="authtype"></a>**AuthType**
<p style="margin-left: 20px">Optional. Type: String. Specifies the method of authentication used for a connection.
<p style="margin-left: 20px">A value of "CHAP" specifies the Challenge Handshake Application Protocol. A value of "PAP" specifies the Password Authentication Protocol. A value of "None" specifies that the UserName and Password parameters are ignored. The default value is "None".
<a href="" id="connectiontype"></a>**ConnectionType**
<p style="margin-left: 20px">Optional. Type: String. Specifies the type of connection used for the APN. The following connection types are available:
<table style="margin-left: 20px"><table>
<colgroup>
<col width="20%" />
<col width="80%" />
</colgroup>
<tbody>
<tr class="odd">
<td><p>gprs</p></td>
<td><p>Default. Used for GPRS type connections (GPRS + GSM + EDGE + UMTS + LTE).</p></td>
</tr>
<tr class="even">
<td><p>cdma</p></td>
<td><p>Used for CDMA type connections (1XRTT + EVDO).</p></td>
</tr>
<tr class="odd">
<td><p>lte</p></td>
<td><p>Used for LTE type connections (eHRPD + LTE) when the device is registered HOME.</p></td>
</tr>
<tr class="even">
<td><p>legacy</p></td>
<td><p>Used for GPRS + GSM + EDGE + UMTS connections.</p></td>
</tr>
<tr class="odd">
<td><p>lte_iwlan</p></td>
<td><p>Used for GPRS type connections that may be offloaded over WiFi</p></td>
</tr>
<tr class="even">
<td><p>iwlan</p></td>
<td><p>Used for connections that are implemented over WiFi offload only</p></td>
</tr>
</tbody>
</table>
 
<a href="" id="desc-langid"></a>**Desc.langid**
<p style="margin-left: 20px">Optional. Specifies the UI display string used by the defined language ID.
<p style="margin-left: 20px"> A parameter name in the format of Desc.langid will be used as the language-specific identifier for the specified entry. For example, a parameter defined as `Desc.0409` with a value of `"GPRS Connection"` will force "GPRS Connection" to be displayed in the UI to represent this connection when the device is set to English language (language ID 0409). Descriptions for multiple languages may be provisioned using this mechanism, and the system will automatically switch among them if the user changes language preferences on the device. If no **Desc** parameter is provisioned for a given language, the system will default to the name used to create the entry.
<a href="" id="enabled"></a>**Enabled**
<p style="margin-left: 20px"> Specifies if the connection is enabled.
<p style="margin-left: 20px"> A value of "0" specifies that the connection is disabled. A value of "1" specifies that the connection is enabled.
<a href="" id="ipheadercompression"></a>**IpHeaderCompression**
<p style="margin-left: 20px"> Optional. Specifies if IP header compression is enabled.
<p style="margin-left: 20px"> A value of "0" specifies that IP header compression for the connection is disabled. A value of "1" specifies that IP header compression for the connection is enabled.
<a href="" id="password"></a>**Password**
<p style="margin-left: 20px"> Required if AuthType is set to a value other than "None". Specifies the password used to connect to the APN.
<a href="" id="swcompression"></a>**SwCompression**
<p style="margin-left: 20px"> Optional. Specifies if software compression is enabled.
<p style="margin-left: 20px"> A value of "0" specifies that software compression for the connection is disabled. A value of "1" specifies that software compression for the connection is enabled.
<a href="" id="username"></a>**UserName**
<p style="margin-left: 20px"> Required if AuthType is set to a value other than "None". Specifies the user name used to connect to the APN.
<a href="" id="userequiresmappingspolicy"></a>**UseRequiresMappingsPolicy**
<p style="margin-left: 20px"> Optional. Specifies if the connection requires a corresponding mappings policy.
<p style="margin-left: 20px"> A value of "0" specifies that the connection can be used for any general Internet communications. A value of "1" specifies that the connection is only used if a mapping policy is present.
<p style="margin-left: 20px"> For example, if the multimedia messaging service (MMS) APN should not have any other traffic except MMS, you can configure a mapping policy that sends MMS traffic to this connection. Then, you set the value of UseRequiresMappingsPolicy to be equal to "1" and Connection Manager will only use the connection for MMS traffic. Without this, Connection Manager will try to use the connection for any general purpose Internet traffic.
<a href="" id="version"></a>**Version**
<p style="margin-left: 20px"> Type: Int. Specifies the XML version number and is used to verify that the XML is supported by Connection Manager's configuration service provider.
<p style="margin-left: 20px"> This value must be "1" if included.
<a href="" id="gprsinfoaccesspointname"></a>**GPRSInfoAccessPointName**
<p style="margin-left: 20px"> Specifies the logical name to select the GPRS gateway. For more information about allowable values, see GSM specification 07.07 "10.1.1 Define PDP Context +CGDCONT".
<a href="" id="roaming"></a>**Roaming**
<p style="margin-left: 20px"> Optional. Type: Int. This parameter specifies the roaming conditions under which the connection should be activated. The following conditions are available:
- 0 - Home network only.
- 1 (default)- All roaming conditions (home and roaming).
- 2 - Home and domestic roaming only.
- 3 - Domestic roaming only.
- 4 - Non-domestic roaming only.
- 5 - Roaming only.
<a href="" id="oemconnectionid"></a>**OEMConnectionID**
<p style="margin-left: 20px"> Optional. Type: GUID. Specifies a GUID to use to identify a specific connection in the modem. If a value is not specified, the default value is 00000000-0000-0000-0000-000000000000. This parameter is only used on LTE devices.
<a href="" id="apnid"></a>**ApnId**
<p style="margin-left: 20px"> Optional. Type: Int. Specifies the purpose of the APN. If a value is not specified, the default value is "0" (none). This parameter is only used on LTE devices.
<a href="" id="iptype"></a>**IPType**
<p style="margin-left: 20px"> Optional. Type: String. Specifies the network protocol of the connection. Available values are "IPv4", "IPv6", "IPv4v6", and "IPv4v6xlat". If a value is not specified, the default value is "IPv4".
> [!Warning]  
> Do not use IPv6 or IPv4v6xlat on a device or network that does not support IPv6. Data functionality will not work. In addition, the device will not be able to connect to a roaming network that does not support IPv6 unless you configure roaming connections with an IPType of IPv4v6.
 
<a href="" id="exemptfromdisablepolicy"></a>**ExemptFromDisablePolicy**
<p style="margin-left: 20px"> Added back in Windows 10, version 1511. Optional. Type: Int. This should only be specified for special purpose connections whose applications directly manage their disable state (such as MMS). A value of "0" specifies that the connection is subject to the disable policy used by general purpose connections (not exempt). A value of "1" specifies that the connection is exempt. If a value is not specified, the default value is "0" (not exempt).
<p style="margin-left: 20px"> To allow MMS when data is set to OFF, set both ExemptFromDisablePolicy and UseRequiresMappingsPolicy to "1". This indicates that the connection is a dedicated MMS connection and that it should not be disabled when all other connections are disabled. As a result, MMS can be sent and received when data is set to OFF. Note that sending MMS while roaming is still not allowed.
> [!Important]  
> Do not set ExemptFromDisablePolicy to "1", ExemptFromRoaming to "1", or UseRequiresMappingsPolicy to "1" for general purpose connections.
<p style="margin-left: 20px"> To avoid UX inconsistency with certain value combinations of ExemptFromDisablePolicy and AllowMmsIfDataIsOff, when you do not set ExemptFromDisablePolicy to 1 (default is 0), you should:
- Hide the toggle for AllowMmsIfDataIsOff by setting AllowMmsIfDataIsOffEnabled to 0 (default is 1)
- Set AllowMMSIfDataIsOff to 1 (default is 0)
 
<a href="" id="exemptfromroaming"></a>**ExemptFromRoaming**
<p style="margin-left: 20px"> Added back in Windows 10, version 1511. Optional. Type: Int. This should be specified only for special purpose connections whose applications directly manage their roaming state. It should never be used with general purpose connections. A value of "0" specifies that the connection is subject to the roaming policy (not exempt). A value of "1" specifies that the connection is exempt (unaffected by the roaming policy). If a value is not specified, the default value is "0" (not exempt).
<a href="" id="tetheringnai"></a>**TetheringNAI**
<p style="margin-left: 20px"> Optional. Type: Int. CDMA only. Specifies if the connection is a tethering connection. A value of "0" specifies that the connection is not a tethering connection. A value of "1" specifies that the connection is a tethering connection. If a value is not specified, the default value is "0".
<a href="" id="idledisconnecttimeout"></a>**IdleDisconnectTimeout**
<p style="margin-left: 20px"> Optional. Type: Int. Specifies how long an on-demand connection can be unused before Connection Manager tears the connection down. This value is specified in seconds. Valid value range is 5 to 60 seconds. If not specified, the default is 30 seconds.
> [!Important]  
<p style="margin-left: 20px"> You must specify the IdleDisconnectTimeout value when updating an on-demand connection to ensure that the desired value is still configured. If it is not specified, the default value of 30 seconds may be used.
 
> [!Note]  
> If tear-down/activation requests occur too frequently, this value should be set to greater than 5 seconds.
 
<a href="" id="simiccid"></a>**SimIccId**
<p style="margin-left: 20px"> For single SIM phones, this parm is optional. However, it is highly recommended to include this value when creating future updates. For dual SIM phones, this parm is required. Type: String. Specifies the SIM ICCID that services the connection.
<a href="" id="purposegroups"></a>**PurposeGroups**
<p style="margin-left: 20px"> Optional. Type: String. Specifies the purposes of the connection by a comma-separated list of GUIDs representing purpose values. The following purpose values are available:
- Internet - 3E5545D2-1137-4DC8-A198-33F1C657515F
- MMS - 53E2C5D3-D13C-4068-AA38-9C48FF2E55A8
- IMS - 474D66ED-0E4B-476B-A455-19BB1239ED13
- SUPL - 6D42669F-52A9-408E-9493-1071DCC437BD
- Purchase - 95522B2B-A6D1-4E40-960B-05E6D3F962AB (added in the next version of Windows 10)
- Administrative - 2FFD9261-C23C-4D27-8DCF-CDE4E14A3364 (added in the next version of Windows 10)
## Additional information
To delete a connection, you must first delete any associated proxies and then delete the connection. The following example shows how to delete the proxy and then the connection.
``` syntax
<wap-provisioningdoc>
<characteristic type="CM_ProxyEntries">
<nocharacteristic type="GPRS_Proxy"/>
</characteristic>
<characteristic type="CM_CellularEntries">
<nocharacteristic type="GPRS1"/>
</characteristic>
</wap-provisioningdoc>
```
## OMA client provisioning examples
Configuring a GPRS connection:
``` syntax
<wap-provisioningdoc>
<characteristic type="CM_CellularEntries">
<characteristic type="GPRSConn">
<parm name="ConnectionType" value="gprs" />
<characteristic type="DevSpecificCellular">
<parm name="GPRSInfoAccessPointName" value="apn.adatum.com" />
</characteristic>
<parm name="AlwaysOn" value="0" />
<parm name="Enabled" value="1" />
</characteristic>
</characteristic>
</wap-provisioningdoc>
```
Configuring an LTE connection:
``` syntax
<wap-provisioningdoc>
<characteristic type="CM_CellularEntries">
<characteristic type="LteConn">
<parm name="ConnectionType" value="lte" />
<characteristic type="DevSpecificCellular">
<parm name="GPRSInfoAccessPointName" value="INTERNET_LTE" />
</characteristic>
<parm name="ApnId" value="0" />
<parm name="IPType" value="IPv4v6" />
<parm name="Enabled" value="1" />
<parm name="OemConnectionId" value="01234567-89AB-CDEF-0123-456789ABCDEF" />
</characteristic>
</characteristic>
</wap-provisioningdoc>
```
Configuring a CDMA connection:
``` syntax
<wap-provisioningdoc>
<characteristic type="CM_CellularEntries">
<characteristic type="CDMAConn">
<parm name="Version" value="1"/>
<parm name="AuthType" value="chap" />
<parm name="ConnectionType" value="cdma"/>
<parm name="Enabled" value="1"/>
<parm name="AlwaysOn" value="0"/>
<parm name="UseRequiresMappingsPolicy" value="0"/>
<parm name="UserName" value="user@adatum.com"/>
<parm name="Password" value="fakeuserpassword"/>
</characteristic>
</characteristic>
</wap-provisioningdoc>
```
## Microsoft Custom Elements
The following table shows the Microsoft custom elements that this configuration service provider supports for OMA Client Provisioning.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Element</th>
<th>Available</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>nocharacteristic</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="even">
<td><p>characteristic-query</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="odd">
<td><p>parm-query</p></td>
<td><p>Yes</p></td>
</tr>
</tbody>
</table>
 
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
 
 

153
windows/client-management/mdm/cm-proxyentries-csp.md Normal file
View File

@ -0,0 +1,153 @@
---
title: CM\_ProxyEntries CSP
description: CM\_ProxyEntries CSP
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: f4c3dc71-c85a-4c68-9ce9-19f408ff7a0a
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# CM\_ProxyEntries CSP
The CM\_ProxyEntries configuration service provider is used to configure proxy connections on the mobile device.
> **Note**  CM\_ProxyEntries CSP is only supported in Windows 10 Mobile.
 
> **Note**   This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_NETWORKING\_ADMIN capabilities to be accessed from a network configuration application.
 
The following diagram shows the CM\_ProxyEntries configuration service provider management object in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP) and OMA Device Management(OMA DM). Support for OMA DM was added in Windows 10, version 1607.
![cm\-proxyentries csp (cp)](images/provisioning-csp-cm-proxyentries-cp.png)
<a href="" id="entryname"></a>**entryname**
Defines the name of the connection proxy.
Each cellular entry can have only one proxy entry. For example, an Internet connection can have no more than one HTTP proxy specified but it might also have a WAP proxy. If two applications need access to the same APN but one application needs a proxy and the other application cannot have a proxy, two entries can be created with different names for the same APN.
<a href="" id="connectionname"></a>**ConnectionName**
Specifies the name of the connection the proxy is associated with. This is the APN name of a connection configured using the [CM\_CellularEntries configuration service provider](cm-cellularentries-csp.md).
<a href="" id="bypasslocal"></a>**BypassLocal**
Specifies if the proxy should be bypassed when local hosts are accessed by the device.
A value of "0" specifies that the proxy bypass for local hosts is disabled. A value of "1" specifies that the proxy bypass for local hosts is enabled.
<a href="" id="enable"></a>**Enable**
Specifies if the proxy is enabled.
A value of "0" specifies that the proxy is disabled. A value of "1" specifies that the proxy is enabled.
<a href="" id="exception"></a>**Exception**
Specifies a list of external hosts which should bypass the proxy when accessed.
The exception list is a semi-colon delimited list of host names. For example, to bypass the proxy when either MSN or Yahoo is accessed, the value for the Exception list would be "www.msn.com;www.yahoo.com".
<a href="" id="password"></a>**Password**
Specifies the password used to connect to the proxy.
Passwords are only required for WAP and SOCKS proxies and are not used for HTTP proxies. Queries of this parameter return a string composed of asterisks (\*).
When setting the password, passing in the same string causes the new password to be ignored and does not change the existing password.
<a href="" id="port"></a>**Port**
Specifies the port number of the proxy server.
<a href="" id="server"></a>**Server**
Specifies the name of the proxy server.
<a href="" id="type"></a>**Type**
Specifies the type of proxy connection for this entry.
The following list enumerates the values allowed for the Type parameter.
- "0" = Null proxy
- "1" = HTTP proxy
- "2" = WAP proxy
- "4" = SOCKS4 proxy
- "5" = SOCKS5 proxy
The Null proxy can be used to allow Connection Manager to treat one network as a super set of another network by creating a null proxy from one network to the other.
<a href="" id="username"></a>**UserName**
Specifies the username used to connect to the proxy.
## Additional information
To delete both a proxy and its associated connection, you must delete the proxy first, and then delete the connection. The following example shows how to delete the proxy and then the connection.
``` syntax
<wap-provisioningdoc>
<characteristic type="CM_ProxyEntries">
<nocharacteristic type="GPRS_Proxy"/>
</characteristic>
<characteristic type="CM_CellularEntries">
<nocharacteristic type="GPRS1"/>
</characteristic>
</wap-provisioningdoc>
```
## Microsoft Custom Elements
The following table shows the Microsoft custom elements that this configuration service provider supports for OMA Client Provisioning.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Element</th>
<th>Available</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>parm-query</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="even">
<td><p>nocharacteristic</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="odd">
<td><p>characteristic-query</p></td>
<td><p>Yes</p>
<p>Recursive query: Yes</p>
<p>Top level query: Yes</p></td>
</tr>
</tbody>
</table>
 
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
 
 

516
windows/client-management/mdm/cmpolicy-csp.md Normal file
View File

@ -0,0 +1,516 @@
---
title: CMPolicy CSP
description: CMPolicy CSP
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: 62623915-9747-4eb1-8027-449827b85e6b
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# CMPolicy CSP
The CMPolicy configuration service provider defines rules that the Connection Manager uses to identify the correct connection for a connection request.
> **Note**  
This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_NETWORKING\_ADMIN capabilities to be accessed from a network configuration application.
 
Each policy entry identifies one or more applications in combination with a host pattern. The policy entry is assigned a list of connection details that Connection Manager uses to satisfy connection requests matching the application and host patterns. CMPolicy configuration service provider can have multiple policies
**Policy Ordering**: There is no explicit ordering of policies. The general rule is that the most concrete or specific policy mappings take a higher precedence.
**Default Policies**: Policies are applied in order of their scope with the most specific policies considered before the more general policies. The phones default behavior applies to all applications and all domains and is only used when no other, more specific policy is available. The default policy is to use any available Wi-Fi network first and then any available APN.
The following diagram shows the CMPolicy configuration service provider management object in tree format as used by both Open Mobile Alliance (OMA) Client Provisioning and OMA Device Management.
![cmpolicy csp (dm,cp)](images/provisioning-csp-cmpolicy.png)
<a href="" id="policyname"></a>***policyName***
Defines the name of the policy.
<a href="" id="sid"></a>**SID**
The value of SID depends on the ClientType.
For Universal Windows Platform (UWP) app-based mapping policies, SID is the Package family name without curly brackets {}, not the application.
For non-UWP application-based mapping policies, SID is the application product ID in GUID format. The curly brackets {} around the GUID are required.
For host-based mapping policies, SID must be set to `*`.
<a href="" id="clienttype"></a>**ClientType**
Specifies the mapping policy type.
The following list describes the available mapping policy types:
- Application-based mapping policies are applied to applications. To specify this mapping type, use the value `app`.
- Host-based mapping policies are applied to all types of clients requesting connections to specified host(s). To specify this mapping type, use the value `*`.
<a href="" id="host"></a>**Host**
Specifies the name of a host pattern. The host name is matched to the connection request to select the right policy to use.
The host pattern can have two wild cards, "\*" and "+". The host pattern is not a URL pattern and there is no concept of transport or paths on the specific host. For example, the host pattern might be "\*.host\_name.com" to match any prefix to the host\_name.com domains. The host pattern will match "www.host\_name.com" and "mail.host\_name.com", but it will not match "host\_name.com".
<a href="" id="orderedconnections"></a>**OrderedConnections**
Specifies whether the list of connections is in preference order.
A value of "0" specifies that the connections are not listed in order of preference. A value of "1" indicates that the listed connections are in order of preference.
<a href="" id="connxxx"></a>**Conn****_XXX_**
Enumerates the connections associated with the policy. Element names begin with "Conn" followed by three digits which increment starting from "000". For example, a policy which applied to five connections would have element entries named "Conn000", "Conn001", "Conn002", "Conn003", and "Conn004".
<a href="" id="connectionid"></a>**ConnectionID**
Specifies a unique identifier for a connection within a group of connections. The exact value is based on the Type parameter.
For `CMST_CONNECTION_NAME`, specify the connection name. For example, if you have a connection configured by using the CM\_CellularEntries configuration service provider, the connection name could be the name of the connection. If you have a NAP configured with the NAPID set to “GPRS1”, the connection name could be “GPRS1@WAP”.
For `CMST_CONNECTION_TYPE`, specify the GUID for the desired connection type. The curly brackets {} around the GUID are required. The following connection types are available:
<table>
<colgroup>
<col width="20%" />
<col width="80%" />
</colgroup>
<thead>
<tr class="header">
<th>Connection type</th>
<th>GUID</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>GSM</p></td>
<td><p>{A05DC613-E393-40ad-AA89-CCCE04277CD9}</p></td>
</tr>
<tr class="even">
<td><p>CDMA</p></td>
<td><p>{274AD55A-4A70-4E35-93B3-AE2D2E6727FC}</p></td>
</tr>
<tr class="odd">
<td><p>Legacy 3GPP</p></td>
<td><p>{6DE4C04B-B74E-47FA-99E5-8F2097C06A92}</p></td>
</tr>
<tr class="even">
<td><p>LTE</p></td>
<td><p>{2378E547-8312-46A5-905E-5C581E92693B}</p></td>
</tr>
<tr class="odd">
<td><p>Wi-Fi</p></td>
<td><p>{8568B401-858E-4B7B-B3DF-0FD4927F131B}</p></td>
</tr>
<tr class="even">
<td><p>Wi-Fi hotspot</p></td>
<td><p>{072FC7DC-1D93-40D1-9BB0-2114D7D73434}</p></td>
</tr>
</tbody>
</table>
 
For `CMST_CONNECTION_NETWORK_TYPE`, specify the GUID for the desired network type. The curly brackets {} around the GUID are required. The following network types are available:
<table>
<colgroup>
<col width="20%" />
<col width="80%" />
</colgroup>
<thead>
<tr class="header">
<th>Network type</th>
<th>GUID</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>GPRS</p></td>
<td><p>{AFB7D659-FC1F-4EA5-BDD0-0FDA62676D96}</p></td>
</tr>
<tr class="even">
<td><p>1XRTT</p></td>
<td><p>{B1E700AE-A62F-49FF-9BBE-B880C995F27D}</p></td>
</tr>
<tr class="odd">
<td><p>EDGE</p></td>
<td><p>{C347F8EC-7095-423D-B838-7C7A7F38CD03}</p></td>
</tr>
<tr class="even">
<td><p>WCDMA UMTS</p></td>
<td><p>{A72F04C6-9BE6-4151-B5EF-15A53E12C482}</p></td>
</tr>
<tr class="odd">
<td><p>WCDMA FOMA</p></td>
<td><p>{B8326098-F845-42F3-804E-8CC3FF7B50B4}</p></td>
</tr>
<tr class="even">
<td><p>1XEVDO</p></td>
<td><p>{DD42DF39-EBDF-407C-8146-1685416401B2}</p></td>
</tr>
<tr class="odd">
<td><p>1XEVDV</p></td>
<td><p>{61BF1BFD-5218-4CD4-949C-241CA3F326F6}</p></td>
</tr>
<tr class="even">
<td><p>HSPA HSDPA</p></td>
<td><p>{047F7282-BABD-4893-AA77-B8B312657F8C}</p></td>
</tr>
<tr class="odd">
<td><p>HSPA HSUPA</p></td>
<td><p>{1536A1C6-A4AF-423C-8884-6BDDA3656F84}</p></td>
</tr>
<tr class="even">
<td><p>LTE</p></td>
<td><p>{B41CBF43-6994-46FF-9C2F-D6CA6D45889B}</p></td>
</tr>
<tr class="odd">
<td><p>EHRPD</p></td>
<td><p>{7CFA04A5-0F3F-445C-88A4-C86ED2AD94EA}</p></td>
</tr>
<tr class="even">
<td><p>Ethernet 10Mbps</p></td>
<td><p>{97D3D1B3-854A-4C32-BD1C-C13069078370}</p></td>
</tr>
<tr class="odd">
<td><p>Ethernet 100Mbps</p></td>
<td><p>{A8F4FE66-8D04-43F5-9DD2-2A85BD21029B}</p></td>
</tr>
<tr class="even">
<td><p>Ethernet Gbps</p></td>
<td><p>{556C1E6B-B8D4-448E-836D-9451BA4CCE75}</p></td>
</tr>
</tbody>
</table>
 
For `CMST_CONNECTION_DEVICE_TYPE`, specify the GUID for the desired device type. The curly brackets {} around the GUID are required. The following device types are available:
<table>
<colgroup>
<col width="20%" />
<col width="80%" />
</colgroup>
<thead>
<tr class="header">
<th>Device type</th>
<th>GUID</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>Cellular device</p></td>
<td><p>{F9A53167-4016-4198-9B41-86D9522DC019}</p></td>
</tr>
<tr class="even">
<td><p>Ethernet</p></td>
<td><p>{97844272-00C7-4572-B20A-D8D861C095F2}</p></td>
</tr>
<tr class="odd">
<td><p>Bluetooth</p></td>
<td><p>{1D793123-701A-4fd0-B6AE-9C3C57E99C2C}</p></td>
</tr>
<tr class="even">
<td><p>Virtual</p></td>
<td><p>{EAA02CE5-9C70-4E87-97FE-55C9DEC847D4}</p></td>
</tr>
</tbody>
</table>
 
<a href="" id="type"></a>**Type**
Specifies the type of connection being referenced. The following list describes the available connection types:
- `CMST_CONNECTION_NAME` A connection specified by name.
- `CMST_CONNECTION_TYPE` Any connection of a specified type.
- `CMST_CONNECTION_NETWORK_TYPE` Any connection of a specified network type.
- `CMST_CONNECTION_DEVICE_TYPE` Any connection of the specified device type.
## OMA client provisioning examples
Adding an application-based mapping policy. In this example, the ConnectionId for type CMST\_CONNECTION\_NAME is set to the name of the connection (“GPRSConn1”) that is configured with the CM\_CellularEntries configuration service provider.
``` syntax
<wap-provisioningdoc>
<characteristic type="CM_CellularEntries">
<characteristic type="GPRSConn1">
<parm name="ConnectionType" value="gprs" />
<characteristic type="DevSpecificCellular">
<parm name="GPRSInfoAccessPointName" value="apn.adatum.com" />
</characteristic>
<parm name="AlwaysOn" value="0" />
<parm name="Enabled" value="1" />
</characteristic>
</characteristic>
<characteristic type="CMPolicy">
<characteristic type="Policy1">
<parm name="SID" value="{A05D1234-F393-9385-AA89-CD3E049367D2}" />
<parm name="ClientType" value="app" />
<parm name="Host" value="*.+" />
<parm name="OrderedConnections" value="1" />
<characteristic type="Connections">
<characteristic type="Conn000">
<parm name="Type" value="CMST_CONNECTION_DEVICE_TYPE" />
<parm name="ConnectionId" value="{F9A53167-4016-4198-9B41-86D9522DC019}" />
</characteristic>
<characteristic type="Conn001">
<parm name="Type" value="CMST_CONNECTION_NETWORK_TYPE" />
<parm name="ConnectionId" value="{AFB7D659-FC1F-4EA5-BDD0-0FDA62676D96}" />
</characteristic>
<characteristic type="Conn002">
<parm name="Type" value="CMST_CONNECTION_NAME" />
<parm name="ConnectionId" value="GPRSConn1" />
</characteristic>
<characteristic type="Conn003">
<parm name="Type" value="CMST_CONNECTION_TYPE" />
<parm name="ConnectionId" value="{072FC7DC-1D93-40d1-9BB0-2114D7D73434}" />
</characteristic>
</characteristic>
</characteristic>
</characteristic>
</wap-provisioningdoc>
```
Adding a host-based mapping policy. In this example, the ConnectionId for type CMST\_CONNECTION\_NAME is set to the name of the connection (“GPRSConn1”) that is configured with the CM\_CellularEntries configuration service provider.
``` syntax
<wap-provisioningdoc>
<characteristic type="CM_CellularEntries">
<characteristic type="GPRSConn1">
<parm name="ConnectionType" value="gprs" />
<characteristic type="DevSpecificCellular">
<parm name="GPRSInfoAccessPointName" value="apn.adatum.com" />
</characteristic>
<parm name="AlwaysOn" value="0" />
<parm name="Enabled" value="1" />
</characteristic>
</characteristic>
<characteristic type="CMPolicy">
<characteristic type="Policy3">
<parm name="SID" value="*" />
<parm name="ClientType" value="*" />
<parm name="Host" value="*.contoso.com" />
<parm name="OrderedConnections" value="1" />
<characteristic type="Connections">
<characteristic type="Conn000">
<parm name="Type" value="CMST_CONNECTION_DEVICE_TYPE" />
<parm name="ConnectionId" value="{F9A53167-4016-4198-9B41-86D9522DC019}" />
</characteristic>
<characteristic type="Conn001">
<parm name="Type" value="CMST_CONNECTION_NETWORK_TYPE" />
<parm name="ConnectionId" value="{AFB7D659-FC1F-4EA5-BDD0-0FDA62676D96}" />
</characteristic>
<characteristic type="Conn002">
<parm name="Type" value="CMST_CONNECTION_NAME" />
<parm name="ConnectionId" value="GPRSConn1" />
</characteristic>
<characteristic type="Conn003">
<parm name="Type" value="CMST_CONNECTION_TYPE" />
<parm name="ConnectionId" value="{072FC7DC-1D93-40d1-9BB0-2114D7D73434}" />
</characteristic>
</characteristic>
</characteristic>
</characteristic>
</wap-provisioningdoc>
```
## OMA DM examples
Adding an application-based mapping policy:
``` syntax
<SyncML>
<SyncBody>
<Atomic>
<CmdID>8000</CmdID>
<Add>
<CmdID>8051</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CMPolicy/BTHPolicy4/SID</LocURI>
</Target>
<Data>{A05D1234-F393-9385-AA89-CD3E049367D2}</Data>
</Item>
</Add>
<Add>
<CmdID>8052</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CMPolicy/BTHPolicy4/ClientType</LocURI>
</Target>
<Data>app</Data>
</Item>
</Add>
<Add>
<CmdID>8053</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CMPolicy/BTHPolicy4/Host</LocURI>
</Target>
<Data>*.+</Data>
</Item>
</Add>
<Add>
<CmdID>8054</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CMPolicy/BTHPolicy4/OrderedConnections</LocURI>
</Target>
<Data>1</Data>
</Item>
</Add>
<Add>
<CmdID>8055</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CMPolicy/BTHPolicy4/Connections/Conn000/ConnectionId</LocURI>
</Target>
<Data>{A05DC613-E393-40AD-AA89-CCCE04277CD9}</Data>
</Item>
</Add>
<Add>
<CmdID>8056</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CMPolicy/BTHPolicy4/Connections/Conn000/Type</LocURI>
</Target>
<Data>CMST_CONNECTION_DEVICE_TYPE</Data>
</Item>
</Add>
</Atomic>
<Final/>
</SyncBody>
</SyncML>
```
Adding a host-based mapping policy:
``` syntax
<SyncML>
<SyncBody>
<Atomic>
<CmdID>8000</CmdID>
<Add>
<CmdID>8049</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CMPolicy/BTHPolicy6/SID</LocURI>
</Target>
<Data>*</Data>
</Item>
</Add>
<Add>
<CmdID>8050</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CMPolicy/BTHPolicy6/ClientType</LocURI>
</Target>
<Data>*</Data>
</Item>
</Add>
<Add>
<CmdID>8051</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CMPolicy/BTHPolicy6/Host</LocURI>
</Target>
<Data>*.contoso.com</Data>
</Item>
</Add>
<Add>
<CmdID>8052</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CMPolicy/BTHPolicy6/OrderedConnections</LocURI>
</Target>
<Data>1</Data>
</Item>
</Add>
<Add>
<CmdID>8053</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CMPolicy/BTHPolicy6/Connections/Conn000/ConnectionId</LocURI>
</Target>
<Data>{AFB7D659-FC1F-4EA5-BDD0-0FDA62676D96}</Data>
</Item>
</Add>
<Add>
<CmdID>8054</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CMPolicy/BTHPolicy6/Connections/Conn000/Type</LocURI>
</Target>
<Data>CMST_CONNECTION_NETWORK_TYPE</Data>
</Item>
</Add>
</Atomic>
<Final/>
</SyncBody>
</SyncML>
```
## Microsoft Custom Elements
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Element</th>
<th>Available</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>parm-query</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="even">
<td><p>nocharacteristic</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="odd">
<td><p>characteristic-query</p></td>
<td><p>Yes</p>
<p>Recursive query: Yes</p>
<p>Top level query: Yes</p></td>
</tr>
</tbody>
</table>
 
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
 
 

516
windows/client-management/mdm/cmpolicyenterprise-csp.md Normal file
View File

@ -0,0 +1,516 @@
---
title: CMPolicyEnterprise CSP
description: CMPolicyEnterprise CSP
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: A0BE3458-ABED-4F80-B467-F842157B94BF
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# CMPolicyEnterprise CSP
The CMPolicyEnterprise configuration service provider is used by the enterprise to define rules that the Connection Manager uses to identify the correct connection for a connection request.
> **Note**  
This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_NETWORKING\_ADMIN capabilities to be accessed from a network configuration application.
 
Each policy entry identifies one or more applications in combination with a host pattern. The policy entry is assigned a list of connection details that Connection Manager uses to satisfy connection requests matching the application and host patterns. CMPolicyEnterprise configuration service provider can have multiple policies
**Policy Ordering**: There is no explicit ordering of policies. The general rule is that the most concrete or specific policy mappings take a higher precedence.
**Default Policies**: Policies are applied in order of their scope with the most specific policies considered before the more general policies. The phones default behavior applies to all applications and all domains and is only used when no other, more specific policy is available. The default policy is to use any available Wi-Fi network first and then any available APN.
The following diagram shows the CMPolicyEnterprise configuration service provider management object in tree format as used by both Open Mobile Alliance (OMA) Client Provisioning and OMA Device Management.
![cmpolicy csp (dm,cp)](images/provisioning-csp-cmpolicyenterprise.png)
<a href="" id="policyname"></a>***policyName***
Defines the name of the policy.
<a href="" id="sid"></a>**SID**
The value of SID depends on the ClientType.
For Universal Windows Platform (UWP) app-based mapping policies, SID is the Package family name without curly brackets {}, not the application.
For non-UWP application-based mapping policies, SID is the application product ID in GUID format. The curly brackets {} around the GUID are required.
For host-based mapping policies, SID must be set to `*`.
<a href="" id="clienttype"></a>**ClientType**
Specifies the mapping policy type.
The following list describes the available mapping policy types:
- Application-based mapping policies are applied to applications. To specify this mapping type, use the value `app`.
- Host-based mapping policies are applied to all types of clients requesting connections to specified host(s). To specify this mapping type, use the value `*`.
<a href="" id="host"></a>**Host**
Specifies the name of a host pattern. The host name is matched to the connection request to select the right policy to use.
The host pattern can have two wild cards, "\*" and "+". The host pattern is not a URL pattern and there is no concept of transport or paths on the specific host. For example, the host pattern might be "\*.host\_name.com" to match any prefix to the host\_name.com domains. The host pattern will match "www.host\_name.com" and "mail.host\_name.com", but it will not match "host\_name.com".
<a href="" id="orderedconnections"></a>**OrderedConnections**
Specifies whether the list of connections is in preference order.
A value of "0" specifies that the connections are not listed in order of preference. A value of "1" indicates that the listed connections are in order of preference.
<a href="" id="connxxx"></a>**Conn****_XXX_**
Enumerates the connections associated with the policy. Element names begin with "Conn" followed by three digits which increment starting from "000". For example, a policy which applied to five connections would have element entries named "Conn000", "Conn001", "Conn002", "Conn003", and "Conn004".
<a href="" id="connectionid"></a>**ConnectionID**
Specifies a unique identifier for a connection within a group of connections. The exact value is based on the Type parameter.
For `CMST_CONNECTION_NAME`, specify the connection name. For example, if you have a connection configured by using the CM\_CellularEntries configuration service provider, the connection name could be the name of the connection. If you have a NAP configured with the NAPID set to “GPRS1”, the connection name could be “GPRS1@WAP”.
For `CMST_CONNECTION_TYPE`, specify the GUID for the desired connection type. The curly brackets {} around the GUID are required. The following connection types are available:
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Connection type</th>
<th>GUID</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>GSM</p></td>
<td><p>{A05DC613-E393-40ad-AA89-CCCE04277CD9}</p></td>
</tr>
<tr class="even">
<td><p>CDMA</p></td>
<td><p>{274AD55A-4A70-4E35-93B3-AE2D2E6727FC}</p></td>
</tr>
<tr class="odd">
<td><p>Legacy 3GPP</p></td>
<td><p>{6DE4C04B-B74E-47FA-99E5-8F2097C06A92}</p></td>
</tr>
<tr class="even">
<td><p>LTE</p></td>
<td><p>{2378E547-8312-46A5-905E-5C581E92693B}</p></td>
</tr>
<tr class="odd">
<td><p>Wi-Fi</p></td>
<td><p>{8568B401-858E-4B7B-B3DF-0FD4927F131B}</p></td>
</tr>
<tr class="even">
<td><p>Wi-Fi hotspot</p></td>
<td><p>{072FC7DC-1D93-40D1-9BB0-2114D7D73434}</p></td>
</tr>
</tbody>
</table>
 
For `CMST_CONNECTION_NETWORK_TYPE`, specify the GUID for the desired network type. The curly brackets {} around the GUID are required. The following network types are available:
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Network type</th>
<th>GUID</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>GPRS</p></td>
<td><p>{AFB7D659-FC1F-4EA5-BDD0-0FDA62676D96}</p></td>
</tr>
<tr class="even">
<td><p>1XRTT</p></td>
<td><p>{B1E700AE-A62F-49FF-9BBE-B880C995F27D}</p></td>
</tr>
<tr class="odd">
<td><p>EDGE</p></td>
<td><p>{C347F8EC-7095-423D-B838-7C7A7F38CD03}</p></td>
</tr>
<tr class="even">
<td><p>WCDMA UMTS</p></td>
<td><p>{A72F04C6-9BE6-4151-B5EF-15A53E12C482}</p></td>
</tr>
<tr class="odd">
<td><p>WCDMA FOMA</p></td>
<td><p>{B8326098-F845-42F3-804E-8CC3FF7B50B4}</p></td>
</tr>
<tr class="even">
<td><p>1XEVDO</p></td>
<td><p>{DD42DF39-EBDF-407C-8146-1685416401B2}</p></td>
</tr>
<tr class="odd">
<td><p>1XEVDV</p></td>
<td><p>{61BF1BFD-5218-4CD4-949C-241CA3F326F6}</p></td>
</tr>
<tr class="even">
<td><p>HSPA HSDPA</p></td>
<td><p>{047F7282-BABD-4893-AA77-B8B312657F8C}</p></td>
</tr>
<tr class="odd">
<td><p>HSPA HSUPA</p></td>
<td><p>{1536A1C6-A4AF-423C-8884-6BDDA3656F84}</p></td>
</tr>
<tr class="even">
<td><p>LTE</p></td>
<td><p>{B41CBF43-6994-46FF-9C2F-D6CA6D45889B}</p></td>
</tr>
<tr class="odd">
<td><p>EHRPD</p></td>
<td><p>{7CFA04A5-0F3F-445C-88A4-C86ED2AD94EA}</p></td>
</tr>
<tr class="even">
<td><p>Ethernet 10Mbps</p></td>
<td><p>{97D3D1B3-854A-4C32-BD1C-C13069078370}</p></td>
</tr>
<tr class="odd">
<td><p>Ethernet 100Mbps</p></td>
<td><p>{A8F4FE66-8D04-43F5-9DD2-2A85BD21029B}</p></td>
</tr>
<tr class="even">
<td><p>Ethernet Gbps</p></td>
<td><p>{556C1E6B-B8D4-448E-836D-9451BA4CCE75}</p></td>
</tr>
</tbody>
</table>
 
For `CMST_CONNECTION_DEVICE_TYPE`, specify the GUID for the desired device type. The curly brackets {} around the GUID are required. The following device types are available:
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Device type</th>
<th>GUID</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>Cellular device</p></td>
<td><p>{F9A53167-4016-4198-9B41-86D9522DC019}</p></td>
</tr>
<tr class="even">
<td><p>Ethernet</p></td>
<td><p>{97844272-00C7-4572-B20A-D8D861C095F2}</p></td>
</tr>
<tr class="odd">
<td><p>Bluetooth</p></td>
<td><p>{1D793123-701A-4fd0-B6AE-9C3C57E99C2C}</p></td>
</tr>
<tr class="even">
<td><p>Virtual</p></td>
<td><p>{EAA02CE5-9C70-4E87-97FE-55C9DEC847D4}</p></td>
</tr>
</tbody>
</table>
 
<a href="" id="type"></a>**Type**
Specifies the type of connection being referenced. The following list describes the available connection types:
- `CMST_CONNECTION_NAME` A connection specified by name.
- `CMST_CONNECTION_TYPE` Any connection of a specified type.
- `CMST_CONNECTION_NETWORK_TYPE` Any connection of a specified device type.
- `CMST_CONNECTION_DEVICE_TYPE` Any connection of the specified network type.
## OMA client provisioning examples
Adding an application-based mapping policy. In this example, the ConnectionId for type CMST\_CONNECTION\_NAME is set to the name of the connection (“GPRSConn1”) that is configured with the CM\_CellularEntries configuration service provider.
``` syntax
<wap-provisioningdoc>
<characteristic type="CM_CellularEntries">
<characteristic type="GPRSConn1">
<parm name="ConnectionType" value="gprs" />
<characteristic type="DevSpecificCellular">
<parm name="GPRSInfoAccessPointName" value="apn.adatum.com" />
</characteristic>
<parm name="AlwaysOn" value="0" />
<parm name="Enabled" value="1" />
</characteristic>
</characteristic>
<characteristic type="CMPolicyEnterprise">
<characteristic type="Policy1">
<parm name="SID" value="{A05D1234-F393-9385-AA89-CD3E049367D2}" />
<parm name="ClientType" value="app" />
<parm name="Host" value="*.+" />
<parm name="OrderedConnections" value="1" />
<characteristic type="Connections">
<characteristic type="Conn000">
<parm name="Type" value="CMST_CONNECTION_DEVICE_TYPE" />
<parm name="ConnectionId" value="{F9A53167-4016-4198-9B41-86D9522DC019}" />
</characteristic>
<characteristic type="Conn001">
<parm name="Type" value="CMST_CONNECTION_NETWORK_TYPE" />
<parm name="ConnectionId" value="{AFB7D659-FC1F-4EA5-BDD0-0FDA62676D96}" />
</characteristic>
<characteristic type="Conn002">
<parm name="Type" value="CMST_CONNECTION_NAME" />
<parm name="ConnectionId" value="GPRSConn1" />
</characteristic>
<characteristic type="Conn003">
<parm name="Type" value="CMST_CONNECTION_TYPE" />
<parm name="ConnectionId" value="{072FC7DC-1D93-40d1-9BB0-2114D7D73434}" />
</characteristic>
</characteristic>
</characteristic>
</characteristic>
</wap-provisioningdoc>
```
Adding a host-based mapping policy. In this example, the ConnectionId for type CMST\_CONNECTION\_NAME is set to the name of the connection (“GPRSConn1”) that is configured with the CM\_CellularEntries configuration service provider.
``` syntax
<wap-provisioningdoc>
<characteristic type="CM_CellularEntries">
<characteristic type="GPRSConn1">
<parm name="ConnectionType" value="gprs" />
<characteristic type="DevSpecificCellular">
<parm name="GPRSInfoAccessPointName" value="apn.adatum.com" />
</characteristic>
<parm name="AlwaysOn" value="0" />
<parm name="Enabled" value="1" />
</characteristic>
</characteristic>
<characteristic type="CMPolicyEnterprise">
<characteristic type="Policy3">
<parm name="SID" value="*" />
<parm name="ClientType" value="*" />
<parm name="Host" value="*.contoso.com" />
<parm name="OrderedConnections" value="1" />
<characteristic type="Connections">
<characteristic type="Conn000">
<parm name="Type" value="CMST_CONNECTION_DEVICE_TYPE" />
<parm name="ConnectionId" value="{F9A53167-4016-4198-9B41-86D9522DC019}" />
</characteristic>
<characteristic type="Conn001">
<parm name="Type" value="CMST_CONNECTION_NETWORK_TYPE" />
<parm name="ConnectionId" value="{AFB7D659-FC1F-4EA5-BDD0-0FDA62676D96}" />
</characteristic>
<characteristic type="Conn002">
<parm name="Type" value="CMST_CONNECTION_NAME" />
<parm name="ConnectionId" value="GPRSConn1" />
</characteristic>
<characteristic type="Conn003">
<parm name="Type" value="CMST_CONNECTION_TYPE" />
<parm name="ConnectionId" value="{072FC7DC-1D93-40d1-9BB0-2114D7D73434}" />
</characteristic>
</characteristic>
</characteristic>
</characteristic>
</wap-provisioningdoc>
```
## OMA DM examples
Adding an application-based mapping policy:
``` syntax
<SyncML>
<SyncBody>
<Atomic>
<CmdID>8000</CmdID>
<Add>
<CmdID>8051</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CMPolicyEnterprise/BTHPolicy4/SID</LocURI>
</Target>
<Data>{A05D1234-F393-9385-AA89-CD3E049367D2}</Data>
</Item>
</Add>
<Add>
<CmdID>8052</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CMPolicyEnterprise/BTHPolicy4/ClientType</LocURI>
</Target>
<Data>app</Data>
</Item>
</Add>
<Add>
<CmdID>8053</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CMPolicyEnterprise/BTHPolicy4/Host</LocURI>
</Target>
<Data>*.+</Data>
</Item>
</Add>
<Add>
<CmdID>8054</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CMPolicyEnterprise/BTHPolicy4/OrderedConnections</LocURI>
</Target>
<Data>1</Data>
</Item>
</Add>
<Add>
<CmdID>8055</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CMPolicyEnterprise/BTHPolicy4/Connections/Conn000/ConnectionId</LocURI>
</Target>
<Data>{A05DC613-E393-40AD-AA89-CCCE04277CD9}</Data>
</Item>
</Add>
<Add>
<CmdID>8056</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CMPolicyEnterprise/BTHPolicy4/Connections/Conn000/Type</LocURI>
</Target>
<Data>CMST_CONNECTION_DEVICE_TYPE</Data>
</Item>
</Add>
</Atomic>
<Final/>
</SyncBody>
</SyncML>
```
Adding a host-based mapping policy:
``` syntax
<SyncML>
<SyncBody>
<Atomic>
<CmdID>8000</CmdID>
<Add>
<CmdID>8049</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CMPolicyEnterprise/BTHPolicy6/SID</LocURI>
</Target>
<Data>*</Data>
</Item>
</Add>
<Add>
<CmdID>8050</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CMPolicyEnterprise/BTHPolicy6/ClientType</LocURI>
</Target>
<Data>*</Data>
</Item>
</Add>
<Add>
<CmdID>8051</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CMPolicyEnterprise/BTHPolicy6/Host</LocURI>
</Target>
<Data>*.contoso.com</Data>
</Item>
</Add>
<Add>
<CmdID>8052</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CMPolicyEnterprise/BTHPolicy6/OrderedConnections</LocURI>
</Target>
<Data>1</Data>
</Item>
</Add>
<Add>
<CmdID>8053</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CMPolicyEnterprise/BTHPolicy6/Connections/Conn000/ConnectionId</LocURI>
</Target>
<Data>{AFB7D659-FC1F-4EA5-BDD0-0FDA62676D96}</Data>
</Item>
</Add>
<Add>
<CmdID>8054</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CMPolicyEnterprise/BTHPolicy6/Connections/Conn000/Type</LocURI>
</Target>
<Data>CMST_CONNECTION_NETWORK_TYPE</Data>
</Item>
</Add>
</Atomic>
<Final/>
</SyncBody>
</SyncML>
```
## Microsoft Custom Elements
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Element</th>
<th>Available</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>parm-query</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="even">
<td><p>nocharacteristic</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="odd">
<td><p>characteristic-query</p></td>
<td><p>Yes</p>
<p>Recursive query: Yes</p>
<p>Top level query: Yes</p></td>
</tr>
</tbody>
</table>
 
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
 
 

318
windows/client-management/mdm/cmpolicyenterprise-ddf-file.md Normal file
View File

@ -0,0 +1,318 @@
---
title: CMPolicyEnterprise DDF file
description: CMPolicyEnterprise DDF file
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: 065EF07A-0CF3-4EE5-B620-3464A75B7EED
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# CMPolicyEnterprise DDF file
This topic shows the OMA DM device description framework (DDF) for the **CMPolicyEnterprise** configuration service provider. DDF files are used only with OMA DM provisioning XML.
You can download the DDF files from the links below:
- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip)
The XML below is the current version for this CSP.
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>CMPolicyEnterprise</NodeName>
<!-- NOTE: from here below, CMPolicy and CMPolicyEnterprise should be identical -->
<Path>./Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>com.microsoft/1.0/MDM/CMPolicyEnterprise</MIME>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
</AccessType>
<Description>The name of the policy</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrMore />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFTitle>PolicyName</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>SID</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>The value of SID depends on the ClienType</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFTitle>SID</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>ClientType</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Specifies the mapping policy type</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFTitle>ClientType</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Host</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Specifies the name of a host pattern</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFTitle>Host</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>OrderedConnections</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Specifies whether the list of connections is in preference order</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFTitle>OrderedConnection</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Connections</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<CaseSense>
<CS />
</CaseSense>
<DFTitle>Connections</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
</AccessType>
<Description>Connection associated with the policy</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrMore />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFTitle>ConnXXX</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>ConnectionID</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>A unique identifier for a connection within a group of connections</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFTitle>ConnectionID</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Type</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>The type of connection being referenced</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFTitle>Type</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</Node>
</Node>
</MgmtTree>
```
## Related topics
[CMPolicyEnterprise configuration service provider](cmpolicyenterprise-csp.md)
 
 

1060
windows/client-management/mdm/configuration-service-provider-reference.md Normal file
View File

File diff suppressed because it is too large Load Diff

97
windows/client-management/mdm/create-a-custom-configuration-service-provider.md Normal file
View File

@ -0,0 +1,97 @@
---
title: Create a custom configuration service provider
description: Create a custom configuration service provider
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: 0cb37f03-5bf2-4451-8276-23f4a1dee33f
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# Create a custom configuration service provider
Mobile device OEMs can create custom configuration service providers to manage their devices. A configuration service provider includes an interface for creating, editing, and deleting nodes, and the nodes themselves. Each node contains data for one registry value and can optionally support get, set, and delete operations.
To design a custom configuration service provider, the OEM must perform the following steps:
1. Establish node semantics
2. Shape the configuration service provider's subtree
3. Choose a transactioning scheme for each node
4. Determine node operations
For more information, see [Designing a custom configuration service provider](design-a-custom-windows-csp.md).
To write a custom configuration service provider, the OEM must implement the following interfaces:
- [IConfigServiceProvider2](iconfigserviceprovider2.md) (one per configuration service provider)
- [ICSPNode](icspnode.md) (one per node)
- [ICSPNodeTransactioning](icspnodetransactioning.md) (optional, for internally transactioned nodes only)
- [ICSPValidate](icspvalidate.md) (optional, for UI only)
This code must be compiled into a single .dll file and added to a package by using the instructions found in "Adding content to a package" in [Creating packages](https://msdn.microsoft.com/en-us/library/windows/hardware/dn756642). While writing this code, OEMs can store registry settings and files in the following locations.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<tbody>
<tr class="odd">
<td><p><strong>File location</strong></p></td>
<td><p>%DataDrive%\SharedData\OEM\CSP\</p></td>
</tr>
<tr class="even">
<td><p><strong>Registry location</strong></p></td>
<td><p>$(HKLM.SOFTWARE)\OEM\CSP\</p></td>
</tr>
</tbody>
</table>
For examples of how to perform common tasks such as adding a node, replacing a node's value, querying a node's value, or enumerating a node's children, see [Samples for writing a custom configuration service provider](samples-for-writing-a-custom-configuration-service-provider.md).
To register the configuration service provider as a COM object, you must add the following registry setting to your package. This step is required. In the following sample, replace *uniqueCSPguid* with a new, unique CLSID generated for this purpose. Replace *dllName* with the name of the .dll file that contains the code for your configuration service provider.
``` syntax
<RegKeys>
<RegKey KeyName="$(HKCR.CLASSES)\CLSID\{uniqueCSPguid}\InprocServer32">
<RegValue Name="@" Type="REG_SZ" Value="dllName.dll" />
</RegKey>
</RegKeys>
```
To register the configuration service provider with ConfigManager2, you must add the following registry setting to your package. This step is required. In the following sample, replace *dllName* with the name of the configuration service provider (the name of the root node). Replace *uniqueCSPguid* with the same *uniqueCSPguid* value as in the preceding example.
``` syntax
<RegKeys>
<RegKey KeyName="$(HKLM.SOFTWARE)\Microsoft\Provisioning\CSPs\.\Vendor\OEM\{Name}">
<RegValue Name="@" Value="{uniqueCSPguid}" Type="REG_SZ"/>
</RegKey>
</RegKeys>
```
To make the configuration service provider accessible from WAP XML, you must register it with the WAP data processing unit by setting the following registry key in your package. Replace *Name* with the name of the configuration service provider. Leave the GUID value exactly as written here.
``` syntax
<RegKeys>
<RegKey KeyName="$(HKLM.SOFTWARE)\Classes\Name">
<RegValue Name="WAPNodeProcessor" Value="{FB11047A-4051-4d1d-9DCA-C80C5DF98D70}"
Type="REG_SZ"/>
</RegKey>
</RegKeys>
```
 

109
windows/client-management/mdm/customdeviceui-csp.md Normal file
View File

@ -0,0 +1,109 @@
---
title: CustomDeviceUI CSP
description: CustomDeviceUI CSP
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: 20ED1867-7B9E-4455-B397-53B8B15C95A3
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# CustomDeviceUI CSP
The CustomDeviceUI configuration service provider allows OEMs to implement their custom foreground application, as well as the background tasks to run on an IoT device running IoT Core. Only one foreground application is supported per device. Multiple background tasks are supported.
The following diagram shows the CustomDeviceUI configuration service provider in tree format as used by both the Open Mobile Alliance (OMA) Device Management (DM) and OMA Client Provisioning.
> **Note**  This configuration service provider only applies to Windows 10 IoT Core (IoT Core).
![customdeviceui csp](images/provisioning-csp-customdeviceui.png)
<a href="" id="./Vendor/MSFT/CustomDeviceUI"></a>**./Vendor/MSFT/CustomDeviceUI**
The root node for the CustomDeviceUI configuration service provider. The supported operation is Get.
<a href="" id="StartupAppID"></a>**StartupAppID**
AppID string value is the default appid/AUMID to launch during startup. The supported operations are Get and Replace.
<a href="" id="BackgroundTasksToLaunch"></a>**BackgroundTasksToLaunch**
List of package names of background tasks that need to be launched on device startup. The supported operation is Get.
<a href="" id="BackgroundTasksToLaunch/BackgroundTaskPackageName"></a>**BackgroundTasksToLaunch/****_BackgroundTaskPackageName_**
Package Full Name of the App that needs be launched in the background. This can contain no entry points, a single entry point, or multiple entry points. The supported operations are Add, Delete, Get, and Replace.
## SyncML examples
**Set StartupAppID**
``` syntax
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CustomDeviceUI/StartupAppID</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>DefaultApp_cw5n1h2txyewy!App</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
```
**Get all background tasks**
``` syntax
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Get>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CustomDeviceUI/BackgroundTaskstoLaunch?list=Struct</LocURI>
</Target>
</Item>
</Get>
<Final/>
</SyncBody>
</SyncML>
```
**Add background task**
``` syntax
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Add>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CustomDeviceUI/BackgroundTaskstoLaunch/BackgroundService1_1.3.0.1_neutral__8wekyb3d8bbwe</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>0</Data>
</Item>
</Add>
<Final/>
</SyncBody>
</SyncML>
```
 
 

149
windows/client-management/mdm/customdeviceui-ddf.md Normal file
View File

@ -0,0 +1,149 @@
---
title: CustomDeviceUI DDF
description: CustomDeviceUI DDF
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: E6D6B902-C57C-48A6-9654-CCBA3898455E
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# CustomDeviceUI DDF
This topic shows the OMA DM device description framework (DDF) for the **CustomDeviceUI** configuration service provider. DDF files are used only with OMA DM provisioning XML.
You can download the DDF files from the links below:
- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip)
The XML below is the current version for this CSP.
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>CustomDeviceUI</NodeName>
<Path>./Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>com.microsoft/1.0/MDM/CustomDeviceUI</MIME>
</DFType>
</DFProperties>
<Node>
<NodeName>StartupAppID</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<Description>AppID string value is the default appid/AUMID to launch during boot up </Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>BackgroundTasksToLaunch</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>List of package names of background tasks that needs to be launched on boot.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFTitle>Background Tasks to Launch</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Package Full Name of the App that needs be launched in the background. This can contain no entry points, a single or multiple entry points</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrMore />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFTitle>BackgroundTaskPackageName</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</MgmtTree>
```
## Related topics
[CustomDeviceUI configuration service provider](customdeviceui-csp.md)
 
 

1151
windows/client-management/mdm/data-structures-windows-store-for-business.md Normal file
View File

File diff suppressed because it is too large Load Diff

328
windows/client-management/mdm/defender-csp.md Normal file
View File

@ -0,0 +1,328 @@
---
title: Defender CSP
description: Defender CSP
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: 481AA74F-08B2-4A32-B95D-5A3FD05B335C
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# Defender CSP
The Windows Defender configuration service provider is used to configure various Windows Defender actions across the enterprise.
The following image shows the Windows Defender configuration service provider in tree format
![defender csp diagram](images/provisioning-csp-defender.png)
<a href="" id="detections"></a>**Detections**
An interior node to group all threats detected by Windows Defender.
Supported operation is Get.
<a href="" id="detections-threatid"></a>**Detections/****_ThreatId_**
The ID of a threat that has been detected by Windows Defender.
Supported operation is Get.
<a href="" id="detections-threatid-name"></a>**Detections/*ThreatId*/Name**
The name of the specific threat.
The data type is a string.
Supported operation is Get.
<a href="" id="detections-threatid-url"></a>**Detections/*ThreatId*/URL**
URL link for additional threat information.
The data type is a string.
Supported operation is Get.
<a href="" id="detections-threatid-severity"></a>**Detections/*ThreatId*/Severity**
Threat severity ID.
The data type is a integer.
The following list shows the supported values:
- 0 = Unknown
- 1 = Low
- 2 = Moderate
- 4 = High
- 5 = Severe
Supported operation is Get.
<a href="" id="detections-threatid-category"></a>**Detections/*ThreatId*/Category**
Threat category ID.
The data type is a integer.
The following table describes the supported values:
| Value | Description |
|-------|-----------------------------|
| 0 | Invalid |
| 1 | Adware |
| 2 | Spyware |
| 3 | Password stealer |
| 4 | Trojan downloader |
| 5 | Worm |
| 6 | Backdoor |
| 7 | Remote access Trojan |
| 8 | Trojan |
| 9 | Email flooder |
| 10 | Keylogger |
| 11 | Dialer |
| 12 | Monitoring software |
| 13 | Browser modifier |
| 14 | Cookie |
| 15 | Browser plugin |
| 16 | AOL exploit |
| 17 | Nuker |
| 18 | Security disabler |
| 19 | Joke program |
| 20 | Hostile ActiveX control |
| 21 | Software bundler |
| 22 | Stealth modifier |
| 23 | Settings modifier |
| 24 | Toolbar |
| 25 | Remote control software |
| 26 | Trojan FTP |
| 27 | Potential unwanted software |
| 28 | ICQ exploit |
| 29 | Trojan telnet |
| 30 | Exploit |
| 31 | File sharing program |
| 32 | Malware creation tool |
| 33 | Remote control software |
| 34 | Tool |
| 36 | Trojan denial of service |
| 37 | Trojan dropper |
| 38 | Trojan mass mailer |
| 39 | Trojan monitoring software |
| 40 | Trojan proxy server |
| 42 | Virus |
| 43 | Known |
| 44 | Unknown |
| 45 | SPP |
| 46 | Behavior |
| 47 | Vulnerability |
| 48 | Policy |
 
Supported operation is Get.
<a href="" id="detections-threatid-currentstatus"></a>**Detections/*ThreatId*/CurrentStatus**
Information about the current status of the threat.
The data type is a integer.
The following list shows the supported values:
- 0 = Unknown
- 1 = Detected
- 2 = Cleaned
- 3 = Quarantined
- 4 = Removed
- 5 = Allowed
- 6 = Blocked
- 102 = Clean failed
- 103 = Quarantine failed
- 104 = Remove failed
- 105 = Allow failed
- 106 = Abandoned
- 107 = Block failed
Supported operation is Get.
<a href="" id="detections-threatid-executionstatus"></a>**Detections/*ThreatId*/ExecutionStatus**
Information about the execution status of the threat.
The data type is a integer.
Supported operation is Get.
<a href="" id="detections-threatid-initialdetectiontime"></a>**Detections/*ThreatId*/InitialDetectionTime**
The first time this particular threat was detected.
The data type is a string.
Supported operation is Get.
<a href="" id="detections-threatid-lastthreatstatuschangetime"></a>**Detections/*ThreatId*/LastThreatStatusChangeTime**
The last time this particular threat was changed.
The data type is a string.
Supported operation is Get.
<a href="" id="detections-threatid-numberofdetections"></a>**Detections/*ThreatId*/NumberOfDetections**
Number of times this threat has been detected on a particular client.
The data type is a integer.
Supported operation is Get.
<a href="" id="health"></a>**Health**
An interior node to group information about Windows Defender health status.
Supported operation is Get.
<a href="" id="health-computerstate"></a>**Health/ComputerState**
Provide the current state of the device.
The data type is a integer.
The following list shows the supported values:
- 0 = Clean
- 1 = Pending full scan
- 2 = Pending reboot
- 4 = Pending manual steps
- 8 = Pending offline scan
- 16 = Pending critical failure
Supported operation is Get.
<a href="" id="health-defenderenabled"></a>**Health/DefenderEnabled**
Indicates whether the Windows Defender service is running.
The data type is a boolean.
Supported operation is Get.
<a href="" id="health-rtpenabled"></a>**Health/RtpEnabled**
Indicates whether real-time protection is running.
The data type is a boolean.
Supported operation is Get.
<a href="" id="health-nisenabled"></a>**Health/NisEnabled**
Indicates whether network protection is running.
The data type is a boolean.
Supported operation is Get.
<a href="" id="health-quickscanoverdue"></a>**Health/QuickScanOverdue**
Indicates whether a Windows Defender quick scan is overdue for the device.
The data type is a boolean.
Supported operation is Get.
<a href="" id="health-fullscanoverdue"></a>**Health/FullScanOverdue**
Indicates whether a Windows Defender full scan is overdue for the device.
The data type is a boolean.
Supported operation is Get.
<a href="" id="health-signatureoutofdate"></a>**Health/SignatureOutOfDate**
Indicates whether the Windows Defender signature is outdated.
The data type is a boolean.
Supported operation is Get.
<a href="" id="health-rebootrequired"></a>**Health/RebootRequired**
Indicates whether a device reboot is needed.
The data type is a boolean.
Supported operation is Get.
<a href="" id="health-fullscanrequired"></a>**Health/FullScanRequired**
Indicates whether a Windows Defender full scan is required.
The data type is a boolean.
Supported operation is Get.
<a href="" id="health-engineversion"></a>**Health/EngineVersion**
Version number of the current Windows Defender engine on the device.
The data type is a string.
Supported operation is Get.
<a href="" id="health-signatureversion"></a>**Health/SignatureVersion**
Version number of the current Windows Defender signatures on the device.
The data type is a string.
Supported operation is Get.
<a href="" id="health-defenderversion"></a>**Health/DefenderVersion**
Version number of Windows Defender on the device.
The data type is a string.
Supported operation is Get.
<a href="" id="health-quickscantime"></a>**Health/QuickScanTime**
Time of the last Windows Defender quick scan of the device.
The data type is a string.
Supported operation is Get.
<a href="" id="health-fullscantime"></a>**Health/FullScanTime**
Time of the last Windows Defender full scan of the device.
The data type is a string.
Supported operation is Get.
<a href="" id="health-quickscansigversion"></a>**Health/QuickScanSigVersion**
Signature version used for the last quick scan of the device.
The data type is a string.
Supported operation is Get.
<a href="" id="health-fullscansigversion"></a>**Health/FullScanSigVersion**
Signature version used for the last full scan of the device.
The data type is a string.
Supported operation is Get.
<a href="" id="scan"></a>**Scan**
Node that can be used to start a Windows Defender scan on a device.
Valid values are:
- 1 - quick scan
- 2 - full scan
Supported operations are Get and Execute.
<a href="" id="updatesignature"></a>**UpdateSignature**
Node that can be used to perform signature updates for Windows Defender.
Supported operations are Get and Execute.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
 
 

674
windows/client-management/mdm/defender-ddf.md Normal file
View File

@ -0,0 +1,674 @@
---
title: Defender DDF file
description: Defender DDF file
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: 39B9E6CF-4857-4199-B3C3-EC740A439F65
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# Defender DDF file
This topic shows the OMA DM device description framework (DDF) for the **Defender** configuration service provider. DDF files are used only with OMA DM provisioning XML.
You can download the DDF files from the links below:
- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip)
The XML below is the current version for this CSP.
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>Defender</NodeName>
<Path>./Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Detections</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrMore />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>ThreatId</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Name</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>URL</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Severity</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Category</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>CurrentStatus</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>ExecutionStatus</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>InitialDetectionTime</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>LastThreatStatusChangeTime</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>NumberOfDetections</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
<Node>
<NodeName>Health</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>ComputerState</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>DefenderEnabled</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>RtpEnabled</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>NisEnabled</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>QuickScanOverdue</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>FullScanOverdue</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>SignatureOutOfDate</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>RebootRequired</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>FullScanRequired</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>EngineVersion</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>SignatureVersion</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>DefenderVersion</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>QuickScanTime</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>FullScanTime</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>QuickScanSigVersion</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>FullScanSigVersion</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>Scan</NodeName>
<DFProperties>
<AccessType>
<Exec />
<Get />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>UpdateSignature</NodeName>
<DFProperties>
<AccessType>
<Exec />
<Get />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</MgmtTree>
```
## Related topics
[Defender configuration service provider](defender-csp.md)
 
 

169
windows/client-management/mdm/design-a-custom-windows-csp.md Normal file
View File

@ -0,0 +1,169 @@
---
title: Design a custom configuration service provider
description: Design a custom configuration service provider
MS-HAID:
- 'p\_phDeviceMgmt.designing\_a\_custom\_configuration\_service\_provider'
- 'p\_phDeviceMgmt.design\_a\_custom\_windows\_csp'
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: 0fff9516-a71a-4036-a57b-503ef1a81a37
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# Design a custom configuration service provider
To design a custom configuration service provider, the OEM must perform the following steps:
1. Establish node semantics
2. Shape the configuration service provider's subtree
3. Choose a transactioning scheme for each node
4. Determine node operations
For more information about the larger process of writing a new configuration service provider, see [Create a custom configuration service provider](create-a-custom-configuration-service-provider.md).
## Establish node semantics
First, determine the nodes you need based on the kind of data to be stored in the registry.
Nodes can represent anything from abstract concepts or collections (such as email accounts or connection settings) to more concrete objects (such as registry keys and values, directories, and files).
### Example
For example, a hypothetical Email configuration service provider might have these nodes:
- Account: The name of the email account (such as "Hotmail")
- Username: The user name or email address ("exampleAccount@hotmail.com")
- Password: The user's password
- Server: The DNS address of the server ("mail-serv1-example.mail.hotmail.com")
The `Account`, `Username`, and `Server` nodes would hold text-based information about the email account, the user's email address, and the server address associated with that account. The `Password` node, however, might hold a binary hash of the user's password.
## Shape the configuration service provider's subtree
After determining what the nodes represent, decide where each node fits in the settings hierarchy.
The root node of a configuration service provider's subtree must be the name of the configuration service provider. In this example, the root node is `Email`.
All of the nodes defined in the previous step must reside under the configuration service provider's root node. Leaf nodes should be used to store data, and interior nodes should be used to group the data into logical collections. Node URIs must be unique. In other words, no two nodes can have both the same parent and the same name.
There are three typical scenarios for grouping and structuring the nodes:
- If all of the data belongs to the same component and no further categorizing or grouping is required, you can build a flat tree in which all values are stored directly under the root node. For examples of this design, see [DevInfo configuration service provider](devinfo-csp.md), [HotSpot configuration service provider](hotspot-csp.md), and [w4 APPLICATION configuration service provider](w4-application-csp.md).
- If the configuration service provider's nodes represent a preexisting set of entities whose structure is well-defined (such as directories and files), the configuration service provider's nodes can simply mirror the existing structure.
- If the data must be grouped by type or component, a more complex structure is required. This is especially true when there can be multiple instances of the dataset on the device, and each set is indexed by an ID, account name, or account type. In this case, you must build a more complex tree structure. For examples, see [ActiveSync configuration service provider](activesync-csp.md), [CertificateStore configuration service provider](certificatestore-csp.md), and [CMPolicy configuration service provider](cmpolicy-csp.md).
### Example
The following image shows an incorrect way to structure the hypothetical `Email` configuration service provider. The interior `Account` nodes group the account data (server name, user name, and user password).
![provisioning\-customcsp\-example1](images/provisioning-customcsp-example1.png)
However, the account nodes in this design are not unique. Even though the nodes are grouped sensibly, the path for each of the leaf nodes is ambiguous. There is no way to disambiguate the two `Username` nodes, for example, or to reliably access the same node by using the same path. This structure will not work. The easiest solution to this problem is usually to replace an interior node (the grouping node) by:
1. Promoting a child node.
2. Using the node value as the name of the new interior node.
The following design conveys the same amount of information as the first design, but all nodes have a unique path, and therefore it will work.
![provisioning\-customcsp\-example2](images/provisioning-customcsp-example2.png)
In this case, the `Server` nodes have been promoted up one level to replace the `Account` nodes, and their values are now used as the node names. For example, you could have two different email accounts on the phone, with server names "www.hotmail.com" and "exchange.microsoft.com", each of which stores a user name and a password.
Note that the process of shaping the configuration service providers subtree influences the choice of transactioning schemes for each node. If possible, peer nodes should not have dependencies on each other. Internode dependencies other than parent/child relationships create mandatory groups of settings, which makes configuration service provider development more difficult.
## Choose a transactioning scheme for each node
For each node, decide whether to use *external transactioning* or *internal transactioning* to manage the transaction phases (rollback persistence, rollback, and commitment) for the node.
External transactioning is the simplest option because it allows ConfigManager2 to automatically handle the node's transactioning.
However, you must use internal transactioning for the following types of nodes:
- A node that supports the **Execute** method.
- A node that contains sensitive information (such as a password) that must not be saved in plain text in the ConfigManager2 rollback document.
- A node that has a dependency on another node that is not a parent. For example, if a parent node has two children that are both required, the configuration service provider could use internal transactioning to defer provisioning the account until both values are set.
You can choose to mix transactioning modes in your configuration service provider, using internal transactioning for some operations but external transactioning for others. For more information about writing an internally transactioned node, see the [ICSPNodeTransactioning](icspnodetransactioning.md) interface.
## Determine node operations
The operations available for each node can vary depending on the purpose of the configuration service provider. The configuration service provider will be easier to use if the operations are consistent. For more information about the supported operations, see the [ICSPNode](icspnode.md) interface.
For externally transactioned nodes, an operation implementation must include the contrary operations shown in the following table to allow rollback of the operation.
For internally transactioned nodes, the practice of implementing the contrary commands for each command is recommended, but not required.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Node operation</th>
<th>Contrary node operation</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p><strong>Add</strong></p></td>
<td><p><strong>Clear</strong> and <strong>DeleteChild</strong></p></td>
</tr>
<tr class="even">
<td><p><strong>Copy</strong></p></td>
<td><p>To copy to a new node: <strong>Clear</strong> and <strong>DeleteChild</strong></p>
<p>To copy to an existing node: <strong>Add</strong> and <strong>SetValue</strong></p></td>
</tr>
<tr class="odd">
<td><p><strong>Clear</strong></p></td>
<td><p>To restore the state of the deleted node: <strong>SetValue</strong> and <strong>SetProperty</strong></p></td>
</tr>
<tr class="even">
<td><p><strong>DeleteChild</strong></p></td>
<td><p>To restore the old node: <strong>Add</strong></p></td>
</tr>
<tr class="odd">
<td><p><strong>DeleteProperty</strong></p></td>
<td><p>To restore the deleted property: <strong>SetProperty</strong></p></td>
</tr>
<tr class="even">
<td><p><strong>Execute</strong></p></td>
<td><p>Externally transactioned nodes do not support the <strong>Execute</strong> command.</p></td>
</tr>
<tr class="odd">
<td><p><strong>GetValue</strong></p></td>
<td><p>None</p></td>
</tr>
<tr class="even">
<td><p><strong>Move</strong></p></td>
<td><p>To restore a source node: <strong>Move</strong></p>
<p>To restore an overwritten target node: <strong>Add</strong> and <strong>SetValue</strong></p></td>
</tr>
<tr class="odd">
<td><p><strong>SetValue</strong></p></td>
<td><p>To restore the previous value: <strong>SetValue</strong></p></td>
</tr>
</tbody>
</table>
 
 

197
windows/client-management/mdm/devdetail-csp.md Normal file
View File

@ -0,0 +1,197 @@
---
title: DevDetail CSP
description: DevDetail CSP
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: 719bbd2d-508d-439b-b175-0874c7e6c360
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# DevDetail CSP
The DevDetail configuration service provider handles the management object which provides device-specific parameters to the OMA DM server. These device parameters are not sent from the client to the server automatically, but can be queried by servers using OMA DM commands.
> [!NOTE]
> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application.
For the DevDetail CSP, you cannot use the Replace command unless the node already exists.
The following diagram shows the DevDetail configuration service provider management object in tree format as used by OMA Device Management. The OMA Client Provisioning protocol is not supported for this configuration service provider.
![devdetail csp (dm)](images/provisioning-csp-devdetail-dm.png)
<a href="" id="devtyp"></a>**DevTyp**
<p style="margin-left: 20px"><p style="margin-left: 20px">Required. Returns the device model name /SystemProductName as a string.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="oem"></a>**OEM**
<p style="margin-left: 20px">Required. Returns the name of the Original Equipment Manufacturer (OEM) as a string, as defined in the specification SyncML Device Information, version 1.1.2.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="fwv"></a>**FwV**
<p style="margin-left: 20px">Required. Returns the firmware version, as defined in the registry key HKEY\_LOCAL\_MACHINE\\System\\Platform\\DeviceTargetingInfo\\PhoneFirmwareRevision.
<p style="margin-left: 20px">For Windows 10 for desktop editions (Home, Pro, Enterprise, and Education), it returns the BIOS version as defined in the registry key HKEY\_LOCAL\_MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS\\BIOSVersion.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="swv"></a>**SwV**
<p style="margin-left: 20px">Required. Returns the Windows 10 OS software version in the format MajorVersion.MinorVersion.BuildNumber.QFEnumber. Currently the BuildNumber returns the build number on the desktop and mobile build number on the phone. In the future, the build numbers may converge.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="hwv"></a>**HwV**
<p style="margin-left: 20px">Required. Returns the hardware version, as defined in the registry key HKEY\_LOCAL\_MACHINE\\System\\Platform\\DeviceTargetingInfo\\PhoneRadioHardwareRevision.
<p style="margin-left: 20px">For Windows 10 for desktop editions, it returns the BIOS version as defined in the registry key HKEY\_LOCAL\_MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS\\BIOSVersion.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="lrgobj"></a>**LrgObj**
<p style="margin-left: 20px">Required. Returns whether the device uses OMA DM Large Object Handling, as defined in the specification SyncML Device Information, version 1.1.2.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="uri-maxdepth"></a>**URI/MaxDepth**
<p style="margin-left: 20px">Required. Returns the maximum depth of the management tree that the device supports. The default is zero (0).
<p style="margin-left: 20px">Supported operation is Get.
<p style="margin-left: 20px">This is the maximum number of URI segments that the device supports. The default value zero (0) indicates that the device supports a URI of unlimited depth.
<a href="" id="uri-maxtotlen"></a>**URI/MaxTotLen**
<p style="margin-left: 20px">Required. Returns the maximum total length of any URI used to address a node or node property. The default is zero (0).
<p style="margin-left: 20px">Supported operation is Get.
<p style="margin-left: 20px">This is the largest number of characters in the URI that the device supports. The default value zero (0) indicates that the device supports a URI of unlimited length.
<a href="" id="uri-maxseglen"></a>**URI/MaxSegLen**
<p style="margin-left: 20px">Required. Returns the total length of any URI segment in a URI that addresses a node or node property. The default is zero (0).
<p style="margin-left: 20px">Supported operation is Get.
<p style="margin-left: 20px">This is the largest number of characters that the device can support in a single URI segment. The default value zero (0) indicates that the device supports URI segment of unlimited length.
<a href="" id="ext-microsoft-mobileid"></a>**Ext/Microsoft/MobileID**
<p style="margin-left: 20px">Required. Returns the mobile device ID associated with the cellular network. Returns 404 for devices that do not have a cellular network support.
<p style="margin-left: 20px">Supported operation is Get.
<p style="margin-left: 20px">The IMSI value is returned for GSM and UMTS networks. CDMA and worldwide phones will return a 404 Not Found status code error if queried for this element.
<a href="" id="ext-microsoft-localtime"></a>**Ext/Microsoft/LocalTime**
<p style="margin-left: 20px">Required. Returns the client local time in ISO 8601 format.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="ext-microsoft-osplatform"></a>**Ext/Microsoft/OSPlatform**
<p style="margin-left: 20px">Required. Returns the OS platform of the device. For Windows 10 for desktop editions, it returns the ProductName as defined in HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="ext-microsoft-processortype"></a>**Ext/Microsoft/ProcessorType**
<p style="margin-left: 20px">Required. Returns the processor type of the device as documented in SYSTEM\_INFO.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="ext-microsoft-radioswv"></a>**Ext/Microsoft/RadioSwV**
<p style="margin-left: 20px">Required. Returns the radio stack software version number.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="ext-microsoft-resolution"></a>**Ext/Microsoft/Resolution**
<p style="margin-left: 20px">Required. Returns the UI screen resolution of the device (example: "480x800").
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="ext-microsoft-commercializationoperator"></a>**Ext/Microsoft/CommercializationOperator**
<p style="margin-left: 20px">Required. Returns the name of the mobile operator if it exists; otherwise it returns 404..
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="ext-microsoft-processorarchitecture"></a>**Ext/Microsoft/ProcessorArchitecture**
<p style="margin-left: 20px">Required. Returns the processor architecture of the device as "arm" or "x86".
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="ext-microsoft-devicename"></a>**Ext/Microsoft/DeviceName**
<p style="margin-left: 20px">Required. Contains the user-specified device name.
<p style="margin-left: 20px">Support for Replace operation for Windows 10 Mobile was added in Windows 10, version 1511. Replace operation is not supported in the desktop or IoT Core. When you change the device name using this node, it triggers a dialog on the device asking the user to reboot. The new device name does not take effect until the device is restarted. If the user cancels the dialog, it will show again until a reboot occurs.
<p style="margin-left: 20px">Value type is string.
<p style="margin-left: 20px">Supported operations are Get and Replace.
<a href="" id="ext-microsoft-totalstorage"></a>**Ext/Microsoft/TotalStorage**
<p style="margin-left: 20px">Added in Windows 10, version 1511. Integer that specifies the total available storage in MB from first internal drive on the device (may be less than total physical storage).
<p style="margin-left: 20px">Supported operation is Get.
> [!NOTE]
> This is only supported in Windows 10 Mobile.
<a href="" id="ext-microsoft-totalram"></a>**Ext/Microsoft/TotalRAM**
<p style="margin-left: 20px">Added in Windows 10, version 1511. Integer that specifies the total available memory in MB on the device (may be less than total physical memory).
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="ext-wlanmacaddress"></a>**Ext/WLANMACAddress**
<p style="margin-left: 20px">The MAC address of the active WLAN connection, as a 12-digit hexadecimal number.
<p style="margin-left: 20px">Supported operation is Get.
> [!NOTE]
> This is not supported in Windows 10 for desktop editions.
<a href="" id="volteservicesetting"></a>**VoLTEServiceSetting**
<p style="margin-left: 20px">Returns the VoLTE service to on or off. This is only exposed to mobile operator OMA-DM servers.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="wlanipv4address"></a>**WlanIPv4Address**
<p style="margin-left: 20px">Returns the IPv4 address of the active Wi-Fi connection. This is only exposed to enterprise OMA DM servers.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="wlanipv6address"></a>**WlanIPv6Address**
<p style="margin-left: 20px">Returns the IPv6 address of the active Wi-Fi connection. This is only exposed to enterprise OMA-DM servers.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="wlandnssuffix"></a>**WlanDnsSuffix**
<p style="margin-left: 20px">Returns the DNS suffix of the active Wi-Fi connection. This is only exposed to enterprise OMA-DM servers.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="wlansubnetmask"></a>**WlanSubnetMask**
<p style="margin-left: 20px">Returns the subnet mask for the active Wi-Fi connection. This is only exposed to enterprise OMA-DM servers.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="devicehardwaredata"></a>**DeviceHardwareData**
<p style="margin-left: 20px">Added in Windows 10 version 1703. Returns a base64-encoded string of the hardware parameters of a device.
<p style="margin-left: 20px">Supported operation is Get.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
 
 

699
windows/client-management/mdm/devdetail-ddf-file.md Normal file
View File

@ -0,0 +1,699 @@
---
title: DevDetail DDF file
description: DevDetail DDF file
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: 645fc2b5-2d2c-43b1-9058-26bedbe9f00d
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# DevDetail DDF file
This topic shows the OMA DM device description framework (DDF) for the **DevDetail** configuration service provider. DDF files are used only with OMA DM provisioning XML.
You can download the DDF files from the links below:
- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip)
The XML below is the current version for this CSP.
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC "-//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>DevDetail</NodeName>
<Path>.</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName>urn:oma:mo:oma-dm-devdetail:1.1</DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>URI</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>MaxDepth</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>MaxTotLen</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>MaxSegLen</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>DevTyp</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Device model name, as specified and tracked by the manufacturer</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>OEM</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Name of OEM</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>FwV</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Provide the version of OEM ROM region.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>SwV</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Returns the Windows Phone OS software version.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>HwV</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Returns the hardware version.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>LrgObj</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>
Large object isn't supported. The data for this node is "false".
</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Ext</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Subtree to hold vendor-specific parameters</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Microsoft</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Subtree to hold vendor-specific parameters</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>MobileID</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Indicates the subscriber ID registered with the cellular network. For GSM and UMTS networks, the value returned is the IMSI value; for other networks, SyncML Status code 404 is returned.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>RadioSwV</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Version of the software radio stack</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Resolution</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Resolution of the device in the format of WidthxLength (e.g., "400x800").</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>CommercializationOperator</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Name of operator with whom the device was commercialized.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>ProcessorArchitecture</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Processor architecture of the device, as returned by the GetSystemInfo API.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>ProcessorType</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Processor type of the device, as returned by the GetSystemInfo API.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>OSPlatform</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Name of the operating system platform.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>LocalTime</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Returns the UTC time formatted per ISO8601. Example: 2003-06-16T18:37:44Z.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>DeviceName</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<Description>User-specified device name</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>TotalStorage</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Total available storage in MB from first internal drive on the device (may be less than total physical storage). Available for Windows Mobile only.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>TotalRAM</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Total available memory in MB on the device (may be less than total physical memory).</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>WLANMACAddress</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>The MAC address of the active WiFi connection</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>VoLTEServiceSetting</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>The VoLTE service setting on or off. Only exposed to Mobile Operator-based OMA-DM servers.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>WlanIPv4Address</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>The IPv4 address of the active WiFi connection. Only exposed to Enterprise-based OMA-DM servers.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>WlanIPv6Address</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>The IPv6 address of the active WiFi connection. Only exposed to Enterprise-based OMA-DM servers.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>WlanDnsSuffix</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>The DNS suffix of the active WiFi connection. Only exposed to Enterprise-based OMA-DM servers.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>WlanSubnetMask</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>The subnet mask for the active WiFi connection. Only exposed to Enterprise-based OMA-DM servers.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>DeviceHardwareData</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Added in Windows 10 version 1703. Returns a base64 encoded string of the hardware parameters of a device.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</MgmtTree>
```
## Related topics
[DevDetail configuration service provider](devdetail-csp.md)
 
 

71
windows/client-management/mdm/developersetup-csp.md Normal file
View File

@ -0,0 +1,71 @@
---
title: DeveloperSetup CSP
description: The DeveloperSetup configuration service provider (CSP) is used to configure developer mode on the device. This CSP was added in the next major update of Windows 10.
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid:
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# DeveloperSetup CSP
The DeveloperSetup configuration service provider (CSP) is used to configure Developer Mode on the device and connect to the Windows Device Portal. For more information about the Windows Device Portal, see [Windows Device Portal overview](https://msdn.microsoft.com/en-us/windows/uwp/debug-test-perf/device-portal). This CSP was added in Windows 10, version 1703.
> [!NOTE]
The DeveloperSetup configuration service provider (CSP) is supported only in Windows 10 Holographic Enterprise edition and is for provisioning only.
The following diagram shows the DeveloperSetup configuration service provider in tree format.
![developersetup csp diagram](images/provisioning-csp-developersetup.png)
<a href="" id="developersetup"></a>**DeveloperSetup**
<p style="margin-left: 20px">The root node for the DeveloperSetup configuration service provider.
<a href="" id="enabledevelopermode"></a>**EnableDeveloperMode**
<p style="margin-left: 20px">A Boolean value that is used to enable Developer Mode on the device. The default value is false.
<p style="margin-left: 20px">The only supported operation is Replace.
<a href="" id="deviceportal"></a>**DevicePortal**
<p style="margin-left: 20px">The node for the Windows Device Portal.
<a href="" id="deviceportal-authentication"></a>**DevicePortal/Authentication**
<p style="margin-left: 20px">The node that describes the characteristics of the authentication mechanism that is used for the Windows Device Portal.
<a href="" id="deviceportal-authentication-mode"></a>**DevicePortal/Authentication/Mode**
<p style="margin-left: 20px">An integer value that specifies the mode of authentication that is used when making requests to the Windows Device Portal.
<p style="margin-left: 20px">The only supported operation is Replace.
<a href="" id="deviceportal-authentication-basicauth"></a>**DevicePortal/Authentication/BasicAuth**
<p style="margin-left: 20px">The node that describes the credentials that are used for basic authentication with the Windows Device Portal.
<a href="" id="deviceportal-authentication-username"></a>**DevicePortal/Authentication/BasicAuth/Username**
<p style="margin-left: 20px">A string value that specifies the user name to use when performing basic authentication with the Windows Device Portal.
The user name must contain only ASCII characters and cannot contain a colon (:).
<p style="margin-left: 20px">The only supported operation is Replace.
<a href="" id="deviceportal-authentication-password"></a>**DevicePortal/Authentication/BasicAuth/Password**
<p style="margin-left: 20px">A string value that specifies the password to use when authenticating requests against the Windows Device Portal.
<p style="margin-left: 20px">The only supported operation is Replace.
<a href="" id="deviceportal-connection"></a>**DevicePortal/Connection**
<p style="margin-left: 20px">The node for configuring connections to the Windows Device Portal service.
<a href="" id="deviceportal-connection-httpport"></a>**DevicePortal/Connection/HttpPort**
<p style="margin-left: 20px">An integer value that is used to configure the HTTP port for incoming connections to the Windows Device Portal service.
If authentication is enabled, **HttpPort** will redirect the user to the (required) **HttpsPort**.
<p style="margin-left: 20px">The only supported operation is Replace.
<a href="" id="deviceportal-connection-httpsport"></a>**DevicePortal/Connection/HttpsPort**
<p style="margin-left: 20px">An integer value that is used to configure the HTTPS port for incoming connections to the Windows Device Portal service.
<p style="margin-left: 20px">The only supported operation is Replace.

301
windows/client-management/mdm/developersetup-ddf.md Normal file
View File

@ -0,0 +1,301 @@
---
title: DeveloperSetup DDF file
description: This topic shows the OMA DM device description framework (DDF) for the DeveloperSetup configuration service provider. This CSP was added in Windows 10, version 1703.
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid:
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# DeveloperSetup DDF file
This topic shows the OMA DM device description framework (DDF) for the DeveloperSetup configuration service provider. This CSP was added in Windows 10, version 1703.
You can download the DDF files from the links below:
- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip)
The XML below is the current version for this CSP.
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>DeveloperSetup</NodeName>
<Path>./Device/Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName>com.microsoft/1.0/MDM/DeveloperSetup</DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>EnableDeveloperMode</NodeName>
<DFProperties>
<AccessType>
<Replace />
</AccessType>
<DefaultValue>False</DefaultValue>
<Description>Enables developer mode on the device</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFTitle>EnableDeveloperMode</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>DevicePortal</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Authentication</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Specifies characteristics of the authentication mechanism used for the Windows Device Portal.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFTitle>Authentication</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Mode</NodeName>
<DFProperties>
<AccessType>
<Replace />
</AccessType>
<Description>Describes the mode of authentication used when making requests to the Device Portal.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFTitle>Mode</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>BasicAuth</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Describes credentials used for basic authentication</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFTitle>BasicAuth</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Username</NodeName>
<DFProperties>
<AccessType>
<Replace />
</AccessType>
<Description>Describes the username to use when performing basic authentication with the Windows Device Portal</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFTitle>Username</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Password</NodeName>
<DFProperties>
<AccessType>
<Replace />
</AccessType>
<Description>Describes the password to use when authenticating requests against the Windows Device Portal</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFTitle>Password</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
<Node>
<NodeName>Connection</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFTitle>Connection</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>HttpPort</NodeName>
<DFProperties>
<AccessType>
<Replace />
</AccessType>
<Description>Configures the HTTP port for incoming connections to the Device Portal Service.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFTitle>HttpPort</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>HttpsPort</NodeName>
<DFProperties>
<AccessType>
<Replace />
</AccessType>
<Description>Configures the HTTPS port for incoming connections to the Device Portal Service.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFTitle>HttpsPort</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</Node>
</MgmtTree>
```
 
 

972
windows/client-management/mdm/device-update-management.md Normal file
View File

@ -0,0 +1,972 @@
---
title: Device update management
description: In the current device landscape of PC, tablets, phones, and IoT devices, the Mobile Device Management (MDM) solutions are becoming prevalent as a lightweight device management technology.
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: C27BAEE7-2890-4FB7-9549-A6EACC790777
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# Device update management
In the current device landscape of PC, tablets, phones, and IoT devices, the Mobile Device Management (MDM) solutions are becoming prevalent as a lightweight device management technology. In Windows 10, we are investing heavily in extending the management capabilities available to MDMs. One key feature we are adding is the ability for MDMs to keep devices up-to-date with the latest Microsoft Updates.
In particular, Windows 10 provides additional APIs to enable MDMs to:
- Ensure machines stay up-to-date by configuring Automatic Update policies.
- Test updates on a smaller set of machines before enterprise-wide rollout by configuring which updates are approved for a given device.
- Get compliance status of managed devices so IT can easily understand which machines still need a particular security patch, or how up-to-date is a particular machine.
This topic provides MDM ISVs with the information they need to implement update management in Windows 10.
In Windows 10, the MDM protocol has been extended to better enable IT admins to manage updates. In particular, Windows has added configuration service providers (CSPs) that expose policies and actions for MDMs to:
- Configure automatic update policies to ensure devices stay up-to-date.
- Get device compliance information (the list of updates that are needed but not yet installed).
- Specify a per-device update approval list, to ensure devices dont install unapproved updates that have not been tested.
- Approve EULAs on behalf of the end-user so update deployment can be automated even for updates with EULAs.
The OMA DM APIs for specifying update approvals and getting compliance status reference updates using an Update ID, which is a GUID that identifies a particular update. The MDM, of course, will want to expose IT-friendly information about the update (instead of a raw GUID), including the updates title, description, KB, update type (for example, a security update or service pack). For more information, see [\[MS-WSUSSS\]: Windows Update Services: Server-Server Protocol](http://go.microsoft.com/fwlink/p/?LinkId=526707).
For more information about the CSPs, see [Update CSP](update-csp.md) and the update policy area of the [Policy CSP](policy-configuration-service-provider.md).
The following diagram provides a conceptual overview of how this works:
![mobile device update management](images/mdm-update-sync.png)
The diagram can be roughly divided into three areas:
- The Device Management service syncs update information (title, description, applicability) from Microsoft Update using the Server-Server sync protocol (top of the diagram).
- The Device Management service sets automatic update policies, obtains update compliance information, and sets approvals via OMA DM (left portion of the diagram).
- The device gets updates from Microsoft Update using client/server protocol, but only downloads and installs updates that are both applicable to the device and approved by IT (right portion of the diagram).
## <a href="" id="gettingupdatemetadata"></a>Getting update metadata using the Server-Server sync protocol
The Microsoft Update Catalog is huge and contains many updates that are not needed by MDM-managed devices, including updates for legacy software (for example, updates to servers, down-level desktop operating systems, and legacy apps), and a large number of drivers. We recommend that the MDM use the Server-Server sync protocol to get update metadata for updates reported from the client.
This section describes how this is done. The following diagram shows the server-server sync protocol process.
![mdm server-server sync](images/deviceupdateprocess2.png)
MSDN provides much information about the Server-Server sync protocol. In particular:
- It is a SOAP-based protocol, and you can get the WSDL in [Server Sync Web Service](http://go.microsoft.com/fwlink/p/?LinkId=526727). The WSDL can be used to generate calling proxies for many programming environments, which will simplify your development.
- You can find code samples in [Protocol Examples](http://go.microsoft.com/fwlink/p/?LinkId=526720). The sample code shows raw SOAP commands, which can be used. Although its even simpler to make the call from a programming language like .NET (calling the WSDL-generated proxies). The stub generated by the Server Sync WSDL from the MSDN link above generates an incorrect binding URL. The binding URL should be set to https:<span></span>//fe2.update.microsoft.com/v6/ServerSyncWebService/serversyncwebservice.asmx.
Some important highlights:
- The protocol has an authorization phase (calling GetAuthConfig, GetAuthorizationCookie, and GetCookie). In [Protocol Examples](http://go.microsoft.com/fwlink/p/?LinkId=526720), the **Sample 1: Authorization** code shows how this is done. Even though this is called the authorization phase, the protocol is completely open (no credentials are needed to run this phase of the protocol). This sequence of calls needs to be done to obtain a cookie for the main part of the sync protocol. As an optimization, you can cache the cookie and only call this sequence again if your cookie has expired.
- The protocol allows the MDM to sync update metadata for a particular update by calling GetUpdateData. For more information, see [GetUpdateData](https://msdn.microsoft.com/library/dd304816.aspx) in MSDN. The LocURI to get the applicable updates with their revision Numbers is `<LocURI>./Vendor/MSFT/Update/InstallableUpdates?list=StructData</LocURI>`. Because not all updates are available via S2S sync, make sure you handle SOAP errors.
- For mobile devices, you can either sync metadata for a particular update by calling GetUpdateData, or for a local on-premises solution, you can use WSUS and manually import the mobile updates from the Microsoft Update Catalog site. For more information, see [Process flow diagram and screenshots of server sync process](#process-flow-diagram-and-screenshots-of-server-sync-process).
> **Note**  On Microsoft Update, metadata for a given update gets modified over time (updating descriptive information, fixing bugs in applicability rules, localization changes, etc). Each time such a change is made that doesnt affect the update itself, a new update revision is created. The identity of an update revision is a compound key containing both an UpdateID (GUID) and a RevisionNumber (int). The MDM should not expose the notion of an update revision to IT. Instead, for each UpdateID (GUID) the MDM should just keep the metadata for the later revision of that update (the one with the highest revision number).
## <a href="" id="examplesofupdatestructure"></a>Examples of update metadata XML structure and element descriptions
The response of the GetUpdateData call returns an array of ServerSyncUpdateData that contains the update metadata in the XmlUpdateBlob element. The schema of the update xml is available at [Protocol Examples](http://go.microsoft.com/fwlink/p/?LinkId=526720). Some of the key elements are described below:
- **UpdateID** The unique identifier for an update
- **RevisionNumber** Revision number for the update in case the update was modified.
- **CreationDate** the date on which this update was created.
- **UpdateType** The type of update which could include the following:
- **Detectoid** if this update identity represents a compatibility logic
- **Category** This could represent either of the following:
- A Product category the update belongs to. For example, Windows, MS office etc.
- The classification the update belongs to. For example, Drivers, security etc.
- **Software** If the update is a software update.
- **Driver** if the update is a driver update.
- **LocalizedProperties** represents the language the update is available in, title and description of the update. It has the following fields:
- **Language** The language code identifier (LCID). For example, en or es.
- **Title** Title of the update. For example, “Windows SharePoint Services 3.0 Service Pack 3 x64 Edition (KB2526305)”
- **Description** Description of the update. For example, “Windows SharePoint Services 3.0 Service Pack 3 (KB2526305) provides the latest updates to Windows SharePoint Services 3.0. After you install this item, you may have to restart your computer. After you have installed this item, it cannot be removed.”
- **KBArticleID** The KB article number for this update that has details regarding the particular update. For example, <http://support.microsoft.com/kb/2902892>.
## <a href="" id="recommendedflow"></a>Recommended Flow for Using the Server-Server Sync Protocol
This section describes a possible algorithm for using the server-server sync protocol to pull in update metadata to the MDM.
First some background:
- If you have a multi-tenant MDM, the update metadata can be kept in a shared partition, since it is common to all tenants.
- A metadata sync service can then be implemented that periodically calls server-server sync to pull in metadata for the updates IT cares about.
- The MDM component that uses OMA DM to control devices (described in the next section) should send the metadata sync service the list of needed updates it gets from each client if those updates are not already known to the device.
The following procedure describes a basic algorithm for a metadata sync service:
- Initialization, composed of the following:
1. Create an empty list of “needed update IDs to fault in”. This list will get updated by the MDM service component that uses OMA DM. We recommend not adding definition updates to this list, since those are temporary in nature (for example, Defender releases about 4 new definition updates per day, each of which is cumulative).
- Sync periodically (we recommend once every 2 hours - no more than once/hour).
1. Implement the authorization phase of the protocol to get a cookie if you dont already have a non-expired cookie. See **Sample 1: Authorization** in [Protocol Examples](http://go.microsoft.com/fwlink/p/?LinkId=526720).
2. Implement the metadata portion of the protocol (see **Sample 2: Metadata and Deployments Synchronization** in [Protocol Examples](http://go.microsoft.com/fwlink/p/?LinkId=526720)), and:
- Call GetUpdateData for all updates in the "needed update IDs to fault in" list if the update metadata has not already been pulled into the DB.
- If the update is a newer revision of an existing update (same UpdateID, higher revision number), replace the previous update metadata with the new one.
- Remove updates from the "needed update IDs to fault in" list once they have been brought in.
This provides an efficient way to pull in the information about the set of Microsoft Updates that IT needs to manage, so the information can be used in various update management scenarios. For example, at update approval time you can pull information so IT can see what updates they are approving, or for compliance reports to see what updates are needed but not yet installed.
## <a href="" id="managingupdates"></a>Managing updates using OMA DM
An MDM can manage updates via OMA DM. The details of how to use and integrate an MDM with the Windows OMA DM protocol, and how to enroll devices for MDM management, is documented the [Mobile device management](mobile-device-enrollment.md) topic. This section focuses on how to extend that integration to support update management. The key aspects of update management include the following:
- Configure automatic update policies to ensure devices stay up-to-date.
- Get device compliance information (the list of updates that are needed but not yet installed)
- Specify a per-device update approval list to ensure devices dont install unapproved updates that have not been tested.
- Approve EULAs on behalf of the end-user so update deployment can be automated even for updates with EULAs
The following list describes a suggested model for applying updates.
1. Have a "Test Group" and an "All Group".
2. In the Test group, just let all updates flow.
3. In the All Group, set up Quality Update deferral for 7 days and then Quality Updates will be auto approved after the 7 days. Note that Definition Updates are excluded from Quality Update deferrals and will be auto approved when they are availible. This can be done by setting Update/DeferQualityUpdatesPeriodInDays to 7 and just letting updates flow after seven days or pushing Pause in case of issues.
Updates are configured using a combination of the [Update CSP](update-csp.md), and the update portion of the [Policy CSP](policy-configuration-service-provider.md). Please refer to these topics for details on configuring updates.
### Update policies
The enterprise IT can configure auto-update polices via OMA DM using the [Policy CSP](policy-configuration-service-provider.md) (this functionality is not supported in Windows 10 Mobile and Windows 10 Home). Here's the CSP diagram for the Update node in Policy CSP.
The following diagram shows the Update policies in a tree format.
![update csp diagram](images/update-policies.png)
<a href="" id="update-activehoursend"></a>**Update/ActiveHoursEnd**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
<p style="margin-left: 20px">Added in Windows 10, version 1607. Allows the IT admin (when used with **Update/ActiveHoursStart**) to manage a range of active hours where update reboots are not scheduled. This value sets the end time. There is a 12 hour maximum from start time.
> [!NOTE]
> The default maximum difference from start time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** below for more information.
<p style="margin-left: 20px">Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc.
<p style="margin-left: 20px">The default is 17 (5 PM).
<a href="" id="update-activehoursmaxrange"></a>**Update/ActiveHoursMaxRange**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
<p style="margin-left: 20px">Added in Windows 10, version 1703. Allows the IT admin to specify the max active hours range. This value sets max number of active hours from start time.
<p style="margin-left: 20px">Supported values are 8-18.
<p style="margin-left: 20px">The default value is 18 (hours).
<a href="" id="update-activehoursstart"></a>**Update/ActiveHoursStart**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
<p style="margin-left: 20px">Added in Windows 10, version 1607. Allows the IT admin (when used with **Update/ActiveHoursEnd**) to manage a range of hours where update reboots are not scheduled. This value sets the start time. There is a 12 hour maximum from end time.
> [!NOTE]
> The default maximum difference from end time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** above for more information.
<p style="margin-left: 20px">Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc.
<p style="margin-left: 20px">The default value is 8 (8 AM).
<a href="" id="update-allowautoupdate"></a>**Update/AllowAutoUpdate**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
<p style="margin-left: 20px">Enables the IT admin to manage automatic update behavior to scan, download, and install updates.
<p style="margin-left: 20px">Supported operations are Get and Replace.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end-users to manage data usage. With this option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel.
- 1 Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end-user is prompted to schedule the restart time. The end-user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end-user to control the start time reduces the risk of accidental data loss caused by applications that do not shutdown properly on restart.
- 2 (default) Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that does not shutdown properly on restart.
- 3 Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart.
- 4 Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This setting option also sets the end-user control panel to read-only.
- 5 Turn off automatic updates.
> [!IMPORTANT]
> This option should be used only for systems under regulatory compliance, as you will not get security updates as well.
 
<p style="margin-left: 20px">If the policy is not configured, end-users get the default behavior (Auto install and restart).
<a href="" id="update-allowmuupdateservice"></a>**Update/AllowMUUpdateService**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
<p style="margin-left: 20px">Added in Windows 10, version 1607. Allows the IT admin to manage whether to scan for app updates from Microsoft Update.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Not allowed or not configured.
- 1 Allowed. Accepts updates received through Microsoft Update.
<a href="" id="update-allownonmicrosoftsignedupdate"></a>**Update/AllowNonMicrosoftSignedUpdate**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
<p style="margin-left: 20px">Allows the IT admin to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for 3rd party software and patch distribution.
<p style="margin-left: 20px">Supported operations are Get and Replace.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Not allowed or not configured. Updates from an intranet Microsoft update service location must be signed by Microsoft.
- 1 Allowed. Accepts updates received through an intranet Microsoft update service location, if they are signed by a certificate found in the "Trusted Publishers" certificate store of the local computer.
<p style="margin-left: 20px">This policy is specific to desktop and local publishing via WSUS for 3rd party updates (binaries and updates not hosted on Microsoft Update) and allows IT to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location.
<a href="" id="update-allowupdateservice"></a>**Update/AllowUpdateService**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
<p style="margin-left: 20px">Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Windows Store.
<p style="margin-left: 20px">Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Windows Store
<p style="margin-left: 20px">Enabling this policy will disable that functionality, and may cause connection to public services such as the Windows Store to stop working.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Update service is not allowed.
- 1 (default) Update service is allowed.
> [!NOTE]
> This policy applies only when the desktop or device is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy.
<a href="" id="update-autorestartnotificationschedule"></a>**Update/AutoRestartNotificationSchedule**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
<p style="margin-left: 20px">Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart reminder notifications.
<p style="margin-left: 20px">Supported values are 15, 30, 60, 120, and 240 (minutes).
<p style="margin-left: 20px">The default value is 15 (minutes).
<a href="" id="update-autorestartrequirednotificationdismissal"></a>**Update/AutoRestartRequiredNotificationDismissal**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
<p style="margin-left: 20px">Added in Windows 10, version 1703. Allows the IT Admin to specify the method by which the auto-restart required notification is dismissed.
<p style="margin-left: 20px">The following list shows the supported values:
- 1 (default) Auto Dismissal.
- 2 User Dismissal.
<a href="" id="update-branchreadinesslevel"></a>**Update/BranchReadinessLevel**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
<p style="margin-left: 20px">Added in Windows 10, version 1607. Allows the IT admin to set which branch a device receives their updates from.
<p style="margin-left: 20px">The following list shows the supported values:
- 16 (default) User gets all applicable upgrades from Current Branch (CB).
- 32 User gets upgrades from Current Branch for Business (CBB).
<a href="" id="update-deferfeatureupdatesperiodindays"></a>**Update/DeferFeatureUpdatesPeriodInDays**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
<p style="margin-left: 20px">Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.
<p style="margin-left: 20px">Added in Windows 10, version 1607. Defers Feature Updates for the specified number of days.
<p style="margin-left: 20px">Supported values are 0-180.
<a href="" id="update-deferqualityupdatesperiodindays"></a>**Update/DeferQualityUpdatesPeriodInDays**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
<p style="margin-left: 20px">Added in Windows 10, version 1607. Defers Quality Updates for the specified number of days.
<p style="margin-left: 20px">Supported values are 0-30.
<a href="" id="update-deferupdateperiod"></a>**Update/DeferUpdatePeriod**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
>
> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices.
<p style="margin-left: 20px">Allows IT Admins to specify update delays for up to 4 weeks.
<p style="margin-left: 20px">Supported values are 0-4, which refers to the number of weeks to defer updates.
<p style="margin-left: 20px">In Windows 10 Mobile Enterprise version 1511 devices set to automatic updates, for DeferUpdatePeriod to work, you must set the following:
- Update/RequireDeferUpgrade must be set to 1
- System/AllowTelemetry must be set to 1 or higher
<p style="margin-left: 20px">If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
<p style="margin-left: 20px">If the Allow Telemetry policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
<table style="margin-left: 20px">
<colgroup>
<col width="25%" />
<col width="25%" />
<col width="25%" />
<col width="25%" />
</colgroup>
<thead>
<tr class="header">
<th>Update category</th>
<th>Maximum deferral</th>
<th>Deferral increment</th>
<th>Update type/notes</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td style="vertical-align:top"><p>OS upgrade</p></td>
<td style="vertical-align:top"><p>8 months</p></td>
<td style="vertical-align:top"><p>1 month</p></td>
<td style="vertical-align:top"><p>Upgrade - 3689BDC8-B205-4AF4-8D4A-A63924C5E9D5</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top"><p>Update</p></td>
<td style="vertical-align:top"><p>1 month</p></td>
<td style="vertical-align:top"><p>1 week</p></td>
<td style="vertical-align:top"><div class="alert">
<strong>Note</strong>
If a machine has Microsoft Update enabled, any Microsoft Updates in these categories will also observe Defer / Pause logic.
</div>
<ul>
<li>Security Update - 0FA1201D-4330-4FA8-8AE9-B877473B6441</li>
<li>Critical Update - E6CF1350-C01B-414D-A61F-263D14D133B4</li>
<li>Update Rollup - 28BC880E-0592-4CBF-8F95-C79B17911D5F</li>
<li>Service Pack - 68C5B0A3-D1A6-4553-AE49-01D3A7827828</li>
<li>Tools - B4832BD8-E735-4761-8DAF-37F882276DAB</li>
<li>Feature Pack - B54E7D24-7ADD-428F-8B75-90A396FA584F</li>
<li>Update - CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83</li>
<li>Driver - EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0</li>
</ul></td>
</tr>
<tr class="odd">
<td style="vertical-align:top"><p>Other/cannot defer</p></td>
<td style="vertical-align:top"><p>No deferral</p></td>
<td style="vertical-align:top"><p>No deferral</p></td>
<td style="vertical-align:top"><p>Any update category not specifically enumerated above falls into this category.</p>
<p>Definition Update - E0789628-CE08-4437-BE74-2495B842F43B</p></td>
</tr>
</tbody>
</table>
<a href="" id="update-deferupgradeperiod"></a>**Update/DeferUpgradePeriod**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
>
> Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.
>
> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices.
<p style="margin-left: 20px">Allows IT Admins to specify additional upgrade delays for up to 8 months.
<p style="margin-left: 20px">Supported values are 0-8, which refers to the number of months to defer upgrades.
<p style="margin-left: 20px">If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
<p style="margin-left: 20px">If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
<a href="" id="update-engagedrestartdeadline"></a>**Update/EngagedRestartDeadline**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
<p style="margin-left: 20px">Added in Windows 10, version 1703. Allows the IT Admin to specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed within the specified period. If no deadline is specified or deadline is set to 0, the restart will not be automatically executed and will remain Engaged restart (pending user scheduling).
<p style="margin-left: 20px">Supported values are 2-30 days.
<p style="margin-left: 20px">The default value is 0 days (not specified).
<a href="" id="update-engagedrestartsnoozeschedule"></a>**Update/EngagedRestartSnoozeSchedule**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
<p style="margin-left: 20px">Added in Windows 10, version 1703. Allows the IT Admin to control the number of days a user can snooze Engaged restart reminder notifications.
<p style="margin-left: 20px">Supported values are 1-3 days.
<p style="margin-left: 20px">The default value is 3 days.
<a href="" id="update-engagedrestarttransitionschedule"></a>**Update/EngagedRestartTransitionSchedule**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
<p style="margin-left: 20px">Added in Windows 10, version 1703. Allows the IT Admin to control the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending.
<p style="margin-left: 20px">Supported values are 2-30 days.
<p style="margin-left: 20px">The default value is 7 days.
<a href="" id="update-excludewudriversinqualityupdate"></a>**Update/ExcludeWUDriversInQualityUpdate**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
> Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.
<p style="margin-left: 20px">Added in Windows 10, version 1607. Allows IT Admins to exclude Windows Update (WU) drivers during updates.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 (default) Allow Windows Update drivers.
- 1 Exclude Windows Update drivers.
<a href="" id="update-ignoremoappdownloadlimit"></a>**Update/IgnoreMOAppDownloadLimit**
<p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for apps and their updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies.
> [!WARNING]
> Setting this policy might cause devices to incur costs from MO operators.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 (default) Do not ignore MO download limit for apps and their updates.
- 1 Ignore MO download limit (allow unlimited downloading) for apps and their updates.
<p style="margin-left: 20px">To validate this policy:
1. Enable the policy ensure the device is on a cellular network.
2. Run the scheduled task on your device to check for app updates in the background. For example, on a mobile device, run the following commands in TShell:
- `regd delete HKEY_USERS\S-1-5-21-2702878673-795188819-444038987-2781\software\microsoft\windows\currentversion\windowsupdate /v LastAutoAppUpdateSearchSuccessTime /f`
- `exec-device schtasks.exe -arguments ""/run /tn """"\Microsoft\Windows\WindowsUpdate\Automatic App Update"""" /I""`
3. Verify that any downloads that are above the download size limit will complete without being paused.
<a href="" id="update-ignoremoupdatedownloadlimit"></a>**Update/IgnoreMOUpdateDownloadLimit**
<p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for OS updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies.
> [!WARNING]
> Setting this policy might cause devices to incur costs from MO operators.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 (default) Do not ignore MO download limit for OS updates.
- 1 Ignore MO download limit (allow unlimited downloading) for OS updates.
<p style="margin-left: 20px">To validate this policy:
1. Enable the policy and ensure the device is on a cellular network.
2. Run the scheduled task on phone to check for OS updates in the background. For example, on a mobile device, run the following commands in TShell:
- `exec-device schtasks.exe -arguments ""/run /tn """"\Microsoft\Windows\WindowsUpdate\AUScheduledInstall"""" /I""`
3. Verify that any downloads that are above the download size limit will complete without being paused.
<a href="" id="update-pausedeferrals"></a>**Update/PauseDeferrals**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
>
> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use PauseDeferrals for Windows 10, version 1511 devices.
<p style="margin-left: 20px">Allows IT Admins to pause updates and upgrades for up to 5 weeks. Paused deferrals will be reset after 5 weeks.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 (default) Deferrals are not paused.
- 1 Deferrals are paused.
<p style="margin-left: 20px">If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
<p style="margin-left: 20px">If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
<a href="" id="update-pausefeatureupdates"></a>**Update/PauseFeatureUpdates**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
<p style="margin-left: 20px">Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.
<p style="margin-left: 20px">Added in Windows 10, version 1607. Allows IT Admins to pause Feature Updates for up to 60 days.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 (default) Feature Updates are not paused.
- 1 Feature Updates are paused for 60 days or until value set to back to 0, whichever is sooner.
<a href="" id="update-pausequalityupdates"></a>**Update/PauseQualityUpdates**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
<p style="margin-left: 20px">Added in Windows 10, version 1607. Allows IT Admins to pause Quality Updates.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 (default) Quality Updates are not paused.
- 1 Quality Updates are paused for 35 days or until value set back to 0, whichever is sooner.
<a href="" id="update-requiredeferupgrade"></a>**Update/RequireDeferUpgrade**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
>
> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices.
<p style="margin-left: 20px">Allows the IT admin to set a device to CBB train.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 (default) User gets upgrades from Current Branch.
- 1 User gets upgrades from Current Branch for Business.
<a href="" id="update-requireupdateapproval"></a>**Update/RequireUpdateApproval**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
<br>
> [!NOTE]
> If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead.
<p style="margin-left: 20px">Allows the IT admin to restrict the updates that are installed on a device to only those on an update approval list. It enables IT to accept the End User License Agreement (EULA) associated with the approved update on behalf of the end-user. EULAs are approved once an update is approved.
<p style="margin-left: 20px">Supported operations are Get and Replace.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Not configured. The device installs all applicable updates.
- 1 The device only installs updates that are both applicable and on the Approved Updates list. Set this policy to 1 if IT wants to control the deployment of updates on devices, such as when testing is required prior to deployment.
<a href="" id="update-scheduleimminentrestartwarning"></a>**Update/ScheduleImminentRestartWarning**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
<p style="margin-left: 20px">Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart imminent warning notifications.
<p style="margin-left: 20px">Supported values are 15, 30, or 60 (minutes).
<p style="margin-left: 20px">The default value is 15 (minutes).
<a href="" id="update-scheduledinstallday"></a>**Update/ScheduledInstallDay**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
<p style="margin-left: 20px">Enables the IT admin to schedule the day of the update installation.
<p style="margin-left: 20px">The data type is a string.
<p style="margin-left: 20px">Supported operations are Add, Delete, Get, and Replace.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 (default) Every day
- 1 Sunday
- 2 Monday
- 3 Tuesday
- 4 Wednesday
- 5 Thursday
- 6 Friday
- 7 Saturday
<a href="" id="update-scheduledinstalltime"></a>**Update/ScheduledInstallTime**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
<p style="margin-left: 20px">Enables the IT admin to schedule the time of the update installation.
<p style="margin-left: 20px">The data type is a string.
<p style="margin-left: 20px">Supported operations are Add, Delete, Get, and Replace.
<p style="margin-left: 20px">Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM.
<p style="margin-left: 20px">The default value is 3.
<a href="" id="update-schedulerestartwarning"></a>**Update/ScheduleRestartWarning**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
<p style="margin-left: 20px">Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart warning reminder notifications.
<p style="margin-left: 20px">Supported values are 2, 4, 8, 12, or 24 (hours).
<p style="margin-left: 20px">The default value is 4 (hours).
<a href="" id="update-setautorestartnotificationdisable"></a>**Update/SetAutoRestartNotificationDisable**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
<p style="margin-left: 20px">Added in Windows 10, version 1703. Allows the IT Admin to disable auto-restart notifications for update installations.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 (default) Enabled
- 1 Disabled
<a href="" id="update-updateserviceurl"></a>**Update/UpdateServiceUrl**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
> [!Important]
> Starting in Windows 10, version 1703 this policy is not supported in Windows 10 Mobile Enteprise and IoT Enterprise.
<p style="margin-left: 20px">Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premise MDMs that need to update devices that cannot connect to the Internet.
<p style="margin-left: 20px">Supported operations are Get and Replace.
<p style="margin-left: 20px">The following list shows the supported values:
- Not configured. The device checks for updates from Microsoft Update.
- Set to a URL, such as `http://abcd-srv:8530`. The device checks for updates from the WSUS server at the specified URL.
Example
``` syntax
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Meta>
<Format>chr</Format>
<Type>text/plain</Type>
</Meta>
<Target>
<LocURI>./Vendor/MSFT/Policy/Config/Update/UpdateServiceUrl</LocURI>
</Target>
<Data>http://abcd-srv:8530</Data>
</Item>
</Replace>
```
<a href="" id="update-updateserviceurlalternate"></a>**Update/UpdateServiceUrlAlternate**
> **Note**  This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.
<p style="margin-left: 20px">Added in the January service release of Windows 10, version 1607. Specifies an alternate intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network.
<p style="margin-left: 20px">This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network.
<p style="margin-left: 20px">To use this setting, you must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update agent, and download updates from an alternate download server instead of WSUS Server.
<p style="margin-left: 20px">Value type is string and the default value is an empty string, "". If the setting is not configured, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet.
> [!Note]
> If the "Configure Automatic Updates" Group Policy is disabled, then this policy has no effect.
> If the "Alternate Download Server" Group Policy is not set, it will use the WSUS server by default to download updates.
> This policy is not supported on Windows RT. Setting this policy will not have any effect on Windows RT PCs.
### Update management
The enterprise IT can configure the set of approved updates and get compliance status via OMA DM using the [Update CSP](update-csp.md). The following diagram shows the Update CSP in tree format..
![update csp diagram](images/provisioning-csp-update.png)
<a href="" id="update"></a>**Update**
The root node.
Supported operation is Get.
<a href="" id="approvedupdates"></a>**ApprovedUpdates**
Node for update approvals and EULA acceptance on behalf of the end-user.
> **Note** When the RequireUpdateApproval policy is set, the MDM uses the ApprovedUpdates list to pass the approved GUIDs. These GUIDs should be a subset of the InstallableUpdates list.
The MDM must first present the EULA to IT and have them accept it before the update is approved. Failure to do this is a breach of legal or contractual obligations. The EULAs can be obtained from the update metadata and have their own EULA ID. It's possible for multiple updates to share the same EULA. It is only necessary to approve the EULA once per EULA ID, not one per update.
The update approval list enables IT to approve individual updates and update classifications. Auto-approval by update classifications allows IT to automatically approve Definition Updates (i.e., updates to the virus and spyware definitions on devices) and Security Updates (i.e., product-specific updates for security-related vulnerability). The update approval list does not support the uninstallation of updates by revoking approval of already installed updates. Updates are approved based on UpdateID, and an UpdateID only needs to be approved once. An update UpdateID and RevisionNumber are part of the UpdateIdentity type. An UpdateID can be associated to several UpdateIdentity GUIDs due to changes to the RevisionNumber setting. MDM services must synchronize the UpdateIdentity of an UpdateID based on the latest RevisionNumber to get the latest metadata for an update. However, update approval is based on UpdateID.
> **Note**  For the Windows 10 build, the client may need to reboot after additional updates are added.
 
Supported operations are Get and Add.
<a href="" id="approvedupdates-approved-update-guid"></a>**ApprovedUpdates/****_Approved Update Guid_**
Specifies the update GUID.
To auto-approve a class of updates, you can specify the [Update Classifications](http://go.microsoft.com/fwlink/p/?LinkId=526723) GUIDs. We strongly recommend to always specify the DefinitionsUpdates classification (E0789628-CE08-4437-BE74-2495B842F43B), which are used for anti-malware signatures. There are released periodically (several times a day). Some businesses may also want to auto-approve security updates to get them deployed quickly.
Supported operations are Get and Add.
Sample syncml:
```
<LocURI>./Vendor/MSFT/Update/ApprovedUpdates/%7ba317dafe-baf4-453f-b232-a7075efae36e%7d</LocURI>
```
<a href="" id="approvedupdates-approved-update-guid-approvedtime"></a>**ApprovedUpdates/*Approved Update Guid*/ApprovedTime**
Specifies the time the update gets approved.
Supported operations are Get and Add.
<a href="" id="failedupdates"></a>**FailedUpdates**
Specifies the approved updates that failed to install on a device.
Supported operation is Get.
<a href="" id="failedupdates-failed-update-guid"></a>**FailedUpdates/****_Failed Update Guid_**
Update identifier field of the UpdateIdentity GUID that represent an update that failed to download or install.
Supported operation is Get.
<a href="" id="failedupdates-failed-update-guid-hresult"></a>**FailedUpdates/*Failed Update Guid*/HResult**
The update failure error code.
Supported operation is Get.
<a href="" id="failedupdates-failed-update-guid-status"></a>**FailedUpdates/*Failed Update Guid*/Status**
Specifies the failed update status (for example, download, install).
Supported operation is Get.
<a href="" id="installedupdates"></a>**InstalledUpdates**
The updates that are installed on the device.
Supported operation is Get.
<a href="" id="installedupdates-installed-update-guid"></a>**InstalledUpdates/****_Installed Update Guid_**
UpdateIDs that represent the updates installed on a device.
Supported operation is Get.
<a href="" id="installableupdates"></a>**InstallableUpdates**
The updates that are applicable and not yet installed on the device. This includes updates that are not yet approved.
Supported operation is Get.
<a href="" id="installableupdates-installable-update-guid"></a>**InstallableUpdates/****_Installable Update Guid_**
Update identifiers that represent the updates applicable and not installed on a device.
Supported operation is Get.
<a href="" id="installableupdates-installable-update-guid-type"></a>**InstallableUpdates/*Installable Update Guid*/Type**
The UpdateClassification value of the update. Valid values are:
- 0 - None
- 1 - Security
- 2 = Critical
Supported operation is Get.
<a href="" id="installableupdates-installable-update-guid-revisionnumber"></a>**InstallableUpdates/*Installable Update Guid*/RevisionNumber**
The revision number for the update that must be passed in server to server sync to get the metadata for the update.
Supported operation is Get.
<a href="" id="pendingrebootupdates"></a>**PendingRebootUpdates**
The updates that require a reboot to complete the update session.
Supported operation is Get.
<a href="" id="pendingrebootupdates-pending-reboot-update-guid"></a>**PendingRebootUpdates/****_Pending Reboot Update Guid_**
Update identifiers for the pending reboot state.
Supported operation is Get.
<a href="" id="pendingrebootupdates-pending-reboot-update-guid-installedtime"></a>**PendingRebootUpdates/*Pending Reboot Update Guid*/InstalledTime**
The time the update is installed.
Supported operation is Get.
<a href="" id="lastsuccessfulscantime"></a>**LastSuccessfulScanTime**
The last successful scan time.
Supported operation is Get.
<a href="" id="deferupgrade"></a>**DeferUpgrade**
Upgrades deferred until the next period.
Supported operation is Get.
## <a href="" id="windows10version1607forupdatemanagement"></a> Windows 10, version 1607 for update management
Here are the new policies added in Windows 10, version 1607 in [Policy CSP](policy-configuration-service-provider.md). You should use these policies for the new Windows 10, version 1607 devices.
- Update/ActiveHoursEnd
- Update/ActiveHoursStart
- Update/AllowMUUpdateService
- Update/BranchReadinessLevel
- Update/DeferFeatureUpdatePeriodInDays
- Update/DeferQualityUpdatePeriodInDays
- Update/ExcludeWUDriversInQualityUpdate
- Update/PauseFeatureUpdates
- Update/PauseQualityUpdates
Here's the list of corresponding Group Policy settings in HKLM\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate.
<table>
<colgroup>
<col width="33%" />
<col width="33%" />
<col width="33%" />
</colgroup>
<thead>
<tr class="header">
<th>GPO key</th>
<th>Type</th>
<th>Value</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td style="vertical-align:top"><p>BranchReadinessLevel</p></td>
<td style="vertical-align:top"><p>REG_DWORD</p></td>
<td style="vertical-align:top"><p>16: systems take Feature Updates on the Current Branch (CB) train</p>
<p>32: systems take Feature Updates on the Current Branch for Business</p>
<p>Other value or absent: receive all applicable updates (CB)</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top"><p>DeferQualityUpdates</p></td>
<td style="vertical-align:top"><p>REG_DWORD</p></td>
<td style="vertical-align:top"><p>1: defer quality updates</p>
<p>Other value or absent: dont defer quality updates</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top"><p>DeferQualityUpdatesPeriodInDays</p></td>
<td style="vertical-align:top"><p>REG_DWORD</p></td>
<td style="vertical-align:top"><p>0-30: days to defer quality updates</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top"><p>PauseQualityUpdates</p></td>
<td style="vertical-align:top"><p>REG_DWORD</p></td>
<td style="vertical-align:top"><p>1: pause quality updates</p>
<p>Other value or absent: dont pause quality updates</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top"><p>DeferFeatureUpdates</p></td>
<td style="vertical-align:top"><p>REG_DWORD</p></td>
<td style="vertical-align:top"><p>1: defer feature updates</p>
<p>Other value or absent: dont defer feature updates</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top"><p>DeferFeatureUpdatesPeriodInDays</p></td>
<td style="vertical-align:top"><p>REG_DWORD</p></td>
<td style="vertical-align:top"><p>0-180: days to defer feature updates</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top"><p>PauseFeatureUpdates</p></td>
<td style="vertical-align:top"><p>REG_DWORD</p></td>
<td style="vertical-align:top"><p>1: pause feature updates</p>
<p>Other value or absent: dont pause feature updates</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top"><p>ExcludeWUDriversInQualityUpdate</p></td>
<td style="vertical-align:top"><p>REG_DWORD</p></td>
<td style="vertical-align:top"><p>1: exclude WU drivers</p>
<p>Other value or absent: offer WU drivers</p></td>
</tr>
</tbody>
</table>
 
Here is the list of older policies that are still supported for backward compatibility. You can use these for Windows 10, version 1511 devices.
- Update/RequireDeferUpgrade
- Update/DeferUpgradePeriod
- Update/DeferUpdatePeriod
- Update/PauseDeferrals
For Windows Update for Business, here is the list of supported policies on Windows 10 Mobile Enterprise:
- For Windows 10, version 1511 (Build 10586): Update/RequireDeferUpgrade, Update/DeferUpdatePeriod and Update/PauseDeferrals. To use DeferUpdatePeriod and PauseDeferrals the RequireDeferUpgrade has to be set to 1, which essentially means for a device running 1511, the Windows Update for Business policies can only be set when a device is configured for CBB servicing.
- For Windows 10, version 1607 (Build 14393): Update/BranchReadinessLevel, Update/DeferQualityUpdatesPeriodInDays and Update/PauseQualityUpdates. In 1607 we added support where you can configure Windows Update for Business policies when a device is configured for CB/CBB servicing.
> **Note**  
For policies supported for Windows Update for Business, when you set policies for both Windows 10, version 1607 and Windows 10, version 1511 running on 1607, then 1607 policies will be configured (1607 trumps 1511).
For policies supported for Windows Update for Business, when you set 1511 policies on a device running 1607, the you will get the expected behavior for 1511 policies.
 
## <a href="" id="userexperiencescreenshot"></a>Update management user experience screenshot
The following screenshots of the administrator console shows the list of update titles, approval status, and additional metadata fields.
![mdm update management screenshot](images/deviceupdatescreenshot1.png)
![mdm update managment metadata screenshot](images/deviceupdatescreenshot2.png)
## <a href="" id="syncmlexample"></a>SyncML example
Set auto update to notify and defer.
``` syntax
<SyncML xmlns="SYNCML:SYNCML1.1">
<SyncBody>
<Replace xmlns="">
<CmdID>1</CmdID>
<Item>
<Meta>
<Format>int</Format>
<Type>text/plain</Type>
</Meta>
<Target>
<LocURI>./Vendor/MSFT/Policy/Config/Update/AllowUpdateService</LocURI>
</Target>
<Data>0</Data>
</Item>
<CmdID>2</CmdID>
<Item>
<Meta>
<Format>int</Format>
<Type>text/plain</Type>
</Meta>
<Target>
<LocURI>./Vendor/MSFT/Policy/Config/Update/RequireDeferUpgrade </LocURI>
</Target>
<Data>0</Data>
</Item>
<CmdID>3</CmdID>
<Item>
<Meta>
<Format>int</Format>
<Type>text/plain</Type>
</Meta>
<Target>
<LocURI>./Vendor/MSFT/Policy/Config/Update/RequireUpdateApproval </LocURI>
</Target>
<Data>0</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
```
## Process flow diagram and screenshots of server sync process
The following diagram and screenshots show the process flow of the device update process using Windows Server Update Services and Microsoft Update Catalog.
![mdm device update management screenshot](images/deviceupdatescreenshot3.png)![mdm device update management screenshot](images/deviceupdatescreenshot4.png)![mdm device update management screenshot](images/deviceupdatescreenshot5.png)![mdm device update management screenshot](images/deviceupdatescreenshot6.png)![mdm device update management screenshot](images/deviceupdatescreenshot7.png)![mdm device update management screenshot](images/deviceupdatescreenshot8.png)![mdm device update management screenshot](images/deviceupdatescreenshot9.png)
 

121
windows/client-management/mdm/deviceinstanceservice-csp.md Normal file
View File

@ -0,0 +1,121 @@
---
title: DeviceInstanceService CSP
description: DeviceInstanceService CSP
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: f113b6bb-6ce1-45ad-b725-1b6610721e2d
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# DeviceInstanceService CSP
The DeviceInstanceService configuration service provider provides some device inventory information that could be useful for an enterprise. Additionally, this CSP supports querying two different phone numbers in the case of dual SIM. The URIs for SIM 1 and SIM 2 are ./Vendor/MSFT/DeviceInstanceService/Identity/Identity1 and ./Vendor/MSFT/DeviceInstanceService/Identity/Identity2 respectively.
> **Note**  
Stop using DeviceInstanceService CSP and use the updated [DeviceStatus CSP](devicestatus-csp.md) instead.
The DeviceInstance CSP is only supported in Windows 10 Mobile.
 
The following diagram shows the DeviceInstanceService configuration service provider in tree format.
![provisioning\-csp\-deviceinstanceservice](images/provisioning-csp-deviceinstanceservice.png)
<a href="" id="roaming"></a>**Roaming**
A boolean value that specifies the roaming status of the device. In dual SIM mode when the device supports two different phone numbers, querying SIM 1 explicitly with ./Vendor/MSFT/DeviceInstanceService/Identify1/Roaming is functionally equivalent to using ./Vendor/MSFT/DeviceInstanceService/Roaming.
Supported operation is **Get**.
Returns **True** if the device is roaming; otherwise **False**.
<a href="" id="phonenumber"></a>**PhoneNumber**
A string that represents the phone number of the device. In case of dual SIM mode when the device supports two different phone numbers, querying SIM 1 explicitly with ./Vendor/MSFT/DeviceInstanceService/Identify1/PhoneNumber is functionally equivalent to using ./Vendor/MSFT/DeviceInstanceService/PhoneNumber.
Value type is chr.
Supported operation is **Get**.
<a href="" id="imei"></a>**IMEI**
A string the represents the International Mobile Station Equipment Identity (IMEI) of the device. In case of dual SIM mode when the device supports two different phone numbers, querying SIM 1 explicitly with ./Vendor/MSFT/DeviceInstanceService/Identify1/IMEI is functionally equivalent to using ./Vendor/MSFT/DeviceInstanceService/IMEI.
Value type is chr.
Supported operation is **Get**.
<a href="" id="imsi"></a>**IMSI**
A string that represents the first six digits of device IMSI number (Mobile Country/region Code, Mobile Network Code) of the device. In case of dual SIM mode when the device supports two different phone numbers, querying SIM 1 explicitly with ./Vendor/MSFT/DeviceInstanceService/Identify1/IMSI is functionally equivalent to using ./Vendor/MSFT/DeviceInstanceService/IMSI.
Value type is chr.
Supported operation is **Get**.
<a href="" id="identity"></a>**Identity**
The parent node to group per SIM specific information in case of dual SIM mode.
<a href="" id="identity1"></a>**Identity1**
The parent node to group SIM1 specific information in case of dual SIM mode.
<a href="" id="identity2"></a>**Identity2**
The parent node to group SIM2 specific information in case of dual SIM mode.
## Examples
The following sample shows how to query roaming status and phone number on the device.
``` syntax
<Get>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/DeviceInstanceService/Roaming</LocURI>
</Target>
</Item>
<Item>
<Target>
<LocURI>./Vendor/MSFT/DeviceInstanceService/PhoneNumber</LocURI>
</Target>
</Item>
</Get>
```
Response from the phone.
``` syntax
<Results>
<CmdID>3</CmdID>
<MsgRef>1</MsgRef>
<CmdRef>2</CmdRef>
<Item>
<Source><LocURI>./Vendor/MSFT/DeviceInstanceService/Roaming</LocURI></Source>
<Meta><Format xmlns="syncml:metinf">bool</Format></Meta>
<Data>false</Data>
</Item>
<Item>
<Source><LocURI>./Vendor/MSFT/DeviceInstanceService/PhoneNumber</LocURI></Source>
<Data>+14254458055</Data>
</Item>
</Results>
```
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
 
 

294
windows/client-management/mdm/devicelock-csp.md Normal file
View File

@ -0,0 +1,294 @@
---
title: DeviceLock CSP
description: DeviceLock CSP
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: 9a547efb-738e-4677-95d3-5506d350d8ab
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# DeviceLock CSP
The DeviceLock configuration service provider is used by the enterprise management server to configure device lock related policies. This configuration service provider is supported by an enterprise management server.
> **Note**   The DeviceLock CSP is supported in Windows 10 Mobile for backward compatibility. For Windows 10 devices you should use [Policy CSP](policy-configuration-service-provider.md) for various device lock settings. You can continue to use DeviceLock CSP for Windows Phone 8.1 and Windows Phone 8.1 GDR devices. The DeviceLock CSP will be deprecated some time in the future.
 
The DevicePasswordEnabled setting must be set to 0 (device password is enabled) for the following settings to take effect:
- AllowSimpleDevicePassword
- MinDevicePasswordLength
- AlphanumericDevicePasswordRequired
- MaxDevicePasswordFailedAttempts
- MaxInactivityTimeDeviceLock
- MinDevicePasswordComplexCharacters
The following image shows the DeviceLock configuration service provider in tree format.
![devicelock csp](images/provisioning-csp-devicelock.png)
<a href="" id="provider"></a>**Provider**
Required. An interior node to group all policy providers. Scope is permanent. Supported operation is Get.
<a href="" id="---------------providerid"></a> ***ProviderID***
Optional. The node that contains the configured management server's ProviderID. In Windows Phone 8, only one enterprise management server is supported. That is, there should be only one *ProviderID* node. Exchange ActiveSync policies set by Exchange are saved by the Sync client separately. Scope is dynamic. The following operations are supported:
- **Add** - Add the management account to the configuration service provider tree.
- **Delete** - Delete all policies set by this account. This command could be used in enterprise unenrollment for removing policy values set by the enterprise management server.
- **Get** - Return all policies set by the management server.
> **Note**   The value cannot be changed after it is added. The **Replace** command isn't supported.
 
<a href="" id="providerid-devicepasswordenabled"></a>***ProviderID*/DevicePasswordEnabled**
Optional. An integer value that specifies whether device lock is enabled. Possible values are one of the following:
- 0 - Device lock is enabled.
- 1 (default) - Device lock not enabled.
The scope is dynamic.
Supported operations are Get, Add, and Replace.
<a href="" id="providerid-allowsimpledevicepassword"></a>***ProviderID*/AllowSimpleDevicePassword**
Optional. An integer value that specifies whether simple passwords, such as "1111" or "1234", are allowed. Possible values for this node are one of the following:
- 0 - Not allowed.
- 1 (default) - Allowed.
Invalid values are treated as a configuration failure. The scope is dynamic.
Supported operations are Get, Add, and Replace.
<a href="" id="providerid-mindevicepasswordlength"></a>***ProviderID*/MinDevicePasswordLength**
Optional. An integer value that specifies the minimum number of characters required in the PIN. Valid values are 4 to 18 inclusive. The default value is 4. Invalid values are treated as a configuration failure. The scope is dynamic.
Supported operations are Get, Add, and Replace.
<a href="" id="providerid-alphanumericdevicepasswordrequired"></a>***ProviderID*/AlphanumericDevicePasswordRequired**
Optional. An integer value that specifies the complexity of the password or PIN allowed.
Valid values are one of the following:
- 0 - Alphanumeric password required
- 1 - Users can choose a numeric or alphanumeric password
- 2 - Users can choose no password, numeric password, or alphanumeric password
Invalid values are treated as a configuration failure. The scope is dynamic.
Supported operations are Get, Add, and Replace.
<a href="" id="providerid-devicepasswordexpiration"></a>***ProviderID*/DevicePasswordExpiration**
Deprecated in Windows 10.
<a href="" id="providerid-devicepasswordhistory"></a>***ProviderID*/DevicePasswordHistory**
Deprecated in Windows 10.
<a href="" id="providerid-maxdevicepasswordfailedattempts"></a>***ProviderID*/MaxDevicePasswordFailedAttempts**
Optional. An integer value that specifies the number of authentication failures allowed before the device will be wiped. Valid values are 0 to 999. The default value is 0, which indicates the device will not be wiped regardless of the number of authentication failures.
Invalid values are treated as a configuration failure. The scope is dynamic.
Supported operations are Get, Add, and Replace.
<a href="" id="providerid-maxinactivitytimedevicelock"></a>***ProviderID*/MaxInactivityTimeDeviceLock**
Optional. An integer value that specifies the amount of time (in minutes) that the device can remain idle before it is password locked. Valid values are 0 to 999. A value of 0 indicates no time-out is specified. In this case, the maximum screen time-out allowed by the UI applies.
Invalid values are treated as a configuration failure. The scope is dynamic.
Supported operations are Get, Add, and Replace.
<a href="" id="providerid-mindevicepasswordcomplexcharacters"></a>***ProviderID*/MinDevicePasswordComplexCharacters**
Optional. An integer value that specifies the number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong password. Valid values are 1 to 4 for mobile and 1 to 3 for desktop. The default value is 1.
Invalid values are treated as a configuration failure. The scope is dynamic.
Supported operations are Get, Add, and Replace.
<a href="" id="devicevalue"></a>**DeviceValue**
Required. A permanent node that groups the policy values applied to the device. The server can query this node to discover what policy values are actually applied to the device. The scope is permanent.
Supported operation is Get.
<a href="" id="devicevalue-devicepasswordenable-----mindevicepasswordcomplexcharacters"></a>**DeviceValue/DevicePasswordEnable, …, MinDevicePasswordComplexCharacters**
Required. This node has the same set of policy nodes as the **ProviderID** node. All nodes under **DeviceValue** are read-only permanent nodes. Each node represents the current device lock policy. For detailed descriptions of each policy, see the ***ProviderID*** subnode descriptions.
## OMA DM examples
Set device lock policies:
``` syntax
<Atomic>
<CmdID>13</CmdID>
<Add>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DeviceLock/Provider/TestMDMServer/MaxDevicePasswordFailedAttempts
</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>4</Data>
</Item>
</Add>
<Add>
<CmdID>3</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DeviceLock/Provider/TestMDMServer/DevicePasswordEnabled</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>0</Data>
</Item>
</Add>
<Add>
<CmdID>4</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DeviceLock/Provider/TestMDMServer/AllowSimpleDevicePassword
</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>1</Data>
</Item>
</Add>
<Add>
<CmdID>5</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DeviceLock/Provider/TestMDMServer/MinDevicePasswordLength
</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>5</Data>
</Item>
</Add>
<Add>
<CmdID>6</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DeviceLock/Provider/TestMDMServer/AlphanumericDevicePasswordRequired
</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>1</Data>
</Item>
</Add>
<Add>
<CmdID>7</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DeviceLock/Provider/TestMDMServer/DevicePasswordExpiration
</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>2</Data>
</Item>
</Add>
<Add>
<CmdID>8</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DeviceLock/Provider/TestMDMServer/DevicePasswordHistory
</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>50</Data>
</Item>
</Add>
<Add>
<CmdID>9</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DeviceLock/Provider/TestMDMServer/MaxInactivityTimeDeviceLock
</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>2</Data>
</Item>
</Add>
<Add>
<CmdID>10</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DeviceLock/Provider/TestMDMServer/MinDevicePasswordComplexCharacters
</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>2</Data>
</Item>
</Add>
</Atomic>
```
## Remarks
All node values under the **ProviderID** interior node represent the policy values set by the management server.
- An **Add** or **Replace** command on those nodes returns success in the following cases:
- The value is actually applied to the device.
- The value isn't applied to the device because the device has a more secure value set already.
From a security perspective, the device complies with the policy request that is at least as secure as the one requested.
- A **Get** command on those nodes returns the value the server pushes down to the device.
- If a **Replace** command fails, the node value is set back to the value that was to be replaced.
- If an **Add** command fails, the node is not created.
The value applied to the device can be queried via the nodes under the **DeviceValue** interior node.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
 
 

513
windows/client-management/mdm/devicelock-ddf-file.md Normal file
View File

@ -0,0 +1,513 @@
---
title: DeviceLock DDF file
description: DeviceLock DDF file
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: 46a691b9-6350-4987-bfc7-f8b1eece3ad9
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# DeviceLock DDF file
This topic shows the OMA DM device description framework (DDF) for the **DeviceLock** configuration service provider. DDF files are used only with OMA DM provisioning XML.
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC "-//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree>
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>DeviceLock</NodeName>
<Path>./Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName>com.microsoft/1.0/WindowsPhone/DeviceLock </DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Provider</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Add />
<Get />
<Delete />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>DevicePasswordEnabled</NodeName>
<DFProperties>
<AccessType>
<Add />
<Get />
<Replace />
</AccessType>
<DefaultValue>1</DefaultValue>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>AllowSimpleDevicePassword</NodeName>
<DFProperties>
<AccessType>
<Add />
<Get />
<Replace />
</AccessType>
<DefaultValue>1</DefaultValue>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>MinDevicePasswordLength</NodeName>
<DFProperties>
<AccessType>
<Add />
<Get />
<Replace />
</AccessType>
<DefaultValue>4</DefaultValue>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>AlphanumericDevicePasswordRequired</NodeName>
<DFProperties>
<AccessType>
<Add />
<Get />
<Replace />
</AccessType>
<DefaultValue>2</DefaultValue>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>DevicePasswordExpiration</NodeName>
<DFProperties>
<AccessType>
<Add />
<Get />
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>DevicePasswordHistory</NodeName>
<DFProperties>
<AccessType>
<Add />
<Get />
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>MaxDevicePasswordFailedAttempts</NodeName>
<DFProperties>
<AccessType>
<Add />
<Get />
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>MaxInactivityTimeDeviceLock</NodeName>
<DFProperties>
<AccessType>
<Add />
<Get />
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>MinDevicePasswordComplexCharacters</NodeName>
<DFProperties>
<AccessType>
<Add />
<Get />
<Replace />
</AccessType>
<DefaultValue>1</DefaultValue>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
<Node>
<NodeName>DeviceValue</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>DevicePasswordEnabled</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>AllowSimpleDevicePassword</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>MinDevicePasswordLength</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>AlphanumericDevicePasswordRequired</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>DevicePasswordExpiration</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>DevicePasswordHistory</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>MaxDevicePasswordFailedAttempts</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>MaxInactivityTimeDeviceLock</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>MinDevicePasswordComplexCharacters</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</MgmtTree>
```
## Related topics
[DeviceLock configuration service provider](devicelock-csp.md)
 
 

45
windows/client-management/mdm/devicemanageability-csp.md Normal file
View File

@ -0,0 +1,45 @@
---
title: DeviceManageability CSP
description: The DeviceManageability configuration service provider (CSP) is used retrieve the general information about MDM configuration capabilities on the device. This CSP was added in Windows 10, version 1607.
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: FE563221-D5B5-4EFD-9B60-44FE4066B0D2
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# DeviceManageability CSP
The DeviceManageability configuration service provider (CSP) is used retrieve the general information about MDM configuration capabilities on the device. This CSP was added in Windows 10, version 1607.
For performance reasons DeviceManageability CSP directly reads the CSP version from the registry. Specifically, the value csp\_version is used to determine each of the CSP versions. The csp\_version is a value under each of the CSP registration keys. To have consistency on the CSP version, the CSP GetProperty implementation for CFGMGR\_PROPERTY\_SEMANTICTYPE has to be updated to read from the registry as well, so that the both paths return the same information.
The following diagram shows the DeviceManageability configuration service provider in a tree format.
![devicemanageability csp diagram](images/provisioning-csp-devicemanageability.png)
<a href="" id="--device-vendor-msft-devicemanageability"></a>**./Device/Vendor/MSFT/DeviceManageability**
Root node to group information about runtime MDM configuration capability on the target device.
<a href="" id="capabilities"></a>**Capabilities**
Interior node.
<a href="" id="capabilities-cspversions"></a>**Capabilities/CSPVersions**
Returns the versions of all configuration service providers supported on the device for the MDM service.
 
 

108
windows/client-management/mdm/devicemanageability-ddf.md Normal file
View File

@ -0,0 +1,108 @@
---
title: DeviceManageability DDF
description: This topic shows the OMA DM device description framework (DDF) for the DeviceManageability configuration service provider. This CSP was added in Windows 10, version 1607.
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: D7FA8D51-95ED-40D2-AA84-DCC4BBC393AB
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# DeviceManageability DDF
This topic shows the OMA DM device description framework (DDF) for the DeviceManageability configuration service provider. This CSP was added in Windows 10, version 1607.
You can download the DDF files from the links below:
- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip)
The XML below is the current version for this CSP.
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>DeviceManageability</NodeName>
<Path>./Device/Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>com.microsoft/1.0/MDM/DeviceManageability</MIME>
</DFType>
</DFProperties>
<Node>
<NodeName>Capabilities</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>CSPVersions</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Returns the versions of all configuration service providers (CSP) for MDM. </Description>
<DFFormat>
<xml />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</MgmtTree>
```
 
 

241
windows/client-management/mdm/devicestatus-csp.md Normal file
View File

@ -0,0 +1,241 @@
---
title: DeviceStatus CSP
description: The DeviceStatus configuration service provider is used by the enterprise to keep track of device inventory and query the state of compliance of these devices with their enterprise policies.
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: 039B2010-9290-4A6E-B77B-B2469B482360
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# DeviceStatus CSP
The DeviceStatus configuration service provider is used by the enterprise to keep track of device inventory and query the state of compliance of these devices with their enterprise policies.
The following image shows the DeviceStatus configuration service provider in tree format.
![devicestatus csp](images/provisioning-csp-devicestatus.png)
<a href="" id="devicestatus"></a>**DeviceStatus**
The root node for the DeviceStatus configuration service provider.
<a href="" id="devicestatus-securebootstate"></a>**DeviceStatus/SecureBootState**
Indicates whether secure boot is enabled. The value is one of the following:
- 0 - Not supported
- 1 - Enabled
- 2 - Disabled
Supported operation is Get.
<a href="" id="devicestatus-cellularidentities"></a>**DeviceStatus/CellularIdentities**
Required. Node for queries on the SIM cards.
> **Note**  Multiple SIMs are supported.
 
<a href="" id="devicestatus-cellularidentities-imei"></a>**DeviceStatus/CellularIdentities/****_IMEI_**
The unique International Mobile Station Equipment Identity (IMEI) number of the mobile device. An IMEI is present for each SIM card on the device.
<a href="" id="devicestatus-cellularidentities-imei-imsi"></a>**DeviceStatus/CellularIdentities/*IMEI*/IMSI**
The International Mobile Subscriber Identity (IMSI) associated with the IMEI number.
Supported operation is Get.
<a href="" id="devicestatus-cellularidentities-imei-iccid"></a>**DeviceStatus/CellularIdentities/*IMEI*/ICCID**
The Integrated Circuit Card ID (ICCID) of the SIM card associated with the specific IMEI number.
Supported operation is Get.
<a href="" id="devicestatus-cellularidentities-imei-phonenumber"></a>**DeviceStatus/CellularIdentities/*IMEI*/PhoneNumber**
Phone number associated with the specific IMEI number.
Supported operation is Get.
<a href="" id="devicestatus-cellularidentities-imei-commercializationoperator"></a>**DeviceStatus/CellularIdentities/*IMEI*/CommercializationOperator**
The mobile service provider or mobile operator associated with the specific IMEI number.
Supported operation is Get.
<a href="" id="devicestatus-cellularidentities-imei-roamingstatus"></a>**DeviceStatus/CellularIdentities/*IMEI*/RoamingStatus**
Indicates whether the SIM card associated with the specific IMEI number is roaming.
Supported operation is Get.
<a href="" id="devicestatus-cellularidentities-imei-roamingcompliance"></a>**DeviceStatus/CellularIdentities/*IMEI*/RoamingCompliance**
Boolean value that indicates compliance with the enforced enterprise roaming policy.
Supported operation is Get.
<a href="" id="devicestatus-networkidentifiers"></a>**DeviceStatus/NetworkIdentifiers**
Node for queries on network and device properties.
<a href="" id="devicestatus-networkidentifiers-macaddress"></a>**DeviceStatus/NetworkIdentifiers/****_MacAddress_**
MAC address of the wireless network card. A MAC address is present for each network card on the device.
<a href="" id="devicestatus-networkidentifiers-macaddress-ipaddressv4"></a>**DeviceStatus/NetworkIdentifiers/*MacAddress*/IPAddressV4**
IPv4 address of the network card associated with the MAC address.
Supported operation is Get.
<a href="" id="devicestatus-networkidentifiers-macaddress-ipaddressv6"></a>**DeviceStatus/NetworkIdentifiers/*MacAddress*/IPAddressV6**
IPv6 address of the network card associated with the MAC address.
Supported operation is Get.
<a href="" id="devicestatus-networkidentifiers-macaddress-isconnected"></a>**DeviceStatus/NetworkIdentifiers/*MacAddress*/IsConnected**
Boolean value that indicates whether the network card associated with the MAC address has an active network connection.
Supported operation is Get.
<a href="" id="devicestatus-networkidentifiers-macaddress-type"></a>**DeviceStatus/NetworkIdentifiers/*MacAddress*/Type**
Type of network connection. The value is one of the following:
- 2 - WLAN (or other Wireless interface)
- 1 - LAN (or other Wired interface)
- 0 - Unknown
Supported operation is Get.
<a href="" id="devicestatus-compliance"></a>**DeviceStatus/Compliance**
Node for the compliance query.
<a href="" id="devicestatus-compliance-encryptioncompliance"></a>**DeviceStatus/Compliance/EncryptionCompliance**
Boolean value that indicates compliance with the enterprise encryption policy. The value is one of the following:
- 0 - not encrypted
- 1 - encrypted
Supported operation is Get.
<a href="" id="devicestatus-tpm"></a>**DeviceStatus/TPM**
Added in , version 1607. Node for the TPM query.
Supported operation is Get.
<a href="" id="devicestatus-tpm-specificationversion"></a>**DeviceStatus/TPM/SpecificationVersion**
Added in , version 1607. String that specifies the specification version.
Supported operation is Get.
<a href="" id="devicestatus-os"></a>**DeviceStatus/OS**
Added in , version 1607. Node for the OS query.
Supported operation is Get.
<a href="" id="devicestatus-os-edition"></a>**DeviceStatus/OS/Edition**
Added in , version 1607. String that specifies the OS edition.
Supported operation is Get.
<a href="" id="devicestatus-antivirus"></a>**DeviceStatus/Antivirus**
Added in , version 1607. Node for the antivirus query.
Supported operation is Get.
<a href="" id="devicestatus-antivirus-signaturestatus"></a>**DeviceStatus/Antivirus/SignatureStatus**
Added in , version 1607. Integer that specifies the status of the antivirus signature.
Valid values:
- 0 - The security software reports that it is not the most recent version.
- 1 (default) - The security software reports that it is the most recent version.
- 2 Not applicable. This is returned for devices like the phone that do not have an antivirus (where the API doesnt exist.)
Supported operation is Get.
<a href="" id="devicestatus-antivirus-status"></a>**DeviceStatus/Antivirus/Status**
Added in , version 1607. Integer that specifies the status of the antivirus.
Valid values:
- 0 Antivirus is on and monitoring
- 1 Antivirus is disabled
- 2 Antivirus is not monitoring the device/PC or some options have been turned off
- 3 (default) Antivirus is temporarily not completely monitoring the device/PC
- 4 Antivirus not applicable for this device. This is returned for devices like the phone that do not have an antivirus (where the API doesnt exist.)
Supported operation is Get.
<a href="" id="devicestatus-antispyware"></a>**DeviceStatus/Antispyware**
Added in , version 1607. Node for the antispyware query.
Supported operation is Get.
<a href="" id="devicestatus-antispyware-signaturestatus"></a>**DeviceStatus/Antispyware/SignatureStatus**
Added in , version 1607. Integer that specifies the status of the antispyware signature.
Supported operation is Get.
<a href="" id="devicestatus-antispyware-status"></a>**DeviceStatus/Antispyware/Status**
Added in , version 1607. Integer that specifies the status of the antispyware.
Supported operation is Get.
<a href="" id="devicestatus-firewall"></a>**DeviceStatus/Firewall**
Added in , version 1607. Node for the firewall query.
Supported operation is Get.
<a href="" id="devicestatus-firewall-status"></a>**DeviceStatus/Firewall/Status**
Added in , version 1607. Integer that specifies the status of the firewall.
Valid values:
- 0 Firewall is on and monitoring
- 1 Firewall has been disabled
- 2 Firewall is not monitoring all networks or some rules have been turned off
- 3 (default) Firewall is temporarily not monitoring all networks
- 4 Not applicable. This is returned for devices like the phone that do not have an antivirus (where the API doesnt exist.)
Supported operation is Get.
<a href="" id="devicestatus-uac"></a>**DeviceStatus/UAC**
Added in , version 1607. Node for the UAC query.
Supported operation is Get.
<a href="" id="devicestatus-uac-status"></a>**DeviceStatus/UAC/Status**
Added in , version 1607. Integer that specifies the status of the UAC.
Supported operation is Get.
<a href="" id="devicestatus-battery"></a>**DeviceStatus/Battery**
Added in , version 1607. Node for the battery query.
Supported operation is Get.
<a href="" id="devicestatus-battery-status"></a>**DeviceStatus/Battery/Status**
Added in , version 1607. Integer that specifies the status of the battery
Supported operation is Get.
<a href="" id="devicestatus-battery-estimatedchargeremaining"></a>**DeviceStatus/Battery/EstimatedChargeRemaining**
Added in , version 1607. Integer that specifies the estimated battery charge remaining. This is the value returned in **BatteryLifeTime** in [SYSTEM\_POWER\_STATUS structure](https://msdn.microsoft.com/library/windows/desktop/aa373232.aspx).
The value is the number of seconds of battery life remaining when the device is not connected to an AC power source. When it is connected to a power source, the value is -1. When the estimation is unknown, the value is -1.
Supported operation is Get.
<a href="" id="devicestatus-battery-estimatedruntime"></a>**DeviceStatus/Battery/EstimatedRuntime**
Added in , version 1607. Integer that specifies the estimated runtime of the battery. This is the value returned in **BatteryLifeTime** in [SYSTEM\_POWER\_STATUS structure](https://msdn.microsoft.com/library/windows/desktop/aa373232.aspx).
The value is the number of seconds of battery life remaining when the device is not connected to an AC power source. When it is connected to a power source, the value is -1. When the estimation is unknown, the value is -1.
Supported operation is Get.
 
 

778
windows/client-management/mdm/devicestatus-ddf.md Normal file
View File

@ -0,0 +1,778 @@
---
title: DeviceStatus DDF
description: This topic shows the OMA DM device description framework (DDF) for the DeviceStatus configuration service provider. DDF files are used only with OMA DM provisioning XML.
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: 780DC6B4-48A5-4F74-9F2E-6E0D88902A45
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# DeviceStatus DDF
This topic shows the OMA DM device description framework (DDF) for the **DeviceStatus** configuration service provider. DDF files are used only with OMA DM provisioning XML.
You can download the DDF files from the links below:
- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip)
The XML below is the current version for this CSP.
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>DeviceStatus</NodeName>
<Path>./Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>com.microsoft/1.2/MDM/DeviceStatus</MIME>
</DFType>
</DFProperties>
<Node>
<NodeName>SecureBootState</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>CellularIdentities</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrMore />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>IMEI</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>IMSI</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>ICCID</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>PhoneNumber</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>CommercializationOperator</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>RoamingStatus</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>RoamingCompliance</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
<Node>
<NodeName>NetworkIdentifiers</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrMore />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>MacAddress</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>IPAddressV4</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>IPAddressV6</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>IsConnected</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Type</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
<Node>
<NodeName>Compliance</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>EncryptionCompliance</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>TPM</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>SpecificationVersion</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DefaultValue>Not available</DefaultValue>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>OS</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Edition</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DefaultValue>Not available</DefaultValue>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>Antivirus</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>SignatureStatus</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DefaultValue>1</DefaultValue>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Status</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DefaultValue>3</DefaultValue>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>Antispyware</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>SignatureStatus</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DefaultValue>1</DefaultValue>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Status</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DefaultValue>3</DefaultValue>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>Firewall</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Status</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DefaultValue>3</DefaultValue>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>UAC</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Status</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>Battery</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Status</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DefaultValue>0</DefaultValue>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>EstimatedChargeRemaining</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DefaultValue>0</DefaultValue>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>EstimatedRuntime</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DefaultValue>0</DefaultValue>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</MgmtTree>
```
 
 

82
windows/client-management/mdm/devinfo-csp.md Normal file
View File

@ -0,0 +1,82 @@
---
title: DevInfo CSP
description: DevInfo CSP
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: d3eb70db-1ce9-4c72-a13d-651137c1713c
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# DevInfo CSP
The DevInfo configuration service provider handles the managed object which provides device information to the OMA DM server. This device information is automatically sent to the OMA DM server at the beginning of each OMA DM session.
> **Note**  This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application.
 
For the DevInfo CSP, you cannot use the Replace command unless the node already exists.
The following diagram shows the DevInfo configuration service provider management object in tree format as used by OMA Device Management. The OMA Client provisioning protocol is not supported by this configuration service provider.
![devinfo csp (dm)](images/provisioning-csp-devinfo-dm.png)
<a href="" id="devid"></a>**DevId**
Required. Returns an application-specific global unique device identifier by default.
Supported operation is Get.
The **UseHWDevID** parm of the [DMAcc configuration service provider](dmacc-csp.md) or DMS configuration service provider can be used to modify the return value to instead return a hardware device ID as follows:
- For GSM phones, the IMEI is returned.
- For CDMA phones, the MEID is returned.
- For dual SIM phones, this value is retrieved from the UICC of the primary data line.
- For Windows 10 for desktop editions (Home, Pro, Enterprise, and Education), it returns an application specific global unique identifier (GUID) irrespective of the value of UseHWDevID.
<a href="" id="man"></a>**Man**
Required. Returns the name of the OEM. For Windows 10 for desktop editions, it returns the SystemManufacturer as defined in HKEY\_LOCAL\_MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemManufacturer.
If no name is found, this returns "Unknown".
Supported operation is Get.
<a href="" id="mod"></a>**Mod**
Required. Returns the name of the hardware device model as specified by the mobile operator. For Windows 10 for desktop editions, it returns the SystemProductName as defined in HKEY\_LOCAL\_MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemProductName.
If no name is found, this returns "Unknown".
Supported operation is Get.
<a href="" id="dmv"></a>**DmV**
Required. Returns the current management client revision of the device.
Supported operation is Get.
<a href="" id="lang"></a>**Lang**
Required. Returns the current user interface (UI) language setting of the device as defined by RFC1766.
Supported operation is Get.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
 
 

182
windows/client-management/mdm/devinfo-ddf-file.md Normal file
View File

@ -0,0 +1,182 @@
---
title: DevInfo DDF file
description: DevInfo DDF file
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: beb07cc6-4133-4c0f-aa05-64db2b4a004f
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# DevInfo DDF file
This topic shows the OMA DM device description framework (DDF) for the **DevInfo** configuration service provider. DDF files are used only with OMA DM provisioning XML.
You can download the DDF files from the links below:
- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip)
The XML below is the current version for this CSP.
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC "-//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>DevInfo</NodeName>
<Path>.</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFTitle>The interior node holding all devinfo objects</DFTitle>
<DFType>
<DDFName>urn:oma:mo:oma-dm-devinfo:1.0</DDFName>
</DFType>
<MSFT:RWAccess>1</MSFT:RWAccess>
</DFProperties>
<Node>
<NodeName>DevId</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>An unique device identifier. An application-specific global unique device identifier is provided in this node.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<MSFT:RWAccess>1</MSFT:RWAccess>
</DFProperties>
</Node>
<Node>
<NodeName>Man</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<MSFT:RWAccess>1</MSFT:RWAccess>
</DFProperties>
</Node>
<Node>
<NodeName>Mod</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Device model name, as specified and tracked by the mobile operator</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<MSFT:RWAccess>1</MSFT:RWAccess>
</DFProperties>
</Node>
<Node>
<NodeName>DmV</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>The current management client revision of the device.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<MSFT:RWAccess>1</MSFT:RWAccess>
</DFProperties>
</Node>
<Node>
<NodeName>Lang</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>The current language at the device user interface.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<MSFT:RWAccess>1</MSFT:RWAccess>
</DFProperties>
</Node>
</Node>
</MgmtTree>
```
## Related topics
[DevInfo configuration service provider](devinfo-csp.md)
 
 

330
windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md Normal file
View File

@ -0,0 +1,330 @@
---
title: Diagnose MDM failures in Windows 10
description: To help diagnose enrollment or device management issues in Windows 10 devices managed by an MDM server, you can examine the MDM logs collected from the desktop or mobile device. The following sections describe the procedures for collecting MDM logs.
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: 12D8263B-D839-4B19-9346-31E0CDD0CBF9
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# Diagnose MDM failures in Windows 10
To help diagnose enrollment or device management issues in Windows 10 devices managed by an MDM server, you can examine the MDM logs collected from the desktop or mobile device. The following sections describe the procedures for collecting MDM logs.
## Collect logs directly from Windows 10 PCs
Starting with the Windows 10, version 1511, MDM logs are captured in the Event Viewer in the following location:
- Applications and Services Logs &gt; Microsoft &gt; Windows &gt; DeviceManagement-Enterprise-Diagnostic-Provider
Here's a screenshot:
![mdm event viewer](images/diagnose-mdm-failures1.png)
In this location, the **Admin** channel logs events by default. However, if you need more details logs you can enable **Debug** logs by choosing **Show Analytic and Debug** logs option in **View** menu in Event Viewer.
**To collect Admin logs**
1. Right click on the **Admin** node.
2. Select **Save all events as**.
3. Choose a location and enter a filename.
4. Click **Save**.
5. Choose **Display information for these languages** and then select **English**.
6. Click **Ok**.
For more detailed logging, you can enable **Debug** logs. Right click on the **Debug** node and then click **Enable Log**.
**To collect Debug logs**
1. Right click on the **Debug** node.
2. Select **Save all events as**.
3. Choose a location and enter a filename.
4. Click **Save**.
5. Choose **Display information for these languages** and then select **English**.
6. Click **Ok**.
You can open the log files (.evtx files) in the Event Viewer on a Windows 10 PC running the November 2015 update.
## Collect logs remotely from Windows 10 PCs
When the PC is already enrolled in MDM, you can remotely collect logs from the PC through the MDM channel if your MDM server supports this. The [DiagnosticLog CSP](diagnosticlog-csp.md) can be used to enable an event viewer channel by full name. Here are the Event Viewer names for the Admin and Debug channels:
- Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%2FAdmin
- Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%2FDebug
Example: Enable the Debug channel logging
``` syntax
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%2FDebug/State</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">bool</Format>
</Meta>
<Data>true</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
```
Example: Export the Debug logs
``` syntax
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Exec>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%2FDebug/Export</LocURI>
</Target>
</Item>
</Exec>
<Final/>
</SyncBody>
</SyncML>
```
## Collect logs from Windows 10 Mobile devices
Since there is no Event Viewer in Windows 10 Mobile, you can use the [Field Medic]( http://go.microsoft.com/fwlink/p/?LinkId=718232) app to collect logs.
**To collect logs manually**
1. Download and install the [Field Medic]( http://go.microsoft.com/fwlink/p/?LinkId=718232) app from the store.
2. Open the Field Medic app and then click on **Advanced**.
![field medic screenshot](images/diagnose-mdm-failures2.png)
3. Click on **Choose with ETW provider to use**.
![field medic screenshot](images/diagnose-mdm-failures3.png)
4. Check **Enterprise** and un-check the rest.
![field medic screenshot](images/diagnose-mdm-failures4.png)
5. In the app, click on **Start Logging** and then perform the operation that you want to troubleshoot.
![field medic screenshot](images/diagnose-mdm-failures2.png)
6. When the operation is done, click on **Stop Logging**.
![field medic screenshot](images/diagnose-mdm-failures5.png)
7. Save the logs. They will be stored in the Field Medic log location on the device.
8. You can send the logs via email by attaching the files from **Documents &gt; Field Medic &gt; Reports &gt; ...** folder.
![device documents folder](images/diagnose-mdm-failures6.png)![device folder screenshot](images/diagnose-mdm-failures7.png)![device folder screenshot](images/diagnose-mdm-failures8.png)
The following table contains a list of common providers and their corresponding GUIDs.
| GUID | Provider Name |
|--------------------------------------|--------------------------------------------------------|
| 099614a5-5dd7-4788-8bc9-e29f43db28fc | Microsoft-Windows-LDAP-Client |
| 0f67e49f-fe51-4e9f-b490-6f2948cc6027 | Microsoft-Windows-Kernel-Processor-Power |
| 0ff1c24b-7f05-45c0-abdc-3c8521be4f62 | Microsoft-Windows-Mobile-Broadband-Experience-SmsApi |
| 10e4f0e0-9686-4e62-b2d6-fd010eb976d3 | Microsoft-WindowsPhone-Shell-Events |
| 1e39b4ce-d1e6-46ce-b65b-5ab05d6cc266 | Microsoft-Windows-Networking-RealTimeCommunication |
| 22a7b160-f6e8-46b9-8e0b-a51989c85c66 | Microsoft-WindowsPhone-Bluetooth-AG |
| 2f94e1cc-a8c5-4fe7-a1c3-53d7bda8e73e | Microsoft-WindowsPhone-ConfigManager2 |
| 331c3b3a-2005-44c2-ac5e-77220c37d6b4 | Microsoft-Windows-Kernel-Power |
| 33693e1d-246a-471b-83be-3e75f47a832d | Microsoft-Windows-BTH-BTHUSB |
| 3742be72-99a9-42e6-9fd5-c01a330e3625 | Microsoft-WindowsPhone-PhoneAudio |
| 3b9602ff-e09b-4c6c-bc19-1a3dfa8f2250 | Microsoft-WindowsPhone-OmaDm-Client-Provider |
| 3da494e4-0fe2-415C-b895-fb5265c5c83b | Microsoft-WindowsPhone-Enterprise-Diagnostics-Provider |
| 3f471139-acb7-4a01-b7a7-ff5da4ba2d43 | Microsoft-Windows-AppXDeployment-Server |
| 4180c4f7-e238-5519-338f-ec214f0b49aa | Microsoft.Windows.ResourceManager |
| 4637124c-1d40-4b4d-892f-2aaecf24ff06 | Microsoft-Windows-WinJson |
| 4d13548f-c7b8-4174-bb7a-d7f64bf22d29 | Microsoft-WindowsPhone-LocationServiceProvider |
| 4eacb4d0-263b-4b93-8cd6-778a278e5642 | Microsoft-Windows-GenericRoaming |
| 4f386063-ef17-4629-863c-d71597af743d | Microsoft-WindowsPhone-NotificationService |
| 55404e71-4db9-4deb-a5f5-8f86e46dde56 | Microsoft-Windows-Winsock-NameResolution |
| 59819d0a-adaf-46b2-8d7c-990bc39c7c15 | Microsoft-Windows-Battery |
| 5c103042-7e75-4629-a748-bdfa67607fac | Microsoft-WindowsPhone-Power |
| 69c1c3f1-2b5c-41d0-a14a-c7ca5130640e | Microsoft-WindowsPhone-Cortana |
| 6ad52b32-d609-4be9-ae07-ce8dae937e39 | Microsoft-Windows-RPC |
| 7263516b-6eb0-477b-b64f-17b91d29f239 | Microsoft-WindowsPhone-BatterySense |
| 7dd42a49-5329-4832-8dfd-43d979153a88 | Microsoft-Windows-Kernel-Network |
| ae4bd3be-f36f-45b6-8d21-bdd6fb832853 | Microsoft-Windows-Audio |
| daa6a96b-f3e7-4d4d-a0d6-31a350e6a445 | Microsoft-Windows-WLAN-Driver |
| 4d13548f-c7b8-4174-bb7a-d7f64bf22d29 | Microsoft-WindowsPhone-LocationServiceProvider |
| 74e106b7-00be-4a55-b707-7ab58d6a9e90 | Microsoft-WindowsPhone-Shell-OOBE |
| cbda4dbf-8d5d-4f69-9578-be14aa540d22 | Microsoft-Windows-AppLocker |
| e595f735-b42a-494b-afcd-b68666945cd3 | Microsoft-Windows-Firewall |
| e5fc4a0f-7198-492f-9b0f-88fdcbfded48 | Microsoft-Windows Networking VPN |
| e5c16d49-2464-4382-bb20-97a4b5465db9 | Microsoft-Windows-WiFiNetworkManager |
 
## Collect logs remotely from Windows 10 Mobile devices
For mobile devices already enrolled in MDM, you can remotely collect MDM logs through the MDM channel using the [DiagnosticLog CSP](diagnosticlog-csp.md).
You can use the DiagnosticLog CSP to enable the ETW provider. The provider ID is 3DA494E4-0FE2-415C-B895-FB5265C5C83B. The following examples show how to enable the ETW provider:
Add a collector node
``` syntax
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Add>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/MDM</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">node</Format>
</Meta>
</Item>
</Add>
<Final/>
</SyncBody>
</SyncML>
```
Add the ETW provider to the trace
``` syntax
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Add>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/MDM/Providers/3DA494E4-0FE2-415C-B895-FB5265C5C83B</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">node</Format>
</Meta>
</Item>
</Add>
<Final/>
</SyncBody>
</SyncML>
```
Start collector trace logging
``` syntax
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Exec>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/MDM/TraceControl</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>START</Data>
</Item>
</Exec>
<Final/>
</SyncBody>
</SyncML>
```
Stop collector trace logging
``` syntax
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Exec>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/MDM/TraceControl</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>STOP</Data>
</Item>
</Exec>
<Final/>
</SyncBody>
</SyncML>
```
After the logs are collected on the device, you can retrieve the files through the MDM channel using the FileDownload portion of the DiagnosticLog CSP. For details, see [DiagnosticLog CSP](diagnosticlog-csp.md).
## View logs
For best results, ensure that the PC or VM on which you are viewing logs matches the build of the OS from which the logs were collected.
1. Open eventvwr.msc.
2. Right-click on **Event Viewer(Local)** and select **Open Saved Log**.
![event viewer screenshot](images/diagnose-mdm-failures9.png)
3. Navigate to the etl file that you got from the device and then open the file.
4. Click **Yes** when prompted to save it to the new log format.
![prompt](images/diagnose-mdm-failures10.png)
![diagnose mdm failures](images/diagnose-mdm-failures11.png)
5. The new view contains traces from the channel. Click on **Filter Current Log** from the **Actions** menu.
![event viewer](images/diagnose-mdm-failures12.png)
6. Add a filter to Event sources by selecting **DeviceManagement-EnterpriseDiagnostics-Provider** and click **OK**.
![event filter](images/diagnose-mdm-failures13.png)
7. Now you are ready to start reviewing the logs.
![event viewer](images/diagnose-mdm-failures14.png)
## Collect device state data
Here's an example of how to collect current MDM device state data using the [DiagnosticLog CSP](diagnosticlog-csp.md), version 1.3, which was added in Windows 10, version 1607. You can collect the file from the device using the same FileDownload node in the CSP as you do for the etl files.
``` syntax
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Exec>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/DiagnosticLog/DeviceStateData/MdmConfiguration</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>SNAP</Data>
</Item>
</Exec>
<Final/>
</SyncBody>
</SyncML>
```
 

922
windows/client-management/mdm/diagnosticlog-csp.md Normal file
View File

@ -0,0 +1,922 @@
---
title: DiagnosticLog CSP
description: DiagnosticLog CSP
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: F76E0056-3ACD-48B2-BEA1-1048C96571C3
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# DiagnosticLog CSP
The DiagnosticLog configuration service provider (CSP) is used for generating and collecting diagnostic information from the device: Event Tracing for Windows (ETW) log files and current MDM configured state of the device.
DiagnosticLog CSP supports the following type of event tracing:
- Collector-based tracing
- Channel-based tracing
### Collector-based tracing
This type of event tracing simultaneously collects event data from a collection of registered ETW providers.
An event collector is a container of registered ETW providers. Users can add or delete a collector node and register or unregister multiple providers in this collector.
The ***CollectorName*** must be unique within the CSP and must not be a valid event channel name or a provider GUID.
The DiagnosticLog CSP maintains a log file for each collector node and the log file is overwritten if a start command is triggered again on the same collector node.
For each collector node, the user can:
- Start or stop the session with all registered and enabled providers
- Query session status
- Change trace log file mode
- Change trace log file size limit
The configurations log file mode and log file size limit does not take effect while trace session is in progress. These are applied when user stops the current session and then starts it again for this collector.
For each registered provider in this collector, the user can:
- Specify keywords to filter events from this provider
- Change trace level to filter events from this provider
- Enable or disable the provider in the trace session
The changes on **State**, **Keywords** and **TraceLevel** takes effect immediately while trace session is in progress.
> **Note**  Microsoft-WindowsPhone-Enterprise-Diagnostics-Provider (GUID - 3da494e4-0fe2-415C-b895-fb5265c5c83b) has the required debug resource files built into Windows OS, which will allow the logs files to be decoded on the remote machine. Any other logs may not have the debug resources required to decode.
 
### Channel-based tracing
The type of event tracing exports event data from a specific channel. This is only supported on the desktop.
Users can add or delete a channel node using the full name, such as Microsoft-Windows-AppModel-Runtime/Admin.
The DiagnosticLog CSP maintains a log file for each channel node and the log file is overwritten if a start command is triggered again on the same channel node.
For each channel node, the user can:
- Export channel event data into a log file (.evtx)
- Enable or disable the channel from Event Log service to allow or disallow event data being written into the channel
- Specify an XPath query to filter events while exporting the channel event data
For more information about using DiagnosticLog to collect logs remotely from a PC or mobile device, see [Diagnose MDM failures in Windows 10](diagnose-mdm-failures-in-windows-10.md).
Here are the links to the DDFs:
- [DiagnosticLog CSP version 1.2](diagnosticlog-ddf.md#version-1-2)
- [DiagnosticLog CSP version 1.3](diagnosticlog-ddf.md#version-1-3)
The following diagram shows the DiagnosticLog configuration service provider in tree format.
![diagnosticlog csp diagram](images/provisioning-csp-diagnosticlog.png)
<a href="" id="--vendor-msft-diagnosticlog"></a>**./Vendor/MSFT/DiagnosticLog**
The root node for the DiagnosticLog configuration service provider.
The following steps describe the process for gathering diagnostics using this CSP.
1. Specify a *CollectorName* for the container of the target ETW providers.
2. (Optional) Set logging and log file parameters using the following options:
- **TraceLogFileMode**
- **LogFileSizeLimitMB**
Each of these are described later in this topic.
3. Indicate one or more target ETW providers by supplying its *ProviderGUID* to the Add operation of EtwLog/Collectors/*CollectorName*/Providers/*ProviderGUID*.
4. (Optional) Set logging and log file parameters using the following options:
- **TraceLevel**
- **Keywords**
Each of these are described later in this topic.
5. Start logging using **TraceControl** EXECUTE command “START”
6. Perform actions on the target device that will generate activity in the log files.
7. Stop logging using **TraceControl** EXECUTE command “STOP”
8. Collect the log file located in the `%temp%` folder using the method described in [Reading a log file](#reading-a-log-file)
<a href="" id="etwlog"></a>**EtwLog**
Node to contain the Error Tracing for Windows log.
The supported operation is Get.
<a href="" id="etwlog-collectors"></a>**EtwLog/Collectors**
Interior node to contain dynamic child interior nodes for active providers.
The supported operation is Get.
<a href="" id="etwlog-collectors-collectorname"></a>**EtwLog/Collectors/****_CollectorName_**
Dynamic nodes to represent active collector configuration.
Supported operations are Add, Delete, and Get.
Add a collector
``` syntax
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Add>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">node</Format>
</Meta>
</Item>
</Add>
<Final/>
</SyncBody>
</SyncML>
```
Delete a collector
``` syntax
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Delete>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement</LocURI>
</Target>
</Item>
</Delete>
<Final/>
</SyncBody>
</SyncML>
```
<a href="" id="etwlog-collectors-collectorname-tracestatus"></a>**EtwLog/Collectors/*CollectorName*/TraceStatus**
Specifies whether the current logging status is running.
The data type is an integer.
The supported operation is Get.
The following table represents the possible values:
| Value | Description |
|-------|-------------|
| 0 | Stopped |
| 1 | Started |
 
<a href="" id="etwlog-collectors-collectorname-tracelogfilemode"></a>**EtwLog/Collectors/*CollectorName*/TraceLogFileMode**
Specifies the log file logging mode.
The data type is an integer.
Supported operations are Get and Replace.
The following table lists the possible values:
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Value</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>EVENT_TRACE_FILE_MODE_SEQUENTIAL (0x00000001)</p></td>
<td><p>Writes events to a log file sequentially; stops when the file reaches its maximum size.</p></td>
</tr>
<tr class="even">
<td><p>EVENT_TRACE_FILE_MODE_CIRCULAR (0x00000002)</p></td>
<td><p>Writes events to a log file. After the file reaches the maximum size, the oldest events are replaced with incoming events.</p></td>
</tr>
</tbody>
</table>
 
<a href="" id="etwlog-collectors-collectorname-tracecontrol"></a>**EtwLog/Collectors/*CollectorName*/TraceControl**
Specifies the logging and report action state.
The data type is a string.
The following table lists the possible values:
| Value | Description |
|-------|--------------------|
| START | Start log tracing. |
| STOP | Stop log tracing |
 
The supported operation is Execute.
After you have added a logging task, you can start a trace by running an Execute command on this node with the value START.
To stop the trace, running an execute command on this node with the value STOP.
Start collector trace logging
``` syntax
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Exec>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/TraceControl</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>START</Data>
</Item>
</Exec>
<Final/>
</SyncBody>
</SyncML>
```
Stop collector trace logging
``` syntax
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Exec>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/TraceControl</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>STOP</Data>
</Item>
</Exec>
<Final/>
</SyncBody>
</SyncML>
```
<a href="" id="etwlog-collectors-collectorname-logfilesizelimitmb"></a>**EtwLog/Collectors/*CollectorName*/LogFileSizeLimitMB**
Sets the log file size limit, in MB.
The data type is an integer.
Valid values are 1-2048. The default value is 4.
Supported operations are Get and Replace.
<a href="" id="etwlog-collectors-collectorname-providers"></a>**EtwLog/Collectors/*CollectorName*/Providers**
Interior node to contain dynamic child interior nodes for active providers.
The supported operation is Get.
<a href="" id="etwlog-collectors-collectorname-providers-providerguid"></a>**EtwLog/Collectors/*CollectorName*/Providers/****_ProviderGUID_**
Dynamic nodes to represent active provider configuration per provider GUID.
> **Note**  Microsoft-WindowsPhone-Enterprise-Diagnostics-Provider (GUID - 3da494e4-0fe2-415C-b895-fb5265c5c83b) has the required debug resource files built into Windows OS, which will allow the logs files to be decoded on the remote machine. Any other logs may not have the debug resources required to decode.
 
Supported operations are Add, Delete, and Get.
Add a provider
``` syntax
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Add>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/Providers/3da494e4-0fe2-415C-b895-fb5265c5c83b</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">node</Format>
</Meta>
</Item>
</Add>
<Final/>
</SyncBody>
</SyncML>
```
Delete a provider
``` syntax
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Delete>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/Providers/3da494e4-0fe2-415C-b895-fb5265c5c83b</LocURI>
</Target>
</Item>
</Delete>
<Final/>
</SyncBody>
</SyncML>
```
<a href="" id="etwlog-collectors-collectorname-providers-provderguid-tracelevel"></a>**EtwLog/Collectors/*CollectorName*/Providers/*ProvderGUID*/TraceLevel**
Specifies the level of detail included in the trace log.
The data type is an integer.
Supported operations are Get and Replace.
The following table lists the possible values.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Value</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>1 TRACE_LEVEL_CRITICAL</p></td>
<td><p>Abnormal exit or termination events</p></td>
</tr>
<tr class="even">
<td><p>2 TRACE_LEVEL_ERROR</p></td>
<td><p>Severe error events</p></td>
</tr>
<tr class="odd">
<td><p>3 TRACE_LEVEL_WARNING</p></td>
<td><p>Warning events such as allocation failures</p></td>
</tr>
<tr class="even">
<td><p>4 TRACE_LEVEL_INFORMATION</p></td>
<td><p>Non-error events, such as entry or exit events</p></td>
</tr>
<tr class="odd">
<td><p>5 TRACE_LEVEL_VERBOSE</p></td>
<td><p>Detailed information</p></td>
</tr>
</tbody>
</table>
 
Set provider **TraceLevel**
``` syntax
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/Providers/3da494e4-0fe2-415C-b895-fb5265c5c83b/TraceLevel</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>1</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
```
<a href="" id="etwlog-collectors-collectorname-providers-provderguid-keywords"></a>**EtwLog/Collectors/*CollectorName*/Providers/*ProvderGUID*/Keywords**
Specifies the provider keywords to be used as MatchAnyKeyword for this provider.
the data type is a string.
Supported operations are Get and Replace.
Default value is 0 meaning no keyword.
Get provider **Keywords**
``` syntax
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Get>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/Providers/3da494e4-0fe2-415C-b895-fb5265c5c83b/Keywords
</LocURI>
</Target>
</Item>
</Get>
<Final/>
</SyncBody>
</SyncML>
```
Set provider **Keywords**
``` syntax
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>4</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/Providers/3da494e4-0fe2-415C-b895-fb5265c5c83b/Keywords
</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
<Type>text/plain</Type>
</Meta>
<Data>12345678FFFFFFFF</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
```
<a href="" id="etwlog-collectors-collectorname-providers-provderguid-state"></a>**EtwLog/Collectors/*CollectorName*/Providers/*ProvderGUID*/State**
Specifies if this provider is enabled in the trace session.
The data type is a boolean.
Supported operations are Get and Replace. This change will be effective during active trace session.
The following table lists the possible values. Default value is TRUE.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Value</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>TRUE</p></td>
<td><p>Provider is enabled in the trace session.</p></td>
</tr>
<tr class="even">
<td><p>FALSE</p></td>
<td><p>Provider is disables in the trace session.</p></td>
</tr>
</tbody>
</table>
 
Set provider **State**
``` syntax
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/Providers/3da494e4-0fe2-415C-b895-fb5265c5c83b/State</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">bool</Format>
</Meta>
<Data>false</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
```
<a href="" id="etwlog-channels"></a>**EtwLog/Channels**
Interior node to contain dynamic child interior nodes for registered channels.
The supported operation is Get.
<a href="" id="etwlog-channels-channelname"></a>**EtwLog/Channels/****_ChannelName_**
Dynamic nodes to represent a registered channel. The node name must be a valid Windows event log channel name, such as "Microsoft-Client-Licensing-Platform%2FAdmin"
Supported operations are Add, Delete, and Get.
Add a channel
``` syntax
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Add>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/Microsoft-Client-Licensing-Platform%2FAdmin</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">node</Format>
</Meta>
</Item>
</Add>
<Final/>
</SyncBody>
</SyncML>
```
Delete a channel
``` syntax
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Delete>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/Microsoft-Client-Licensing-Platform%2FAdmin</LocURI>
</Target>
</Item>
</Delete>
<Final/>
</SyncBody>
</SyncML>
```
<a href="" id="etwlog-channels-channelname-export"></a>**EtwLog/Channels/*ChannelName*/Export**
Node to trigger the command to export channel event data into the log file.
The supported operation is Execute.
Export channel event data
``` syntax
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Exec>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/Microsoft-Client-Licensing-Platform%2FAdmin/Export</LocURI>
</Target>
</Item>
</Exec>
<Final/>
</SyncBody>
</SyncML>
```
<a href="" id="etwlog-channels-channelname-filter"></a>**EtwLog/Channels/*ChannelName*/Filter**
Specifies the XPath query string to filter the events while exporting.
The data type is a string.
Supported operations are Get and Replace.
Default value is empty string.
Get channel **Filter**
``` syntax
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Get>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/Microsoft-Client-Licensing-Platform%2FAdmin/Filter</LocURI>
</Target>
</Item>
</Get>
<Final/>
</SyncBody>
</SyncML>
```
<a href="" id="etwlog-channels-channelname-state"></a>**EtwLog/Channels/*ChannelName*/State**
Specifies if the Channel is enabled or disabled.
The data type is a boolean.
Supported operations are Get and Replace.
The following table lists the possible values.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Value</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>TRUE</p></td>
<td><p>Channel is enabled.</p></td>
</tr>
<tr class="even">
<td><p>FALSE</p></td>
<td><p>Channel is disabled.</p></td>
</tr>
</tbody>
</table>
 
Get channel **State**
``` syntax
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Get>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/Microsoft-Client-Licensing-Platform%2FAdmin/State</LocURI>
</Target>
</Item>
</Get>
<Final/>
</SyncBody>
</SyncML>
```
Set channel **State**
``` syntax
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/Microsoft-Client-Licensing-Platform%2FAdmin/State</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">bool</Format>
</Meta>
<Data>false</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
```
<a href="" id="devicestatedata"></a>**DeviceStateData**
Added in version 1.3 of the CSP in Windows 10, version 1607. Node for all types of device state data that are exposed.
<a href="" id="devicestatedata-mdmconfiguration"></a>**DeviceStateData/MdmConfiguration**
Added in version 1.3 of the CSP in Windows 10, version 1607. Triggers the snapping of device management state data with SNAP.
The supported value is Execute.
``` syntax
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Exec>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/DiagnosticLog/DeviceStateData/MdmConfiguration</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>SNAP</Data>
</Item>
</Exec>
<Final/>
</SyncBody>
</SyncML>
```
<a href="" id="filedownload"></a>**FileDownload**
Node to contain child nodes for log file transportation protocols and corresponding actions.
<a href="" id="filedownload-dmchannel"></a>**FileDownload/DMChannel**
Node to contain child nodes using DM channel for transport protocol.
<a href="" id="filedownload-dmchannel-filecontext"></a>**FileDownload/DMChannel/****_FileContext_**
Dynamic interior nodes that represents per log file context.
<a href="" id="filedownload-dmchannel-filecontext-blocksizekb"></a>**FileDownload/DMChannel/*FileContext*/BlockSizeKB**
Sets the log read buffer, in KB.
The data type is an integer.
Valid values are 1-16. The default value is 4.
Supported operations are Get and Replace.
Set **BlockSizeKB**
``` syntax
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/DeviceManagement/BlockSizeKB</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>1</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
```
Get **BlockSizeKB**
``` syntax
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Get>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/DeviceManagement/BlockSizeKB</LocURI>
</Target>
</Item>
</Get>
<Final/>
</SyncBody>
</SyncML>
```
<a href="" id="filedownload-dmchannel-filecontext-blockcount"></a>**FileDownload/DMChannel/*FileContext*/BlockCount**
Represents the total read block count for the log file.
The data type is an integer.
The only supported operation is Get.
Get **BlockCount**
``` syntax
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Get>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/DeviceManagement/BlockCount</LocURI>
</Target>
</Item>
</Get>
<Final/>
</SyncBody>
</SyncML>
```
<a href="" id="filedownload-dmchannel-filecontext-blockindextoread"></a>**FileDownload/DMChannel/*FileContext*/BlockIndexToRead**
Represents the read block start location.
The data type is an integer.
Supported operations are Get and Replace.
Set **BlockIndexToRead** at 0
``` syntax
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/DeviceManagement/BlockIndexToRead</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>0</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
```
Set **BlockIndexToRead** at 1
``` syntax
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/DeviceManagement/BlockIndexToRead</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>1</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
```
<a href="" id="filedownload-dmchannel-filecontext-blockdata"></a>**FileDownload/DMChannel/*FileContext*/BlockData**
The data type is Base64.
The only supported operation is Get.
Get **BlockData**
``` syntax
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Get>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/DeviceManagement/BlockData</LocURI>
</Target>
</Item>
</Get>
<Final/>
</SyncBody>
</SyncML>
```
<a href="" id="filedownload-dmchannel-filecontext-datablocks"></a>**FileDownload/DMChannel/*FileContext*/DataBlocks**
Node to transfer the selected log file block to the DM server.
<a href="" id="filedownload-dmchannel-filecontext-datablocks-blocknumber"></a>**FileDownload/DMChannel/*FileContext*/DataBlocks/****_BlockNumber_**
The data type is Base64.
The only supported operation is Get.
## Reading a log file
1. Enumerate log file under **./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel**
2. Select a log file in the Enumeration result
3. Set **BlockSizeKB** per DM server payload limitation
4. Get **BlockCount** to determine total read request
5. Set **BlockIndexToRead** to initialize read start point
6. Get **BlockData** for upload log block
7. Increase **BlockIndexToRead**
8. Repeat step 5 to 7 until **BlockIndexToRead == (BlockIndexToRead 1)**
 
 

1303
windows/client-management/mdm/diagnosticlog-ddf.md Normal file
View File

File diff suppressed because it is too large Load Diff

160
windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md Normal file
View File

@ -0,0 +1,160 @@
---
title: Disconnecting from the management infrastructure (unenrollment)
description: Disconnecting may be initiated either locally by the user from the phone or remotely by the IT admin using management server.
MS-HAID:
- 'p\_phdevicemgmt.disconnecting\_from\_the\_management\_infrastructure\_\_unenrollment\_'
- 'p\_phDeviceMgmt.disconnecting\_from\_mdm\_unenrollment'
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: 33B2B248-631B-451F-B534-5DA095C4C8E8
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# Disconnecting from the management infrastructure (unenrollment)
Disconnecting may be initiated either locally by the user from the phone or remotely by the IT admin using management server. User-initiated disconnection is performed much like the initial connection, and it is initiated from the same location in the Setting Control Panel as creating the workplace account. Users may choose to disconnect for any number of reasons, including leaving the company or getting a new device and no longer needing access to their LOB apps on the old device. When an administrator initiates a disconnection, the enrollment client performs the disconnection during its next regular maintenance session. Administrators may choose to disconnect a users device after theyve left the company or because the device is regularly failing to comply with the organizations security settings policy.
During disconnection, the client does the following:
- Removes the enterprise application token that allowed installing and running LOB apps. Any business applications associated with this enterprise token are removed as well.
- Removes certificates that are configured by MDM server.
- Ceases enforcement of the settings policies that the management infrastructure has applied.
- Removes the device management client configuration and other setting configuration added by MDM server, including the scheduled maintenance task. The client remains dormant unless the user reconnects it to the management infrastructure.
- Reports successful initiated disassociation to the management infrastructure if the admin initiated the process. Note that in Windows, user-initiated disassociation is reported to the server as a best effort.
## In this topic
- [User-initiated disconnection](#user-initiated-disconnection)
- [Server-initiated disconnection](#server-initiated-disconnection)
- [Unenrollment from Work Access settings page](#unenrollment-from-work-access-settings-page)
- [IT adminrequested disconnection](#it-admin-requested-disconnection)
- [Unenrollment from Azure Active Directory Join](#dataloss)
## User-initiated disconnection
In Windows, after the user confirms the account deletion command and before the account is deleted, the MDM client will send a notification to the MDM server notifying that the server the account will be removed. This is a best effort action as no retry is built-in to ensure the notification is successfully sent to the device.
This action utilizes the OMA DM generic alert 1226 function to send a user an MDM unenrollment user alert to the MDM server after the device accepts the user unenrollment request, but before it deletes any enterprise data. The server should set the expectation that unenrollment may succeed or fail, and the server can check whether the device is unenrolled by either checking whether the device calls back at scheduled time or by sending a push notification to the device to see whether it responds back. If the server plans to send a push notification, it should allow for some delay to give the device the time to complete the unenrollment work.
> **Note**  The user unenrollment is an OMA DM standard. For more information about the 1226 generic alert, refer to the OMA Device Management Protocol specification (OMA-TS-DM\_Protocol-V1\_2\_1-20080617-A), available from the [OMA website](http://go.microsoft.com/fwlink/p/?LinkId=267526).
 
The vendor uses the Type attribute to specify what type of generic alert it is. For device initiated MDM unenrollment, the alert type is **com.microsoft:mdm.unenrollment.userrequest**.
After the user elects to unenroll, any active MDM OMA DM sessions are terminated. After that, the DM client starts a DM session, including a user unenroll generic alert in the first package that it sends to the server.
The following sample shows an OMA DM first package that contains a generic alert message. For more information on WP OMA DM support, see the [OMA DM protocol support](oma-dm-protocol-support.md) topic.
```
<SyncML xmlns=&#39;SYNCML:SYNCML1.2&#39;>
<SyncHdr>
<VerDTD>1.2</VerDTD>
<VerProto>DM/1.2</VerProto>
<SessionID>1</SessionID>
<MsgID>1</MsgID>
<Target>
<LocURI>{unique device ID}</LocURI>
</Target>
<Source>
<LocURI>https://www.thephone-company.com/mgmt-server</LocURI>
</Source>
</SyncHdr>
<SyncBody>
<Alert>
<CmdID>2</CmdID>
<Data>1226</Data> <!-- generic alert -->
<Item>
<Meta>
<Type xmlns=”syncml:metinfo”> com.microsoft:mdm.unenrollment.userrequest</Type>
<Format xmlns= “syncml:metinfo”>int</Format>
</Meta>
<Data>1</Data>
</Item>
</Alert>
<!-- other device information -->
<Replace>
<CmdID>2</CmdID>
<Item>
<Source>
<LocURI>./DevInfo/DevID</LocURI>
</Source>
<Data>{unique device ID}</Data>
</Item>
<Item>
...
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
```
After the previous package is sent, the unenrollment process begins.
## Server-initiated disconnection
When the server initiates disconnection, all undergoing sessions for the enrollment ID are aborted immediately to avoid deadlocks. The server will not get a response for the unenrollment, instead a generic alert notification is sent with messageid=1.
``` syntax
<Alert>
<CmdID>4</CmdID>
<Data>1226</Data>
<Item>
<Meta>
<Type xmlns="syncml:metinf">com.microsoft:mdm.unenrollment.userrequest</Type>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>1</Data>
</Item>
</Alert>
```
<a href="" id="work-access"></a>
## Unenrollment from Work Access settings page
If the user is enrolled into MDM using an Azure Active Directory (AAD Join or by adding a Microsoft work account), the MDM account will show up under the Work Access page. However, the **Disconnect** button is greyed out and not accessible. Users can remove that MDM account by removing the AAD association to the device.
You can only use the Work Access page to unenroll under the following conditions:
- Enrollment was done using bulk enrollment.
- Enrollment was created using the Work Access page.
<a href="" id="dataloss"></a>
## Unenrollment from Azure Active Directory Join
When a user is enrolled into MDM through Azure Active Directory Join and then disconnects the enrollment, there is no warning that the user will lose Windows Information Protection (WIP) data. The disconnection message does not indicate the loss of WIP data.
![aadj unenerollment](images/azure-ad-unenrollment.png)
When a device is enrolled into MDM through Azure Active Directory Join and then remotely unenrolled, the device may get into a state where it must be re-imaged. When devices are remotely unenrolled from MDM, the AAD association is also removed. This safeguard is in place to avoid leaving the corporated devices in unmanaged state.
Before remotely unenrolling corporate devices, you must ensure that there is at least one admin user on the device that is not part of the Azure tenant, otherwise the device will not have any admin user after the operation.
In mobile devices, remote unenrollment for Azure Active Directory Joined devices will fail. To remove corporate content from these devices, we recommend you remotely wipe the device.
<a href="" id="it-admin-requested-disconnection"></a>
## IT adminrequested disconnection
The server requests an enterprise management disconnection request by issuing an Exec OMA DM SyncML XML command to the device using the DMClient configuration service providers Unenroll node during the next client-initiated DM session. The Data tag inside the Exec command should be the value of the provisioned DM server ProviderID. For more information, see the Enterprise-specific DM client configuration topic.
When the disconnection is completed, the user is notified that the device has been disconnected from enterprise management.
 

290
windows/client-management/mdm/dmacc-csp.md Normal file
View File

@ -0,0 +1,290 @@
---
title: DMAcc CSP
description: DMAcc CSP
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: 43e73d8a-6617-44e7-8459-5c96f4422e63
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# DMAcc CSP
The DMAcc configuration service provider allows an OMA Device Management (DM) version 1.2 server to handle OMA DM account objects. The server can use this configuration service provider to add a new account or to manage an existing account, including an account that was bootstrapped by using the [w7 APPLICATION configuration service provider](w7-application-csp.md)
> **Note**  This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application.
 
For the DMAcc CSP, you cannot use the Replace command unless the node already exists.
The following diagram shows the DMAcc configuration service provider management object in tree format as used by OMA Device Management version 1.2. The OMA Client Provisioning protocol is not supported by this configuration service provider.
![dmacc csp (dm)](images/provisioning-csp-dmacc-dm.png)
<a href="" id="dmacc"></a>**DMAcc**
Required. Defines the root node of all OMA DM server accounts that use the OMA DM version 1.2 protocol.
<a href="" id="accountuid"></a>***AccountUID***
Optional. Defines the unique identifier for an OMA DM server account that uses the OMA DM version 1.2 protocol.
For a [w7 APPLICATION configuration service provider](w7-application-csp.md) bootstrapped account, this element is assigned a unique name by the OMA DM Client. The unique name is the hexadecimal representation of the 256-bit SHA-2 hash of the provider ID. The OMA DM server can change this node name in subsequent OMA DM sessions.
<a href="" id="accountuid-appid"></a>***AccountUID*/AppID**
Required. Specifies the application identifier for the OMA DM account.
This value must be set to "w7".
Value type is string. Supported operations are Add, Get, and Replace.
<a href="" id="accountuid-serverid"></a>***AccountUID*/ServerID**
Required. Specifies the OMA DM server's unique identifier for the current OMA DM account. This value is case-sensitive.
Value type is string. Supported operations are Add, Get, and Replace.
<a href="" id="accountuid-name"></a>***AccountUID*/Name**
Optional. Specifies the display name of the application.
Value type is string. Supported operations are Add, Get, and Replace.
<a href="" id="accountuid-prefconref"></a>***AccountUID*/PrefConRef**
Optional. Specifies the preferred connectivity for the OMA DM account.
This element contains either a URI to a NAP management object or a connection GUID used by Connection Manager. If this element is missing, the device uses the default connection that is provided by Connection Manager.
Value type is string. Supported operations are Add, Get, and Replace.
<a href="" id="accountuid-appaddr"></a>***AccountUID*/AppAddr**
Interior node for DM server address.
Required.
<a href="" id="appaddr-objectname"></a>**AppAddr/****_ObjectName_**
Required. Defines the OMA DM server address. Only one server address can be configured.
When mapping the [w7 APPLICATION configuration service provider](w7-application-csp.md) to the DMAcc Configuration Service Provider, the name of this element is "1". This is the first DM address encountered in the w7 APPLICATION configuration service provider, other DM accounts are ignored.
<a href="" id="objectname-addr"></a>***ObjectName*/Addr**
Required. Specifies the address of the OMA DM account. The type of address stored is specified by the AddrType element.
Value type is string. Supported operations are Add, Get, and Replace.
<a href="" id="objectname-addrtype"></a>***ObjectName*/AddrType**
Required. Specifies the format and interpretation of the Addr node value. The default is "URI".
The default value of "URI" specifies that the OMA DM account address in **Addr** is a URI address. A value of "IPv4" specifies that the OMA DM account address in **Addr** is an IP address.
Value type is string. Supported operations are Add, Get, and Replace.
<a href="" id="objectname-port"></a>***ObjectName*/Port**
Interior node for port information.
Optional.
<a href="" id="port-objectname"></a>**Port/****_ObjectName_**
Required. Only one port number can be configured.
When mapping the [w7 APPLICATION configuration service provider](w7-application-csp.md) to the DMAcc Configuration Service Provider, the name of this element is "1".
<a href="" id="objectname-portnbr"></a>***ObjectName*/PortNbr**
Required. Specifies the port number of the OMA MD account address. This must be a decimal number that fits within the range of a 16-bit unsigned integer.
Value type is string. Supported operations are Add, Get, and Replace.
<a href="" id="accountuid-aauthpref"></a>***AccountUID*/AAuthPref**
Optional. Specifies the application authentication preference.
A value of "BASIC" specifies that the client attempts BASIC authentication. A value of "DIGEST' specifies that the client attempts MD5 authentication.
If this value is empty, the client attempts to use the authentication mechanism negotiated in the previous session if one exists. If the value is empty, no previous session exists, and MD5 credentials exist, clients try MD5 authorization first. If the criteria are not met then the client tries BASIC authorization first.
Value type is string. Supported operations are Add, Get, and Replace.
<a href="" id="accountuid-appauth"></a>***AccountUID*/AppAuth**
Optional. Defines authentication settings.
<a href="" id="appauth-objectname"></a>**AppAuth/****_ObjectName_**
Required. Defines one set of authentication settings.
When mapping the [w7 APPLICATION configuration service provider](w7-application-csp.md) to the DMAcc Configuration Service Provider, the name of this element is same name as the AAuthLevel value ("CLRED" or "SRVCRED").
<a href="" id="objectname-aauthlevel"></a>***ObjectName*/AAuthlevel**
Required. Specifies the application authentication level.
A value of "CLCRED" indicates that the credentials client will authenticate itself to the OMA DM server at the OMA DM protocol level. A value of "SRVCRED" indicates that the credentials server will authenticate itself to the OMA DM Client at the OMA DM protocol level.
Value type is string. Supported operations are Add and Replace.
<a href="" id="objectname-aauthtype"></a>***ObjectName*/AAuthType**
Required. Specifies the authentication type.
If the AAuthlevel is "CLCRED", the supported values are "BASIC" and "DIGEST". If the AAuthlevel is "SRVCRED", the supported value is "DIGEST".
Value type is string. Supported operations are Add, Get, and Replace.
<a href="" id="objectname-aauthname"></a>***ObjectName*/AAuthName**
Optional. Specifies the authentication name.
Value type is string. Supported operations are Add, Get, and Replace.
<a href="" id="objectname-aauthsecret"></a>***ObjectName*/AAuthSecret**
Optional. Specifies the password or secret used for authentication.
Value type is string. Supported operations are Add and Replace.
<a href="" id="objectname-aauthdata"></a>***ObjectName*/AAuthData**
Optional. Specifies the next nonce used for authentication.
"Nonce" refers to a number used once. It is often a random or pseudo-random number issued in an authentication protocol to ensure that old communications cannot be reused in repeat attacks.
Value type is binary. Supported operations are Add and Replace.
<a href="" id="accountuid-ext"></a>***AccountUID*/Ext**
Required. Defines a set of extended parameters.
This element holds vendor-specific information about the OMA DM account and is created automatically when the OMA DM account is created.
<a href="" id="ext-microsoft"></a>**Ext/Microsoft**
Required. Defines a set of Microsoft-specific extended parameters.
This element is created automatically when the OMA DM account is created.
<a href="" id="microsoft-backcompatretrydisabled"></a>**Microsoft/BackCompatRetryDisabled**
Optional. Specifies whether to retry resending a package with an older protocol version (for example, 1.1) in the SyncHdr on subsequent attempts (not including the first time). The default is "FALSE".
The default value of "FALSE" indicates that backward-compatible retries are enabled. A value of "TRUE" indicates that backward-compatible retries are disabled.
Value type is bool. Supported operations are Add, Get, and Replace.
<a href="" id="microsoft-connretryfreq"></a>**Microsoft/ConnRetryFreq**
Optional. Specifies the number of retries the DM client performs when there are Connection Manager level or wininet level errors.
The default value is 3.
Value type is integer. Supported operations are Add, Get, and Replace.
<a href="" id="microsoft-defaultencoding"></a>**Microsoft/DefaultEncoding**
Optional. Specifies whether the OMA DM client will use WBXML or XML for the DM package when communicating with the server. The default is "application/vnd.syncml.dm+xml".
The default value of "application/vnd.syncml.dm+xml" specifies that XML is used. A value of "application/vnd.syncml.dm+wbxml" specifies that WBXML is used.
Value type is string. Supported operations are Add, Get, and Replace.
<a href="" id="microsoft-initialbackofftime"></a>**Microsoft/InitialBackOffTime**
Optional. Specifies the initial wait time in milliseconds when the OMA DM client retries for the first time. The wait time grows exponentially.
The default value is 16000.
Value type is integer. Supported operations are Add, Get, and Replace.
<a href="" id="microsoft-maxbackofftime"></a>**Microsoft/MaxBackOffTime**
Optional. This node specifies the maximum number of milliseconds to wait before attempting a connection retry.
The default value is 86400000.
Value type is integer. Supported operations are Add, Get, and Replace.
<a href="" id="microsoft-protover"></a>**Microsoft/ProtoVer**
Optional. Specifies the OMA DM Protocol version that the server supports. There is no default value.
Valid values are "1.1" and "1.2". The protocol version set by this element will match the protocol version that the DM client reports to the server in SyncHdr in package 1. If this element is not specified when adding a DM server account, the latest DM protocol version that the client supports is used. Windows 10 clients support version 1.2.
Value type is string. Supported operations are Add, Get, and Replace.
<a href="" id="microsoft-role"></a>**Microsoft/Role**
Required. Specifies the role mask that the OMA DM session runs with when it communicates with the server.
If this parameter is not present, the DM session is given the role mask of the OMA DM session that the server created. The following list shows the valid security role masks and their values.
- 4 = SECROLE\_OPERATOR
- 8 = SECROLE\_MANAGER
- 16 = SECROLE\_USER\_AUTH
- 128 = SECROLE\_OPERATOR\_TPS
The acceptable access roles for this node cannot be more than the roles assigned to the DMAcc object.
Value type is integer. Supported operations are Get and Replace.
<a href="" id="microsoft-usehwdevid"></a>**Microsoft/UseHWDevID**
Optional. Specifies whether to use the hardware ID for the ./DevInfo/DevID element in the DM account to identify the device. The default is "FALSE".
The default value of "FALSE" specifies that an application-specific GUID is returned for the ./DevInfo/DevID rather than the hardware device ID.
A value is "TRUE" specifies that the hardware device ID will be provided for the ./DevInfo/DevID element and the Source LocURI for the OMA DM package that is sent to the server. In this case:
- For GSM phones, the IMEI is returned.
- For CDMA phones, the MEID is returned.
- For dual SIM phones, this value is retrieved from the UICC of the primary data line.
Value type is bool. Supported operations are Add, Get, and Replace.
<a href="" id="microsoft-usenonceresync"></a>**Microsoft/UseNonceResync**
Optional. Specifies whether the OMA DM client should use the nonce resynchronization procedure if the server trigger notification fails authentication. The default is "FALSE".
If the authentication fails because the server nonce does not match the server nonce that is stored on the device, then the device can use the backup nonce as the server nonce. For this procedure to be successful, if the device did not authenticate with the preconfigured nonce value, the server must then use the backup nonce when sending the signed server notification message.
The default value of "FALSE" specifies that the client does not try to authenticate the notification with the backup server nonce if authentication to the stored nonce fails. A value of "TRUE" specifies that the client initiates a DM session if the backup server nonce is received after authentication failed.
Value type is bool. Supported operations are Add, Get, and Replace.
<a href="" id="crlcheck"></a>**CRLCheck**
Optional. Allows connection to the DM server to check the Certificate Revocation List (CRL). Set to true to enable SSL revocation.
Value type is bool. Supported operations are Add, Get, and Replace.
<a href="" id="disableonroaming"></a>**DisableOnRoaming**
Optional. Determines whether the OMA DM client should be launched when roaming.
Value type is bool. Supported operations are Add, Get, and Replace.
<a href="" id="sslclientcertsearchcriteria"></a>**SSLCLIENTCERTSEARCHCRITERIA**
Optional. The SSLCLIENTCERTSEARCHCRITERIA parameter is used to specify the client certificate search criteria. This parameter supports search by subject attribute and certificate stores. If any other criteria are provided, it is ignored.
The string is a concatenation of name/value pairs, each member of the pair delimited by the "&" character. The name and values are delimited by the "=" character. If there are multiple values, each value is delimited by the Unicode character "U+F000". If the name or value contains characters not in the UNRESERVED set (as specified in RFC2396), then those characters are URI-escaped per the RFC.
The supported names are Subject and Stores; wildcard certificate search is not supported.
Stores specifies which certificate stores the DM client will search to find the SSL client certificate. The valid store value is My%5CUser. The store name is not case sensitive.
> **Note**   %EF%80%80 is the UTF8-encoded character U+F000.
 
Subject specifies the certificate to search for. For example, to specify that you want a certificate with a particular Subject attribute (“CN=Tester,O=Microsoft”), use the following:
``` syntax
<parm name="SSLCLIENTCERTSEARCHCRITERIA"
value="Subject=CN%3DTester,O%3DMicrosoft&amp;Stores=My%5CUser" />
```
Value type is string. Supported operations are Add, Get, and Replace.
<a href="" id="initiatesession"></a>**InitiateSession**
Optional. When this node is added, a session is started with the MDM server.
Supported operations are Add, and Replace.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
 
 

880
windows/client-management/mdm/dmacc-ddf-file.md Normal file
View File

@ -0,0 +1,880 @@
---
title: DMAcc DDF file
description: DMAcc DDF file
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: 44dc99aa-2a85-498b-8f52-a81863765606
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# DMAcc DDF file
This topic shows the OMA DM device description framework (DDF) for the **DMAcc** configuration service provider. DDF files are used only with OMA DM provisioning XML.
You can download the DDF files from the links below:
- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip)
The XML below is the current version for this CSP.
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC "-//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>DMAcc</NodeName>
<Path>./SyncML</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>This interior node is a common parent to all OMA DM server account nodes that use OMA DM 1.2 protocol.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName>urn:oma:mo:oma-dm-dmacc:1.1</DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>*</NodeName>
<DFProperties>
<AccessType>
<Add />
<Get />
<Delete />
<Replace />
</AccessType>
<Description>This interior node acts as a placeholder for zero or more OMA DM server accounts. If this OMA DM server account is bootstrapped using the w7 APPLICATION, the name of this node is generated from the 256-bit version of SHA-2 hash of the w7 PROVIDER-ID parm.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrMore />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>AppID</NodeName>
<DFProperties>
<AccessType>
<Add />
<Get />
<Replace />
</AccessType>
<Description>The only supported value is w7.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Application ID for DM Account MO</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>ServerID</NodeName>
<DFProperties>
<AccessType>
<Add />
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Server Identifier</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Name</NodeName>
<DFProperties>
<AccessType>
<Add />
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Displayable name for the Management Server</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>PrefConRef</NodeName>
<DFProperties>
<AccessType>
<Add />
<Get />
<Replace />
</AccessType>
<Description>The only supported values include the NAPID of a bootstrapped NAP management object or a connection GUID used by connection manager. If this node is missing, the device will use the default connection provided by connection manager.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Reference to preferred connectivity</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>AppAddr</NodeName>
<DFProperties>
<AccessType>
<Add />
<Get />
</AccessType>
<Description>Only the first address provisioned is used.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>A collection of references to DM server address</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>*</NodeName>
<DFProperties>
<AccessType>
<Add />
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>The "name" node for AppAddr object</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Addr</NodeName>
<DFProperties>
<AccessType>
<Add />
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Management Server Address</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>AddrType</NodeName>
<DFProperties>
<AccessType>
<Add />
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Management Server Address Type</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Port</NodeName>
<DFProperties>
<AccessType>
<Add />
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>A collection of all Port objects</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>*</NodeName>
<DFProperties>
<AccessType>
<Add />
<Get />
<Replace />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>The "name" node for a Port object</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>PortNbr</NodeName>
<DFProperties>
<AccessType>
<Add />
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Port</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</Node>
</Node>
<Node>
<NodeName>AAuthPref</NodeName>
<DFProperties>
<AccessType>
<Add />
<Get />
<Replace />
</AccessType>
<Description>Supported values: BASIC, DIGEST</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Application Authentication Type preference</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>AppAuth</NodeName>
<DFProperties>
<AccessType>
<Add />
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>A collection of all references to multiple Application Authentication objects</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>*</NodeName>
<DFProperties>
<AccessType>
<Add />
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<OneOrMore />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>The "name" node for multiple Application Authentication objects</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>AAuthLevel</NodeName>
<DFProperties>
<AccessType>
<Add />
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Application Authentication level</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>AAuthType</NodeName>
<DFProperties>
<AccessType>
<Add />
<Get />
<Replace />
</AccessType>
<Description>If AAuthLevel is CLCRED, the supported types include BASIC and DIGEST. If AAuthLevel is SRVCRED, the only supported type is DIGEST.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Application Authentication Type</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>AAuthName</NodeName>
<DFProperties>
<AccessType>
<Add />
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Application Authentication Name</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>AAuthSecret</NodeName>
<DFProperties>
<AccessType>
<Add />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Application Authentication Secret</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>AAuthData</NodeName>
<DFProperties>
<AccessType>
<Add />
<Replace />
</AccessType>
<DFFormat>
<bin />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Application Authentication Data</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
<Node>
<NodeName>Ext</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Vendor specific information</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Microsoft</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>The collection of Microsoft specific settings</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Role</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<Description>If this node is unspecified, its default value is the access role of the session that created the server account. The value for this node must be a subset of the roles used in creating this server account.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>The security role mask that the DM session should run with</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>ProtoVer</NodeName>
<DFProperties>
<AccessType>
<Add />
<Get />
<Replace />
</AccessType>
<Description>This node value corresponds to what the client would put in the VerDTD element of an OMA-DM package. No default value is assumed. The only valid value for this node is 1.1 or 1.2.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>The OMA-DM protocol version that the client should use in communicating with the server</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>DefaultEncoding</NodeName>
<DFProperties>
<AccessType>
<Add />
<Replace />
<Get />
</AccessType>
<Description>This node specifies the encoding that the OMA-DM client will use to encode its first package. Valid values include "application/vnd.syncml.dm+xml" (for XML) and "application/vnd.syncml.dm+wbxml" (for WBXML). If this node is left unspecified, the OMA-DM client defaults to "application/vnd.syncml.dm+xml".</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>UseHwDevID</NodeName>
<DFProperties>
<AccessType>
<Add />
<Replace />
<Get />
</AccessType>
<Description>A value of true indicates that, during an OMA-DM session with this server, the value of the ./DevInfo/DevId node is the hardware ID of device (e.g, IMEI for a GSM device, ESN for a CDMA Device, hashed UUID for a non-radio device). The default value of false indicates that the value of ./DevInfo/DevId node is a hash of the UUID of the device.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>ConnRetryFreq</NodeName>
<DFProperties>
<AccessType>
<Add />
<Get />
<Replace />
</AccessType>
<Description>This node specifies how many times DM client will retry a connection to the server if the connection fails. The default value is 3 retries.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>InitialBackOffTime</NodeName>
<DFProperties>
<AccessType>
<Add />
<Get />
<Replace />
</AccessType>
<Description>This node specifies the initial amount of time (in milliseconds) that the DM client waits before attempting a connection retry. After the initial wait, the wait time grows exponentially. The default value is 16000 milliseconds.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>MaxBackOffTime</NodeName>
<DFProperties>
<AccessType>
<Add />
<Get />
<Replace />
</AccessType>
<Description>This node specifies the maximum number of milliseconds to wait before attempting a connection retry. The default value is 86400000.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>BackCompatRetryDisabled</NodeName>
<DFProperties>
<AccessType>
<Add />
<Get />
<Replace />
</AccessType>
<Description>This node specifies whether to disable the ability of the DM client to communicate with a down-level server.
Possible Values:
false (default) -- Compatibility with down-level servers is enabled
true -- Compatibility with down-level servers is disabled</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>UseNonceResync</NodeName>
<DFProperties>
<AccessType>
<Add />
<Get />
<Replace />
</AccessType>
<Description>This node specifies whether the DM client can use the nonce resynchronization protocol when authentication of a server notification fails. If nonce resynchronization is disabled and authentication of the server notification fails, the notification is dropped.
Possible Values:
false (default) : Nonce resynchronization is disabled.
true : Nonce resynchronization is enabled.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>CRLCheck</NodeName>
<DFProperties>
<AccessType>
<Add />
<Get />
<Replace />
</AccessType>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>CRLCheck</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>DisableOnRoaming</NodeName>
<DFProperties>
<AccessType>
<Add />
<Get />
<Replace />
</AccessType>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>DisableOnRoaming</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>SSLCLIENTCERTSEARCHCRITERIA</NodeName>
<DFProperties>
<AccessType>
<Add />
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>SSLCLIENTCERTSEARCHCRITERIA</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>InitiateSession</NodeName>
<DFProperties>
<AccessType>
<Add />
<Replace />
</AccessType>
<Description>When this node is added, a session is started with the MDM server.</Description>
<DFFormat>
<null />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle></DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</Node>
</Node>
</MgmtTree>
```
## Related topics
[DMAcc configuration service provider](dmacc-csp.md)
 
 

680
windows/client-management/mdm/dmclient-csp.md Normal file
View File

@ -0,0 +1,680 @@
---
title: DMClient CSP
description: The DMClient configuration service provider is used to specify additional enterprise-specific mobile device management configuration settings for identifying the device in the enterprise domain, security mitigation for certificate renewal, and server-triggered enterprise unenrollment.
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: a5cf35d9-ced0-4087-a247-225f102f2544
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# DMClient CSP
The DMClient configuration service provider is used to specify additional enterprise-specific mobile device management configuration settings for identifying the device in the enterprise domain, security mitigation for certificate renewal, and server-triggered enterprise unenrollment.
The following diagram shows the DMClient configuration service provider in tree format.
![dmclient csp](images/provisioning-csp-dmclient-th2.png)
<a href="" id="dmclient"></a>**DMClient**
Root node for the CSP.
<a href="" id="updatemanagementserviceaddress"></a>**UpdateManagementServiceAddress**
For provisioning packages only. Specifies the list of servers (semicolon delimited). The first server in the semi-colon delimited list is the server that will be used to instantiate MDM sessions. The list can be a permutation or a subset of the existing server list. You cannot add new servers to the list using this node.
<a href="" id="hwdevid"></a>**HWDevID**
Added in Windows 10, version 1703. Returns the hardware device ID.
Supported operation is Get. Value type is string.
<a href="" id="provider"></a>**Provider**
Required. The root node for all settings that belong to a single management server. Scope is permanent.
Supported operation is Get.
<a href="" id="provider-providerid"></a>**Provider/****_ProviderID_**
Optional. This node contains the URI-encoded value of the bootstrapped device management accounts Provider ID. Scope is dynamic. As a best practice, use text that doesnt require XML/URI escaping.
Supported operations are Get and Add.
<a href="" id="provider-providerid-entdevicename"></a>**Provider/*ProviderID*/EntDeviceName**
Optional. Character string that contains the user-friendly device name used by the IT admin console. The value is set during the enrollment process by way of the DMClient configuration service provider. You can retrieve it later during an OMA DM session.
Supported operations are Get and Add.
<a href="" id="provider-providerid-entdmid"></a>**Provider/*ProviderID*/EntDMID**
Optional. Character string that contains the unique enterprise device ID. The value is set by the management server during the enrollment process by way of the DMClient configuration service provider. You can retrieve it later during an OMA DM session.
Supported operations are Get and Add.
> **Note**   Although hardware device IDs are guaranteed to be unique, there is a concern that this is not ultimately enforceable during a DM session. The device ID could be changed through the w7 APPLICATION configuration service providers **USEHWDEVID** parm by another management server. So during enterprise bootstrap and enrollment, a new device ID is specified by the enterprise server.
This node is required and must be set by the server before the client certificate renewal is triggered.
 
<a href="" id="provider-providerid-exchangeid"></a>**Provider/*ProviderID*/ExchangeID**
Optional. Character string that contains the unique Exchange device ID used by the Outlook account of the user the session is running against. This is useful for the enterprise management server to correlate and merge records for a device that is managed by exchange and natively managed by a dedicated management server.
> **Note**  In some cases for the desktop, this node will return "not found" until the user sets up their email.
 
Supported operation is Get.
The following is a Get command example.
``` syntax
<Get>
<CmdID>12</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/DMClient/Provider/<ProviderID>/ExchangeID</LocURI>
</Target>
</Item>
</Get>
```
<a href="" id="provider-providerid-publisherdeviceid"></a>**Provider/*ProviderID*/PublisherDeviceID**
(Only for Windows 10 Mobile.) Optional. The PublisherDeviceID is a device-unique ID created based on the enterprise Publisher ID. Publisher ID is created based on the enterprise application token and enterprise ID via ./Vendor/MSFT/EnterpriseAppManagement/&lt;enterprise id&gt;/EnrollmentToken. It is to ensure that for one enterprise, each device has a unique ID associated with it. For the same device, if it has multiple enterprises applications, each enterprise is identified differently.
Supported operation is Get.
<a href="" id="provider-providerid-signedentdmid"></a>**Provider/*ProviderID*/SignedEntDMID**
Optional. Character string that contains the device ID. This node and the nodes **CertRenewTimeStamp** can be used by the mobile device management server to verify client identity in order to update the registration record after the device certificate is renewed. The device signs the **EntDMID** with the old client certificate during the certificate renewal process and saves the signature locally.
Supported operation is Get.
<a href="" id="provider-providerid-certrenewtimestamp"></a>**Provider/*ProviderID*/CertRenewTimeStamp**
Optional. The time in OMA DM standard time format. This node is designed to reduce the risk of the certificate being used by another device. The device records the time that the new certificate was created.
Supported operation is Get.
<a href="" id="provider-providerid-managementserviceaddress"></a>**Provider/*ProviderID*/ManagementServiceAddress**
Required. The character string that contains the device management server address. It can be updated during an OMA DM session by the management server to allow the server to load balance to another server in situations where too many devices are connected to the server.
> **Note**  When the ManagementServerAddressList value is set, the device ignores the value in ManagementServiceAddress.
 
The DMClient configuration service provider will save the address to the same location as the w7 and DMS configuration service providers to ensure the management client has a single place to retrieve the current server address. The initial value for this node is the same server address value as bootstrapped via the [w7 APPLICATION configuration service provider](w7-application-csp.md).
Starting in Windows 10, version 1511, this node supports multiple server addresses in the format &lt;URL1&gt;&lt;URL2&gt;&lt;URL3&gt;. If there is only a single URL, then the &lt;&gt; are not required. This is supported for both desktop and mobile devices.
During a DM session, the device will use the first address on the list and then keep going down the list until a successful connection is achieved. The DM client should cache the successfully connected server URL for the next session.
Supported operations are Add, Get, and Replace.
<a href="" id="provider-providerid-upn"></a>**Provider/*ProviderID*/UPN**
Optional. Allows the management server to update the User Principal Name (UPN) of the enrolled user. This is useful in scenarios where the user email address changes in the identity system, or in the scenario where the user enters an invalid UPN during enrollment, and fixes the UPN during federated enrollment. The UPN will be recorded and the UX will reflect the updated UPN.
Supported operations are Get and Replace.
<a href="" id="provider-providerid-helpphonenumber"></a>**Provider/*ProviderID*/HelpPhoneNumber**
Optional. The character string that allows the user experience to include a customized help phone number that the end user will be able to view and use if they need help or support.
Supported operations are Get, Replace, and Delete.
<a href="" id="provider-providerid-helpwebsite"></a>**Provider/*ProviderID*/HelpWebsite**
Optional. The character string that allows the user experience to include a customized help website that the end user will be able to view and use if they need help or support.
Supported operations are Get, Replace, and Delete
<a href="" id="provider-providerid-helpemailaddress"></a>**Provider/*ProviderID*/HelpEmailAddress**
Optional. The character string that allows the user experience to include a customized help email address that the end user will be able to view and use if they need help or support.
Supported operations are Get, Replace, and Delete.
<a href="" id="provider-providerid-requiremessagesigning"></a>**Provider/*ProviderID*/RequireMessageSigning**
Boolean type. Primarly used for SSL bridging mode where firewalls and proxies are deployed and where device client identity is required. When enabled, every SyncML message from the device will carry an additional HTTP header named MDM-Signature. This header contains BASE64-encoded Cryptographic Message Syntax using a Detached Signature of the complete SyncML message SHA-2 (inclusive of the SyncHdr and SyncBody). Signing is performed using the private key of the management session certificate that was enrolled as part of the enrollment process. The device public key and PKCS9 UTC signing time stamp are included as part of the authenticated attributes in the signature.
Default value is false, where the device management client does not include authentication information in the management session HTTP header. Optionally set to true, where the client authentication information is provided in the management session HTTP header.
When enabled, the MDM server should validate the signature and the timestamp using the device identify certificate enrolled as part of MS-MDE, ensure the certificate and time are valid, and verify that the signature is trusted by the MDM server.
Supported operations are Get, Replace, and Delete.
<a href="" id="provider-providerid-syncapplicationversion"></a>**Provider/*ProviderID*/SyncApplicationVersion**
Optional. Used by the management server to set the DM session version that the server and device should use. Default is 1.0. In Windows 10, the DM session protocol version of the client is 2.0. If the server is updated to support 2.0, then you should set this value to 2.0. In the next session, check to see if there is a client behavior change between 1.0 and 2.0.
> **Note**  
This node is only supported in Windows 10 and later.
Once you set the value to 2.0, it will not go back to 1.0.
 
Supported operations are Get, Replace, and Delete.
<a href="" id="provider-providerid-maxsyncapplicationversion"></a>**Provider/*ProviderID*/MaxSyncApplicationVersion**
Optional. Used by the client to indicate the latest DM session version that it supports. Default is 2.0.
When you query this node, a Windows 10 client will return 2.0 and a Windows 8.1 client will return an error code (404 node not found).
Supported operation is Get.
<a href="" id="provider-providerid-aadresourceid"></a>**Provider/*ProviderID*/AADResourceID**
Optional. This is the ResourceID used when requesting the user token from the OMA DM session for Azure Active Directory enrollments (AAD Join or Add Accounts). The token is audience specific, which allows for different service principals (enrollment vs. device management). It can be an application ID or the endpoint that you are trying to access.
For more information about Azure Active Directory enrollment, see [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md).
<a href="" id="provider-providerid-enableomadmkeepalivemessage"></a>**Provider/*ProviderID*/EnableOmaDmKeepAliveMessage**
Added in Windows 10, version 1511. A boolean value that specifies whether the DM client should send out a request pending alert in case the device response to a DM request is too slow.
When the server sends a configuration request, sometimes it takes the client longer than the HTTP timeout to get all information together and then the session ends unexpectedly due to timeout. By default, the MDM client does not send an alert that a DM request is pending.
To work around the timeout, you can use this setting to keep the session alive by sending a heartbeat message back to the server. This is achieved by sending a SyncML message with a specific device alert element in the body until the client is able to respond back to the server with the requested information.
Here is an example of DM message sent by the device when it is in pending state:
``` syntax
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncHdr>
<VerDTD>1.2</VerDTD>
<VerProto>DM/1.2</VerProto>
<SessionID>10</SessionID>
<MsgID>2</MsgID>
<Target>
<LocURI>https://www.contoso.com/mgmt-server</LocURI>
</Target>
<Source>
<LocURI>{unique device ID}</LocURI>
</Source>
</SyncHdr>
<SyncBody>
<Alert>
<CmdID>2</CmdID>
<Data>1224</Data>
<Item>
<Meta>
<Type xmlns="syncml:metinf">Reversed-Domain-Name:com.microsoft.mdm.requestpending</Type>
</Meta>
<Data>1</Data>
</Item>
</Alert>
</SyncBody>
</SyncML>
```
<a href="" id="provider-providerid-aaddeviceid"></a>**Provider/*ProviderID*/AADDeviceID**
Added in Windows 10, version 1607. Returns the device ID for the Azure Active Directory device registration.
Supported operation is Get.
<a href="" id="provider-providerid-enrollmenttype"></a>**Provider/*ProviderID*/EnrollmentType**
Added in Windows 10, version 1607. Returns the enrollment type (Device or Full).
Supported operation is Get.
<a href="" id="provider-providerid-hwdevid"></a>**Provider/*ProviderID*/HWDevID**
Added in Windows 10, version 1607. Returns the hardware device ID.
Supported operation is Get.
<a href="" id="provider-providerid-commercialid"></a>**Provider/*ProviderID*/CommercialID**
Added in Windows 10, version 1607. Configures the identifier used to uniquely associate this telemetry data of this device as belonging to a given organization. If your organization is participating in a program that requires this device to be identified as belonging to your organization then use this setting to provide that identification. The value for this setting will be provided by Microsoft as part of the onboarding process for the program. If you disable or do not configure this policy setting, then Microsoft will not be able to use this identifier to associate this machine and its telemetry data with your organization..
Supported operations are Add, Get, Replace, and Delete.
<a href="" id="provider-providerid-managementserveraddresslist"></a>**Provider/*ProviderID*/ManagementServerAddressList**
Added in Windows 10, version 1607. The list of management server URLs in the format &lt;URL1&gt;&lt;URL2&gt;&lt;URL3&gt;, etc... If there is only one, the angle brackets (&lt;&gt;) are not required.
> **Note**  The &lt; and &gt; should be escaped.
 
``` syntax
<Replace>
<CmdID>101</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DMClient/Provider/<ProviderID>/ManagementServerAddressList
</LocURI>
</Target>
<Data>&lt;https://server1&gt;&lt;https:// server2&gt; </Data>
</Item>
</Replace>
```
If ManagementServerAddressList node is set, the device will only use the server URL configured in this node and ignore the ManagementServiceAddress value.
When the server is not responding after a specified number of retries, the device tries to use the next server URL in the list until it gets a successful connection. After the server list is updated, the client uses the updated list at the next session starting with the first on in the list.
Supported operations are Get and Replace. Value type is string.
<a href="" id="provider-providerid-managementservertoupgradeto"></a>**Provider/*ProviderID*/ManagementServerToUpgradeTo**
Optional. Added in Windows 10, version 1703. Specify the Discovery server URL of the MDM server to upgrade to for a Mobile Application Management (MAM) enrolled device.
Supported operations are Add, Delete, Get, and Replace. Value type is string.
<a href="" id="provider-providerid-poll"></a>**Provider/*ProviderID*/Poll**
Optional. Polling schedules must utilize the DMClient CSP. The Registry paths previously associated with polling using the Registry CSP are now deprecated.
Supported operations are Get and Add.
There are three schedules managed under the Poll node which enable a rich polling schedule experience to provide greater flexibility in managing the way in which devices poll the management server. There are a variety of ways in which polling schedules may be set. If an invalid polling configuration is set, the device will correct or remove the schedules in order to restore the polling schedules back to a valid configuration.
If there is no infinite schedule set, then a 24-hour schedule is created and scheduled to launch in the maintenance window.
**Valid poll schedule: sigmoid polling schedule with infinite schedule (Recommended).**
<table>
<colgroup>
<col width="33%" />
<col width="33%" />
<col width="33%" />
</colgroup>
<thead>
<tr class="header">
<th>Schedule name</th>
<th>Schedule set by the server</th>
<th>Actual value queried on device</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>IntervalForFirstSetOfRetries</p></td>
<td><p>15</p></td>
<td><p>15</p></td>
</tr>
<tr class="even">
<td><p>NumberOfFirstRetries</p></td>
<td><p>5</p></td>
<td><p>5</p></td>
</tr>
<tr class="odd">
<td><p>IntervalForSecondSetOfRetries</p></td>
<td><p>60</p></td>
<td><p>60</p></td>
</tr>
<tr class="even">
<td><p>NumberOfSecondRetries</p></td>
<td><p>10</p></td>
<td><p>10</p></td>
</tr>
<tr class="odd">
<td><p>IntervalForRemainingScheduledRetries</p></td>
<td><p>1440</p></td>
<td><p>1440</p></td>
</tr>
<tr class="even">
<td><p>NumberOfRemainingScheduledRetries</p></td>
<td><p>0</p></td>
<td><p>0</p></td>
</tr>
</tbody>
</table>
 
**Valid poll schedule: initial enrollment only \[no infinite schedule\]**
<table>
<colgroup>
<col width="33%" />
<col width="33%" />
<col width="33%" />
</colgroup>
<thead>
<tr class="header">
<th>Schedule name</th>
<th>Schedule set by the server</th>
<th>Actual value queried on device</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>IntervalForFirstSetOfRetries</p></td>
<td><p>15</p></td>
<td><p>15</p></td>
</tr>
<tr class="even">
<td><p>NumberOfFirstRetries</p></td>
<td><p>5</p></td>
<td><p>5</p></td>
</tr>
<tr class="odd">
<td><p>IntervalForSecondSetOfRetries</p></td>
<td><p>60</p></td>
<td><p>60</p></td>
</tr>
<tr class="even">
<td><p>NumberOfSecondRetries</p></td>
<td><p>10</p></td>
<td><p>10</p></td>
</tr>
<tr class="odd">
<td><p>IntervalForRemainingScheduledRetries</p></td>
<td><p>0</p></td>
<td><p>0</p></td>
</tr>
<tr class="even">
<td><p>NumberOfRemainingScheduledRetries</p></td>
<td><p>0</p></td>
<td><p>0</p></td>
</tr>
</tbody>
</table>
 
**Invalid poll schedule: disable all poll schedules**
> **Note**   Disabling poll schedules results in UNDEFINED behavior and enrollment may fail if poll schedules are all set to zero.
 
<table>
<colgroup>
<col width="33%" />
<col width="33%" />
<col width="33%" />
</colgroup>
<thead>
<tr class="header">
<th>Schedule name</th>
<th>Schedule set by the server</th>
<th>Actual value queried on device</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>IntervalForFirstSetOfRetries</p></td>
<td><p>0</p></td>
<td><p>0</p></td>
</tr>
<tr class="even">
<td><p>NumberOfFirstRetries</p></td>
<td><p>0</p></td>
<td><p>0</p></td>
</tr>
<tr class="odd">
<td><p>IntervalForSecondSetOfRetries</p></td>
<td><p>0</p></td>
<td><p>0</p></td>
</tr>
<tr class="even">
<td><p>NumberOfSecondRetries</p></td>
<td><p>0</p></td>
<td><p>0</p></td>
</tr>
<tr class="odd">
<td><p>IntervalForRemainingScheduledRetries</p></td>
<td><p>0</p></td>
<td><p>0</p></td>
</tr>
<tr class="even">
<td><p>NumberOfRemainingScheduledRetries</p></td>
<td><p>0</p></td>
<td><p>0</p></td>
</tr>
</tbody>
</table>
 
**Invalid poll schedule: two infinite schedules**
<table>
<colgroup>
<col width="25%" />
<col width="25%" />
<col width="25%" />
<col width="25%" />
</colgroup>
<thead>
<tr class="header">
<th>Schedule name</th>
<th>Schedule set by server</th>
<th>Actual schedule set on device</th>
<th>Actual experience</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>IntervalForFirstSetOfRetries</p></td>
<td><p>15</p></td>
<td><p>15</p></td>
<td><p>Device polls</p></td>
</tr>
<tr class="even">
<td><p>NumberOfFirstRetries</p></td>
<td><p>5</p></td>
<td><p>5</p></td>
<td><p>Device polls</p></td>
</tr>
<tr class="odd">
<td><p>IntervalForSecondSetOfRetries</p></td>
<td><p>1440</p></td>
<td><p>1440</p></td>
<td><p>Device polls the server once in 24 hours</p></td>
</tr>
<tr class="even">
<td><p>NumberOfSecondRetries</p></td>
<td><p>0</p></td>
<td><p>0</p></td>
<td><p>Device polls the server once in 24 hours</p></td>
</tr>
<tr class="odd">
<td><p>IntervalForRemainingScheduledRetries</p></td>
<td><p>1440</p></td>
<td><p>0</p></td>
<td><p>Third schedule is disabled</p></td>
</tr>
<tr class="even">
<td><p>NumberOfRemainingScheduledRetries</p></td>
<td><p>0</p></td>
<td><p>0</p></td>
<td><p>Third schedule is disabled</p></td>
</tr>
</tbody>
</table>
 
If the device was previously enrolled in MDM with polling schedule configured via registry key values directly, the MDM server that supports using DMClient CSP to update polling schedule must first send an Add command to add a **./Vendor/MSFT/DMClient/Enrollment/&lt;ProviderID&gt;/Poll** node before it sends a Get/Replace command to query or update polling parameters via DMClient CSP
When using the DMClient CSP to configure polling schedule parameters, the server must not set all six polling parameters to 0, or set all 3 number of retry nodes to 0 because it will cause a configuration failure.
<a href="" id="provider-providerid-poll-intervalforfirstsetofretries"></a>**Provider/*ProviderID*/Poll/IntervalForFirstSetOfRetries**
Optional. The waiting time (in minutes) for the initial set of retries as specified by the number of retries in /&lt;ProviderID&gt;/Poll/NumberOfFirstRetries. If IntervalForFirstSetOfRetries is not set, then the default value is used. The default value is 15. If the value is set to 0, this schedule is disabled.
Supported operations are Get and Replace.
The IntervalForFirstSetOfRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\AuxRetryInterval path that previously utilized the Registry CSP.
<a href="" id="provider-providerid-poll-numberoffirstretries"></a>**Provider/*ProviderID*/Poll/NumberOfFirstRetries**
Optional. The number of times the DM client should retry to connect to the server when the client is initially configured or enrolled to communicate with the server. If the value is set to 0 and the IntervalForFirstSetOfRetries value is not 0, then the schedule will be set to repeat an infinite number of times and second set and this set of schedule will not set in this case. The default value is 10.
Supported operations are Get and Replace.
The NumberOfFirstRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\AuxNumRetries path that previously utilized the Registry CSP.
The first set of retries is intended to give the management server some buffered time to be ready to send policies and settings configuration to the device. The total time for first set of retries should not be more than a few hours. The server should not set NumberOfFirstRetries to be 0. RemainingScheduledRetries is used for the long run device polling schedule.
<a href="" id="provider-providerid-poll-intervalforsecondsetofretries"></a>**Provider/*ProviderID*/Poll/IntervalForSecondSetOfRetries**
Optional. The waiting time (in minutes) for the second set of retries as specified by the number of retries in /&lt;ProviderID&gt;/Poll/NumberOfSecondRetries. Default value is 0. If this value is set to zero, then this schedule is disabled.
Supported operations are Get and Replace.
The IntervalForSecondSetOfRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\RetryInterval path that previously utilized the Registry CSP.
<a href="" id="provider-providerid-poll-numberofsecondretries"></a>**Provider/*ProviderID*/Poll/NumberOfSecondRetries**
Optional. The number of times the DM client should retry a second round of connecting to the server when the client is initially configured/enrolled to communicate with the server. Default value is 0. If the value is set to 0 and IntervalForSecondSetOfRetries is not set to 0 AND the first set of retries is not set as infinite retries, then the schedule repeats an infinite number of times. However, if the first set of retries is set at infinite, then this schedule is disabled.
Supported operations are Get and Replace.
The NumberOfSecondRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\NumRetries path that previously utilized the Registry CSP.
The second set of retries is also optional and temporarily retries that the total duration should be last for more than a day. And the IntervalForSecondSetOfRetries should be longer than IntervalForFirstSetOfRetries. RemainingScheduledRetries is used for the long run device polling schedule.
<a href="" id="provider-providerid-poll-intervalforremainingscheduledretries"></a>**Provider/*ProviderID*/Poll/IntervalForRemainingScheduledRetries**
Optional. The waiting time (in minutes) for the initial set of retries as specified by the number of retries in /&lt;ProviderID&gt;/Poll/NumberOfRemainingScheduledRetries. Default value is 0. If IntervalForRemainingScheduledRetries is set to 0, then this schedule is disabled.
Supported operations are Get and Replace.
The IntervalForRemainingScheduledRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\Aux2RetryInterval path that previously utilized the Registry CSP.
<a href="" id="provider-providerid-poll-numberofremainingscheduledretries"></a>**Provider/*ProviderID*/Poll/NumberOfRemainingScheduledRetries**
Optional. The number of times the DM client should retry connecting to the server when the client is initially configured/enrolled to communicate with the server. Default value is 0. If the value is set to 0 and IntervalForRemainingScheduledRetries AND the first and second set of retries are not set as infinite retries, then the schedule will be set to repeat for an infinite number of times. However, if either or both of the first and second set of retries are set as infinite, then this schedule will be disabled.
Supported operations are Get and Replace.
The NumberOfRemainingScheduledRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\Aux2NumRetries path that previously utilized the Registry CSP.
The RemainingScheduledRetries is used for the long run device polling schedule. IntervalForRemainingScheduledRetries should not be set smaller than 1440 minutes (24 hours) in Windows Phone 8.1 device. Windows Phone 8.1 supports MDM server push.
<a href="" id="provider-providerid-poll-pollonlogin"></a>**Provider/*ProviderID*/Poll/PollOnLogin**
Optional. Boolean value that allows the IT admin to require the device to start a management session on any user login, regardless of if the user has preciously logged in. Login is not the same as device unlock. Default value is false, where polling is disabled on first login. Supported values are true or false.
Supported operations are Add, Get, and Replace.
<a href="" id="provider-providerid-poll-alluserspollonfirstlogin"></a>**Provider/*ProviderID*/Poll/AllUsersPollOnFirstLogin**
Optional. Boolean value that allows the IT admin to require the device to start a management session on first user login for all NT users. A session is only kicked off the first time a user logs in to the system; subsequent logins will not trigger an MDM session. Login is not the same as device unlock. Default value is false, where polling is disabled on first login. Supported values are true or false.
Supported operations are Add, Get, and Replace.
<a href="" id="provider-providerid-push"></a>**Provider/*ProviderID*/Push**
Optional. Not configurable during WAP Provisioining XML. If removed, DM sessions triggered by Push will no longer be supported.
Supported operations are Add and Delete.
<a href="" id="provider-providerid-push-pfn"></a>**Provider/*ProviderID*/Push/PFN**
Required. A string provided by the Windows 10 ecosystem for a Mobile Device Management solution. Used to register a device for Push Notifications. The server must use the same PFN as the devices it is managing.
Supported operations are Add, Get, and Replace.
<a href="" id="provider-providerid-push-channeluri"></a>**Provider/*ProviderID*/Push/ChannelURI**
Required. A string that contains the channel that the WNS client has negotiated for the OMA DM client on the device based on the PFN that was provided. If no valid PFN is currently set, ChannelURI will return null.
Supported operation is Get.
<a href="" id="provider-providerid-push-status"></a>**Provider/*ProviderID*/Push/Status**
Required. An integer that maps to a known error state or condition on the system.
Supported operation is Get.
The status error mapping is listed below.
<table>
<colgroup>
<col width="20%" />
<col width="80%" />
</colgroup>
<thead>
<tr class="header">
<th>Status</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>0</p></td>
<td><p>Success</p></td>
</tr>
<tr class="even">
<td><p>1</p></td>
<td><p>Failure: invalid PFN</p></td>
</tr>
<tr class="odd">
<td><p>2</p></td>
<td><p>Failure: invalid or expired device authentication with MSA</p></td>
</tr>
<tr class="even">
<td><p>3</p></td>
<td><p>Failure: WNS client registration failed due to an invalid or revoked PFN</p></td>
</tr>
<tr class="odd">
<td><p>4</p></td>
<td><p>Failure: no Channel URI assigned</p></td>
</tr>
<tr class="even">
<td><p>5</p></td>
<td><p>Failure: Channel URI has expired</p></td>
</tr>
<tr class="odd">
<td><p>6</p></td>
<td><p>Failure: Channel URI failed to be revoked</p></td>
</tr>
<tr class="even">
<td><p>7</p></td>
<td><p>Failure: push notification received, but unable to establish an OMA-DM session due to power or connectivity limitations.</p></td>
</tr>
<tr class="odd">
<td><p>8</p></td>
<td><p>Unknown error</p></td>
</tr>
</tbody>
</table>
 
<a href="" id="provider-providerid-customenrollmentcompletepage"></a>**Provider/*ProviderID*/CustomEnrollmentCompletePage**
Optional. Added in Windows 10, version 1703.
Supported operations are Add, Delete, and Get.
<a href="" id="provider-providerid-customenrollmentcompletepage-title"></a>**Provider/*ProviderID*/CustomEnrollmentCompletePage/Title**
Optional. Added in Windows 10, version 1703. Specifies the title of the all done page that appears at the end of the MDM enrollment flow.
Supported operations are Add, Delete, Get, and Replace. Value type is string.
<a href="" id="provider-providerid-customenrollmentcompletepage-bodytext"></a>**Provider/*ProviderID*/CustomEnrollmentCompletePage/BodyText**
Optional. Added in Windows 10, version 1703. Specifies the body text of the all done page that appears at the end of the MDM enrollment flow.
Supported operations are Add, Delete, Get, and Replace. Value type is string.
<a href="" id="provider-providerid-customenrollmentcompletepage-hyperlinkhref"></a>**Provider/*ProviderID*/CustomEnrollmentCompletePage/HyperlinkHref**
Optional. Added in Windows 10, version 1703. Specifies the URL that is shown at the end of the MDM enrollment flow.
Supported operations are Add, Delete, Get, and Replace. Value type is string.
<a href="" id="provider-providerid-customenrollmentcompletepage-hyperlinktext"></a>**Provider/*ProviderID*/CustomEnrollmentCompletePage/HyperlinkText**
Optional. Added in Windows 10, version 1703. Specifies the display text for the URL that is shown at the end of the MDM enrollment flow.
Supported operations are Add, Delete, Get, and Replace. Value type is string.
<a href="" id="provider-providerid-unenroll"></a>**Provider/*ProviderID*/Unenroll**
Required. The node accepts unenrollment requests by way of the OMA DM Exec command and calls the enrollment client to unenroll the device from the management server whose provider ID is specified in the `<Data>` tag under the `<Item>` element. Scope is permanent.
Supported operations are Get and Exec.
Note that &lt;LocURI&gt;./Vendor/MSFT/DMClient/Unenroll&lt;/LocURI&gt; is supported for backward compatibility.
The following SyncML shows how to remotely unenroll the device. Note that this command should be inserted in the general DM packages sent from the server to the device.
``` syntax
<Exec>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/DMClient/Provider/<ProviderID>/Unenroll</LocURI>
</Target>
<Meta>
<Format xmlns=”syncml:metinf”>chr</Format>
</Meta>
<Data>TestMDMServer</Data>
<!-- Data Field in Threshold is now IGNORED -->
</Item>
</Exec>
```
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
 
 

1092
windows/client-management/mdm/dmclient-ddf-file.md Normal file
View File

File diff suppressed because it is too large Load Diff

235
windows/client-management/mdm/dmprocessconfigxmlfiltered.md Normal file
View File

@ -0,0 +1,235 @@
---
title: DMProcessConfigXMLFiltered function
description: Configures phone settings by using OMA Client Provisioning XML.
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
Search.Refinement.TopicID: 184
ms.assetid: 31D79901-6206-454C-AE78-9B85A3B3487F
keywords: ["DMProcessConfigXMLFiltered function"]
topic_type:
- apiref
api_name:
- DMProcessConfigXMLFiltered
api_location:
- dmprocessxmlfiltered.dll
api_type:
- DllExport
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# DMProcessConfigXMLFiltered function
> **Important**  
The use of this function for automatic data configuration (ADC) is deprecated in Windows Phone 8.1. Please see [Connectivity configuration](https://msdn.microsoft.com/en-us/library/windows/hardware/dn757424) for more information about the new process for provisioning connectivity configuration. However, this function is still supported for other OEM uses.
Configures phone settings by using OMA Client Provisioning XML. Use of this function is strictly limited to the following scenarios.
- Adding dynamic credentials for OMA Client Provisioning.
- Manufacturing test applications. These applications and the supporting drivers must be removed from the phones before they are sold.
Microsoft recommends that this function is not used to configure the following types of settings.
- Security settings that are configured by using CertificateStore, SecurityPolicy, and RemoteWipe, unless they are related to OMA DM or OMA Client Provisioning security policies.
- Non-cellular data connection settings (such as Hotspot settings).
- File system files and registry settings, unless they are used for OMA DM account management, mobile operator data connection settings, or manufacturing tests.
- Email settings.
> **Note**  The **DMProcessConfigXMLFiltered** function has full functionality in Windows 10 Mobile and Windows Phone 8.1, but it has a read-only functionality in Windows 10 desktop.
 
## Syntax
```C++
HRESULT STDAPICALLTYPE DMProcessConfigXMLFiltered(
       LPCWSTR pszXmlIn,
 const WCHAR   **rgszAllowedCspNode,
 const DWORD   dwNumAllowedCspNodes,
       BSTR    *pbstrXmlOut
);
```
## Parameters
*pszXmlIn*
<ul style="list-style-type:none">
<li>\[in\] The nullterminated input XML buffer containing the configuration data. The parameter holds the XML that will be used to configure the phone. **DMProcessConfigXMLFiltered** accepts only OMA Client Provisioning XML (also known as WAP provisioning). It does not accept OMA DM SyncML XML (also known as SyncML).</li>
</ul>
<br>
*rgszAllowedCspNode*
<ul style="list-style-type:none">
<li>\[in\] Array of **WCHAR\*** that specify which configuration service provider nodes are allowed to be invoked.</li>
</ul>
<br>
*dwNumAllowedCspNodes*
<ul style="list-style-type:none">
<li>\[in\] Number of elements passed in *rgszAllowedCspNode*.</li>
</ul>
<br>
*pbstrXmlOut*
<ul style="list-style-type:none">
<li>\[out\] The resulting nullterminated XML from configuration. The caller of **DMProcessConfigXMLFiltered** is responsible for cleanup of the output buffer that the *pbstrXmlOut* parameter references. Use [**SysFreeString**](https://msdn.microsoft.com/library/windows/hardware/ms221481) to free the memory.</li>
</ul>
<br>
If **DMProcessConfigXMLFiltered** retrieves a document, the *pbstrXmlOut* holds the XML output (in string form) of the provisioning operations. If **DMProcessConfigXMLFiltered** returns a failure, the XML output often contains "error nodes" that indicate which elements of the original XML failed. If the input document does not contain queries and is successfully processed, the output document should resemble the input document. In some error cases, no output is returned.
## Return value
Returns the standard **HRESULT** value **S\_OK** to indicate success. The following table shows the additional error codes that may be returned.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Return code</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td style="vertical-align:top"><p><strong>CONFIG_E_OBJECTBUSY</strong></p></td>
<td style="vertical-align:top"><p>Another instance of the configuration management service is currently running.</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top"><p><strong>CONFIG_E_ENTRYNOTFOUND</strong></p></td>
<td style="vertical-align:top"><p>No metabase entry was found.</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top"><p><strong>CONFIG_E_CSPEXCEPTION</strong></p></td>
<td style="vertical-align:top"><p>An exception occurred in one of the configuration service providers.</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top"><p><strong>CONFIG_E_TRANSACTIONINGFAILURE</strong></p></td>
<td style="vertical-align:top"><p>A configuration service provider failed to roll back properly. The affected settings might be in an unknown state.</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top"><p><strong>CONFIG_E_BAD_XML</strong></p></td>
<td style="vertical-align:top"><p>The XML input is invalid or malformed.</p></td>
</tr>
</tbody>
</table>
 
## Remarks
The processing of the XML is transactional; either the entire document gets processed successfully or none of the settings are processed. Therefore, the **DMProcessConfigXMLFiltered** function processes only one XML configuration request at a time.
The usage of **DMProcessConfigXMLFiltered** depends on the configuration service providers that are used. For example, if the input .provxml contains the following two settings:
``` XML
<wap-provisioningdoc>
    <characteristic type="NAPDEF">
        <characteristic type="Internet" mwid="1">
            <parm name="NAME" value="Contoso Internet APN"/>
            <parm name="BEARER" value="GSM-GPRS"/>
            <parm name="NAP-ADDRESS" value="wap.contoso"/>
            <parm name="NAP-ADDRTYPE" value="APN"/>
            <parm name="INTERNET" value="1"/>
        </characteristic>
    </characteristic>
    <characteristic type="BrowserFavorite">
        <characteristic type="Contoso">
            <parm name="URL" value="http://www.contoso.com"/>
        </characteristic>
    </characteristic>
</wap-provisioningdoc>
```
Then, the second parameter in the call to **DMProcessConfigXMLFiltered** would have to have the following definition.
``` C++
LPCWSTR rgszAllowedCspNodes[] =
{
    L"NAPDEF",
    L"BrowserFavorite"
};
```
This array of configuration service provider names indicates which .provxml contents should be present. If the provxml contains "EMAIL2" provisioning but *rgszAllowedCspNodes* does not contain EMAIL2, then **DMProcessConfigXMLFiltered** fails with an **E\_ACCESSDENIED** error code.
The following code sample shows how this array would be passed in. Note that *szProvxmlContent* does not show the full XML contents for brevity. In actual usage, the "…" would contain the full XML string shown above.
``` C++
WCHAR szProvxmlContent[] = L"<wap-provisioningdoc>...</wap-provisioningdoc>";
BSTR bstr = NULL;
HRESULT hr = DMProcessConfigXMLFiltered(
                szProvxmlContent,
                rgszAllowedCspNodes,
                _countof(rgszAllowedCspNodes),
                &bstr
                );
/* check error */
if ( bstr != NULL )
{
    SysFreeString( bstr );
    bstr = NULL;
}
```
## Requirements
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<tbody>
<tr class="odd">
<td style="vertical-align:top"><p>Minimum supported client</p></td>
<td style="vertical-align:top"><p>None supported</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top"><p>Minimum supported server</p></td>
<td style="vertical-align:top"><p>None supported</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top"><p>Minimum supported phone</p></td>
<td style="vertical-align:top"><p>Windows Phone 8.1</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top"><p>Header</p></td>
<td style="vertical-align:top"><p>Dmprocessxmlfiltered.h</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top"><p>Library</p></td>
<td style="vertical-align:top"><p>Dmprocessxmlfiltered.lib</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top"><p>DLL</p></td>
<td style="vertical-align:top"><p>Dmprocessxmlfiltered.dll</p></td>
</tr>
</tbody>
</table>
## See also
[**SysFreeString**](https://msdn.microsoft.com/library/windows/hardware/ms221481)
 

66
windows/client-management/mdm/dmsessionactions-csp.md Normal file
View File

@ -0,0 +1,66 @@
---
title: DMSessionActions CSP
description: DMSessionActions CSP
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# DMSessionActions CSP
The DMSessionActions configuration service provider (CSP) is used to manage:
- the number of sessions the client skips if the device is in a low power state
- which CSP nodes should send an alert back to the server if there were any changes.
This CSP was added in Windows 10, version 1703.
The following diagram shows the DMSessionActions configuration service provider in tree format.
![dmsessionactions csp](images/provisioning-csp-dmsessionactions.png)
<a href="" id="vendor-msft-dmsessionactions"></a>**./Device/Vendor/MSFT/DMSessionActions or ./User/Vendor/MSFT/DMSessionActions**
<p style="margin-left: 20px">Defines the root node for the DMSessionActions configuration service provider.</p>
<a href="" id="providerid"></a>**_ProviderID_**
<p style="margin-left: 20px">Group settings per device management (DM) server. Each group of settings is distinguished by the Provider ID of the server. It must be the same DM server Provider ID value that was supplied through the w7 APPLICATION configuration service provider XML during the enrollment process. Only one enterprise management server is supported, which means that there should be only one ProviderID node under NodeCache. </p>
<p style="margin-left: 20px">Scope is dynamic. Supported operations are Get, Add, and Delete.</p>
<a href="" id="checkinalertconfiguration"></a>**_ProviderID_/CheckinAlertConfiguration**
<p style="margin-left: 20px">Node for the custom configuration of alerts to be sent during MDM sync session.</p>
<a href="" id="nodes"></a>**_ProviderID_/CheckinAlertConfiguration/Nodes**
<p style="margin-left: 20px">Required. Root node for URIs to be queried. Scope is dynamic.</p>
<p style="margin-left: 20px">Supported operation is Get.</p>
<a href="" id="nodeid"></a>**_ProviderID_/CheckinAlertConfiguration/Nodes/_NodeID_**
<p style="margin-left: 20px">Required. Information about each node is stored under NodeID as specified by the server. This value must not contain a comma. Scope is dynamic.</p>
<p style="margin-left: 20px">Supported operations are Get, Add, and Delete.</p>
<a href="" id="nodeuri"></a>**_ProviderID_/CheckinAlertConfiguration/Nodes/_NodeID_/NodeURI**
<p style="margin-left: 20px">Required. The value is a complete OMA DM node URI. It can specify either an interior node or a leaf node in the device management tree. Scope is dynamic.</p>
<p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="alertdata"></a>**AlertData**
<p style="margin-left: 20px">Node to query the custom alert per server configuration</p>
<p style="margin-left: 20px">Value type is string. Supported operation is Get.</p>
<a href="" id="powersettings"></a>**PowerSettings**
<p style="margin-left: 20px">Node for power related configrations</p>
<a href="" id="maxskippedsessionsinlowpowerstate"></a>**PowerSettings/MaxSkippedSessionsInLowPowerState**
<p style="margin-left: 20px">Maximum number of continuous skipped sync sessions when the device is in low power state.</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="maxtimesessionsskippedinlowpowerstate"></a>**PowerSettings/MaxTimeSessionsSkippedInLowPowerState**
<p style="margin-left: 20px">Maximum time in minutes when the device can skip the check-in with the server if the device is in low power state. </p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Add, Get, Replace, and Delete.</p>

473
windows/client-management/mdm/dmsessionactions-ddf.md Normal file
View File

@ -0,0 +1,473 @@
---
title: DMSessionActions DDF file
description: DMSessionActions DDF file
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# DMSessionActions DDF file
> [!WARNING]
> Some information relates to prereleased product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
This topic shows the OMA DM device description framework (DDF) for the **DMSessionActions** configuration service provider.
You can download the DDF files from the links below:
- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip)
The XML below is the current version for this CSP.
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>DMSessionActions</NodeName>
<Path>./User/Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>com.microsoft/1.1/MDM/DMSessionActions</MIME>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>ProviderID</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>CheckinAlertConfiguration</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Nodes</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrMore />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>NodeID</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>NodeURI</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</Node>
<Node>
<NodeName>AlertData</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>PowerSettings</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>MaxSkippedSessionsInLowPowerState</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>MaxTimeSessionsSkippedInLowPowerState</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</Node>
<Node>
<NodeName>DMSessionActions</NodeName>
<Path>./Device/Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>com.microsoft/1.1/MDM/DMSessionActions</MIME>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>ProviderID</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>CheckinAlertConfiguration</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Nodes</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrMore />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>NodeID</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>NodeURI</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</Node>
<Node>
<NodeName>AlertData</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>PowerSettings</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>MaxSkippedSessionsInLowPowerState</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>MaxTimeSessionsSkippedInLowPowerState</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</Node>
</MgmtTree>
```

226
windows/client-management/mdm/dynamicmanagement-csp.md Normal file
View File

@ -0,0 +1,226 @@
---
title: DynamicManagement CSP
description: DynamicManagement CSP
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# DynamicManagement CSP
Windows 10 allows you to manage devices differently depending on location, network, or time.  In Windows 10, version 1703 the focus is on the most common areas of concern expressed by organizations. For example, managed devices can have cameras disabled when at a work location, the cellular service can be disabled when outside the country to avoid roaming charges, or the wireless network can be disabled when the device is not within the corporate building or campus. Once configured, these settings will be enforced even if the device cant reach the management server when the location or network changes. The Dynamic Management CSP enables configuration of policies that change how the device is managed in addition to setting the conditions on which the change occurs.
This CSP was added in Windows 10, version 1703.
The following diagram shows the DynamicManagement configuration service provider in tree format.
![dynamicmanagement csp](images/provisioning-csp-dynamicmanagement.png)
<a href="" id="dynamicmanagement"></a>**DynamicManagement**
<p style="margin-left: 20px">The root node for the DynamicManagement configuration service provider.</p>
<a href="" id="notificationsenabled"></a>**NotificationsEnabled**
<p style="margin-left: 20px">Boolean value for sending notification to the user of a context change.</p>
<p style="margin-left: 20px">Default value is False. Supported operations are Get and Replace.</p>
<p style="margin-left: 20px">Example to turn on NotificationsEnabled:</p>
``` syntax
<Replace>
<CmdID>100</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/DynamicManagement/NotificationsEnabled</LocURI>
</Target>
<Meta>
<Type xmlns="syncml:metinf">text/plain</Type>
<Format xmlns="syncml:metinf">bool</Format>
</Meta>
<Data>true</Data>
</Item>
</Replace>
```
<a href="" id="activelist"></a>**ActiveList**
<p style="margin-left: 20px">A string containing the list of all active ContextIDs on the device. Delimeter is unicode character 0xF000..</p>
<p style="margin-left: 20px">Supported operation is Get.</p>
<a href="" id="contexts"></a>**Contexts**
<p style="margin-left: 20px">Node for context information.</p>
<p style="margin-left: 20px">Supported operation is Get.</p>
<a href="" id="contextid"></a>***ContextID***
<p style="margin-left: 20px">Node created by the server to define a context. Maximum amount of characters allowed is 38.</p>
<p style="margin-left: 20px">Supported operations are Add, Get, and Delete.</p>
<a href="" id="signaldefinition"></a>**SignalDefinition**
<p style="margin-left: 20px">Signal Definition XML.</p>
<p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Delete, and Replace.</p>
<a href="" id="settingspack"></a>**SettingsPack**
<p style="margin-left: 20px">Settings that get applied when the Context is active.</p>
<p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Delete, and Replace.</p>
<a href="" id="settingspackresponse"></a>**SettingsPackResponse**
<p style="margin-left: 20px">Response from applying a Settings Pack that contains information on each individual action..</p>
<p style="margin-left: 20px">Value type is string. Supported operation is Get.</p>
<a href="" id="contextstatus"></a>**ContextStatus**
<p style="margin-left: 20px">Reports status of the context. If there was a failure, SettingsPackResponse should be checked for what exactly failed..</p>
<p style="margin-left: 20px">Value type is integer. Supported operation is Get.</p>
<a href="" id="altitude"></a>**Altitude**
<p style="margin-left: 20px">A value that determines how to handle conflict resolution of applying multiple contexts on the device. This is required and must be distinct of other priorities..</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Add, Get, Delete, and Replace.</p>
<a href="" id="alertsenabled"></a>**AlertsEnabled**
<p style="margin-left: 20px">A Boolean value for sending an alert to the server when a context fails.</p>
<p style="margin-left: 20px">Supported operations are Get and Replace.</p>
## Examples
Disable Cortana based on Geo location and time, From 9am-5pm, when in the 100 meters radius of the specified latitude/longitude
``` syntax
<Replace>
<CmdID>200</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/DynamicManagement/Contexts/Bldg109/SettingsPack</LocURI>
</Target>
<Meta>
<Type xmlns="syncml:metinf">text/plain</Type>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>&lt;SyncML&gt;
&lt;SyncBody&gt;&lt;Replace&gt;&lt;CmdID&gt;1001&lt;/CmdID&gt;&lt;Item&gt;&lt;Target&gt;&lt;LocURI&gt;./Vendor/MSFT/Policy/Config/Experience/AllowCortana&lt;/LocURI&gt;&lt;/Target&gt;&lt;Meta&gt;&lt;Format xmlns=&quot;syncml:metinf&quot;&gt;int&lt;/Format&gt;&lt;/Meta&gt;&lt;Data&gt;0&lt;/Data&gt;&lt;/Item&gt;&lt;/Replace&gt;&lt;Final/&gt;&lt;/SyncBody&gt;&lt;/SyncML&gt;</Data>
</Item>
</Replace>
<Replace>
<CmdID>201</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/DynamicManagement/Contexts/Bldg109/SignalDefinition</LocURI>
</Target>
<Meta>
<Type xmlns="syncml:metinf">text/plain</Type>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>
&lt;rule schemaVersion=&quot;1.0&quot;&gt;
&lt;and&gt;
&lt;signal type="geoloc" latitude="47.6375" longitude="-122.1402" radiusInMeters="100"/&gt;
&lt;signal type=&quot;time&quot;&gt;
&lt;daily startTime=&quot;09:00:00&quot; endTime=&quot;17:00:00&quot;/&gt;
&lt;/signal&gt;
&lt;/and&gt;
&lt;/rule&gt;
</Data>
</Item>
</Replace>
<Replace>
<CmdID>202</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/DynamicManagement/Contexts/Bldg109/Altitude</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>3</Data>
</Item>
</Replace>
```
Disable camera using network trigger with time trigger, from 9-5, when ip4 gateway is 192.168.0.1
``` syntax
<Replace>
<CmdID>300</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/DynamicManagement/Contexts/NetworkWithTime/SettingsPack</LocURI>
</Target>
<Meta>
<Type xmlns="syncml:metinf">text/plain</Type>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>&lt;SyncML&gt;
&lt;SyncBody&gt;&lt;Replace&gt;&lt;CmdID&gt;1002&lt;/CmdID&gt;&lt;Item&gt;&lt;Target&gt;&lt;LocURI&gt;./Vendor/MSFT/Policy/Config/Camera/AllowCamera&lt;/LocURI&gt;&lt;/Target&gt;&lt;Meta&gt;&lt;Format xmlns=&quot;syncml:metinf&quot;&gt;int&lt;/Format&gt;&lt;/Meta&gt;&lt;Data&gt;0&lt;/Data&gt;&lt;/Item&gt;&lt;/Replace&gt; &lt;Final/&gt;&lt;/SyncBody&gt;&lt;/SyncML&gt;</Data>
</Item>
</Replace>
<Replace>
<CmdID>301</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/DynamicManagement/Contexts/ NetworkWithTime /SignalDefinition</LocURI>
</Target>
<Meta>
<Type xmlns="syncml:metinf">text/plain</Type>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>
&lt;rule schemaVersion=&quot;1.0&quot;&gt;
&lt;and&gt;
&lt;signal type="ipConfig"&gt;
&lt;ipv4Gateway&gt;192.168.0.1&lt;/ipv4Gateway&gt;
&lt;/signal&gt;
&lt;signal type=&quot;time&quot;&gt;
&lt;daily startTime=&quot;09:00:00&quot; endTime=&quot;17:00:00&quot;/&gt;
&lt;/signal&gt;
&lt;/and&gt;
&lt;/rule&gt;
</Data>
</Item>
</Replace>
<Replace>
<CmdID>302</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/DynamicManagement/Contexts/ NetworkWithTime /Altitude</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>10</Data>
</Item>
</Replace>
```
Delete a context
``` syntax
<Delete>
<CmdID>400</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/DynamicManagement/Contexts/NetworkWithTime</LocURI>
</Target>
</Item>
</Delete>
```
Get ContextStatus and SignalDefinition from a specific context
``` syntax
<Get>
<CmdID>400</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/DynamicManagement/Contexts/NetworkWithTime/ContextStatus</LocURI>
</Target>
</Item>
</Get>
<Get>
<CmdID>401</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/DynamicManagement/Contexts/NetworkWithTime/SignalDefinition </LocURI>
</Target>
</Item>
</Get>
```

320
windows/client-management/mdm/dynamicmanagement-ddf.md Normal file
View File

@ -0,0 +1,320 @@
---
title: DynamicManagement DDF file
description: DynamicManagement DDF file
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: 7e266db0-2fd9-4412-b428-4550f41a1738
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# DynamicManagement DDF file
This topic shows the OMA DM device description framework (DDF) for the **DynamicManagement** configuration service provider.
You can download the DDF files from the links below:
- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip)
The XML below is the current version for this CSP.
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>DynamicManagement</NodeName>
<Path>./Device/Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>NotificationsEnabled</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DefaultValue>False</DefaultValue>
<Description>A Boolean value that sets if the user is notified of a context change.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFTitle>NotificationsEnabled</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>ActiveList</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>A string containing the list of all active ContextIDs on the device. Delimeter is unicode character 0xF000.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFTitle>ActiveList</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Contexts</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFTitle>Contexts</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
</AccessType>
<Description>Node created by the server to define a context. Maximum amount of characters allowed is 38.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrMore />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFTitle>ContextID</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>SignalDefinition</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<Description>Signal Definition XML</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFTitle>SignalDefinition</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>SettingsPack</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<Description>Settings that get applied when the Context is active.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFTitle>SettingsPack</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>SettingsPackResponse</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Response from applying a Settings Pack, contains information on each individual action.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFTitle>SettingsPackResponse</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>ContextStatus</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>Reports status of the context. If there was a failure, SettingsPackResponse should be checked for what exactly failed.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFTitle>ContextStatus</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Altitude</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<Description>A value that determines how to handle resolution of applying multiple contexts on the device. Required, and must be distinct of other priorities.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFTitle>Altitude</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
<Node>
<NodeName>AlertsEnabled</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DefaultValue>True</DefaultValue>
<Description>A Boolean value that sets if when a context fails, the CSP sends an alert to the Server</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFTitle>AlertsEnabled</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</MgmtTree>
```

300
windows/client-management/mdm/eap-configuration.md Normal file
View File

@ -0,0 +1,300 @@
---
title: EAP configuration
description: The topic provides a step-by-step guide for creating an Extensible Authentication Protocol (EAP) configuration XML for the VPN profile and information about EAP certificate filtering in Windows 10.
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: DD3F2292-4B4C-4430-A57F-922FED2A8FAE
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# EAP configuration
The topic provides a step-by-step guide for creating an Extensible Authentication Protocol (EAP) configuration XML for the VPN profile and information about EAP certificate filtering in Windows 10.
## Create an Extensible Authentication Protocol (EAP) configuration XML for the VPN profile
Here is an easy way to get the EAP configuration from your desktop using the rasphone tool that is shipped in the box.
1. Run rasphone.exe.
![vpnv2 rasphone](images/vpnv2-csp-rasphone.png)
2. If you don't currently have any VPN connections and you see the following message, click **OK**.
![vpnv2 eap configuration](images/vpnv2-csp-networkconnections.png)
3. Select **Workplace network** in the wizard.
![vpnv2 eap configuration](images/vpnv2-csp-setupnewconnection.png)
4. Enter any dummy information for the internet address and connection name. These can be fake since it does not impact the authentication parameters.
![vpnv2 eap configuration](images/vpnv2-csp-setupnewconnection2.png)
5. Create a fake VPN connection. In the UI shown below, click **Properties**.
![vpnv2 eap configuration](images/vpnv2-csp-choosenetworkconnection.png)
6. In the **Test Properties** dialog, click the **Security** tab.
![vpnv2 eap configuration](images/vpnv2-csp-testproperties.png)
7. In the **Security** tab, select **Use Extensible Authentication Protocol (EAP)** radio button.
![vpnv2 eap configuration](images/vpnv2-csp-testproperties2.png)
8. From the drop down menu, select the EAP method that you want to configure. Then click **Properties** to configure as needed.
![vpnv2 eap configuration](images/vpnv2-csp-testproperties3.png)![vpnv2 eap configuration](images/vpnv2-csp-testproperties4.png)
9. Switch over to PowerShell and use the following cmdlets to retrieve the EAP configuration XML.
``` syntax
Get-VpnConnection -Name Test
```
<a href="" id="pow"></a>Here is an example output.
``` syntax
Name : Test
ServerAddress : 1.1.1.1
AllUserConnection : False
Guid : {EC87F6C9-8823-416C-B92B-517D592E250F}
TunnelType : Automatic
AuthenticationMethod : {Eap}
EncryptionLevel : Optional
L2tpIPsecAuth : Certificate
UseWinlogonCredential : False
EapConfigXmlStream : #document
ConnectionStatus : Disconnected
RememberCredential : True
SplitTunneling : False
DnsSuffix :
IdleDisconnectSeconds : 0
```
``` syntax
$a = Get-VpnConnection -Name Test
```
``` syntax
$a.EapConfigXmlStream.InnerXml
```
Here is an example output
``` syntax
<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><EapMethod><Type xmlns="http://www.microsoft.co
m/provisioning/EapCommon">13</Type><VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId><VendorTy
pe xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType><AuthorId xmlns="http://www.microsoft.com/provisi
oning/EapCommon">0</AuthorId></EapMethod><Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Eap xmlns="h
ttp://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>13</Type><EapType xmlns="http://www.microsoft.co
m/provisioning/EapTlsConnectionPropertiesV1"><CredentialsSource><CertificateStore><SimpleCertSelection>true</SimpleCertSel
ection></CertificateStore></CredentialsSource><ServerValidation><DisableUserPromptForServerValidation>false</DisableUserPr
omptForServerValidation><ServerNames></ServerNames></ServerValidation><DifferentUsername>false</DifferentUsername><Perform
ServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">true</PerformServerValidation>
<AcceptServerName xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">true</AcceptServerName><TLSEx
tensions xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2"><FilteringInfo xmlns="http://www.micro
soft.com/provisioning/EapTlsConnectionPropertiesV3"><ClientAuthEKUList Enabled="true" /><AnyPurposeEKUList Enabled="true"
/></FilteringInfo></TLSExtensions></EapType></Eap></Config></EapHostConfig>
```
**Note**  You should check with MDM vendor if you need to pass this XML in escaped format. The XSDs for all EAP methods are shipped in the box and can be found at the following locations:
- C:\\Windows\\schemas\\EAPHost
- C:\\Windows\\schemas\\EAPMethods
 
## EAP certificate filtering
In your deployment, if you have multiple certificates provisioned on the device and the Wi-Fi profile provisioned does not have a strict filtering criteria, you may see connection failures when connecting to Wi-Fi. The solution is to ensure that the Wi-Fi profile provisioned has strict filtering criteria such that it matches only one certificate.
Enterprises deploying certificate based EAP authentication for VPN/Wi-Fi can face a situation where there are multiple certificates that meet the default criteria for authentication. This can lead to issues such as:
- The user may be prompted to select the certificate.
- The wrong certificate may get auto selected and cause an authentication failure.
A production ready deployment must have the appropriate certificate details as part of the profile being deployed. The following information explains how to create or update an EAP Configuration XML such that the extraneous certificates are filtered out and the appropriate certificate can be used for the authentication.
EAP XML must be updated with relevant information for your environment This can be done either manually by editing the XML sample below, or by using the step by step UI guide. After the EAP XML is updated, refer to instructions from your MDM to deploy the updated configuration as follows:
- For Wi-Fi, look for the &lt;EAPConfig&gt; section of your current WLAN Profile XML (This is what you specify for the WLanXml node in the Wi-Fi CSP). Within these tags you will find the complete EAP configuration. Replace the section under &lt;EAPConfig&gt; with your updated XML and update your Wi-Fi profile. You might need to refer to your MDMs guidance on how to deploy a new Wi-Fi profile.
- For VPN, EAP Configuration is a separate field in the MDM Configuration. Work with your MDM provider to identify and update the appropriate Field.
For information about EAP Settings, see <https://technet.microsoft.com/library/hh945104.aspx#BKMK_Cfg_cert_Selct>
For information about generating an EAP XML, see EAP configuration
For more information about extended key usage, see <http://tools.ietf.org/html/rfc5280#section-4.2.1.12>
For information about adding extended key usage (EKU) to a certificate, see <https://technet.microsoft.com/library/cc731792.aspx>
The following list describes the prerequisites for a certificate to be used with EAP:
- The certificate must have at least one of the following EKU (Extended Key Usage) properties:
- Client Authentication
- As defined by RFC 5280, this is a well-defined OID with Value 1.3.6.1.5.5.7.3.2
- Any Purpose
- An EKU Defined and published by Microsoft, is a well-defined OID with value 1.3.6.1.4.1.311.10.12.1. The inclusion of this OID implies that the certificate can be used for any purpose. The advantage of this EKU over the All Purpose EKU is that additional non-critical or custom EKUs can still be added to the certificate for effective filtering.
- All Purpose
- As defined by RFC 5280, If a CA includes extended key usages to satisfy some application needs, but does not want to restrict usage of the key, the CA can add an Extended Key Usage Value of 0. A certificate with such an EKU can be used for all purposes.
- The user or the computer certificate on the client chains to a trusted root CA
- The user or the computer certificate does not fail any one of the checks that are performed by the CryptoAPI certificate store, and the certificate passes requirements in the remote access policy.
- The user or the computer certificate does not fail any one of the certificate object identifier checks that are specified in the Internet Authentication Service (IAS)/Radius Server.
- The Subject Alternative Name (SubjectAltName) extension in the certificate contains the user principal name (UPN) of the user.
The following XML sample explains the properties for the EAP TLS XML including certificate filtering.
> **Note**  For PEAP or TTLS Profiles the EAP TLS XML is embedded within some PEAP or TTLS specific elements.
 
``` syntax
<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
<EapMethod>
<Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type>
<!--The above property defines the Method type for EAP, 13 means EAP TLS -->
<VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
<VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
<AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
<!--The 3 properties above define the method publishers, this is seen primarily in 3rd party Vendor methods.-->
<!-- For Microsoft EAP TLS the value of the above fields will always be 0 -->
</EapMethod>
<!-- Now that the EAP Method is Defined we will go into the Configuration -->
<Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
<Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
<Type>13</Type>
<EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
<CredentialsSource>
<!-- Credential Source can be either CertificateStore or SmartCard -->
<CertificateStore>
<SimpleCertSelection>true</SimpleCertSelection>
<!--SimpleCertSelection automatically selects a cert if there are mutiple identical (Same UPN, Issuer, etc.) certs.-->
<!--It uses a combination of rules to select the right cert-->
</CertificateStore>
</CredentialsSource>
<ServerValidation>
<!-- ServerValidation fields allow for checks on whether the server being connected to and the server cert being used are trusted -->
<DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
<ServerNames/>
</ServerValidation>
<DifferentUsername>false</DifferentUsername>
<PerformServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</PerformServerValidation>
<AcceptServerName xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</AcceptServerName>
<TLSExtensions xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">
<!-- For filtering the relevant information is below -->
<FilteringInfo xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV3">
<CAHashList Enabled="true">
<!-- The above implies that you want to filter by Issuer Hash -->
<IssuerHash>ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
<!-- Issuing certs thumbprint goes here-->
</IssuerHash>
<!-- You can add multiple entries and it will find the list of certs that have at least one of these certs in its chain-->
</CAHashList>
<EKUMapping>
<!-- This section defines Custom EKUs that you may be adding-->
<!-- You do not need this section if you do not have custom EKUs -->
<!-- You can have multiple EKUs defined here and then referenced below as shown -->
<EKUMap>
<EKUName>
<!--Add a friendly Name for an EKU here for example -->ContostoITEKU</EKUName>
<EKUOID>
<!--Add the OID Value your CA adds to the certificate here, for example -->1.3.6.1.4.1.311.42.1.15</EKUOID>
</EKUMap>
<!-- All the EKU Names referenced in the example below must first be defined here
<EKUMap>
<EKUName>Example1</EKUName>
<EKUOID>2.23.133.8.3</EKUOID>
</EKUMap>
<EKUMap>
<EKUName>Example2</EKUName>
<EKUOID>1.3.6.1.4.1.311.20.2.1</EKUOID>
</EKUMap>
-->
</EKUMapping>
<ClientAuthEKUList Enabled="true">
<!-- The above implies that you want certs with Client Authentication EKU to be used for authentication -->
<EKUMapInList>
<!-- This section implies that the certificate should have the following custom EKUs in addition to the Client Authentication EKU -->
<EKUName>
<!--Use the name from the EKUMap Field above-->ContostoITEKU</EKUName>
</EKUMapInList>
<!-- You can have multiple Custom EKUs mapped here, Each additional EKU will be processed with an AND operand -->
<!-- For example, Client Auth EKU AND ContosoITEKU AND Example1 etc. -->
<EKUMapInList>
<EKUName>Example1</EKUName>
</EKUMapInList>
</ClientAuthEKUList>
<AllPurposeEnabled>true</AllPurposeEnabled>
<!-- Implies that a certificate with the EKU field = 0 will be selected -->
<AnyPurposeEKUList Enabled="true"/>
<!-- Implies that a certificate with the EKU oid Value of 1.3.6.1.4.1.311.10.12.1 will be selected -->
<!-- Like for Client Auth you can also add Custom EKU properties with AnyPurposeEKUList (but not with AllPurposeEnabled) -->
<!-- So here is what the above policy implies.
The certificate selected will have
Issuer Thumbprint = ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
AND
((Client Authentication EKU AND ContosoITEKU) OR (AnyPurposeEKU) OR AllPurpose Certificate)
Any certificate(s) that match these criteria will be utilised for authentication
-->
</FilteringInfo>
</TLSExtensions>
</EapType>
</Eap>
</Config>
</EapHostConfig>
```
> **Note**  The EAP TLS XSD is located at **%systemdrive%\\Windows\\schemas\\EAPMethods\\eaptlsconnectionpropertiesv3.xsd**
 
Alternately you can use the following procedure to create an EAP Configuration XML.
1. Follow steps 1 through 7 in the EAP configuration topic.
2. In the Microsoft VPN SelfHost Properties dialog box, select **Microsoft : Smart Card or other Certificate** from the drop down (this selects EAP TLS.)
![vpn self host properties window](images/certfiltering1.png)
**Note**  For PEAP or TTLS, select the appropriate method and continue following this procedure.
 
3. Click the **Properties** button underneath the drop down menu.
4. In the **Smart Card or other Certificate Properties** menu, select the **Advanced** button.
![smart card or other certificate properties window](images/certfiltering2.png)
5. In the **Configure Certificate Selection** menu, adjust the filters as needed.
![configure certificate window](images/certfiltering3.png)
6. Click **OK** to close the windows to get back to the main rasphone.exe dialog box.
7. Close the rasphone dialog box.
8. Continue following the procedure in the EAP configuration topic from Step 9 to get an EAP TLS profile with appropriate filtering.
> **Note**  You can also set all the other applicable EAP Properties through this UI as well. A guide for what these properties mean can be found in the [Extensible Authentication Protocol (EAP) Settings for Network Access](https://technet.microsoft.com/library/hh945104.aspx) topic.
 
 
 

342
windows/client-management/mdm/email2-csp.md Normal file
View File

@ -0,0 +1,342 @@
---
title: EMAIL2 CSP
description: EMAIL2 CSP
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: bcfc9d98-bc2e-42c6-9b81-0b5bf65ce2b8
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# EMAIL2 CSP
The EMAIL2 configuration service provider (CSP) is used to configure Simple Mail Transfer Protocol (SMTP) email accounts.
> **Note**   This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_CSP\_MAIL capabilities to be accessed from a network configuration application.
On the desktop, only per user configuration is supported.
 
The following diagram shows the EMAIL2 configuration service provider management object in tree format as used by both OMA DM and OMA Client Provisioning.
![email2 csp (dm,cp)](images/provisioning-csp-email2.png)
In Windows 10 Mobile, after the users out of box experience, an OEM or mobile operator can use the EMAIL2 configuration service provider to provision the device with a mobile operators proprietary mail over the air. After provisioning, the **Start** screen has a tile for the proprietary mail provider and there is also a link to it in the applications list under **Settings, email & accounts**. After an account has been updated over-the-air by the EMAIL2 CSP, the device must be powered off and then powered back on to see the sync status.
Configuration data is not encrypted when sent over the air (OTA). Be aware that this is a potential security risk when sending sensitive configuration data, such as passwords.
> [!IMPORTANT]
> All Add and Replace commands need to be wrapped in an Atomic section.
<a href="" id="email2"></a>**EMAIL2**
The configuration service provider root node.
Supported operation is Get.
<a href="" id="guid"></a>***GUID***
Defines a specific email account. A globally unique identifier (GUID) must be generated for each email account on the device. Provisioning with an account that has the same GUID as an existing one does not create the new account and Add command will fail in this case.
Supported operations are Get, Add, and Delete.
The braces {} around the GUID are required in the EMAIL2 configuration service provider.
- For OMA Client Provisioning, the braces can be sent literally. For example, `<characteristic type="{C556E16F-56C4-4edb-9C64-D9469EE1FBE0}"/>`.
- For OMA DM, the braces must be sent using ASCII values of 0x7B and 0x7D respectively. For example, `<Target><LocURI>./Vendor/MSFT/EMAIL2/0x7BC556E16F-56C4-4edb-9C64-D9469EE1FBE0x7D</LocURI></Target>`
<a href="" id="accounticon"></a>**ACCOUNTICON**
Optional. Returns the location of the icon associated with the account.
Supported operations are Get, Add, Replace and Delete.
The account icon can be used as a tile in the **Start** list or an icon in the applications list under **Settings, email & accounts**. Some icons are already provided on the device. The suggested icon for POP/IMAP or generic ActiveSync accounts is at res://AccountSettingsSharedRes{*ScreenResolution*}!%s.genericmail.png. The suggested icon for Exchange Accounts is at res://AccountSettingsSharedRes{*ScreenResolution*}!%s.office.outlook.png. Custom icons can be added if desired.
<a href="" id="accounttype"></a>**ACCOUNTTYPE**
Required. Specifies the type of account.
Supported operations are Get, Add, Replace and Delete.
Valid values are:
- Email: normal email
- VVM: visual voice mail
<a href="" id="authname"></a>**AUTHNAME**
Required. Character string that specifies the name used to authorize the user to a specific email account (also known as the user's logon name).
Supported operations are Get, Add, Replace and Delete.
<a href="" id="authrequired"></a>**AUTHREQUIRED**
Optional. Character string that specifies whether the outgoing server requires authentication.
Supported operations are Get, Add, Replace and Delete.
Valid values are one of the following:
- 0 - Server authentication is not required.
- 1 - Server authentication is required.
> **Note**  If this value is not specified, then no SMTP authentication is done. Also, this is different from SMTPALTENABLED.
 
<a href="" id="authsecret"></a>**AUTHSECRET**
Optional. Character string that specifies the user's password. The same password is used for SMTP authentication.
Supported operations are Get, Add, Replace and Delete.
<a href="" id="domain"></a>**DOMAIN**
Optional. Character string that specifies the incoming server credentials domain. Limited to 255 characters.
Supported operations are Get, Add, Replace and Delete.
<a href="" id="dwnday"></a>**DWNDAY**
Optional. Character string that specifies how many days' worth of email should be downloaded from the server.
Supported operations are Get, Add, Replace and Delete.
Valid values are one of the following:
- -1: Specifies that all email currently on the server should be downloaded.
- 7: Specifies that 7 days worth of email should be downloaded.
- 14: Specifies that 14 days worth of email should be downloaded.
- 30: Specifies that 30 days worth of email should be downloaded.
<a href="" id="inserver"></a>**INSERVER**
Required. Character string that specifies the name of the incoming server name and port number. This is limited to 62 characters. If the standard port number is used, then you don't have to specify the port number. The value format is:
- server name:port number
Supported operations are Get, Add and Replace.
<a href="" id="linger"></a>**LINGER**
Optional. Character string that specifies the length of time between email send/receive updates in minutes.
Supported operations are Get, Add, Replace and Delete.
Valid values are:
- 0 - Email updates must be performed manually.
- 15 (default) - Wait for 15 minutes between updates.
- 30 - Wait for 30 minutes between updates.
- 60 - Wait for 60 minutes between updates.
- 120 - Wait for 120 minutes between updates.
<a href="" id="keepmax"></a>**KEEPMAX**
Optional. Specifies the maximum size for a message attachment. Attachments beyond this size will not be downloaded but it will remain on the server. The message itself will be downloaded. This value can be set only for IMAP4 accounts.
The limit is specified in KB
Valid values are 0, 25, 50, 125, and 250.
A value of 0 meaning that no limit will be enforced.
Supported operations are Get, Add, Replace and Delete.
<a href="" id="name"></a>**NAME**
Optional. Character string that specifies the name of the sender displayed on a sent email. It should be set to the users name. Limited to 255 characters.
Supported operations are Get, Add, Replace and Delete.
<a href="" id="outserver"></a>**OUTSERVER**
Required. Character string that specifies the name of the messaging service's outgoing email server. Limited to 62 characters. The value format is:
- server name:port number
Supported operations are Get, Add, Delete, and Replace.
<a href="" id="replyaddr"></a>**REPLYADDR**
Required. Character string that specifies the reply email address of the user (usually the same as the user email address). Sending email will fail without it. Limited to 255 characters.
Supported operations are Get, Add, Delete and Replace.
<a href="" id="servicename"></a>**SERVICENAME**
Required. Character string that specifies the name of the email service to create or edit (32 characters maximum).
Supported operations are Get, Add, Replace, and Delete.
> **Note**   The EMAIL2 Configuration Service Provider does not support the OMA DM **Replace** command on the parameters **SERVICENAME** and **SERVICETYPE**. To replace either the email account name or the account service type, the existing email account must be deleted and then a new one must be created.
 
<a href="" id="servicetype"></a>**SERVICETYPE**
Required. Character string that specifies the type of email service to create or edit (for example, "IMAP4" or "POP3").
Supported operations are Get, Add, Replace, and Delete.
> **Note**   The EMAIL2 Configuration Service Provider does not support the OMA DM **Replace** command on the parameters **SERVICENAME** and **SERVICETYPE**. To replace either the email account name or the account service type, the existing email account must be deleted and then a new one must be created.
 
<a href="" id="retrieve"></a>**RETRIEVE**
Optional. Specifies the maximum size in bytes for messages retrieved from the incoming email server. Messages beyond this size are retrieved, but truncated.
Valid values are 512, 1024, 2048, 5120, 20480, and 51200.
Supported operations are Get, Add, Replace, and Delete.
<a href="" id="serverdeleteaction"></a>**SERVERDELETEACTION**
Optional. Character string that specifies how message is deleted on server. Valid values:
- 1 - delete message on the server
- 2 - keep the message on the server (delete to the Trash folder).
Any other value results in default action, which depends on the transport.
Supported operations are Get, Add, Replace, and Delete.
<a href="" id="cellularonly"></a>**CELLULARONLY**
Optional. If this flag is set, the account only uses the cellular network and not Wi-Fi.
Value type is string. Supported operations are Get, Add, Replace, and Delete.
<a href="" id="syncingcontenttypes"></a>**SYNCINGCONTENTTYPES**
Required. Specifies a bitmask for which content types are supported for syncing (eg: Mail, Contacts, Calendar).
- No data (0x0)
- Contacts (0x1)
- Mail (0x2)
- Appointments (0x4)
- Tasks (0x8)
- Notes (0x10)
- Feeds (0x60)
- Network Photo (0x180)
- Group and room (0x200)
- Chat (0x400)
- Email Recipient Email (0x800)
- Server Link (0x1000)
- All items (0xffffffff)
Supported operations are Get, Add, Replace, and Delete.
<a href="" id="contactsserver"></a>**CONTACTSSERVER**
Optional. Server for contact sync if it is different from the email server.
Supported operations are Get, Add, Replace, and Delete.
<a href="" id="calendarserver"></a>**CALENDARSERVER**
Optional. Server for calendar sync if it is different from the email server.
Supported operations are Get, Add, Replace, and Delete.
<a href="" id="contactsserverrequiressl"></a>**CONTACTSSERVERREQUIRESSL**
Optional. Indicates if the connection to the contact server requires SSL.
Supported operations are Get, Add, Replace, and Delete.
<a href="" id="calendarserverrequiressl"></a>**CALENDARSERVERREQUIRESSL**
Optional. Indicates if the connection to the calendar server requires SSL.
Supported operations are Get, Add, Replace, and Delete.
<a href="" id="contactssyncschedule"></a>**CONTACTSSYNCSCHEDULE**
Optional. Sets the schedule for syncing contact items.
Supported operations are Get, Add, Replace, and Delete.
<a href="" id="calendarsyncschedule"></a>**CALENDARSYNCSCHEDULE**
Optional. Sets the schedule for syncing calendar items.
Supported operations are Get, Add, Replace, and Delete.
<a href="" id="smtpaltauthname"></a>**SMTPALTAUTHNAME**
Optional. Character string that specifies the display name associated with the user's alternative SMTP email account.
Supported operations are Get, Add, Replace and Delete.
<a href="" id="smtpaltdomain"></a>**SMTPALTDOMAIN**
Optional. Character string that specifies the domain name for the user's alternative SMTP account.
Supported operations are Get, Add, Replace and Delete.
<a href="" id="smtpaltenabled"></a>**SMTPALTENABLED**
Optional. Character string that specifies if the user's alternate SMTP account is enabled.
Supported operations are Get, Add, Replace and Delete.
A value of "FALSE" specifies that the user's alternate SMTP email account is disabled. A value of "TRUE" specifies that the user's alternate SMTP email account is enabled.
<a href="" id="smtpaltpassword"></a>**SMTPALTPASSWORD**
Optional. Character string that specifies the password for the user's alternate SMTP account.
Supported operations are Get, Add, Replace and Delete.
<a href="" id="tagprops"></a>**TAGPROPS**
Optional. Defines a group of properties with non-standard element names.
Supported operations are Get, Add, Replace and Delete.
<a href="" id="tagprops-8128000b"></a>**TAGPROPS/8128000B**
Optional. Character string that specifies if the incoming email server requires SSL.
Supported operations are Get, Add, Replace and Delete.
Value is one of the following:
- 0 - SSL is not required.
- 1 - SSL is required.
<a href="" id="tagprops-812c000b"></a>**TAGPROPS/812C000B**
Optional. Character string that specifies if the outgoing email server requires SSL.
Supported operations are Get and Replace.
Value is one of the following:
- 0 - SSL is not required.
- 1 - SSL is required.
## Remarks
When an application removal or configuration roll-back is provisioned, the EMAIL2 CSP passes the request to Configuration Manager, which handles the transaction externally. When a MAPI application is removed, the accounts that were created with it are deleted and all messages and other properties that the transport (for example, Short Message Service \[SMS\], Post Office Protocol \[POP\], or Simple Mail Transfer Protocol \[SMTP\]) might have stored, are lost. If an attempt to create a new email account is unsuccessful, the new account is automatically deleted. If an attempt to edit an existing account is unsuccessful, the original configuration is automatically rolled back (restored).
For OMA DM, the EMAIL2 CSP handles the Replace command differently from most other configuration service providers. For the EMAIL2 CSP, Configuration Manager implicitly adds the missing part of the node to be replaced or any segment in the path of the node if it is left out in the &lt;LocURI&gt;&lt;/LocURI&gt; block. There are separate parameters defined for the outgoing server logon credentials. The following are the usage rules for these credentials:
- The incoming server logon credentials are used (AUTHNAME, AUTHSECRET, and DOMAIN) unless the outgoing server credentials are set.
- If some but not all of the outgoing server credentials parameters are present then the EMAIL2 Configuration Service Provider will be considered in error.
- Account details cannot be queried unless the account GUID is known. Currently, there is no way to perform a top-level query for account GUIDs.
Windows 10 Mobile supports Transport Layer Security (TLS), but this cannot be explicitly enabled through this configuration service provider, and the user cannot enable TLS through the UI. If the connection to the mail server is initiated with deferred SSL, the mail server can send STARTTLS as a server capability and TLS will be enabled. The following steps show how to enable TLS.
1. The device attempts to connect to the mail server using SSL.
2. If the SSL connection fails, the device attempts to connect using deferred SSL.
3. If the connection fails over both SSL and deferred SSL, and the user selected **Server requires encrypted (SSL) connection**, the device does not attempt another connection.
4. If the user did not select **Server requires encrypted (SSL) connection**, the device attempts to establish a non-SSL connection.
5. If the connection succeeds using any of the encryption protocols, the device requests the server capabilities.
6. If one of the capabilities sent by the mail server is STARTTLS and the connection is deferred SSL, the device enables TLS. TLS is not enabled on connections using SSL or non-SSL.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
 
 

884
windows/client-management/mdm/email2-ddf-file.md Normal file
View File

@ -0,0 +1,884 @@
---
title: EMAIL2 DDF file
description: EMAIL2 DDF file
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: 7e266db0-2fd9-4412-b428-4550f41a1738
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# EMAIL2 DDF file
This topic shows the OMA DM device description framework (DDF) for the **EMAIL2** configuration service provider. DDF files are used only with OMA DM provisioning XML.
You can download the DDF files from the links below:
- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip)
The XML below is the current version for this CSP.
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>EMAIL2</NodeName>
<Path>./Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Root characteristic</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>com.microsoft/1.0/MDM/EMAIL2</MIME>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>This is unique and identifies a particular account. Also, we can only have 6 additional email accounts. So, depending on how many are already there on the device, we can have from 1 to 6.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrN>1</ZeroOrN>
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Account GUID</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>ACCOUNTICON</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>The location of the icon associated with the account. </Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>ACCOUNTTYPE</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>Specifies the type of account. Valid values are: Email - normal email, VVM - visual voice mail</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>AUTHNAME</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>User Name for Incoming server. Limited to 255 chars.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>AUTHREQUIRED</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>This will specify whether the outgoing server requires authentication.
1 for TRUE
0 for FALSE(default).
Note: If this is not specified then SMTP authentication will not be done. Also, this is different from the SMTPALTENABLED. That is to specify different set of credentials for SMTP.
</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>AUTHSECRET</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>Password. Limited to 255 chars.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>DOMAIN</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>Incoming server credentials domain. Limited to 255 chars.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>DWNDAY</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>Specifies how many days of email to download. (number of days worth going back into the past)</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>INSERVER</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>The incoming server name and port number. Limited to 62 chars. If the standard port number is used, the port number isn't necessary to be specified in this node. The value format is:
Server name:port number
</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>LINGER</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>Specifies how frequently Messaging performs scheduled send/receives. (Specified as the length of time in minutes, between updates.)</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>KEEPMAX</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>Specifies the maximum size for a message's attachment. (Attachments beyond this size will not be downloaded but will remain on the server. The message itself will be downloaded). This value can be set only for IMAP4 accounts. The limit is specified in KB, with a value of 0 meaning that no limit will be enforced.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>NAME</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>User Display Name. Limited to 255 chars</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>OUTSERVER</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>The outcoming server name and port number. Limited to 62 chars. The value format is:
Server name:port number
If the standard port number is used, the port number isn't necessary to be specified in this node.
</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>REPLYADDR</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>SMTP reply address of the user. Limited to 255 chars.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>SERVICENAME</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>This is the account name. It's limited to 32 characters.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>SERVICETYPE</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>This is the type of account. Valid values are POP3/IMAP4.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>RETRIEVE</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>Specifies the maximum size(in bytes) for messages retrieved from the incoming email server. Messages beyond this size will still be retrieved, but will be truncated.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>SERVERDELETEACTION</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>Specifies how message is deleted on server.
1 for delete message on server,
2 for keep the message on server (delete to Trash folder),
any other value default action is used, which depends on the transport.
</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>CELLULARONLY</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
<Add />
<Delete />
</AccessType>
<Description>If this flag is set, the account uses cellular network only and not Wi-Fi.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>SYNCINGCONTENTTYPES</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>Specifies a bitmask for which content types are supported for syncing (eg: Mail, Contacts, Calendar). No data (0x0), Contacts (0x1), Mail (0x2), Appointments (0x4), Tasks (0x8), Notes (0x10), Feeds (0x60), Network Photo (0x180), Group and room (0x200), Chat (0x400), Email Recipient Email (0x800), Server Link (0x1000), All items (0xffffffff).</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>CONTACTSSERVER</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
<Add />
<Delete />
</AccessType>
<Description>Server for contact sync if it is different from the email server.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>CALENDARSERVER</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
<Add />
<Delete />
</AccessType>
<Description>Server for calendar sync if it is different from the email server.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>CONTACTSSERVERREQUIRESSL</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<Description>Defines if the connection to the contact server requires SSL.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>CALENDARSERVERREQUIRESSL</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
<Add />
<Delete />
</AccessType>
<Description>Defines if the connection to the calendar server requires SSL.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>CONTACTSSYNCSCHEDULE</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
<Add />
<Delete />
</AccessType>
<Description>Sets the schedule for syncing contact items.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>CALENDARSYNCSCHEDULE</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
<Add />
<Delete />
</AccessType>
<Description>Sets the schedule for syncing calendar items.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>SMTPALTAUTHNAME</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>If SMTPALTENABLED is true, then this will have the alternate User Name for SMTP. 255 chars.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>SMTPALTDOMAIN</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>If SMTPALTENABLED is true, then this will have the alternate domain for SMTP. 255 chars.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>SMTPALTENABLED</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>This is a bool value that specifies if we have separate SMTP credentials.
1 for true
0 for false (default)</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>SMTPALTPASSWORD</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>If SMTPALTENABLED is true, then this will have the alternate password for SMTP. 255 chars.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>TAGPROPS</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>Specifies that stated parameter element name attributes is nonstandard tag properties.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>8128000B</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>Specify whether incoming server requires SSL connection.
1- Require SSL connection
0- Doesn't require SSL connection (default)</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>812C000B</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>Specify whether outgoing server requires SSL connection.
1- Require SSL connection
0- Doesn't require SSL connection (default)</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</Node>
</MgmtTree>
```
## Related topics
[EMAIL2 configuration service provider](email2-csp.md)
 
 

530
windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md Normal file
View File

@ -0,0 +1,530 @@
---
title: Enable offline upgrades to Windows 10 for Windows Embedded 8.1 Handheld devices
description: Like any Windows devices, Windows 10 Mobile devices use Microsoft Update by default to download updates over the Internet.
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: ED3DAF80-847C-462B-BDB1-486577906772
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# Enable offline upgrades to Windows 10 for Windows Embedded 8.1 Handheld devices
Like any Windows devices, Windows 10 Mobile devices use Microsoft Update by default to download updates over the Internet. However, in some enterprise environments, devices may not be able to access the Internet to retrieve their updates. Because of network restrictions or other enterprise policies, devices must download their updates from an internal location. This document describes how to enable offline updates using System Center Configuration Manager.
Here is a table of update path to Windows 10 Mobile.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Starting SKU</th>
<th>Upgrade to Windows 10 Mobile</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>Windows Mobile 6.5</p></td>
<td><p>No</p></td>
</tr>
<tr class="even">
<td><p>Windows Phone 8</p></td>
<td><p>No</p></td>
</tr>
<tr class="odd">
<td><p>Windows Phone 8.1</p></td>
<td><p>Yes</p></td>
</tr>
</tbody>
</table>
 
To configure the MDM service provider and enable the mobile devices to download updates from a predefined internal location, an IT administrator or device administrator must perform a series of manual and automated steps.
Here is the outline of the process:
1. Prepare a test device that can connect to the Internet to download the released update packages.
2. After the updates are downloaded and before pressing the install button, retrieve an XML file on the device that contains all the metadata about each update package.
3. Check the status code in the XML file.
4. Check for registry dependencies.
5. Using a script that we provide, parse the XML file to extract download URLs for the update packages.
6. Download the update packages using the download URLs.
7. Place the downloaded packages on an internal share that is accessible to devices you are updating.
8. Create two additional XML files that define the specific updates to download and the specific locations from which to download the updates, and deploy them onto the production device.
9. Start the update process from the devices.
As a part of the update process, Windows will run data migrators to bring forward configured settings and data on the device. For instance, if the device was configured with a maintenance time or other update policy in Windows Embedded 8.1 Handheld, these settings will automatically get migrated to Windows 10 as part of the update process. If the Handheld device was configured for assigned access lockdown, then this configuration will also get migrated to Windows 10 as part of the update process. This includes ProductId & AumId conversion for all internal apps (including buttonremapping apps).
Note that the migrators do not take care of the following:
- 3rd party apps provided by OEMs
- deprecated 1st party apps, such as Bing News
- deprecated system/application settings, such as Microsoft.Game, Microsoft.IE
In the event of an Enterprise Reset, these migrated settings are automatically persisted.
Down the road, after the upgrade to Windows 10 is complete, if you decide to push down a new wehlockdown.xml, you would need to take the following steps to ensure that the updated settings are persisted through an Enterprise Reset:
1. Delete the TPK\*ppkg and push down a new ppkg with your new configuration to the persistent folder.
2. Push down a new ppkg with your new configuration with higher priority. Note that in ICD, Owner=Microsoft, Rank=0 is the lowest priority; and vise versa. With this step, the old assigned access lockdown configuration will be overwritten.
**Requirements:**
- The test device must be same as the other production devices that are receiving the updates.
- Your test device must be enrolled with System Center Configuration Manager.
- Your device can connect to the Internet.
- Your device must have an SD card with at least 0.5 GB of free space.
- Ensure that the settings app and PhoneUpdate applet are available via Assigned Access.
The following diagram is a high-level overview of the process.
![update process for windows embedded 8.1 devices](images/windowsembedded-update.png)
## Step 1: Prepare a test device to download updates from Microsoft Update
Define the baseline update set that will be applied to other devices. Use a device that is running the most recent image as the test device.
Trigger the device to check for updates either manually or using System Center Configuration Manager.
**Manually**
1. From the device, go to **Settings** &gt; **Phone updates** &gt; **Check for updates**.
2. Sync the device. Go to **Settings** &gt; **Workplace** &gt; **Enrolled** and click the refresh icon. Repeat as needed.
3. Follow the prompts to download the updates, but do not press the install button.
> **Note**  There is a bug in all OS versions up to GDR2 where the CSP will not set the assigned value. There is no way to change or set this until GDR2 is deployed onto the device.
**Using System Center Configuration Manager**
1. Remotely trigger a scan of the test device by deploying a Trigger Scan Configuration Baseline.
![device scan using sccm](images/windowsembedded-update2.png)
2. Set the value of this OMA-URI by browsing to the settings of this Configuration Item and selecting the newly created Trigger Scan settings from the previous step.
![device scan using sccm](images/windowsembedded-update3.png)
3. Ensure that the value that is specified for this URI is greater than the value on the device(s) and that the Remediate noncompliant rules when supported option is checked. For the first time, any value that is greater than 0 will work, but for subsequent configurations, ensure that you specify an incremented value.
![device scan using sccm](images/windowsembedded-update4.png)
4. Create a Configuration Baseline for TriggerScan and Deploy. It is recommended that this Configuration Baseline be deployed after the Controlled Updates Baseline has been applied to the device (the corresponding files are deployed on the device through a device sync session).
5. Follow the prompts for downloading the updates, but do not install the updates on the device.
## <a href="" id="step2"></a>Step 2: Retrieve the device update report XML from the device
After updates are downloaded (but not installed on the device), the process generates an XML file that contains information about the packages it downloaded. You must retrieve this XML file.
There are two ways to retrieve this file from the device; one pre-GDR1 and one post-GDR1.
**Pre-GDR1: Parse a compliance log from the device in ConfigMgr**
1. Create a Configuration Item using ConfigMgr to look at the registry entry ./Vendor/MSFT/EnterpriseExt/DeviceUpdate/ApprovedUpdatesXml.
> **Note**  In System Center Configuration Manager, you may see an error about exceeding the file limit when using ApprovedUpdatesXml. However, the process still completes even if the file is large.
If the XML file is greater than 32K you can also use ./Vendor/MSFT/FileSystem/&lt;*filename*&gt;.
2. Set a baseline for this Configuration Item with a “dummy” value (such as zzz), and ensure that you do not remediate it.
The dummy value is not be set; it is only used for comparison.
3. After the report XML is sent to the device, System Center Configuration Manager displays a compliance log that contains the report information. The log can contain significant amount of data.
4. Parse this log for the report XML content.
For a step-by-step walkthrough, see [How to retrieve a device update report using System Center Configuration Manager logs](#how-to-retrieve-a-device-update-report-using-system-center-configuration-manager-logs).
**Post-GDR1: Retrieve the report xml file using an SD card**
1. Create a Configuration Item using ConfigMgr to set a registry value for ./Vendor/MSFT/EnterpriseExt/DeviceUpdate/CopyUpdateReportToSDCard.
2. The value that you define for this Configuration Item is defined by the relative path to the SD card which includes the filename of the XML file (such as SDCardRoot\\Update\\DUReport.xml).
3. Remove the SD card from device and copy the XML file to your PC.
## Step 3: Check the status code in the XML file
Make sure that the status code is set to 0000-0000 (success).
## Step 4: Check for registry dependencies
Remove any registry dependencies in the XML file.
## Step 5: Extract download URLs from the report XML
Use the [example PowerShell script](#example-powershell-script) to extract the download URLs from the XML file or parse it manually.
## Step 6: Retrieve update packages using download URLs
Use a script or manually download each update package to a PC or an internal share.
## Step 7: Place the update packages on an accessible share
Put all the update packages into an internal share that is accessible to all the devices that need these updates. Ensure that the internal share can support multiple devices trying to access the updates at the same time.
## Step 8: Create two XML files for production devices to select updates and download locations
Here are the two files.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Term</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p><strong>DUControlledUpdates.xml</strong></p></td>
<td><p>This is the same file as the report XML retrieved in Step 2 with a different name. This file tells the device the specific update packages to download. See Appendix for example</p>
<p></p></td>
</tr>
<tr class="even">
<td><p><strong>DUCustomContentUris.xml</strong></p></td>
<td><p>This file maps the update packages in DUControlledUpdates.xml to the internal share location.</p></td>
</tr>
</tbody>
</table>
 
For a walkthrough of these steps, [How to deploy controlled updates](#how-to-deploy-controlled-updates). Ensure that the trigger scan configuration baseline HAS NOT been deployed.
<a href="" id="deploy-controlled-updates"></a>
### How to deploy controlled updates
This process has three parts:
- Create a configuration item for DUControlledUpdates.xml
- Create a configuration item for DUCustomContentURIs.xml
- Create a configuration item for approved updates.
<a href="" id="create-ducontrolledupdates"></a>
**Create a configuration item for DUControlledUpdates.xml**
1. Create a configuration item. In the **Browse Settings** window, select **Device File** as a filter, and then click **Select**.
![embedded device update](images/windowsembedded-update18.png)
2. Browse to the DUControlledUpdates.xml that was created from the test device and specify that file path and name on the device as `NonPersistent\DUControlledUpdates.xml`.
![embedded device update](images/windowsembedded-update19.png)
3. Check the box **Remediate noncompliant settings**.
4. Click **OK**.
<a href="" id="create-ducustomcontent"></a>
**Create a configuration item for DUCustomContentURIs.xml**
1. Create a configuration item and specify that file path and name on the device as `NonPersistent\DUCustomContentURIs.xml`
2. Check the box **Remediate noncompliant settings**.
![embedded device upate](images/windowsembedded-update21.png)
3. Click **OK**.
<a href="" id="create-config-baseline"></a>
**Create a configuration baseline for approved updates**
1. Create a configuration baseline item and give it a name (such as ControlledUpdates).
2. Add the DUControlledUpdates and DUCustomContentURIs configuration items, and then click **OK**.
![embedded device upate](images/windowsembedded-update22.png)
3. Deploy the configuration baseline to the appropriate device or device collection.
![embedded device upate](images/windowsembedded-update23.png)
4. Click **OK**.
## Step 7: Trigger the other devices to scan, download, and install updates
Now that the other "production" or "in-store" devices have the necessary information to download updates from an internal share, the devices are ready for updates.
### Use this process for unmanaged devices
If the update policy of the device is not managed or restricted by System Center Configuration Manager, an update process can be initiated on the device in one of the following ways:
- Initiated by a periodic scan that the device automatically performs.
- Initiated manually through **Settings** -&gt; **Phone Update** -&gt; **Check for Updates**.
### Use this process for managed devices
If the update policy of the device is managed or restricted by MDM, an update process can be initiated on the device in one of the following ways:
- Trigger the device to scan for updates through System Center Configuration Manager.
Ensure that the trigger scan has successfully executed, and then remove the trigger scan configuration baseline.
> **Note**  Ensure that the PhoneUpdateRestriction Policy is set to a value of 0, to ensure that the device will not perform an automatic scan.
- Trigger the device to scan as part of a Maintenance Window defined by the IT Admin in System Center Configuration Manager.
After the installation of updates is completed, the IT Admin can use the DUReport generated in the production devices to determine if the device successfully installed the list of updates. If the device did not, error codes are provided in the DUReport.xml. To retrieve the device update report from a device, perform the same steps defined in [Step 2](#step2).
<a href="" id="example-script"></a>
## Example PowerShell script
``` syntax
param (
# [Parameter (Mandatory=$true, HelpMessage="Input File")]
[String]$inputFile,
# [Parameter (Mandatory=$true, HelpMessage="Download Cache Location")]
[String]$downloadCache,
# [Parameter (Mandatory=$true, HelpMessage="Local Cache URL")]
[String]$localCacheURL
)
#DownloadFiles Function
function DownloadFiles($inputFile, $downloadCache, $localCacheURL)
{
$customContentURIFileCreationError = "Not able to create Custom Content URI File"
#Read the Input File
$report = [xml](Get-Content $inputFile)
# this is where the document will be saved
$customContentURLFile = "$downloadCache\DUCustomContentUris.xml"
New-Item -Path $customContentURLFile -ItemType File -force -ErrorAction SilentlyContinue -ErrorVariable NewItemError > $null
if ($NewItemError -ne "")
{
PrintMessageAndExit $customContentURIFileCreationError
}
# get an XMLTextWriter to create the XML
$XmlWriter = New-Object System.XMl.XmlTextWriter($customContentURLFile,$Null)
# choose a pretty formatting:
$xmlWriter.Formatting = 'Indented'
$xmlWriter.Indentation = 1
$XmlWriter.IndentChar = "`t"
# write the header
$xmlWriter.WriteStartDocument()
$xmlWriter.WriteStartElement('CustomContentUrls')
foreach ($update in $report.UpdateData.coreUpdateMetadata.updateSet.update)
{
if (!$update.destinationFilePath -or !$update.contentUrl)
{
continue;
}
$destFilePath = $update.destinationFilePath.Trim();
$contentUrl = $update.contentUrl.Trim();
Write-Host "Pre-Processing Line: $destFilePath#$contentUrl"
if (($destFilePath -ne "") -and ($destFilePath.Contains("\")) -and ($contentUrl -ne "") -and ($contentUrl.Contains("/")) )
{
$isBundle = $update.isBundle
$revisionId = $update.revisionId
$updateId = $update.updateId
$revisionNum = $update.revisionNum
$fileName = $destFilePath.Substring($destFilePath.LastIndexOf("\") + 1);
#Write-Host "Processing Line: $destFilePath#$contentUrl"
if ($fileName -ne "")
{
$destination = $downloadCache + "\" + $fileName;
Try
{
$wc = New-Object System.Net.WebClient
$wc.DownloadFile($contentUrl, $destination)
Write-Host "Successfull Download: $contentUrl#$destination";
$XmlWriter.WriteStartElement('contentUrl')
$XmlWriter.WriteAttributeString('isBundle', $isBundle)
$XmlWriter.WriteAttributeString('revisionId', $revisionId)
$XmlWriter.WriteAttributeString('updateId', $updateId)
$XmlWriter.WriteAttributeString('revisionNum', $revisionNum)
$XmlWriter.WriteRaw($localCacheURL + $fileName)
$xmlWriter.WriteEndElement()
}
Catch [ArgumentNullException]
{
Write-Host "Content URL is null";
}
Catch [WebException]
{
Write-Host "Invalid Content URL: $contentUrl";
}
Catch
{
Write-Host "Exception in Download: $contentUrl";
}
}
else
{
Write-Host "Ignored Input Line: $contentUrl"
}
}
else
{
Write-Host "Ignored Input Line: $contentUrl"
}
}
# close the "CustomContentUrls" node
$xmlWriter.WriteEndElement()
# finalize the document
$xmlWriter.WriteEndDocument()
$xmlWriter.Flush()
$xmlWriter.Close()
Write-Host "Successfully Created Custom Content URL File: $customContentURLFile"
}
#PrintMessage Function
function PrintMessageAndExit($ErrorMessage)
{
Write-Host $ErrorMessage
exit 1
}
#PrintMessage Function
function PrintUsageAndExit()
{
Write-Host "Usage: Download.ps1 -inputFile <InputFilePath> -downloadCache <CachePath> -localCacheURL <URL>"
exit 1
}
if (($inputFile -eq "") -or ($downloadCache -eq "") -or ($localCacheURL -eq ""))
{
PrintUsageAndExit
}
if (!$localCacheURL.EndsWith("/"))
{
$localCacheURL = $localCacheURL + "/";
}
$inputFileErrorString = "Input File does not exist";
$downloadCacheErrorString = "Download Cache does not exist";
$downloadCacheAddError = "Access Denied in creating the Download Cache Folder";
$downloadCacheRemoveError = "Not able to delete files from Download Cache"
$downloadCacheClearWarningString = "Download Cache not empty. Do you want to Clear";
#Check if Input File Exist
$inputFileExists = Test-Path $inputFile;
if(!$inputFileExists)
{
PrintMessageAndExit($inputFileErrorString)
}
#Check if Download Cache Exist
$downloadCacheExists = Test-Path $downloadCache;
if(!$downloadCacheExists)
{
PrintMessageAndExit($downloadCacheErrorString)
}
$downloadCacheFileCount = (Get-ChildItem $downloadCache).Length;
if ($downloadCacheFileCount -ne 0)
{
#Clear the directory
Remove-Item $downloadCache -Recurse -Force -Confirm -ErrorVariable RemoveItemError -ErrorAction SilentlyContinue > $null
if ($RemoveItemError -ne "")
{
PrintMessageAndExit $downloadCacheRemoveError
}
$childItem = Get-ChildItem $downloadCache -ErrorAction SilentlyContinue > $null
$downloadCacheFileCount = ($childItem).Length;
if ($downloadCacheFileCount -ne 0)
{
PrintMessageAndExit $downloadCacheRemoveError
}
#Create a new directory
New-Item -Path $downloadCache -ItemType Directory -ErrorAction SilentlyContinue -ErrorVariable NewItemError > $null
if ($NewItemError -ne "")
{
PrintMessageAndExit $downloadCacheAddError
}
}
DownloadFiles $inputFile $downloadCache $localCacheURL
```
<a href="" id="how-to-retrieve"></a>
## How to retrieve a device update report using System Center Configuration Manager logs
Use this procedure for pre-GDR1 devices.
**For pre-GDR1 devices**
1. Trigger a device scan. Go to **Settings** -&gt; **Phone Update** -&gt; **Check for Updates**.
Since the DUReport settings have not been remedied, you should see a non-compliance.
2. In System Center Configuration Manager under **Assets and Compliance** &gt; **Compliance Settings**, right-click on **Configuration Items**.
3. Select **Create Configuration Item**.
![device update using sccm](images/windowsembedded-update5.png)
4. Enter a filename (such as GetDUReport) and then choose **Mobile Device**.
5. In the **Mobile Device Settings** page, check the box **Configure Additional Settings that are not in the default settings group**, and the click **Next**.
![device update using sccm](images/windowsembedded-update6.png)
6. In the **Additional Settings** page, click **Add**.
![device update using sccm](images/windowsembedded-update7.png)
7. In the **Browse Settings** page, click **Create Setting**.
![device update](images/windowsembedded-update8.png)
8. Enter a unique **Name**. For the **Setting type**, select **OMA-URI** and for the **Data type**, select **String**.
9. In the **OMA-URI** text box, enter `./Vendor/MSFT/EnterpriseExt/DeviceUpdate/UpdatesResultXml`, the click **OK**.
![handheld device update](images/windowsembedded-update9.png)
10. In the **Browse Settings** page, click **Close**.
11. In the **Create Configuration Item Wizard** page, check **All Windows Embedded 8.1 Handheld** as the supported platform, and then click **Next**.
![embedded device update](images/windowsembedded-update10.png)
12. Close the **Create Configuration Item Wizard** page.
13. Right-click on the newly create configuration item, and then select the **Compliance Rules** tab.
14. Click the new created mobile device setting (such as DUReport) and then click **Select**.
15. Enter a dummy value (such as zzz) that is different from the one on the device.
![embedded device update](images/windowsembedded-update11.png)
16. Disable remediation by unchecking the **Remediate noncompliant rules when supported** option.
17. Click **OK** to close the Edit Rule page.
18. Create a new configuration baseline. Under **Assets and Compliance** &gt; **Compliance Settings**, right-click on **Configuration Baselines**.
19. Select **Create Configuration Item**.
![embedded device update](images/windowsembedded-update12.png)
20. Enter a baseline name (such as RetrieveDUReport).
21. Add the configuration item that you just created. Select **Add** and then select the configuration item that you just created (such as DUReport).
![embedded device update](images/windowsembedded-update13.png)
22. Click **OK**, then click **OK** again to complete the configuration baseline.
23. Deploy the newly created configuration baseline to the appropriate device collection. Right-click on the configuration baseline that you created and the select **Deploy**.
![embedded device update](images/windowsembedded-update14.png)
24. Check the check box **Remediate noncompliant rules when supported**.
25. Select the appropriate device collection and define the schedule.
![device update](images/windowsembedded-update15.png)
26. To view the DUReport content, select the appropriate deployment for the configuration saseline that you created. Right-click on the deployment and select **View Status**.
27. Click **Run Summarization** and then click **Refresh**. On the Non-Compliant tab, the test device(s) should be listed.
28. Under **Asset Details**, right-click on the test device, and then select **Mode Details**.
![device update](images/windowsembedded-update16.png)
29. In the Non-compliant tab, you will see the DUReport, but you cannot retrieve the content from here.
![device update](images/windowsembedded-update17.png)
30. To retrieve the DUReport, open an Explorer windows to C:\\Program Files\\SMS\_CCM\\SMS\_DM.log.
31. In the log file, search from the bottom for "./Vendor/MSFT/EnterpriseExt/DeviceUpdate/UpdatesResultXml" RuleExression="Equals zzz" where zzz is the dummy value. Just above this copy the information for UpdateData and use this information to create the DUControlledUpdates.xml.
 

908
windows/client-management/mdm/enterprise-app-management.md Normal file
View File

@ -0,0 +1,908 @@
---
title: Enterprise app management
description: This topic covers one of the key mobile device management (MDM) features in Windows 10 for managing the lifecycle of apps across all of Windows.
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: 225DEE61-C3E3-4F75-BC79-5068759DFE99
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# Enterprise app management
This topic covers one of the key mobile device management (MDM) features in Windows 10 for managing the lifecycle of apps across all of Windows. It is the ability to manage both Store and non-Store apps as part of the native MDM capabilities. New in Windows 10 is the ability to take inventory of all your apps.
## Application management goals
Windows 10 offers the ability for management servers to:
- Install apps directly from the Windows Store for Business
- Deploy offline Store apps and licenses
- Deploy line-of-business (LOB) apps (non-Store apps)
- Inventory all apps for a user (Store and non-Store apps)
- Inventory all apps for a device (Store and non-Store apps)
- Uninstall all apps for a user (Store and non-Store apps)
- Provision apps so they are installed for all users of a device running Windows 10 for desktop editions (Home, Pro, Enterprise, and Education)
- Remove the provisioned app on the device running Windows 10 for desktop editions
## Inventory your apps
Windows 10 lets you inventory all apps deployed to a user and all apps for all users of a device on Windows 10 for desktop editions. The [EnterpriseModernAppManagement](enterprisemodernappmanagement-csp.md) configuration service provider (CSP) inventories packaged apps and does not include traditional Win32 apps installed via MSI or executables. When the apps are inventoried they are separated based on the following app classifications:
- Store - Apps that are from the Windows Store. Apps can be directly installed from the Store or delivered with the enterprise from the Store for Business
- nonStore - Apps that were not acquired from the Windows Store.
- System - Apps that are part of the OS. You cannot uninstall these apps. This classification is read-only and can only be inventoried.
These classifications are represented as nodes in the EnterpriseModernAppManagement CSP.
The following diagram shows the EnterpriseModernAppManagement CSP in a tree format.
![enterprisemodernappmanagement csp diagram](images/provisioning-csp-enterprisemodernappmanagement.png)
Each app displays one package family name and 1-n package full names for installed apps. The apps are categorized based on their origin (Store, nonStore, System).
Inventory can be performed recursively at any level from the AppManagement node through the package full name. Inventory can also be performed only for a specific inventory attribute.
Inventory is specific to the package full name and lists bundled packs and resources packs as applicable under the package family name.
> **Note**  On Windows 10 Mobile, XAP packages have the product ID in place of both the package family name and package full name.
 
Here are the nodes for each package full name:
- Name
- Version
- Publisher
- Architecture
- InstallLocation
- IsFramework
- IsBundle
- InstallDate
- ResourceID
- RequiresReinstall
- PackageStatus
- Users
- IsProvisioned
For detailed descriptions of each node, see [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md).
### App inventory
You can use the EnterpriseModernAppManagement CSP to query for all apps installed for a user or device. The query returns all apps regardless if they were installed via MDM or other methods. Inventory can be performed at the user or device level. Inventory at the device level will return information for all users on the device.
Note that performing a full inventory of a device can be resource intensive on the client based on the hardware and number of apps that are installed. The data returned can also be very large. You may want to chunk these requests to reduce the impact to clients and network traffic.
Here is an example of a query for all apps on the device.
``` syntax
<!-- Get all apps under AppManagement -->
<Get>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement?list=StructData</LocURI>
</Target>
</Item>
</Get>
```
Here is an example of a query for a specific app for a user.
``` syntax
<!-- Get all information of a specific app for a user -->
<Get>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}?list=StructData</LocURI>
</Target>
</Item>
</Get>
```
### Store license inventory
You can use the EnterpriseModernAppManagement CSP to query for all app licenses installed for a user or device. The query returns all app licenses regardless if they were installed via MDM or other methods. Inventory can be performed at the user or device level. Inventory at the device level will return information for all users on the device.
Here are the nodes for each license ID:
- LicenseCategory
- LicenseUsage
- RequestedID
For detailed descriptions of each node, see [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md).
> **Note**  The LicenseID in the CSP is the content ID for the license.
Here is an example of a query for all app licenses on a device.
``` syntax
<!-- Get all app licenses for the device -->
<Get>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppLicenses/StoreLicenses?list=StructData</LocURI>
</Target>
</Item>
</Get>
```
Here is an example of a query for all app licenses for a user.
``` syntax
<!-- Get a specific app license for a user -->
<Get>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/EnterpriseModernAppManagement/AppLicenses/StoreLicenses/{license id}?list=StructData</LocURI>
</Target>
</Item>
</Get>
```
## Enable the device to install non-Store apps
There are two basic types of apps you can deploy: Store apps and enterprise signed apps. To deploy enterprise signed apps, you must enable a setting on the device to allow trusted apps. The apps can be signed by a Microsoft approved root (such as Symantec), an enterprise deployed root or apps that are self-signed. This section covers the steps to configure the device for non-store app deployment.
### Unlock the device for non-Store apps
To deploy app that are not from the Windows Store, you must configure the ApplicationManagement/AllowAllTrustedApps policy. This policy allows the installation of non-Store apps on the device provided that there is a chain to a certificate on the device. The app can be signed with a root certificate on the device (such as Symantec Enterprise), an enterprise owned root certificate, or a peer trust certificate deployed on the device. For more information about deploying user license, see [Deploy an offline license to a user](#deploy-an-offline-license-to-a-user).
The AllowAllTrustedApps policy enables the installation apps that are trusted by a certificate in the Trusted People on the device or a root certificate in the Trusted Root of the device. The policy is not configured by default, which means only apps from the Windows Store can be installed. If the management server implicitly sets the value to off, the setting is disabled in the settings panel on the device.
For more information about the AllowAllTrustedApps policy, see [Policy CSP](policy-configuration-service-provider.md).
Here are some examples.
``` syntax
<!-- Get policy (Default)-->
<Get>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/Policy/Result/ApplicationManagement/AllowAllTrustedApps?list=StructData</LocURI>
</Target>
</Item>
</Get>
<!-- Update policy -->
<Replace>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/Policy/Config/ApplicationManagement/AllowAllTrustedApps</LocURI>
</Target>
<Meta>
<Format>int</Format>
<Type>text/plain</Type>
</Meta>
<Data>1</Data>
</Item>
</Replace>
```
### Unlock the device for developer mode
Development of apps on Windows 10 no longer requires a special license. You can enable debugging and deployment of non-packaged apps using ApplicationManagement/AllowDeveloperUnlock policy in Policy CSP.
AllowDeveloperUnlock policy enables the development mode on the device. The AllowDeveloperUnlock is not configured by default, which means only Windows Store apps can be installed. If the management server explicitly sets the value to off, the setting is disabled in the settings panel on the device.
Deployment of apps to Windows 10 for desktop editions requires that there is a chain to a certificate on the device. The app can be signed with a root certificate on the device (such as Symantec Enterprise), an enterprise owned root certificate, or a peer trust certificate deployed on the device. Deployment to Windows 10 Mobile does not validate whether the non-Store apps have a valid root of trust on the device.
For more information about the AllowDeveloperUnlock policy, see [Policy CSP](policy-configuration-service-provider.md).
Here is an example.
``` syntax
<!-- Get policy (Default)-->
<Get>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/Policy/Result/ApplicationManagement/AllowDeveloperUnlock?list=StructData</LocURI>
</Target>
</Item>
</Get>
<!-- Update policy -->
<Replace>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/Policy/Config/ApplicationManagement/AllowDeveloperUnlock</LocURI>
</Target>
<Meta>
<Format>int</Format>
<Type>text/plain</Type>
</Meta>
<Data>1</Data>
</Item>
</Replace>
```
## Install your apps
You can install apps to a specific user or to all users of a device. Apps are installed directly from the Windows Store or in some cases from a host location, such as a local disk, UNC path, or HTTPS location. Use the AppInstallation node of the [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) to install apps.
### Deploy apps to user from the Store
To deploy an app to a user directly from the Windows Store, the management server performs an Add and Exec commands on the AppInstallation node of the EnterpriseModernAppManagement CSP. This is only supported in the user context and not supported in the device context.
If you purchased an app from the Store for Business and the app is specified for an online license, the app and license must be acquired directly from the Windows Store.
Here are the requirements for this scenario:
- The app is assigned to a user Azure Active Directory (AAD) identity in the Store for Business. You can do this directly in the Store for Business or through a management server.
- The device requires connectivity to the Windows Store.
- Windows Store services must be enabled on the device. Note that the UI for the Windows Store can be disabled by the enterprise admin.
- The user must be signed in with their AAD identity.
Here are some examples.
``` syntax
<Exec>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/StoreInstall</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">xml</Format>
</Meta>
<Data><Application id="{ProductID}" flags="0" skuid=" "/></Data>
</Item>
</Exec>
```
Here are the changes from the previous release:
1. The "{CatID}" reference should be updated to "{ProductID}". This value is acquired as a part of the Store for Business management tool.
2. The value for flags can be "0" or "1"
When using "0" the management tool calls back to the Store for Business sync to assign a user a seat of an application. When using "1" the management tool does not call back in to the Store for Business sync to assign a user a seat of an application. The CSP will claim a seat if one is available.
3. The skuid is a new parameter that is required. This value is acquired as a part of the Store for Business to management tool sync.
### Deploy an offline license to a user
If you purchased an app from the Store for Business, the app license must be deployed to the device.
The app license only needs to be deployed as part of the initial installation of the app. During an update, only the app is deployed to the user.
In the SyncML, you need to specify the following information in the Exec command:
- License ID - This is specified in the LocURI. The License ID for the offline license is referred to as the "Content ID" in the license file. You can retrieve this information from the Base64 encoded license download from the Store for Business.
- License Content - This is specified in the data section. The License Content is the Base64 encoded blob of the license.
Here is an example of an offline license installation.
``` syntax
<Exec>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/EnterpriseModernAppManagement/AppLicenses/StoreLicenses/{LicenseID}/AddLicense</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">xml</Format>
</Meta>
<Data><License Content="{LicenseBlob}"></Data>
</Item>
</Exec>
```
<a href="" id="deploy-from-hosted-loc"></a>
### Deploy apps to a user from a hosted location
If you purchased an app from the Store for Business and the app is specified for an offline license or the app is a non-Store app, the app must be deployed from a hosted location.
Here are the requirements for this scenario:
- The location of the app can be a local files system (C:\\StagedApps\\app1.appx), a UNC path (\\\\server\\share\\app1.apx), or an HTTPS location (https://contoso.com/app1.appx\_
- The user must have permission to access the content location. For HTTPs, you can use server authentication or certificate authentication using a certificate associated with the enrollment. HTTP locations are supported, but not recommended because of lack of authentication requirements.
- The device does not need to have connectivity to the Windows Store, store services, or the have the Windows Store UI be enabled.
- The user must be logged in, but association with AAD identity is not required.
> **Note**  You must unlock the device to deploy nonStore apps or you must deploy the app license before deploying the offline apps. For details, see [Deploy an offline license to a user](#deploy-an-offline-license-to-a-user).
 
The Add command for the package family name is required to ensure proper removal of the app at unenrollment.
Here is an example of a line-of-business app installation.
``` syntax
<!-- Add PackageFamilyName -->
<Add>
<CmdID>0</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}</LocURI>
</Target>
</Item>
</Add>
<!-- Install appx -->
<Exec>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/HostedInstall</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">xml</Format>
</Meta>
<Data><Application PackageUri="\\server\share\HelloWorld10.appx" /></Data>
</Item>
</Exec>
```
Here is an example of an app installation with dependencies.
``` syntax
<!-- Add PackageFamilyName -->
<Add>
<CmdID>0</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName</LocURI>
</Target>
</Item>
</Add>
<!-- Install appx with deployment options and framework dependencies-->
<Exec>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/HostedInstall</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">xml</Format>
</Meta>
<Data>
<Application PackageUri="\\server\share\HelloWorld10.appx" DeploymentOptions="0" >
<Dependencies>
<Dependency PackageUri=”\\server\share\HelloWorldFramework.appx” />
<Dependency PackageUri=”\\server2\share\HelloMarsFramework.appx” />
</Dependencies>
</Application>
</Data>
</Item>
</Exec>
```
Here is an example of an app installation with dependencies and optional packages.
``` syntax
<!-- Add PackageFamilyName -->
<Add>
<CmdID>0</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName</LocURI>
</Target>
</Item>
</Add>
<!-- Install appx with deployment options and framework dependencies-->
<Exec>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/HostedInstall</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">xml</Format>
</Meta>
<Data>
<Application PackageUri="\\server\share\HelloWorld10.appx" DeploymentOptions="0" >
<Dependencies>
<Dependency PackageUri=”\\server\share\HelloWorldFramework.appx” />
<Dependency PackageUri=”\\server2\share\HelloMarsFramework.appx” />
</Dependencies>
<OptionalPackages>
<Package PackageUri=”\\server\share\OptionalPackage1.appx”
PackageFamilyName="/{PackageFamilyName}" />
<Package PackageUri=”\\server2\share\OptionalPackage2.appx”
PackageFamilyName="/{PackageFamilyName}" />
</OptionalPackages>
</Application>
</Data>
</Item>
</Exec>
```
### Provision apps for all users of a device
Provisioning allows you to stage the app to the device and all users of the device can have the app registered on their next login. This is only supported for app purchased from the Store for Business and the app is specified for an offline license or the app is a non-Store app. The app must be offered from a hosted location. The app is installed as a local system. To install to a local file share, the 'local system' of the device must have access to the share.
Here are the requirements for this scenario:
- The location of the app can be the local files system (C:\\StagedApps\\app1.appx), a UNC path (\\\\server\\share\\app1.apx), or an HTTPS location (https://contoso.com/app1.appx\_
- The user must have permission to access the content location. For HTTPs, you can use server authentication or certificate authentication using a certificate associated with the enrollment. HTTP locations are supported, but not recommended because of lack of authentication requirements.
- The device does not need to have connectivity to the Windows Store, or store services enabled.
- The device does not need any AAD identity or domain membership.
- For nonStore app, your device must be unlocked.
- For Store offline apps, the required licenses must be deployed prior to deploying the apps.
To provision app for all users of a device from a hosted location, the management server performs an Add and Exec command on the AppInstallation node in the device context. The Add command for the package family name is required to ensure proper removal of the app at unenrollment.
> **Note**  When you remove the provisioned app, it will not remove it from the users that already installed the app.
 
Here is an example of app installation.
> **Note**  This is only supported in Windows 10 for desktop editions.
``` syntax
<!-- Add PackageFamilyName -->
<Add>
<CmdID>0</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName</LocURI>
</Target>
</Item>
</Add>
<!-- Provision appx to device -->
<Exec>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/HostedInstall</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">xml</Format>
</Meta>
<Data><Application PackageUri="\\server\share\HelloWorld10.appx" /></Data>
</Item>
</Exec>
```
The HostedInstall Exec command contains a Data node that requires an embedded XML. Here are the requirements for the data XML:
- Application node has a required parameter, PackageURI, which can be a local file location, UNC, or HTTPs location.
- Dependencies can be specified if required to be installed with the package. This is optional.
The DeploymentOptions parameter is only available in the user context.
Here is an example of app installation with dependencies.
> **Note**  This is only supported in Windows 10 for desktop editions.
``` syntax
<!-- Add PackageFamilyName -->
<Add>
<CmdID>0</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName</LocURI>
</Target>
</Item>
</Add>
<!-- Provision appx with framework dependencies-->
<Exec>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/HostedInstall</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">xml</Format>
</Meta>
<Data>
<Application PackageUri="\\server\share\HelloWorld10.appx" />
<Dependencies>
<Dependency PackageUri=”\\server\share\HelloWorldFramework.appx” />
<Dependency PackageUri="\\server2\share\HelloMarsFramework.appx"/>
</Dependencies>
</Application>
</Data>
</Item>
</Exec>
```
### Get status of app installations
When an app installation is completed, a Windows notification is sent. You can also query the status of using the AppInstallation node. Here is the list of information you can get back in the query:
- Status - indicates the status of app installation.
- NOT\_INSTALLED (0) - The node was added, but the execution was not completed.
- INSTALLING (1) - Execution has started, but the deployment has not completed. If the deployment completes regardless of suceess this value is updated.
- FAILED (2) - Installation failed. The details of the error can be found under LastError and LastErrorDescription.
- INSTALLED (3) - Once an install is successful this node is cleaned up, however in the event the clean up actio has not completed, this state may briefly appear.
- LastError - This is the last error reported by the app deployment server.
- LastErrorDescription - Describes the last error reported by the app deployment server.
- Status - This is an integer that indicates the progress of the app installation. In cases of an https location, this shows the estimated download progress.
Status is not available for provisioning and only used for user-based installations. For provisioning, the value is always 0.
When an app is installed successfully, the node is cleaned up and no longer present. The status of the app can be reported under the AppManagement node.
Here is an example of a query for a specific app installation.
``` syntax
<!-- Get all app status under AppInstallation for a specific app-->
<Get>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}?list=StructData</LocURI>
</Target>
</Item>
</Get>
```
Here is an example of a query for all app installations.
``` syntax
<!-- Get all app status under AppInstallation-->
<Get>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation?list=StructData</LocURI>
</Target>
</Item>
</Get>
```
### Alert for installation completion
Application installations can take some time to complete, hence they are done asynchronously. When the Exec command is completed, the client sends a notification to the management server with a status, whether it's a failure or success.
Here is an example of an alert.
``` syntax
<Alert>
<CmdID>4</CmdID>
<Data>1226</Data>
<Item>
<Source>
<LocURI>./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/HostedInstall</LocURI>
</Source>
<Meta>
<Type xmlns="syncml:metinf">Reversed-Domain-Name:com.microsoft.mdm.EnterpriseHostedAppInstall.result</Type>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>0</Data>
</Item>
</Alert>
```
For user-based installation, use the ./User path and for provisioning of apps, use the ./Device path.
The Data field value of 0 (zero) indicates sucess, otherwise it is an error code. If there is a failure, you can get more details from the AppInstallation node.
> **Note**  At this time, the alert for Store app installation is not yet available.
## Uninstall your apps
You can uninstall apps from users from Windows 10 devices. To uninstall an app, you delete it from the AppManagement node of the CSP. Within the AppManagement node, packages are organized based on their origin according to the following nodes:
- AppStore - These apps are for the Windows Store. Apps can be directly installed from the store or delivered to the enterprise from the Store for Business.
- nonStore - These apps that were not acquired from the Windows Store.
- System - These apps are part of the OS. You cannot uninstall these apps.
To uninstall an app, you delete it under the origin node, package family name, and package full name. To uninstall a XAP, use the product ID in place of the package family nane and package full name.
Here is an example for uninstalling all versions of an app for a user.
``` syntax
<!-- Uninstall App for a Package Family-->
<Delete>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}</LocURI>
</Target>
</Item>
</Delete>
```
Here is an example for uninstalling a specific version of the app for a user.
``` syntax
<!-- Uninstall App for a specific package full name-->
<Delete>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}</LocURI>
</Target>
</Item>
</Delete>
```
### Removed provisioned apps from a device
You can remove provisioned apps from a device for a specific version or for all versions of a package family. When a provisioned app is removed, it is not available to future users for the device. Logged in users who has the app registered to them will continue to have access to the app. If you want to removed the app for those users, you must explicitly uninstall the app for those users.
> **Note**  You can only remove an app that has an inventory value IsProvisioned = 1.
 
Removing provisioned app occurs in the device context.
Here is an example for removing a provisioned app from a device.
``` syntax
<!— Remove Provisioned App for a Package Family-->
<Delete>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}</LocURI>
</Target>
</Item>
</Delete>
```
Here is an example for removing a specific version of a provisioned app from a device:
``` syntax
<!-- Remove Provisioned App for a specific package full name-->
<Delete>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}</LocURI>
</Target>
</Item>
</Delete>
```
### Remove a store app license
You can remove app licenses from a device per app based on the content ID.
Here is an example for removing an app license for a user.
``` syntax
<!-- Remove App License for a User-->
<Delete>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/EnterpriseModernAppManagement/AppLicenses/StoreLicenses/{license id}</LocURI>
</Target>
</Item>
</Delete>
```
Here is an example for removing an app license for a provisioned package (device context).
``` syntax
<!-- Remove App License for a provisioned package (device) -->
<Delete>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppLicenses/StoreLicenses/{license id}</LocURI>
</Target>
</Item>
</Delete>
```
### Alert for app uninstallation
Uninstallation of an app can take some time complete, hence the uninstallation is performed asynchronously. When the Exec command is completed, the client sends a notification to the management server with a status, whether it's a failure or success.
For user-based uninstallation, use ./User in the LocURI, and for provisioning, use ./Device in the LocURI.
Here is an example. There is only one uninstall for hosted and store apps.
``` syntax
<Alert>
<Data>1226</Data>
<Item>
<Source>
<LocURI>./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/{PackageFamilyName}</LocURI>
</Source>
<Meta>
<Type xmlns="syncml:metinf">Reversed-Domain-Name:com.microsoft.mdm.EnterpriseAppUninstall.result</Type>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>0</Data>
</Item>
</Alert>
```
## Update your apps
Apps installed on a device can be updated using the management server. Apps can be updated directly from the store or installed from a hosted location.
### Update apps directly from the store
To update an app from Windows Store, the device requires contact with the store services.
Here is an example of an update scan.
``` syntax
<!— Initiate a update scan for a user-->
<Exec>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/UpdateScan</LocURI>
</Target>
</Item>
</Exec>
```
Here is an example of a status check.
``` syntax
<!— Get last error related to the update scan-->
<Get>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/LastScanError</LocURI>
</Target>
</Item>
</Get>
```
### Update apps from a hosted location
Updating an existing app follows the same process as an initial installation. For more information, see [Deploy apps to a user from a hosted location](#deploy-apps-to-a-user-from-a-hosted-location).
### Update provisioned apps
A provisioned app automatically updates when an app update is sent to the user. You can also update a provisioned app using the same process as an initial provisioning. For more information about initial provisioning, see [Provision apps for all users of a device](#provision-apps-for-all-users-of-a-device).
### Prevent app from automatic updates
You can prevent specific apps from being automatically updated. This allows you to turn on auto-updates for apps, with specific apps excluded as defined by the IT admin.
Turning off updates only applies to updates from the Windows Store at the device level. This feature is not available at a user level. You can still update an app if the offline packages is pushed from hosted install location.
Here is an example.
``` syntax
<!— Prevent app from being automatically updated-->
<Replace>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/DoNotUpdate</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
<Type xmlns="syncml:metinf">text/plain</Type>
</Meta>
<Data>1</Data></Item>
</Replace>
```
## Additional app management scenarios
The following subsections provide information about additional settings configurations.
### Restrict app installation to the system volume
You can install app on non-system volumes, such as a secondary partition or removable media (USB or SD cards). Using the RestrictApptoSystemVolume policy, you can prevent apps from getting installed or moved to non-system volumes. For more information about this policy, see [Policy CSP](policy-configuration-service-provider.md).
> **Note**  This is only supported in mobile devices.
Here is an example.
``` syntax
<!-- Get policy (Default)-->
<Get>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/Policy/Result/ApplicationManagement/RestrictAppToSystemVolume?list=StructData</LocURI>
</Target>
</Item>
</Get>
<!-- Update policy -->
<Replace>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/Policy/Config/ApplicationManagement/RestrictAppToSystemVolume</LocURI>
</Target>
<Meta>
<Format>int</Format>
<Type>text/plain</Type>
</Meta>
<Data>1</Data>
</Item>
</Replace>
```
### Restrict AppData to the system volume
In Windows 10 Mobile IT administrators can set a policy to restrict user application data for a Windows Store app to the system volume, regardless of where the package is installed or moved.
> **Note**  The feature is only for Windows 10 Mobile.
 
The RestrictAppDataToSystemVolume policy in [Policy CSP](policy-configuration-service-provider.md) enables you to restrict all user application data to stay on the system volume. When the policy is not configured or if it is disabled, and you move a package or when it is installed to a difference volume, then the user application data will moved to the same volume. You can set this policy to 0 (off, default) or 1.
Here is an example.
``` syntax
<!-- Get policy (Default)-->
<Get>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/Policy/Result/ApplicationManagement/RestrictAppDataToSystemVolume?list=StructData</LocURI>
</Target>
</Item>
</Get>
<!-- Update policy -->
<Replace>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/Policy/Config/ApplicationManagement/RestrictAppDataToSystemVolume</LocURI>
</Target>
<Meta>
<Format>int</Format>
<Type>text/plain</Type>
</Meta>
<Data>1</Data>
</Item>
</Replace>
```
### Enable shared user app data
The Universal Windows app has the ability to share application data between the users of the device. The ability to share data can be set at a package family level or per device.
> **Note**  This is only applicable to multi-user devices.
The AllowSharedUserAppData policy in [Policy CSP](policy-configuration-service-provider.md) enables or disables app packages to share data between app packages when there are multiple users. If you enable this policy, applications can share data between packages in their package family. Data can be shared through ShareLocal folder for that package family and local machine. This folder is available through the Windows.Storage API.
If you disable this policy, applications cannot share user application data among multiple users. However, pre-written shared data will persist. The clean pre-written shared data, use DISM ((/Get-ProvisionedAppxPackage to detect if there is any shared data, and /Remove-SharedAppxData to remove it).
The valid values are 0 (off, default value) and 1 (on).
Here is an example.
``` syntax
<!-- Get policy (Default)-->
<Get>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/Policy/Result/ApplicationManagement/AllowSharedUserAppData?list=StructData</LocURI>
</Target>
</Item>
</Get>
<!-- Update policy -->
<Replace>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/Policy/Config/ApplicationManagement/AllowSharedUserAppData</LocURI>
</Target>
<Meta>
<Format>int</Format>
<Type>text/plain</Type>
</Meta>
<Data>1</Data>
</Item>
</Replace>
```
 

146
windows/client-management/mdm/enterpriseapn-csp.md Normal file
View File

@ -0,0 +1,146 @@
---
title: EnterpriseAPN CSP
description: The EnterpriseAPN configuration service provider is used by the enterprise to provision an APN for the Internet.
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: E125F6A5-EE44-41B1-A8CC-DF295082E6B2
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# EnterpriseAPN CSP
The EnterpriseAPN configuration service provider (CSP) is used by the enterprise to provision an APN for the Internet.
> [!Note]
Starting in Windows 10, version 1703 the EnterpriseAPN CSP is supported in Windows 10 Home, Pro, Enterprise, and Education editions.
The following image shows the EnterpriseAPN configuration service provider in tree format.
![enterpriseapn csp](images/provisioning-csp-enterpriseapn-rs1.png)
<a href="" id="enterpriseapn"></a>**EnterpriseAPN**
<p style="margin-left: 20px">The root node for the EnterpriseAPN configuration service provider.</p>
<a href="" id="enterpriseapn-connectionname"></a>**EnterpriseAPN/****_ConnectionName_**
<p style="margin-left: 20px">Name of the connection as seen by Windows Connection Manager.</p>
<p style="margin-left: 20px">Supported operations are Add, Get, Delete, and Replace.</p>
<a href="" id="enterpriseapn-connectionname-apnname"></a>**EnterpriseAPN/*ConnectionName*/APNName**
<p style="margin-left: 20px">Enterprise APN name.</p>
<p style="margin-left: 20px">Supported operations are Add, Get, Delete, and Replace.</p>
<a href="" id="enterpriseapn-connectionname-iptype"></a>**EnterpriseAPN/*ConnectionName*/IPType**
<p style="margin-left: 20px">This value can be one of the following:</p>
- IPv4 - only IPV4 connection type
- IPv6 - only IPv6 connection type
- IPv4v6 (default)- IPv4 and IPv6 concurrently.
- IPv4v6xlat - IPv6 with IPv4 provided by 46xlat
<p style="margin-left: 20px">Supported operations are Add, Get, Delete, and Replace.</p>
<a href="" id="enterpriseapn-connectionname-isattachapn"></a>**EnterpriseAPN/*ConnectionName*/IsAttachAPN**
<p style="margin-left: 20px">Boolean value that indicates whether this APN should be requested as part of an LTE Attach. Default value is false.</p>
<p style="margin-left: 20px">Supported operations are Add, Get, Delete, and Replace.</p>
<a href="" id="enterpriseapn-connectionname-classid"></a>**EnterpriseAPN/*ConnectionName*/ClassId**
<p style="margin-left: 20px">GUID that defines the APN class to the modem. This is the same as the OEMConnectionId in CM\_CellularEntries CSP. Normally this setting is not present. It is only required when IsAttachAPN is true and the attach APN is not only used as the Internet APN.</p>
<p style="margin-left: 20px">Supported operations are Add, Get, Delete, and Replace.</p>
<a href="" id="enterpriseapn-connectionname-authtype"></a>**EnterpriseAPN/*ConnectionName*/AuthType**
<p style="margin-left: 20px">Authentication type. This value can be one of the following:</p>
- None (default)
- Auto
- PAP
- CHAP
- MSCHAPv2
<p style="margin-left: 20px">Supported operations are Add, Get, Delete, and Replace.</p>
<a href="" id="enterpriseapn-connectionname-username"></a>**EnterpriseAPN/*ConnectionName*/UserName**
<p style="margin-left: 20px">User name for use with PAP, CHAP, or MSCHAPv2 authentication.</p>
<p style="margin-left: 20px">Supported operations are Add, Get, Delete, and Replace.</p>
<a href="" id="enterpriseapn-connectionname-password"></a>**EnterpriseAPN/*ConnectionName*/Password**
<p style="margin-left: 20px">Password corresponding to the username.</p>
<p style="margin-left: 20px">Supported operations are Add, Get, Delete, and Replace.</p>
<a href="" id="enterpriseapn-connectionname-iccid"></a>**EnterpriseAPN/*ConnectionName*/IccId**
<p style="margin-left: 20px">Integrated Circuit Card ID (ICCID) associated with the cellular connection profile. If this node is not present, the connection is created on a single-slot device using the ICCID of the UICC and on a dual-slot device using the ICCID of the UICC that is active for data.</p>
<p style="margin-left: 20px">Supported operations are Add, Get, Delete, and Replace.</p>
<a href="" id="enterpriseapn-connectionname-alwayson"></a>**EnterpriseAPN/*ConnectionName*/AlwaysOn**
<p style="margin-left: 20px">Added in Windows 10, version 1607. Boolean value that specifies whether the CM will automatically attempt to connect to the APN when a connection is available.</p>
<p style="margin-left: 20px">The default value is true.</p>
<p style="margin-left: 20px">Supported operations are Add, Get, Delete, and Replace.</p>
<a href="" id="enterpriseapn-connectionname-enabled"></a>**EnterpriseAPN/*ConnectionName*/Enabled**
<p style="margin-left: 20px">Added in Windows 10, version 1607. Boolean that specifies whether the connection is enabled.</p>
<p style="margin-left: 20px">The default value is true.</p>
<p style="margin-left: 20px">Supported operations are Add, Get, Delete, and Replace.</p>
<a href="" id="enterpriseapn-connectionname-roaming"></a>**EnterpriseAPN/*ConnectionName*/Roaming**
<p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies whether the connection should be activated when the device is roaming. Valid values:</p>
<ul>
<li>0 - Disallowed</li>
<li>1 - Allowed</li>
<li>2 - DomesticRoaming</li>
<li>3 - UseOnlyForDomesticRoaming</li>
<li>4 - UseOnlyForNonDomesticRoaming</li>
<li>5 - UseOnlyForRoaming</li>
</ul>
<p style="margin-left: 20px">Default is 1 (all roaming allowed).</p>
<p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Delete, and Replace.</p>
<a href="" id="enterpriseapn-settings"></a>**EnterpriseAPN/Settings**
<p style="margin-left: 20px">Added in Windows 10, version 1607. Node that contains global settings.</p>
<a href="" id="enterpriseapn-settings-allowusercontrol"></a>**EnterpriseAPN/Settings/AllowUserControl**
<p style="margin-left: 20px">Added in Windows 10, version 1607. Boolean value that specifies whether the cellular UX will allow users to connect with other APNs other than the Enterprise APN.</p>
<p style="margin-left: 20px">The default value is false.</p>
<p style="margin-left: 20px">Supported operations are Get and Replace.</p>
<a href="" id="enterpriseapn-settings-hideview"></a>**EnterpriseAPN/Settings/HideView**
<p style="margin-left: 20px">Added in Windows 10, version 1607. Boolean that specifies whether the cellular UX will allow the user to view enterprise APNs. Only applicable if AllowUserControl is true.</p>
<p style="margin-left: 20px">The default value is false.</p>
<p style="margin-left: 20px">Supported operations are Get and Replace.</p>
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
 
 

1213
windows/client-management/mdm/enterpriseapn-ddf.md Normal file
View File

File diff suppressed because it is too large Load Diff

546
windows/client-management/mdm/enterpriseappmanagement-csp.md Normal file
View File

@ -0,0 +1,546 @@
---
title: EnterpriseAppManagement CSP
description: EnterpriseAppManagement CSP
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: 698b8bf4-652e-474b-97e4-381031357623
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# EnterpriseAppManagement CSP
The EnterpriseAppManagement enterprise configuration service provider is used to handle enterprise application management tasks such as installing an enterprise application token, the first auto-downloadable app link, querying installed enterprise applications (name and version), auto updating already installed enterprise applications, and removing all installed enterprise apps (including the enterprise app token) during unenrollment.
> **Note**   The EnterpriseAppManagement CSP is only supported in Windows 10 Mobile.
 
The following diagram shows the EnterpriseAppManagement configuration service provider in tree format.
![enterpriseappmanagement csp](images/provisioning-csp-enterpriseappmanagement.png)
<a href="" id="enterpriseid"></a>***EnterpriseID***
Optional. A dynamic node that represents the EnterpriseID as a GUID. It is used to enroll or unenroll enterprise applications.
Supported operations are Add, Delete, and Get.
<a href="" id="enterpriseid-enrollmenttoken"></a>***EnterpriseID*/EnrollmentToken**
Required. Used to install or update the binary representation of the application enrollment token (AET) and initiate "phone home" token validation. Scope is dynamic.
Supported operations are Get, Add, and Replace.
<a href="" id="enterpriseid-storeproductid"></a>***EnterpriseID*/StoreProductID**
Required. The node to host the ProductId node. Scope is dynamic.
Supported operation is Get.
<a href="" id="-storeproductid-productid"></a>**/StoreProductID/ProductId**
The character string that contains the ID of the first enterprise application (usually a Company Hub app), which is automatically installed on the device. Scope is dynamic.
Supported operations are Get and Add.
<a href="" id="enterpriseid-storeuri"></a>***EnterpriseID*/StoreUri**
Optional. The character string that contains the URI of the first enterprise application to be installed on the device. The enrollment client downloads and installs the application from this URI. Scope is dynamic.
Supported operations are Get and Add.
<a href="" id="enterpriseid-certificatesearchcriteria"></a>***EnterpriseID*/CertificateSearchCriteria**
Optional. The character string that contains the search criteria to search for the DM-enrolled client certificate. The certificate is used for client authentication during enterprise application download. The company's application content server should use the enterprise-enrolled client certificate to authenticate the device. The value must be a URL encoded representation of the X.500 distinguished name of the client certificates Subject property. The X.500 name must conform to the format required by the [CertStrToName](http://go.microsoft.com/fwlink/p/?LinkId=523869) function. This search parameter is case sensitive. Scope is dynamic.
Supported operations are Get and Add.
> **Note**   Do NOT use Subject=CN%3DB1C43CD0-1624-5FBB-8E54-34CF17DFD3A1\\x00. The server must replace this value in the supplied client certificate. If your server returns a client certificate containing the same Subject value, this can cause unexpected behavior. The server should always override the subject value and not use the default device-provided Device ID Subject= Subject=CN%3DB1C43CD0-1624-5FBB-8E54-34CF17DFD3A1\\x00
 
<a href="" id="enterpriseid-status"></a>***EnterpriseID*/Status**
Required. The integer value that indicates the current status of the application enrollment. Valid values are 0 (ENABLED), 1 (INSTALL\_DISABLED), 2 (REVOKED), and 3 (INVALID). Scope is dynamic.
Supported operation is Get.
<a href="" id="enterpriseid-crlcheck"></a>***EnterpriseID*/CRLCheck**
Optional. Character value that specifies whether the device should do a CRL check when using a certificate to authenticate the server. Valid values are "1" (CRL check required), "0" (CRL check not required). Scope is dynamic.
Supported operations are Get, Add, and Replace.
<a href="" id="enterpriseid-enterpriseapps"></a>***EnterpriseID*/EnterpriseApps**
Required. The root node to for individual enterprise application related settings. Scope is dynamic (this node is automatically created when EnterpriseID is added to the configuration service provider).
Supported operation is Get.
<a href="" id="-enterpriseapps-inventory"></a>**/EnterpriseApps/Inventory**
Required. The root node for individual enterprise application inventory settings. Scope is dynamic (this node is automatically created when EnterpriseID is added to the configuration service provider).
Supported operation is Get.
<a href="" id="-inventory-productid"></a>**/Inventory/****_ProductID_**
Optional. A node that contains s single enterprise application product ID in GUID format. Scope is dynamic.
Supported operation is Get.
<a href="" id="-inventory-productid-version"></a>**/Inventory/*ProductID*/Version**
Required. The character string that contains the current version of the installed enterprise application. Scope is dynamic.
Supported operation is Get.
<a href="" id="-inventory-productid-title"></a>**/Inventory/*ProductID*/Title**
Required. The character string that contains the name of the installed enterprise application. Scope is dynamic.
Supported operation is Get.
<a href="" id="-inventory-productid-publisher"></a>**/Inventory/*ProductID*/Publisher**
Required. The character string that contains the name of the publisher of the installed enterprise application. Scope is dynamic.
Supported operation is Get.
<a href="" id="-inventory-productid-installdate"></a>**/Inventory/*ProductID*/InstallDate**
Required. The time (in the character format YYYY-MM-DD-HH:MM:SS) that the application was installed or updated. Scope is dynamic.
Supported operation is Get.
<a href="" id="-enterpriseapps-download"></a>**/EnterpriseApps/Download**
Required. This node groups application download-related parameters. The enterprise server can only automatically update currently installed enterprise applications. The end user controls which enterprise applications to download and install. Scope is dynamic.
Supported operation is Get.
<a href="" id="-download-productid"></a>**/Download/****_ProductID_**
Optional. This node contains the GUID for the installed enterprise application. Each installed application has a unique ID. Scope is dynamic.
Supported operations are Get, Add, and Replace.
<a href="" id="-download-productid-version"></a>**/Download/*ProductID*/Version**
Optional. The character string that contains version information (set by the caller) for the application currently being downloaded. Scope is dynamic.
Supported operations are Get, Add, and Replace.
<a href="" id="-download-productid-name"></a>**/Download/*ProductID*/Name**
Required. The character string that contains the name of the installed application. Scope is dynamic.
Supported operation is Get.
<a href="" id="-download-productid-url"></a>**/Download/*ProductID*/URL**
Optional. The character string that contains the URL for the updated version of the installed application. The device will download application updates from this link. Scope is dynamic.
Supported operations are Get, Add, and Replace.
<a href="" id="-download-productid-status"></a>**/Download/*ProductID*/Status**
Required. The integer value that indicates the status of the current download process. The following table shows the possible values.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<tbody>
<tr class="odd">
<td><p>0: CONFIRM</p></td>
<td><p>Waiting for confirmation from user.</p></td>
</tr>
<tr class="even">
<td><p>1: QUEUED</p></td>
<td><p>Waiting for download to start.</p></td>
</tr>
<tr class="odd">
<td><p>2: DOWNLOADING</p></td>
<td><p>In the process of downloading.</p></td>
</tr>
<tr class="even">
<td><p>3: DOWNLOADED</p></td>
<td><p>Waiting for installation to start.</p></td>
</tr>
<tr class="odd">
<td><p>4: INSTALLING</p></td>
<td><p>Handed off for installation.</p></td>
</tr>
<tr class="even">
<td><p>5: INSTALLED</p></td>
<td><p>Successfully installed</p></td>
</tr>
<tr class="odd">
<td><p>6: FAILED</p></td>
<td><p>Application was rejected (not signed properly, bad XAP format, not enrolled properly, etc.)</p></td>
</tr>
<tr class="even">
<td><p>7:DOWNLOAD_FAILED</p></td>
<td><p>Unable to connect to server, file doesn't exist, etc.</p></td>
</tr>
</tbody>
</table>
 
Scope is dynamic. Supported operations are Get, Add, and Replace.
<a href="" id="-download-productid-lasterror"></a>**/Download/*ProductID*/LastError**
Required. The integer value that indicates the HRESULT of the last error code. If there are no errors, the value is 0 (S\_OK). Scope is dynamic.
Supported operation is Get.
<a href="" id="-download-productid-lasterrordesc"></a>**/Download/*ProductID*/LastErrorDesc**
Required. The character string that contains the human readable description of the last error code.
<a href="" id="-download-productid-downloadinstall"></a>**/Download/*ProductID*/DownloadInstall**
Required. The node to allow the server to trigger the download and installation for an updated version of the user installed application. The format for this node is null. The server must query the device later to determine the status. For each product ID, the status field is retained for up to one week. Scope is dynamic.
Supported operation is Exec.
## Remarks
### Install and Update Line of Business (LOB) applications
A workplace can automatically install and update Line of Business applications during a management session. Line of Business applications support a variety of file types including XAP (8.0 and 8.1), AppX, and AppXBundles. A workplace can also update applications from XAP file formats to Appx and AppxBundle formats through the same channel. For more information, see the Examples section.
### Uninstall Line of Business (LOB) applications
A workplace can also remotely uninstall Line of Business applications on the device. It is not possible to use this mechanism to uninstall Store applications on the device or Line of Business applications that are not installed by the enrolled workplace (for side-loaded application scenarios). For more information, see the Examples section
### Query installed Store application
You can determine if a Store application is installed on a system. First, you need the Store application GUID. You can get the Store application GUID by going to the URL for the Store application.
The Microsoft Store application has a GUID of d5dc1ebb-a7f1-df11-9264-00237de2db9e.
Use the following SyncML format to query to see if the application is installed on a managed device:
``` syntax
<Get>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7B D5DC1EBB-A7F1-DF11-9264-00237DE2DB9E%7D</LocURI>
</Target>
</Item>
</Get>
```
Response from the device (it contains list of subnodes if this app is installed in the device).
``` syntax
<Results>
<CmdID>3</CmdID>
<MsgRef>1</MsgRef>
<CmdRef>2</CmdRef>
<Item>
<Source>
<LocURI>
./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7B D5DC1EBB-A7F1-DF11-9264-00237DE2DB9E%7D</LocURI>
</Source>
<Meta>
<Format xmlns="syncml:metinf">node</Format>
<Type xmlns="syncml:metinf"></Type>
</Meta>
<Data>Version/Title/Publisher/InstallDate</Data>
</Item>
</Results>
```
### Node Values
All node values under the ProviderID interior node represent the policy values that the management server wants to set.
- An Add or Replace command on those nodes returns success in both of the following cases:
- The value is actually applied to the device.
- The value isnt applied to the device because the device has a more secure value set already.
From a security perspective, the device complies with the policy request that is at least as secure as the one requested.
- A Get command on those nodes returns the value that the server pushes down to the device.
- If a Replace command fails, the node value is set to be the previous value before Replace command was applied.
- If an Add command fails, the node is not created.
The value actually applied to the device can be queried via the nodes under the DeviceValue interior node.
## OMA DM examples
Enroll enterprise ID “4000000001” for the first time:
``` syntax
<Add>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnrollmentToken</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>InsertTokenHere</Data>
</Item>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseAppManagement/4000000001/CertificateSearchCriteria
</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>SearchCriteriaInsertedHere</Data>
</Item>
</Add>
```
Update the enrollment token (for example, to update an expired application enrollment token):
``` syntax
<Replace>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnrollmentToken</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>InsertUpdaedTokenHere</Data>
</Item>
</Replace>
```
Query all installed applications that belong to enterprise id “4000000001”:
``` syntax
<Get>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory?list=StructData
</LocURI>
</Target>
</Item>
</Get>
```
Response from the device (that contains two installed applications):
``` syntax
<Results>
<CmdID>3</CmdID>
<MsgRef>1</MsgRef>
<CmdRef>2</CmdRef>
<Item>
<Source>
<LocURI>
./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory
</LocURI>
</Source>
<Meta>
<Format xmlns="syncml:metinf">node</Format>
<Type xmlns="syncml:metinf"></Type>
</Meta>
</Item>
<Item>
<Source>
<LocURI>
./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7BB316008A-141D-4A79-810F-8B764C4CFDFB%7D
</LocURI>
</Source>
<Meta>
<Format xmlns="syncml:metinf">node</Format>
<Type xmlns="syncml:metinf"></Type>
</Meta>
</Item>
<Item>
<Source>
<LocURI>
./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7BB0322158-C3C2-44EB-8A31-D14A9FEC450E%7D
</LocURI>
</Source>
<Meta>
<Format xmlns="syncml:metinf">node</Format>
<Type xmlns="syncml:metinf"></Type>
</Meta>
</Item>
<Item>
<Source>
<LocURI>
./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7BB0322158-C3C2-44EB-8A31-D14A9FEC450E%7D/Version
</LocURI>
</Source>
<Data>1.0.0.0</Data>
</Item>
<Item>
<Source>
<LocURI>
./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7BB0322158-C3C2-44EB-8A31-D14A9FEC450E%7D/Title
</LocURI>
</Source>
<Data>Sample1</Data>
</Item>
<Item>
<Source>
<LocURI>
./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7BB0322158-C3C2-44EB-8A31-D14A9FEC450E%7D/Publisher
</LocURI>
</Source>
<Data>ExamplePublisher</Data>
</Item>
<Item>
<Source>
<LocURI>
./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7BB0322158-C3C2-44EB-8A31-D14A9FEC450E%7D/InstallDate
</LocURI>
</Source>
<Data>2012-10-30T21:09:52Z</Data>
</Item>
<Item>
<Source>
<LocURI>
./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7BB0322158-C3C2-44EB-8A31-D14A9FEC450E%7D/Version
</LocURI>
</Source>
<Data>1.0.0.0</Data>
</Item>
<Item>
<Source>
<LocURI>
./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7BB0322158-C3C2-44EB-8A31-D14A9FEC450E%7D/Title
</LocURI>
</Source>
<Data>Sample2</Data>
</Item>
<Item>
<Source>
<LocURI>
./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7BB0322158-C3C2-44EB-8A31-D14A9FEC450E%7D/Publisher
</LocURI>
</Source>
<Data>Contoso</Data>
</Item>
<Item>
<Source>
<LocURI>
./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7BB0322158-C3C2-44EB-8A31-D14A9FEC450E%7D/InstallDate
</LocURI>
</Source>
<Data>2012-10-31T21:23:31Z</Data>
</Item>
</Results>
```
## Install and update an enterprise application
Install or update the installed app with the product ID “{B316008A-141D-4A79-810F-8B764C4CFDFB}”.
To perform an XAP update, create the Name, URL, Version, and DownloadInstall nodes first, then perform an “execute” on the “DownloadInstall” node (all within an “Atomic” operation). If the application does not exist, the application will be silently installed without any user interaction. If the application cannot be installed, the user will be notified with an Alert dialog.
> **Note**  
1. If a previous app-update node existed for this product ID (the node can persist for up to 1 week or 7 days after an installation has completed), then a 418 (already exist) error would be returned on the “Add”. To get around the 418 error, the server should issue a Replace command for the Name, URL, and Version nodes, and then execute on the “DownloadInstall” (within an “Atomic” operation).
2. The application product ID curly braces need to be escaped where { is %7B and } is %7D.
 
``` syntax
<Atomic>
<CmdID>2</CmdID>
<!-- The Add command can be used if the download node does not have a matching product ID
node in it or if the application was installer 7 or more days old. Otherwise, use the Replace command. -->
<Add>
<CmdID>3</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Download/%7BB316008A-141D-4A79-810F-8B764C4CFDFB%7D/Name
</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>ContosoApp1</Data>
</Item>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Download/%7BB316008A-141D-4A79-810F-8B764C4CFDFB%7D/URL
</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>http://contoso.com/enterpriseapps/ContosoApp1.xap</Data>
</Item>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Download/%7BB316008A-141D-4A79-810F-8B764C4CFDFB%7D/Version</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>2.0.0.0</Data>
</Item>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Download%7BB316008A-141D-4A79-810F-8B764C4CFDFB%7D/DownloadInstall
</LocURI>
</Target>
<Data>1</Data>
</Item>
</Add>
<Exec>
<CmdID>4</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Download/%7BB316008A-141D-4A79-810F-8B764C4CFDFB%7D/DownloadInstall
</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>0</Data>
</Item>
</Exec>
</Atomic>
```
## Uninstall enterprise application
Uninstall an installed enterprise application with product ID “{7BB316008A-141D-4A79-810F-8B764C4CFDFB }”:
``` syntax
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Delete>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7BB316008A-141D-4A79-810F-8B764C4CFDFB%7D</LocURI>
</Target>
</Item>
</Delete>
<Final/>
</SyncBody>
</SyncML>
```
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
 
 

135
windows/client-management/mdm/enterpriseappvmanagement-csp.md Normal file
View File

@ -0,0 +1,135 @@
---
title: EnterpriseAppVManagement CSP
description: EnterpriseAppVManagement CSP
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# EnterpriseAppVManagement CSP
The EnterpriseAppVManagement configuration service provider (CSP) is used to manage virtual applications in Windows 10 PCs (Enterprise and Education editions). This CSP was added in Windows 10, version 1703.
The following diagram shows the EnterpriseAppVManagement configuration service provider in tree format.
![enterpriseappvmanagement csp](images/provisioning-csp-enterpriseappvmanagement.png)
**./Vendor/MSFT/EnterpriseAppVManagement**
<p style="margin-left: 20px">Root node for the EnterpriseAppVManagement configuration service provider.</p>
**AppVPackageManagement**
<p style="margin-left: 20px">Used to query App-V package information (post-publish).</p>
**AppVPackageManagement/EnterpriseID**
<p style="margin-left: 20px">Used to query package information. Value is always "HostedInstall".</p>
**AppVPackageManagement/EnterpriseID/PackageFamilyName**
<p style="margin-left: 20px">Package ID of the published App-V package.</p>
**AppVPackageManagement/_EnterpriseID_/_PackageFamilyName_/_PackageFullName_**
<p style="margin-left: 20px">Version ID of the published App-V package.</p>
**AppVPackageManagement/_EnterpriseID_/_PackageFamilyName_/_PackageFullName_/Name**
<p style="margin-left: 20px">Name specified in the published AppV package.</p>
<p style="margin-left: 20px">Value type is string. Supported operation is Get.</p>
**AppVPackageManagement/_EnterpriseID_/_PackageFamilyName_/_PackageFullName_/Version**
<p style="margin-left: 20px">Version specified in the published AppV package.</p>
<p style="margin-left: 20px">Value type is string. Supported operation is Get.</p>
**AppVPackageManagement/_EnterpriseID_/_PackageFamilyName_/_PackageFullName_/Publisher**
<p style="margin-left: 20px">Publisher as specified in the published asset information of the AppV package.</p>
<p style="margin-left: 20px">Value type is string. Supported operation is Get.</p>
**AppVPackageManagement/_EnterpriseID_/_PackageFamilyName_/_PackageFullName_/InstallLocation**
<p style="margin-left: 20px">Local package path specified in the published asset information of the AppV package.</p>
<p style="margin-left: 20px">Value type is string. Supported operation is Get.</p>
**AppVPackageManagement/_EnterpriseID_/_PackageFamilyName_/_PackageFullName_/InstallDate**
<p style="margin-left: 20px">Date the app was installed, as specified in the published asset information of the AppV package.</p>
<p style="margin-left: 20px">Value type is string. Supported operation is Get.</p>
**AppVPackageManagement/_EnterpriseID_/_PackageFamilyName_/_PackageFullName_/Users**
<p style="margin-left: 20px">Registered users for app, as specified in the published asset information of the AppV package.</p>
<p style="margin-left: 20px">Value type is string. Supported operation is Get.</p>
**AppVPackageManagement/_EnterpriseID_/_PackageFamilyName_/_PackageFullName_/AppVPackageId**
<p style="margin-left: 20px"> Package ID of the published App-V package.</p>
<p style="margin-left: 20px">Value type is string. Supported operation is Get.</p>
**AppVPackageManagement/_EnterpriseID_/_PackageFamilyName_/_PackageFullName_/AppVVersionId**
<p style="margin-left: 20px">Version ID of the published App-V package.</p>
<p style="margin-left: 20px">Value type is string. Supported operation is Get.</p>
**AppVPackageManagement/_EnterpriseID_/_PackageFamilyName_/_PackageFullName_/AppVPackageUri**
<p style="margin-left: 20px">Package URI of the published App-V package.</p>
<p style="margin-left: 20px">Value type is string. Supported operation is Get.</p>
**AppVPublishing**
<p style="margin-left: 20px">Used to monitor publishing operations on App-V.</p>
**AppVPublishing/LastSync**
<p style="margin-left: 20px">Used to monitor publishing status of last sync operation.</p>
**AppVPublishing/LastSync/LastError**
<p style="margin-left: 20px">Error code and error description of last sync operation.</p>
<p style="margin-left: 20px">Value type is string. Supported operation is Get.</p>
**AppVPublishing/LastSync/LastErrorDescription**
<p style="margin-left: 20px">Last sync error status. One of the following values may be returned:</p>
- SYNC\_ERR_NONE (0) - No errors during publish.
- SYNC\_ERR\_UNPUBLISH_GROUPS (1) - Unpublish groups failed during publish.
- SYNC\_ERR\_PUBLISH\_NONGROUP_PACKAGES (2) - Publish no-group packages failed during publish.
- SYNC\_ERR\_PUBLISH\_GROUP_PACKAGES (3) - Publish group packages failed during publish.
- SYNC\_ERR\_UNPUBLISH_PACKAGES (4) - Unpublish packages failed during publish.
- SYNC\_ERR\_NEW_POLICY_WRITE (5) - New policy write failed during publish.
- SYNC\_ERR\_MULTIPLE\_DURING_PUBLISH (6) - Multiple non-fatal errors occured during publish.
<p style="margin-left: 20px">Value type is string. Supported operation is Get.</p>
**AppVPublishing/LastSync/SyncStatusDescription**
<p style="margin-left: 20px">Latest sync in-progress stage. One of the following values may be returned:</p>
- SYNC\_PROGRESS_IDLE (0) - App-V publishing is idle.
- SYNC\_PROGRESS\_UNPUBLISH_GROUPS (1) - App-V connection groups publish in progress.
- SYN\_PROGRESS\_PUBLISH\_NONGROUP_PACKAGES (2) - App-V packages (non connection group) publish in progress.
- SYNC\_PROGRESS\_PUBLISH\_GROUP_PACKAGES (3) - App-V packages (connection group) publish in progress.
- SYN\C_PROGRESS_UNPUBLISH_PACKAGES (4) - App-V packages unpublish in progress.
<p style="margin-left: 20px">Value type is string. Supported operation is Get.</p>
**AppVPublishing/LastSync/SyncProgress**
<p style="margin-left: 20px">Latest sync state. One of the following values may be returned:</p>
- SYNC\_STATUS_IDLE (0) - App-V Sync is idle.
- SYNC\_STATUS\_PUBLISH_STARTED (1) - App-V Sync is initializing.
- SYNC\_STATUS\_PUBLISH\_IN_PROGRESS (2) - App-V Sync is in progress.
- SYNC\_STATUS\_PUBLISH\_COMPLETED (3) - App-V Sync is complete.
- SYNC\_STATUS\_PUBLISH\_REBOOT_REQUIRED (4) - App-V Sync requires device reboot.
<p style="margin-left: 20px">Value type is string. Supported operation is Get.</p>
**AppVPublishing/Sync**
<p style="margin-left: 20px">Used to perform App-V synchronization.</p>
**AppVPublishing/Sync/PublishXML**
<p style="margin-left: 20px">Used to execute the App-V synchronization using the Publishing protocol. For more information about the protocol see [[MS-VAPR]: Virtual Application Publishing and Reporting (App-V) Protocol](https://msdn.microsoft.com/en-us/library/mt739986.aspx).</p>
<p style="margin-left: 20px">Supported operations are Get, Delete, and Execute.</p>
**AppVDynamicPolicy**
<p style="margin-left: 20px">Used to set App-V Policy Configuration documents for publishing packages.</p>
**AppVDynamicPolicy/_ConfigurationId_**
<p style="margin-left: 20px">ID for App-V Policy Configuration document for publishing packages (referenced in the Publishing protocol document).</p>
**AppVDynamicPolicy/_ConfigurationId_/Policy**
<p style="margin-left: 20px">XML for App-V Policy Configuration documents for publishing packages.</p>
<p style="margin-left: 20px">Value type is xml. Supported operations are Add, Get, Delete, and Replace.</p>

593
windows/client-management/mdm/enterpriseappvmanagement-ddf.md Normal file
View File

@ -0,0 +1,593 @@
---
title: EnterpriseAppVManagement DDF file
description: EnterpriseAppVManagement DDF file
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# EnterpriseAppVManagement DDF file
This topic shows the OMA DM device description framework (DDF) for the **EnterpriseAppVManagement** configuration service provider.
You can download the DDF files from the links below:
- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip)
The XML below is the current version for this CSP.
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>EnterpriseAppVManagement</NodeName>
<Path>./Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Used for inventory and App-V management.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>AppVPackageManagement</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Used to query App-V package information (post-publish).</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Used to query package information. Value is always 'HostedInstall'.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<OneOrMore />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>EnterpriseID</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Package ID of the published App-V package.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrMore />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>PackageFamilyName</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Version ID of the published App-V package.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrMore />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>PackageFullName</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Name</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Name specified in the published AppV package.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Version</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Version specified in the published AppV package.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Publisher</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Publisher specified in the published AppV package's asset information.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>InstallLocation</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Local package path specified in the published AppV package's asset information.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>InstallDate</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Date the app was installed, as specified in the published AppV package's asset information.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Users</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Registered users for app, as specified in the published AppV package's asset information.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>AppVPackageId</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Package ID of the published App-V package.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>AppVVersionId</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Version ID of the published App-V package.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>AppVPackageUri</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Package URI of the published App-V package.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</Node>
</Node>
<Node>
<NodeName>AppVPublishing</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Used to monitor publishing operations on App-V.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>LastSync</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Used to monitor publishing status of last Sync operation.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>LastError</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Error code and error description of last Sync operation.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>LastErrorDescription</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Last Sync error status. One of the following values may be returned:
SYNC_ERR_NONE (0) - No errors during publish.
SYNC_ERR_UNPUBLISH_GROUPS (1) - Unpublish groups failed during publish.
SYNC_ERR_PUBLISH_NONGROUP_PACKAGES (2) - Publish no-group packages failed during publish.
SYNC_ERR_PUBLISH_GROUP_PACKAGES (3) - Publish group packages failed during publish.
SYNC_ERR_UNPUBLISH_PACKAGES (4) - Unpublish packages failed during publish.
SYNC_ERR_NEW_POLICY_WRITE (5) - New policy write failed during publish.
SYNC_ERR_MULTIPLE_DURING_PUBLISH (6) - Multiple non-fatal errors occured during publish.
</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>SyncStatusDescription</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Latest Sync in-progress stage. One of the following values may be returned:
SYNC_PROGRESS_IDLE (0) - App-V publishing is idle.
SYNC_PROGRESS_UNPUBLISH_GROUPS (1) - App-V connection groups publish in progress.
SYNC_PROGRESS_PUBLISH_NONGROUP_PACKAGES (2) - App-V packages (non connection group) publish in progress.
SYNC_PROGRESS_PUBLISH_GROUP_PACKAGES (3) - App-V packages (connection group) publish in progress.
SYNC_PROGRESS_UNPUBLISH_PACKAGES (4) - App-V packages unpublish in progress.
</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>SyncProgress</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Latest Sync state. One of the following values may be returned:
SYNC_STATUS_IDLE (0) - App-V Sync is idle.
SYNC_STATUS_PUBLISH_STARTED (1) - App-V Sync is initializing.
SYNC_STATUS_PUBLISH_IN_PROGRESS (2) - App-V Sync is in progress.
SYNC_STATUS_PUBLISH_COMPLETED (3) - App-V Sync is complete.
SYNC_STATUS_PUBLISH_REBOOT_REQUIRED (4) - App-V Sync requires device reboot.
</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>Sync</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Used to perform App-V synchronization.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>PublishXML</NodeName>
<DFProperties>
<AccessType>
<Delete />
<Get />
<Exec />
</AccessType>
<Description>Used to execute the App-V synchronization using the Publishing protocol.</Description>
<DFFormat>
<xml />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
<Node>
<NodeName>AppVDynamicPolicy</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Used to set App-V Policy Configuration documents for publishing packages.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
</AccessType>
<Description>ID for App-V Policy Configuration document for publishing packages (referenced in the Publishing protocol document.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrMore />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>ConfigurationId</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Policy</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>XML for App-V Policy Configuration documents for publishing packages.</Description>
<DFFormat>
<xml />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</Node>
</MgmtTree>
```

1676
windows/client-management/mdm/enterpriseassignedaccess-csp.md Normal file
View File

File diff suppressed because it is too large Load Diff

328
windows/client-management/mdm/enterpriseassignedaccess-ddf.md Normal file
View File

@ -0,0 +1,328 @@
---
title: EnterpriseAssignedAccess DDF
description: EnterpriseAssignedAccess DDF
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: 8BD6FB05-E643-4695-99A2-633995884B37
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# EnterpriseAssignedAccess DDF
This topic shows the OMA DM device description framework (DDF) for the **EnterpriseAssignedAccess** configuration service provider. DDF files are used only with OMA DM provisioning XML.
You can download the Windows 10 version 1607 DDF files from [here](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip).
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>EnterpriseAssignedAccess</NodeName>
<Path>./Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>com.microsoft/1.1/MDM/EnterpriseAssignedAccess</MIME>
</DFType>
</DFProperties>
<Node>
<NodeName>AssignedAccess</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
<Add />
<Delete />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>AssignedAccessXml</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
<Add />
<Delete />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>LockScreenWallpaper</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
<Add />
<Delete />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>BGFileName</NodeName>
<DFProperties>
<AccessType>
<Add />
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>Theme</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
<Add />
<Delete />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>ThemeBackground</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>ThemeAccentColorID</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>ThemeAccentColorValue</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>Clock</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
<Add />
<Delete />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>TimeZone</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>Locale</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
<Add />
<Delete />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Language</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</MgmtTree>
```
 
 

270
windows/client-management/mdm/enterpriseassignedaccess-xsd.md Normal file
View File

@ -0,0 +1,270 @@
---
title: EnterpriseAssignedAccess XSD
description: EnterpriseAssignedAccess XSD
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: BB3B633E-E361-4B95-9D4A-CE6E08D67ADA
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# EnterpriseAssignedAccess XSD
This XSD can be used to validate that the lockdown XML in the &lt;Data&gt; block of the AssignedAccessXML node.
``` syntax
<?xml version="1.0" encoding="utf-16LE" ?>
<!--
In-memory format is Little Endian and
hence the encoding of this file has to be little endian
to be in the native format. Make sure that this file's
encoding is Unicode-16 LE (Unicode Codepage 1200)
-->
<xs:schema
xmlns:xs="http://www.w3.org/2001/XMLSchema"
elementFormDefault="qualified"
>
<!-- COMPLEX TYPE: ROLE LIST TYPE -->
<xs:complexType name="role_list_t">
<xs:sequence minOccurs="1" maxOccurs="1">
<xs:element name="Role" type="role_t" minOccurs="1" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<!-- COMPLEX TYPE: START SCREEN SIZE TYPE -->
<xs:simpleType name="startscreen_size_t">
<xs:restriction base="xs:string">
<!-- Small: 4 columns-->
<xs:enumeration value="Small"/>
<!-- Large: 6 columns-->
<xs:enumeration value="Large"/>
</xs:restriction>
</xs:simpleType>
<!-- COMPLEX TYPE: APPLICATION LIST TYPE -->
<xs:complexType name="application_list_t">
<xs:sequence minOccurs="0" maxOccurs="1">
<xs:element name="Application" type="application_t" minOccurs="0" maxOccurs="unbounded" >
<xs:key name="productIdOrfolderId">
<xs:selector xpath="."/>
<xs:field xpath="@productId|@folderId"/>
</xs:key>
</xs:element>
</xs:sequence>
</xs:complexType>
<!-- COMPLEX TYPE: BUTTON LIST TYPE -->
<xs:complexType name="button_list_t">
<xs:sequence minOccurs="0" maxOccurs="1">
<xs:element name="Button" minOccurs="0" maxOccurs="unbounded" type="button_t">
<xs:unique name="ButtonEventUnique">
<xs:selector xpath="ButtonEvent" />
<xs:field xpath="@name" />
</xs:unique>
</xs:element>
</xs:sequence>
</xs:complexType>
<!-- COMPLEX TYPE: MENU ITEM LIST TYPE -->
<xs:complexType name="menu_item_list_t">
<xs:sequence minOccurs="0" maxOccurs="1">
<xs:element name="DisableMenuItems" minOccurs="0" maxOccurs="1"/>
</xs:sequence>
</xs:complexType>
<!-- COMPLEX TYPE: START SCREEN TILE MANIPULATION TYPE -->
<xs:complexType name="tile_manipulation_t">
<xs:sequence minOccurs="0" maxOccurs="1">
<xs:element name="EnableTileManipulation" minOccurs="0" maxOccurs="1"/>
</xs:sequence>
</xs:complexType>
<!-- COMPLEX TYPE: DEFAULT TYPE -->
<xs:complexType name="default_basic_t">
<xs:sequence minOccurs="1">
<xs:element name="ActionCenter" type="actioncenter_t" minOccurs="1"/>
<xs:element name="WLANSSID" type="wlanssid_t" minOccurs="0"/>
<xs:element name="Apps" type="application_list_t" minOccurs="1">
<xs:unique name="duplicateAppsForbidden">
<xs:selector xpath="Application"/>
<xs:field xpath="@productId"/>
<xs:field xpath="@aumid"/>
</xs:unique>
</xs:element>
<xs:element name="Buttons" minOccurs="1">
<xs:complexType>
<xs:all>
<xs:element name="ButtonLockdownList" type="button_list_t" minOccurs="0">
<xs:unique name="ButtonLockdownUnique">
<xs:selector xpath="Button" />
<xs:field xpath="@name" />
</xs:unique>
</xs:element>
<xs:element name="ButtonRemapList" type="button_list_t" minOccurs="0">
<xs:unique name="ButtonRemapUnique">
<xs:selector xpath="Button" />
<xs:field xpath="@name" />
</xs:unique>
</xs:element>
</xs:all>
</xs:complexType>
</xs:element>
<xs:element name="CSPRunner" minOccurs="0"/>
<xs:element name="MenuItems" type="menu_item_list_t" minOccurs="1"/>
<xs:element name="Settings" minOccurs="1">
<xs:complexType>
<xs:sequence>
<xs:element name="System" type="setting_t" minOccurs="0" maxOccurs="unbounded" />
<xs:element name="Application" type="setting_t" minOccurs="0" maxOccurs="unbounded" />
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="Tiles" type="tile_manipulation_t" minOccurs="0" ></xs:element>
</xs:sequence>
</xs:complexType>
<!-- COMPLEX TYPE: ROLE TYPE -->
<xs:complexType name="role_t">
<xs:complexContent>
<xs:extension base="default_basic_t">
<xs:attribute name="guid" type="guid_t" use="required"/>
<xs:attribute name="name" type="xs:string" use="required"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
<!-- COMPLEX TYPE: DEFAULT ROLE TYPE -->
<xs:complexType name="default_role_t">
<xs:complexContent>
<xs:extension base="default_basic_t">
<xs:sequence minOccurs="1">
<xs:element name="StartScreenSize" type="startscreen_size_t" minOccurs="1"/>
</xs:sequence>
</xs:extension>
</xs:complexContent>
</xs:complexType>
<!-- COMPLEX TYPE: Action Center -->
<xs:complexType name="actioncenter_t">
<xs:attribute type="xs:boolean" name="enabled" use="required"/>
<xs:attribute type="xs:integer" name="actionCenterNotificationEnabled" use="optional"/>
<xs:attribute type="xs:integer" name="aboveLockToastEnabled" use="optional"/>
</xs:complexType>
<!-- COMPLEX TYPE: APPLICATION TYPE -->
<xs:complexType name="application_t">
<xs:all minOccurs="0">
<xs:element name="PinToStart" type="start_tile_t" />
</xs:all>
<xs:attribute name="productId" type="guid_t"/>
<xs:attribute name="aumid" type="xs:string" use="optional"/>
<xs:attribute name="folderName" type="xs:string" use="optional"/>
<xs:attribute name="folderId" type="xs:integer"/>
<xs:attribute name="parameters" type="xs:string" use="optional"/>
<xs:attribute name="autoRun" type="xs:boolean" use="optional"/>
</xs:complexType>
<!-- COMPLEX TYPE: START SCREEN TILE CONFIGURATION TYPE-->
<xs:complexType name="start_tile_t">
<xs:all minOccurs="1" maxOccurs="1">
<xs:element name="Size" type="tile_size_t" minOccurs="1" />
<xs:element name="Location" type="tile_location_t" minOccurs="1" />
<xs:element name="ParentFolderId" type="xs:unsignedLong" minOccurs="0" maxOccurs="1" />
</xs:all>
</xs:complexType>
<!-- COMPLEX TYPE: SETTING TYPE -->
<xs:complexType name="setting_t">
<xs:attribute name="name" type="xs:string" use="required"/>
</xs:complexType>
<!-- COMPLEX TYPE: BUTTON TYPE -->
<xs:complexType name="button_t">
<xs:sequence minOccurs="0" maxOccurs="1">
<xs:element name="ButtonEvent" type="button_event_t" minOccurs="0" maxOccurs="unbounded" />
</xs:sequence>
<xs:attribute name="name" type="supported_button_t" use="required"/>
</xs:complexType>
<!-- COMPLEX TYPE: BUTTON EVENT TYPE -->
<xs:complexType name="button_event_t">
<xs:all minOccurs="0" maxOccurs="1">
<xs:element name="Application" type="application_t" minOccurs="0" maxOccurs="1" >
<xs:key name="productIdOnly">
<xs:selector xpath="."/>
<xs:field xpath="@productId"/>
</xs:key>
</xs:element>
</xs:all>
<xs:attribute name="name" type="supported_button_event_t" use="required"/>
</xs:complexType>
<!--COMPLEX TYPE: START TILE TYPE-->
<xs:complexType name="tile_location_t">
<xs:sequence minOccurs="0" maxOccurs="1">
<xs:element name="LocationX" type="xs:unsignedLong"/>
<xs:element name="LocationY" type="xs:unsignedLong"/>
</xs:sequence>
</xs:complexType>
<!-- SIMPLE TYPE: SUPPORTED BUTTON TYPE -->
<xs:simpleType name="supported_button_t">
<xs:restriction base="xs:string">
<xs:enumeration value="Back"/>
<xs:enumeration value="Start"/>
<xs:enumeration value="Search"/>
<xs:enumeration value="Camera"/>
<xs:enumeration value="Custom1"/>
<xs:enumeration value="Custom2"/>
<xs:enumeration value="Custom3"/>
</xs:restriction>
</xs:simpleType>
<!-- SIMPLE TYPE: SUPPORTED BUTTON EVENT TYPE -->
<xs:simpleType name="supported_button_event_t">
<xs:restriction base="xs:string">
<xs:enumeration value="All"/>
<xs:enumeration value="Press"/>
<xs:enumeration value="PressAndHold"/>
</xs:restriction>
</xs:simpleType>
<!-- SIMPLE TYPE: GUID -->
<xs:simpleType name="guid_t">
<xs:restriction base="xs:string">
<xs:pattern value="\{[0-9a-fA-F]{8}\-([0-9a-fA-F]{4}\-){3}[0-9a-fA-F]{12}\}"/>
</xs:restriction>
</xs:simpleType>
<!--SIMPLE TYPE: TILE SIZE-->
<xs:simpleType name="tile_size_t">
<xs:restriction base="xs:string">
<xs:enumeration value="Small"/>
<xs:enumeration value="Medium"/>
<xs:enumeration value="Large"/>
</xs:restriction>
</xs:simpleType>
<!-- COMPLEX TYPE: WLANSSID -->
<xs:complexType name="wlanssid_t">
<xs:sequence minOccurs="0" maxOccurs="1">
<xs:element name="Data" type="xs:string"/>
<xs:element name="Exclusive" type="xs:boolean"/>
</xs:sequence>
</xs:complexType>
<!-- SCHEMA -->
<xs:element name="HandheldLockdown">
<xs:complexType>
<xs:all minOccurs="1">
<xs:element name="Default" type="default_role_t"/>
<xs:element name="RoleList" type="role_list_t" minOccurs="0">
<xs:unique name="duplicateRolesForbidden">
<xs:selector xpath="Role"/>
<xs:field xpath="@guid"/>
</xs:unique>
</xs:element>
</xs:all>
<xs:attribute name="version" use="required" type="xs:decimal"/>
</xs:complexType>
</xs:element>
</xs:schema>
```
 
 

347
windows/client-management/mdm/enterprisedataprotection-csp.md Normal file
View File

@ -0,0 +1,347 @@
---
title: EnterpriseDataProtection CSP
description: The EnterpriseDataProtection configuration service provider (CSP) is used to configure Windows Information Protection (WIP) (formerly known as Enterprise Data Protection) specific settings.
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: E2D4467F-A154-4C00-9208-7798EF3E25B3
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# EnterpriseDataProtection CSP
The EnterpriseDataProtection configuration service provider (CSP) is used to configure Windows Information Protection (WIP) (formerly known as Enterprise Data Protection) specific settings. For more information about WIP, see [Protect your enterprise data using Windows Information Protection (WIP)](https://technet.microsoft.com/itpro/windows/keep-secure/protect-enterprise-data-using-wip).
> **Note**  
>- To make WIP functional the AppLocker CSP and the network isolation specific settings must also be configured. For more information, see [AppLocker CSP](applocker-csp.md) and NetworkIsolation policies in [Policy CSP](policy-configuration-service-provider.md).
>- This CSP was added in Windows 10, version 1607.
 
While WIP has no hard dependency on VPN, for best results you should configure VPN profiles first before you configure the WIP policies. For VPN best practice recommendations, see [VPNv2 CSP](vpnv2-csp.md).
To learn more about WIP, see the following TechNet topics:
- [Create a Windows Information Protection (WIP) policy](https://technet.microsoft.com/itpro/windows/keep-secure/overview-create-wip-policy)
- [General guidance and best practices for Windows Information Protection (WIP)](https://technet.microsoft.com/itpro/windows/keep-secure/guidance-and-best-practices-wip)
The following diagram shows the EnterpriseDataProtection CSP in tree format.
![enterprisedataprotection csp diagram](images/provisioning-csp-enterprisedataprotection.png)
<a href="" id="--device-vendor-msft-enterprisedataprotection"></a>**./Device/Vendor/MSFT/EnterpriseDataProtection**
<p style="margin-left: 20px">The root node for the CSP.
<a href="" id="settings"></a>**Settings**
<p style="margin-left: 20px">The root node for the Windows Information Protection (WIP) configuration settings.
<a href="" id="settings-edpenforcementlevel"></a>**Settings/EDPEnforcementLevel**
<p style="margin-left: 20px">Set the WIP enforcement level. Note that setting this value is not sufficient to enable WIP on the device. Attempts to change this value will fail when the WIP cleanup is running.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 (default) Off / No protection (decrypts previously protected data).
- 1 Silent mode (encrypt and audit only).
- 2 Override mode (encrypt, prompt, and audit).
- 3 Block mode (encrypt, block, and audit).
<p style="margin-left: 20px">Supported operations are Add, Get, Replace and Delete. Value type is integer.
<a href="" id="settings-enterpriseprotecteddomainnames"></a>**Settings/EnterpriseProtectedDomainNames**
<p style="margin-left: 20px">A list of domains used by the enterprise for its user identities separated by pipes ("|").The first domain in the list must be the primary enterprise ID, that is, the one representing the managing authority for WIP. User identities from one of these domains is considered an enterprise managed account and data associated with it should be protected. For example, the domains for all email accounts owned by the enterprise would be expected to appear in this list. Attempts to change this value will fail when the WIP cleanup is running.
<p style="margin-left: 20px">Changing the primary enterprise ID is not supported and may cause unexpected behavior on the client.
> **Note**  The client requires domain name to be canonical, otherwise the setting will be rejected by the client.
 
<p style="margin-left: 20px">Here are the steps to create canonical domain names:
1. Transform the ASCII characters (A-Z only) to lower case. For example, Microsoft.COM -&gt; microsoft.com.
2. Call [IdnToAscii](https://msdn.microsoft.com/library/windows/desktop/dd318149.aspx) with IDN\_USE\_STD3\_ASCII\_RULES as the flags.
3. Call [IdnToUnicode](https://msdn.microsoft.com/library/windows/desktop/dd318151.aspx) with no flags set (dwFlags = 0).
<p style="margin-left: 20px">Supported operations are Add, Get, Replace and Delete. Value type is string.
<a href="" id="settings-allowuserdecryption"></a>**Settings/AllowUserDecryption**
<p style="margin-left: 20px">Allows the user to decrypt files. If this is set to 0 (Not Allowed), then the user will not be able to remove protection from enterprise content through the operating system or the application user experiences.
> [!Important]
> Starting in Windows 10, version 1703, AllowUserDecryption is no longer supported.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
<p style="margin-left: 20px">Most restricted value is 0.
<p style="margin-left: 20px">Supported operations are Add, Get, Replace and Delete. Value type is integer.
<a href="" id="settings-requireprotectionunderlockconfig"></a>**Settings/RequireProtectionUnderLockConfig**
<p style="margin-left: 20px">Specifies whether the protection under lock feature (also known as encrypt under pin) should be configured. A PIN must be configured on the device before you can apply this policy.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 (default) Not required.
- 1 Required.
<p style="margin-left: 20px">Most restricted value is 1.
<p style="margin-left: 20px">The CSP checks the current edition and hardware support (TPM), and returns an error message if the device does not have the required hardware.
> **Note**  This setting is only supported in Windows 10 Mobile.
 
<p style="margin-left: 20px">Supported operations are Add, Get, Replace and Delete. Value type is integer.
<a href="" id="settings-datarecoverycertificate"></a>**Settings/DataRecoveryCertificate**
<p style="margin-left: 20px">Specifies a recovery certificate that can be used for data recovery of encrypted files. This is the same as the data recovery agent (DRA) certificate for encrypting file system (EFS), only delivered through MDM instead of Group Policy.
> **Note**  If this policy and the corresponding Group Policy setting are both configured, the Group Policy setting is enforced.
<p style="margin-left: 20px">DRA information from MDM policy must be a serialized binary blob identical to what we expect from GP.
The binary blob is the serialized version of following structure:
``` syntax
//
//  Recovery Policy Data Structures
//
 
typedef struct _RECOVERY_POLICY_HEADER {
    USHORT      MajorRevision;
    USHORT      MinorRevision;
    ULONG       RecoveryKeyCount;
} RECOVERY_POLICY_HEADER, *PRECOVERY_POLICY_HEADER;
 
typedef struct _RECOVERY_POLICY_1_1    {
        RECOVERY_POLICY_HEADER  RecoveryPolicyHeader;
        RECOVERY_KEY_1_1        RecoveryKeyList[1];
}   RECOVERY_POLICY_1_1, *PRECOVERY_POLICY_1_1;
 
#define EFS_RECOVERY_POLICY_MAJOR_REVISION_1   (1)
#define EFS_RECOVERY_POLICY_MINOR_REVISION_0   (0)
 
#define EFS_RECOVERY_POLICY_MINOR_REVISION_1   (1)
 
///////////////////////////////////////////////////////////////////////////////
//                                                                            /
//  RECOVERY_KEY Data Structure                                               /
//                                                                            /
///////////////////////////////////////////////////////////////////////////////
 
//
// Current format of recovery data.
//
 
typedef struct _RECOVERY_KEY_1_1   {
        ULONG               TotalLength;
        EFS_PUBLIC_KEY_INFO PublicKeyInfo;
} RECOVERY_KEY_1_1, *PRECOVERY_KEY_1_1;
 
 
typedef struct _EFS_PUBLIC_KEY_INFO {
 
    //
    // The length of this entire structure, including string data
    // appended to the end. The length should be a multiple of 8 for
    // 64 bit alignment
    //
 
    ULONG Length;
 
    //
    // Sid of owner of the public key (regardless of format).
   // This field is to be treated as a hint only.
    //
 
    ULONG PossibleKeyOwner;
 
    //
    // Contains information describing how to interpret
    // the public key information
    //
 
    ULONG KeySourceTag;
 
    union {
 
        struct {
 
            //
            // The following fields contain offsets based at the
            // beginning of the structure.  Each offset is to
            // a NULL terminated WCHAR string.
            //
 
            ULONG ContainerName;
            ULONG ProviderName;
 
            //
            // The exported public key used to encrypt the FEK.
            // This field contains an offset from the beginning of the
            // structure.
            //
 
            ULONG PublicKeyBlob;
 
            //
            // Length of the PublicKeyBlob in bytes
            //
 
            ULONG PublicKeyBlobLength;
 
        } ContainerInfo;
 
        struct {
 
            ULONG CertificateLength;       // in bytes
            ULONG Certificate;             // offset from start of structure
 
        } CertificateInfo;
 
 
        struct {
 
            ULONG ThumbprintLength;        // in bytes
            ULONG CertHashData;            // offset from start of structure
 
        } CertificateThumbprint;
    };
 
 
 
} EFS_PUBLIC_KEY_INFO, *PEFS_PUBLIC_KEY_INFO;
 
//
// Possible KeyTag values
//
 
typedef enum _PUBLIC_KEY_SOURCE_TAG {
    EfsCryptoAPIContainer = 1,
    EfsCertificate,
    EfsCertificateThumbprint
} PUBLIC_KEY_SOURCE_TAG, *PPUBLIC_KEY_SOURCE_TAG;
 
```
<p style="margin-left: 20px">For EFSCertificate KeyTag, it is expected to be a DER ENCODED binary certificate.
<p style="margin-left: 20px">Supported operations are Add, Get, Replace and Delete. Value type is base-64 encoded certificate.
<a href="" id="settings-revokeonunenroll"></a>**Settings/RevokeOnUnenroll**
<p style="margin-left: 20px">This policy controls whether to revoke the WIP keys when a device unenrolls from the management service. If set to 0 (Don't revoke keys), the keys will not be revoked and the user will continue to have access to protected files after unenrollment. If the keys are not revoked, there will be no revoked file cleanup subsequently. Prior to sending the unenroll command, when you want a device to do a selective wipe when it is unenrolled, then you should explicitly set this policy to 1.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Don't revoke keys.
- 1 (default) Revoke keys.
<p style="margin-left: 20px">Supported operations are Add, Get, Replace and Delete. Value type is integer.
<a href="" id="settings-revokeonmdmhandoff"></a>**Settings/RevokeOnMDMHandoff**
<p style="margin-left: 20px">Added in Windows 10, version 1703. This policy controls whether to revoke the WIP keys when a device upgrades from MAM to MDM. If set to 0 (Don't revoke keys), the keys will not be revoked and the user will continue to have access to protected files after upgrade. This is recommended if the MDM service is configured with the same WIP EnterpriseID as the MAM service.
- 0 - Don't revoke keys
- 1 (dafault) - Revoke keys
<p style="margin-left: 20px">Supported operations are Add, Get, Replace and Delete. Value type is integer.
<a href="" id="settings-rmstemplateidforedp"></a>**Settings/RMSTemplateIDForEDP**
<p style="margin-left: 20px">TemplateID GUID to use for RMS encryption. The RMS template allows the IT admin to configure the details about who has access to RMS-protected file and how long they have access.
<p style="margin-left: 20px">Supported operations are Add, Get, Replace and Delete. Value type is string (GUID).
<a href="" id="settings-allowazurermsforedp"></a>**Settings/AllowAzureRMSForEDP**
<p style="margin-left: 20px">Specifies whether to allow Azure RMS encryption for WIP.
- 0 (default) Don't use RMS.
- 1 Use RMS.
<p style="margin-left: 20px">Supported operations are Add, Get, Replace and Delete. Value type is integer.
<a href="" id="settings-smbautoencryptedfileextensions"></a>**Settings/SMBAutoEncryptedFileExtensions**
<p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies a list of file extensions, so that files with these extensions are encrypted when copying from an SMB share within the corporate boundary as defined in the Policy CSP nodes for [NetworkIsolation/EnterpriseIPRange](policy-configuration-service-provider.md#networkisolation-enterpriseiprange) and [NetworkIsolation/EnterpriseNetworkDomainNames](policy-configuration-service-provider.md#networkisolation-enterprisenetworkdomainnames). Use semicolon (;) delimiter in the list.
<p style="margin-left: 20px">When this policy is not specified, the existing auto-encryption behavior is applied. When this policy is configured, only files with the extensions in the list will be encrypted.
<p style="margin-left: 20px">Supported operations are Add, Get, Replace and Delete. Value type is string.
<a href="" id="settings-edpshowicons"></a>**Settings/EDPShowIcons**
<p style="margin-left: 20px">Determines whether overlays are added to icons for WIP protected files in Explorer and enterprise only app tiles in the Start menu. Starting in Windows 10, version 1703 this setting also configures the visibility of the WIP icon in the title bar of a WIP-protected app.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 (default) - No WIP overlays on icons or tiles.
- 1 - Show WIP overlays on protected files and apps that can only create enterprise content.
<p style="margin-left: 20px">Supported operations are Add, Get, Replace and Delete. Value type is integer.
<a href="" id="status"></a>**Status**
<p style="margin-left: 20px">A read-only bit mask that indicates the current state of WIP on the Device. The MDM service can use this value to determine the current overall state of WIP. WIP is only on (bit 0 = 1) if WIP mandatory policies and WIP AppLocker settings are configured.
<p style="margin-left: 20px">Suggested values:
<table>
<colgroup>
<col width="20%" />
<col width="20%" />
<col width="20%" />
<col width="20%" />
<col width="20%" />
</colgroup>
<tbody>
<tr class="odd">
<td><p>Reserved for future use</p></td>
<td><p>WIP mandatory settings</p>
<p>Set = 1</p>
<p>Not set = 0</p></td>
<td><p>Reserved for future use</p></td>
<td><p>AppLocker configured</p>
<p>Yes = 1</p>
<p>No = 0</p></td>
<td><p>WIP on = 1</p>
<p>WIP off = 0</p></td>
</tr>
<tr class="even">
<td><p>4</p></td>
<td><p>3</p></td>
<td><p>2</p></td>
<td><p>1</p></td>
<td><p>0</p></td>
</tr>
</tbody>
</table>
 
<p style="margin-left: 20px">Bit 0 indicates whether WIP is on or off.
<p style="margin-left: 20px">Bit 1 indicates whether AppLocker WIP policies are set.
<p style="margin-left: 20px">Bit 3 indicates whether the mandatory WIP policies are configured. If one or more of the mandatory WIP policies are not configured, the bit 3 is set to 0 (zero).
<p style="margin-left: 20px">Here's the list of mandatory WIP policies:
- EDPEnforcementLevel in EnterpriseDataProtection CSP
- DataRecoveryCertificate in EnterpriseDataProtection CSP
- EnterpriseProtectedDomainNames in EnterpriseDataProtection CSP
- NetworkIsolation/EnterpriseIPRange in Policy CSP
- NetworkIsolation/EnterpriseNetworkDomainNames in Policy CSP
<p style="margin-left: 20px">Bits 2 and 4 are reserved for future use.
<p style="margin-left: 20px">Supported operation is Get. Value type is integer.
 
 

364
windows/client-management/mdm/enterprisedataprotection-ddf-file.md Normal file
View File

@ -0,0 +1,364 @@
---
title: EnterpriseDataProtection DDF file
description: The following topic shows the OMA DM device description framework (DDF) for the EnterpriseDataProtection configuration service provider.
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: C6427C52-76F9-4EE0-98F9-DE278529D459
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# EnterpriseDataProtection DDF file
The following topic shows the OMA DM device description framework (DDF) for the EnterpriseDataProtection configuration service provider.
> [!Important]
> Starting in Windows 10, version 1703, AllowUserDecryption is no longer supported.
You can download the DDF files from the links below:
- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip)
The XML below is the current version for this CSP.
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>EnterpriseDataProtection</NodeName>
<Path>./Device/Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>com.microsoft/1.0/MDM/EnterpriseDataProtection</MIME>
</DFType>
</DFProperties>
<Node>
<NodeName>Settings</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>EDPEnforcementLevel</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<Description>Maps to MDM "EDPEnforcementLevel" policy.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>EnterpriseProtectedDomainNames</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<Description>Maps to EnerpriseProtectedDomainNames MDM policy.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>AllowUserDecryption</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<Description>Deprecated. Recommendation is to always set to 1. When fetching this policy value, client will always return 1 regardless of what was originally set by server.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>RequireProtectionUnderLockConfig</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>DataRecoveryCertificate</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<DFFormat>
<b64 />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>RevokeOnUnenroll</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>RevokeOnMDMHandoff</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>RMSTemplateIDForEDP</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>AllowAzureRMSForEDP</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>SMBAutoEncryptedFileExtensions</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>EDPShowIcons</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>Status</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFTitle>Current state of Enterprise Data Protection configuration on the device.</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</MgmtTree>
```
 
 

549
windows/client-management/mdm/enterprisedesktopappmanagement-csp.md Normal file
View File

@ -0,0 +1,549 @@
---
title: EnterpriseDesktopAppManagement CSP
description: The EnterpriseDesktopAppManagement configuration service provider is used to handle enterprise desktop application management tasks, such as querying installed enterprise applications, installing applications, or removing applications.
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: 2BFF7491-BB01-41BA-9A22-AB209EE59FC5
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# EnterpriseDesktopAppManagement CSP
The EnterpriseDesktopAppManagement configuration service provider is used to handle enterprise desktop application management tasks, such as querying installed enterprise applications, installing applications, or removing applications.
Application installations can take some time to complete, hence they are done asynchronously. When the Exec command is completed, the client can send a generic alert to the management server with a status, whether it's a failure or success. For a SyncML example, see [Alert example](#alert-example).
The following diagram shows the EnterpriseDesktopAppManagement CSP in tree format.
![enterprisedesktopappmanagement csp](images/provisioning-csp-enterprisedesktopappmanagement.png)
<a href="" id="--vendor-msft-enterprisedesktopappmanagement"></a>**./Device/Vendor/MSFT/EnterpriseDesktopAppManagement**
The root node for the EnterpriseDesktopAppManagement configuration service provider.
<a href="" id="msi"></a>**MSI**
Node for all settings.
<a href="" id="msi-productid"></a>**MSI/****_ProductID_**
The MSI product code for the application.
<a href="" id="msi-productid-version"></a>**MSI/*ProductID*/Version**
Version number. Value type is string. Supported operation is Get.
<a href="" id="msi-productid-name"></a>**MSI/*ProductID*/Name**
Name of the application. Value type is string. Supported operation is Get.
<a href="" id="msi-productid-publisher"></a>**MSI/*ProductID*/Publisher**
Publisher of application. Value type is string. Supported operation is Get.
<a href="" id="msi-productid-installpath"></a>**MSI/*ProductID*/InstallPath**
Installation path of the application. Value type is string. Supported operation is Get.
<a href="" id="msi-productid-installdate"></a>**MSI/*ProductID*/InstallDate**
Installation date of the application. Value type is string. Supported operation is Get.
<a href="" id="msi-productid-downloadinstall"></a>**MSI/*ProductID*/DownloadInstall**
Executes the download and installation of the application. Value type is string. Supported operations are Execute and Get.
<a href="" id="msi-productid-status"></a>**MSI/*ProductID*/Status**
Status of the application. Value type is string. Supported operation is Get.
| Status | Value |
|---------------------------|-------|
| Initialized | 10 |
| Download In Progress | 20 |
| Pending Download Retry | 25 |
| Download Failed | 30 |
| Download Completed | 40 |
| Pending User Session | 48 |
| Enforcement In Progress | 50 |
| Pending Enforcement Retry | 55 |
| Enforcement Failed | 60 |
| Enforcement Completed | 70 |
 
<a href="" id="msi-productid-lasterror"></a>**MSI/*ProductID*/LastError**
The last error code during the application installation process. This is typically stored as an HRESULT format. Depending on what was occurring when the error happened, this could be the result of executing MSIExec.exe or the error result from an API that failed.
Value type is string. Supported operation is Get.
<a href="" id="msi-productid-lasterrordesc"></a>**MSI/*ProductID*/LastErrorDesc**
Contains the last error code description. The LastErrorDesc value is looked up for the matching LastError value. Sometimes there is no LastErrorDesc returned.
Value type is string. Supported operation is Get.
<a href="" id="msi-upgradecode"></a>**MSI/UpgradeCode**
Added in the March service release of Windows 10, version 1607.
<a href="" id="msi-upgradecode"></a>**MSI/UpgradeCode/_Guid_**
Added in the March service release of Windows 10, version 1607. A gateway (or device management server) uses this method to detect matching upgrade MSI product when a Admin wants to update an existing MSI app. If the same upgrade product is installed, then the update is allowed.
Value type is string. Supported operation is Get.
## Examples
**SyncML to request CSP version information**
``` syntax
<SyncML xmlns="SYNCML:SYNCML1.1">
<SyncBody>
<Get>
<CmdID>12345</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseDesktopAppManagement?prop=Type</LocURI>
</Target>
</Item>
</Get>
<Final/>
</SyncBody>
</SyncML>
```
The following table describes the fields in the previous sample:
| Name | Description |
|--------|-------------------------------------------------------------------------------------------------------------------------------|
| Get | Operation being performed. The Get operation is a request to return information. |
| CmdID | Input value used to reference the request. Responses will include this value which can be used to match request and response. |
| LocURI | Path to Win32 CSP command processor. |
 
**SyncML to perform MSI operations for application uninstall**
``` syntax
<SyncML xmlns="SYNCML:SYNCML1.1">
<SyncBody>
<Delete>
<CmdID>12345</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/%7B1803A630-3C38-4D2B-9B9A-0CB37243539C%7D</LocURI>
</Target>
</Item>
</Delete>
<Final/>
</SyncBody>
</SyncML>
```
The following table describes the fields in the previous sample:
| Name | Description |
|--------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Delete | Operation being performed. The Delete operation is a request to delete the CSP node that represents the specified MSI installed application and to perform and uninstall of the application as part of the process. |
| CmdID | Input value used to reference the request. Responses will include this value which can be used to match request and response. |
| LocURI | Path to Win32 CSP command processor, including the Product ID (in this example, 1803A630-3C38-4D2B-9B9A-0CB37243539C) property escaped for XML formatting. |
 
**SyncML to perform MSI operations for application status reporting**
``` syntax
<SyncML xmlns="SYNCML:SYNCML1.1">
<SyncBody>
<Get>
<CmdID>12345</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/%7B1803A630-3C38-4D2B-9B9A-0CB37243539C%7D</LocURI>
</Target>
</Item>
</Get>
<Final/>
</SyncBody>
</SyncML>
```
The following table describes the fields in the previous sample:
| Name | Description |
|--------|------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Get | Operation being performed. The Get operation is a request to report the status of the specified MSI installed application. |
| CmdID | Input value used to reference the request. Responses will include this value which can be used to match request and response. |
| LocURI | Path to Win32 CSP command processor, including the Product ID (in this example, 1803A630-3C38-4D2B-9B9A-0CB37243539C) property escaped for XML formatting. |
 
**SyncML to perform MSI install operations for an application targeted to a specific user on the device. The Add command is required to preceed the Exec command.**
``` syntax
<SyncML xmlns="SYNCML:SYNCML1.1">
<SyncBody>
<Add>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/%7B1803A630-3C384D2B-9B9A-0CB37243539C%7D/DownloadInstall</LocURI>
</Target>
</Item>
</Add>
<Exec>
<CmdID>6</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/%7B1803A630-3C38-4D2B-9B9A-0CB37243539C%7D/DownloadInstall</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">xml</Format>
<Type xmlns="syncml:metinf">text/plain</Type>
</Meta>
<Data>
<MsiInstallJob id="{9BD4F7CD-880A-40B5-B74C-1BEECB51E596}">
<Product Version="1.0.0">
<Download>
<ContentURLList>
<ContentURL>
http://bcl-w2k12r2-vm/testapps/msi/reboot/reboot.msi
</ContentURL>
<ContentURL>https://dp2.com/packages/myApp.msi</ContentURL>
</ContentURLList>
</Download>
<Validation>
<FileHash>134D8F1F7C3C036DC3DCDA9F97515C8C7951DB154B73365C9C22962BD23E3EB3</FileHash>
</Validation>
<Enforcement>
<CommandLine>/quiet</CommandLine>
<TimeOut>5</TimeOut>
<RetryCount>3</RetryCount>
<RetryInterval>5</RetryInterval>
</Enforcement>
</Product>
</MsiInstallJob>
</Data>
</Item>
</Exec>
<Final/>
</SyncBody>
</SyncML>
```
The following table describes the fields in the previous sample:
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Name</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td>Add</td>
<td>This is required to precede the Exec command.
<ul>
<li>CmdID - Input value used to reference the request. Reponses includes this value, which can be use to match the request and response.</li>
<li>LocURI - Path to Win32 CSP command processor, including the Product ID (in this example, 1803A630-3C38-4D2B-9B9A-0CB37243539C) property escaped for XML formatting.</li>
</ul></td>
</tr>
<tr class="even">
<td>Exec</td>
<td>The Exec node includes the parameters and properties requires to locate, download, validate and perform product installation.
<ul>
<li>CmdID - Input value used to reference the request. Responses will include this value which can be used to match request and response.</li>
<li>LocURI - Path to Win32 CSP command processor, including the Product ID (in this example, 1803A630-3C38-4D2B-9B9A-0CB37243539C) property escaped for XML formatting.</li>
<li>Data - The Data node contains an embedded XML, of type “MsiInstallJob”</li>
<li>MsiInstallJob - Contains all information required for the successful download, validation and execution of the MSI installation process (see section at the end of this document for details on this embedded data object).</li>
</ul></td>
</tr>
</tbody>
</table>
 
> **Note**  Information status on the MSI job will be reported using standard OMA-DM notification mechanism. The status reported is represented using standard MSIEXEC return codes as HRESULT as defined in the MSIEXEC topic on Microsoft TechNet at <https://technet.microsoft.com/library/cc759262(v=ws.10).aspx>.
 
**SyncML to perform MSI install operations for an application targeted to all users on the device (per-device installation)**
``` syntax
<SyncML xmlns="SYNCML:SYNCML1.1">
<SyncBody>
<Add>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Device /Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/%7B6F7CB29F-1319-4816-B345-0856916EB801%7D/DownloadInstall
</LocURI>
</Target>
</Item>
</Add>
<Exec>
<CmdID>67890</CmdID>
<Item>
<Target>
<LocURI>./Device /Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/%7B6F7CB29F-1319-4816-B345-0856916EB801%7D/DownloadInstall</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">xml</Format>
<Type xmlns="syncml:metinf">text/plain</Type>
</Meta>
<Data>
<MsiInstallJob id="{9BD4F7CD-880A-40B5-B74C-1BEECB51E596}">
<Product Version="1.0.0">
<Download>
<ContentURLList>
<ContentURL>http://bcl-w2k12r2-vm/testapps/msi/Orca/Orca.msi</ContentURL>
<ContentURL>https://dp2.com/packages/myApp.msi</ContentURL>
</ContentURLList>
</Download>
<Validation>
<FileHash>4525065777EF18B9444ABF71DD4B48E5F64F4F0E1E029995FB8DA441CDE4296E</FileHash>
</Validation>
<Enforcement>
<CommandLine>/quiet</CommandLine>
<TimeOut>5</TimeOut>
<RetryCount>3</RetryCount>
<RetryInterval>5</RetryInterval>
</Enforcement>
</Product>
</MsiInstallJob>
</Data>
</Item>
</Exec>
<Final/>
</SyncBody>
</SyncML>
```
The following table MsiInstallJob describes the schema elements.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Element</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td>MsiInstallJob</td>
<td>root element
<p>&quot;Attribute: &quot;id - the application identifier of the application being installed</p></td>
</tr>
<tr class="even">
<td>Product</td>
<td>child element of MsiInstallJob
<p>Attribute: “Version” string representation of application version</p></td>
</tr>
<tr class="odd">
<td>Download</td>
<td>child element of Product. Container for download configuration information.</td>
</tr>
<tr class="even">
<td>ContentURLList</td>
<td>child element of Download. Contains list of 1 or more content download URL locators in the form of ContentURL elements.</td>
</tr>
<tr class="odd">
<td>ContentURL</td>
<td>Location content should be downloaded from. Must be a property formatted URL that points to the .MSI file.</td>
</tr>
<tr class="even">
<td>Validation</td>
<td>Contains information used to validate contend authenticity. • FileHash SHA256 hash value of file content</td>
</tr>
<tr class="odd">
<td>FileHash</td>
<td>SHA256 hash value of file content</td>
</tr>
<tr class="even">
<td>Enforcement</td>
<td>installation properties to be used when installing this MSI</td>
</tr>
<tr class="odd">
<td>CommandLine</td>
<td>Command-line options to be used when calling MSIEXEC.exe</td>
</tr>
<tr class="even">
<td>Timeout</td>
<td>Amount of time, in minutes that the installation process can run before the installer considers the installation may have failed and no longer monitors the installation operation.</td>
</tr>
<tr class="odd">
<td>RetryCount</td>
<td>The number of times the download and installation operation will be retried before the installation will be marked as failed.</td>
</tr>
<tr class="even">
<td>RetryInterval</td>
<td>Amount of time, in minutes between retry operations.</td>
</tr>
</tbody>
</table>
 
Here is an example of a common response to a request
``` syntax
<?xml version="1.0" encoding="utf-16"?>
<SyncML>
<SyncHdr />
<SyncBody>
<Status>
<CmdID>12345</CmdID>
<MsgRef>1</MsgRef>
<CmdRef>0</CmdRef>
<Cmd>SyncHdr</Cmd>
<Data>200</Data>
</Status>
<Status>
<CmdID>67890</CmdID>
<MsgRef>1</MsgRef>
<CmdRef>1</CmdRef>
<Cmd>Add</Cmd>
<Data>200</Data>
</Status>
<Final />
</SyncBody>
</SyncML>
```
## How to determine which installation context to use for an MSI package
The following tables shows how app targeting and MSI package type (per-user, per machine, or dual mode) are installed in the client.
For Intune standalone environment, the MSI package will determine the MSI execution context.
<table>
<colgroup>
<col width="25%" />
<col width="25%" />
<col width="25%" />
<col width="25%" />
</colgroup>
<thead>
<tr class="header">
<th>Target</th>
<th>Per-user MSI</th>
<th>Per-machine MSI</th>
<th>Dual mode MSI</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td>User</td>
<td>Install the MSI per-user
<p>LocURI contains a User prefix, such as ./User</p></td>
<td>Install the MSI per-device
<p>LocURI contains a Device prefix, such as ./Device</p></td>
<td>Install the MSI per-user
<p>LocURI contains a User prefix, such as ./User</p></td>
</tr>
<tr class="even">
<td>System</td>
<td>Install the MSI per-user
<p>LocURI contains a User prefix, such as ./User</p></td>
<td>Install the MSI per-device
<p>LocURI contains a Device prefix, such as ./Device</p></td>
<td>Install the MSI per-user
<p>LocURI contains a User prefix, such as ./User</p></td>
</tr>
</tbody>
</table>
 
The following table applies to SCCM hybrid environment.
<table>
<colgroup>
<col width="25%" />
<col width="25%" />
<col width="25%" />
<col width="25%" />
</colgroup>
<thead>
<tr class="header">
<th>Target</th>
<th>Per-user MSI</th>
<th>Per-machine MSI</th>
<th>Dual mode MSI</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td>User</td>
<td>Install the MSI per-user
<p>LocURI contains a User prefix, such as ./User</p></td>
<td>Install the MSI per-device
<p>LocURI contains a Device prefix, such as ./Device</p></td>
<td>Install the MSI per-user
<p>LocURI contains a User prefix, such as ./User</p></td>
</tr>
<tr class="even">
<td>System</td>
<td>Install the MSI per-user
<p>LocURI contains a User prefix, such as ./User</p></td>
<td>Install the MSI per-device
<p>LocURI contains a Device prefix, such as ./Device</p></td>
<td>Install the MSI per- system context
<p>LocURI contains a Device prefix, such as ./Device</p></td>
</tr>
</tbody>
</table>
 
## How to determine the package type from the MSI package
- ALLUSERS="" - per-user package type
- ALLUSERS=1 - per-machine package type
- ALLUSERS=2, MSIINSTALLPERUSER=1 - dual mode package type
Properties can be specified in the package, passed through the command line, modified by a transform, or (more commonly) selected through a user interface dialog.
Here's a list of references:
- [Using Windows Installer](https://technet.microsoft.com/library/cc782896.aspx)
- [Authoring a single package for Per-User or Per-Machine Installation context in Windows 7](http://blogs.msdn.com/b/windows_installer_team/archive/2009/09/02/authoring-a-single-package-for-per-user-or-per-machine-installation-context-in-windows-7.aspx)
- SyncML Representation Protocol, Draft Version 1.3 - 27 Aug 2009 (OMA-TS-SyncML\_RepPro-V1\_3-20090827-D)
## Alert example
``` syntax
<Alert>
<CmdID>4</CmdID>
<Data>1224</Data>
<Item>
<Source>
<LocURI>./Device/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/{AF9257BA-6BBD-4624-AA9B-0182D50292C3}/DownloadInstall</LocURI>
</Source>
<Meta>
<Type xmlns="syncml:metinf">Reversed-Domain-Name:com.microsoft.mdm.win32csp_install</Type>
<Format xmlns="syncml:metinf">int</Format>
<Mark xmlns="syncml:metinf">informational</Mark>
</Meta>
<Data>0</Data>
</Item>
</Alert>
```
 
 

372
windows/client-management/mdm/enterprisedesktopappmanagement-ddf-file.md Normal file
View File

@ -0,0 +1,372 @@
---
title: EnterpriseDesktopAppManagement DDF
description: This topic shows the OMA DM device description framework (DDF) for the EnterpriseDesktopAppManagement configuration service provider.
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: EF448602-65AC-4D59-A0E8-779876542FE3
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# EnterpriseDesktopAppManagement DDF
This topic shows the OMA DM device description framework (DDF) for the **EnterpriseDesktopAppManagement** configuration service provider.
DDF files are used only with OMA DM provisioning XML.
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>EnterpriseDesktopAppManagement</NodeName>
<Path>./Device/Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>com.microsoft/1.0/MDM/EnterpriseDesktopAppManagement</MIME>
</DFType>
</DFProperties>
<Node>
<NodeName>MSI</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Product Type is MSI</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
</AccessType>
<Description>MSI product code for Threshold</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrMore />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFTitle>ProductID</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Version</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>MSI Product Version</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Name</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Publisher</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>InstallPath</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>InstallDate</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>DownloadInstall</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Exec />
<Get />
</AccessType>
<Description>Method to download and install an MSI app</Description>
<DFFormat>
<xml />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Status</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>LastError</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>LastErrorDesc</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>UpgradeCode</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<CaseSense>
<CS />
</CaseSense>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<OneOrMore />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFTitle>Guid</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</Node>
</MgmtTree>
```
 
 

107
windows/client-management/mdm/enterprisedesktopappmanagement2-xsd.md Normal file
View File

@ -0,0 +1,107 @@
---
title: EnterpriseDesktopAppManagement XSD
description: This topic contains the XSD schema file for the EnterpriseDesktopAppManagement configuration service providers DownloadInstall parameter.
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: 60980257-4F48-4A68-8E8E-1EF0A3F090E2
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# EnterpriseDesktopAppManagement XSD
This topic contains the XSD schema file for the EnterpriseDesktopAppManagement configuration service providers DownloadInstall parameter.
``` syntax
<?xml version="1.0" encoding="utf-8"?>
<xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
<xs:element name="Data">
<xs:complexType>
<xs:sequence>
<xs:element name="MsiInstallJob">
<xs:complexType>
<xs:sequence>
<xs:element name="Product">
<xs:complexType>
<xs:sequence>
<xs:element name="Download">
<xs:complexType>
<xs:sequence>
<xs:element name="ContentURLList">
<xs:complexType>
<xs:sequence>
<xs:element maxOccurs="unbounded" name="ContentURL" type="xs:string" />
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="Validation">
<xs:complexType>
<xs:sequence>
<xs:element name="FileHash" type="xs:string" />
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="Enforcement">
<xs:complexType>
<xs:sequence>
<xs:element name="CommandLine" type="xs:string" />
<xs:element name="TimeOut" type="xs:unsignedByte" />
<xs:element name="RetryCount" type="xs:unsignedByte" />
<xs:element name="RetryInterval" type="xs:unsignedByte" />
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:sequence>
<xs:attribute name="Version" type="xs:string" use="required" />
</xs:complexType>
</xs:element>
</xs:sequence>
<xs:attribute name="id" type="xs:string" use="required" />
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:schema>
```
The following table describes the various elements and attributes of the XSD file:
 
| Name | Description |
|----------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| MsiInstallJob | Root element |
| id | The application identifier for the application being installed. |
| Product | Child element of MsiInstallJob |
| Version | String representation of the application version |
| Download | Child element of Product. Container for download configuration information. |
| ContentURLList | Child element of Download. Contains list of one or more content download URL locators in the form of ContentURL elements. |
| ContentURL | Location that content should be downloaded from. Must be a property formatted URL that points to the MSI file. |
| Validation | Contains information used to validate content authenticity. |
| FileHash | SHA256 hash value of file content. |
| Enforcement | Installation properties to be used when installing this MSI |
| CommandLine | Command-line options to be used when calling MSIEXEC.exe |
| Timeout | Amount of time in minutes that the installation process can run before the installer considers the installation may have failed and no longer monitors the installation operation. |
| RetryCount | Number of times the download and installation operation will be retried before the installation will be marked as failed. |
| RetryInterval | Amount of time in minutes between retry operations. |
 
 
 

373
windows/client-management/mdm/enterpriseext-csp.md Normal file
View File

@ -0,0 +1,373 @@
---
title: EnterpriseExt CSP
description: EnterpriseExt CSP
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: ACA5CD79-BBD5-4DD1-86DA-0285B93982BD
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# EnterpriseExt CSP
The EnterpriseExt configuration service provider allows OEMs to set their own unique ID for their devices, set display brightness values, and set the LED behavior.
> **Note**   The EnterpriseExt CSP is only supported in Windows 10 Mobile.
 
The following diagram shows the EnterpriseExt configuration service provider in tree format as used by both the Open Mobile Alliance (OMA) Device Management (DM) and OMA Client Provisioning.
![enterpriseext csp](images/provisioning-csp-enterpriseext.png)
The following list shows the characteristics and parameters.
<a href="" id="--vendor-msft-enterpriseext"></a>**./Vendor/MSFT/EnterpriseExt**
The root node for the EnterpriseExt configuration service provider. Supported operations is Get.
<a href="" id="devicecustomdata"></a>**DeviceCustomData**
Node for setting the custom device ID and string.
<a href="" id="devicecustomdata-customid"></a>**DeviceCustomData/CustomID**
Any string value as the device ID. This value appears in **Settings** &gt; **About** &gt; **Info**.
Here's an example for getting custom data.
``` syntax
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Get>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseExt/DeviceCustomData/CustomID</LocURI>
</Target>
</Item>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseExt/DeviceCustomData/CustomString</LocURI>
</Target>
</Item>
</Get>
<Final/>
</SyncBody>
</SyncML>
```
<a href="" id="devicecustomdata-customstring"></a>**DeviceCustomData/CustomString**
Any string value that is associated with the device.
Here's an example for setting custom data.
``` syntax
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseExt/DeviceCustomData/CustomID</LocURI>
</Target>
<Data>urn:uuid:130CCE0D-0187-5866-855A-DE7406F76046</Data>
</Item>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseExt/DeviceCustomData/CustomString</LocURI>
</Target>
<Data>{"firstName":"John","lastName":"Doe"}</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
```
<a href="" id="brightness"></a>**Brightness**
Node for setting device brightness values.
<a href="" id="brightness-default"></a>**Brightness/Default**
Default display brightness value. For example, you can maximize battery life by reducing the default value or set it to medium in a facility that is generally darker.
The valid values are:
- Automatic - the device determines the brightness
- Low
- Medium
- High
The supported operations are Get and Replace.
Here's an example for getting the current default value.
``` syntax
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Get>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseExt/Brightness/Default</LocURI>
</Target>
</Item>
</Get>
<Final/>
</SyncBody>
</SyncML>
```
Here's an example for setting the default value to medium.
``` syntax
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseExt/Brightness/Default</LocURI>
</Target>
<Data>medium</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
```
<a href="" id="brightness-maxauto"></a>**Brightness/MaxAuto**
Maximum display brightness value when the device is set to automatic mode. The device brightness will never be higher than the MaxAuto value. The value values are:
- Low
- Medium
- High
The supported operations are Get and Replace.
Here's an example for setting the maximum auto-brightness to medium.
``` syntax
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseExt/Brightness/MaxAuto</LocURI>
</Target>
<Data>medium</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
```
<a href="" id="ledalertnotification"></a>**LedAlertNotification**
Node for setting LED behavior of the device.
<a href="" id="ledalertnotification-state"></a>**LedAlertNotification/State**
LED state. The valid values are:
- 0 - off
- 1 - on
- 2 - blink
Example: LED On
``` syntax
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>3</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseExt/LedAlertNotification/Intensity</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>100</Data>
</Item>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseExt/LedAlertNotification/State</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>1</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
```
Example: LED Off
``` syntax
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>3</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseExt/LedAlertNotification/State</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>0</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
```
<a href="" id="ledalertnotification-intensity"></a>**LedAlertNotification/Intensity**
Intensity of the LED brightness. You can set the value between 1 - 100.
Example: LED blink
``` syntax
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>3</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseExt/LedAlertNotification/Period</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>500</Data>
</Item>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseExt/LedAlertNotification/Dutycycle</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>70</Data>
</Item>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseExt/LedAlertNotification/Intensity</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>100</Data>
</Item>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseExt/LedAlertNotification/Cyclecount</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>543210</Data>
</Item>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseExt/LedAlertNotification/State</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>2</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
```
<a href="" id="ledalertnotification-period"></a>**LedAlertNotification/Period**
Duration of each blink, which is the time of ON + OFF. The value is in milliseconds. This is valid only for blink.
<a href="" id="ledalertnotification-dutycycle"></a>**LedAlertNotification/DutyCycle**
LED ON duration during one blink cycle. You can set the value between 1 - 100. This is valid only for blink.
<a href="" id="ledalertnotification-cyclecount"></a>**LedAlertNotification/Cyclecount**
Number of blink cycles. The data type is a 4-byte signed integer. Any negative value or zero results in an error. This node is only valid for blink.
<a href="" id="devicereboot"></a>**DeviceReboot**
Removed in Windows 10.
<a href="" id="devicereboot-waittime"></a>**DeviceReboot/WaitTime**
Removed in Windows 10.
<a href="" id="maintenancewindow"></a>**MaintenanceWindow**
Removed in Windows 10.
<a href="" id="maintenancewindow-maintenanceallowed"></a>**MaintenanceWindow/MaintenanceAllowed**
Removed in Windows 10.
<a href="" id="maintenancewindow-mwmandatory"></a>**MaintenanceWindow/MWMandatory**
Removed in Windows 10.
<a href="" id="maintenancewindow-schedulexml"></a>**MaintenanceWindow/ScheduleXML**
Removed in Windows 10.
<a href="" id="maintenancewindow-mwnotificationduration"></a>**MaintenanceWindow/MWNotificationDuration**
Removed in Windows 10.
<a href="" id="maintenancewindow-mwminimumduration"></a>**MaintenanceWindow/MWminimumDuration**
Removed in Windows 10.
<a href="" id="deviceupdate"></a>**DeviceUpdate**
Removed in Windows 10.
<a href="" id="deviceupdate-datetimestamp"></a>**DeviceUpdate/DateTimeStamp**
Removed in Windows 10.
<a href="" id="deviceupdate-updateresultxml"></a>**DeviceUpdate/UpdateResultXml**
Removed in Windows 10.
<a href="" id="mdm"></a>**MDM**
Removed in Windows 10.
<a href="" id="mdm-server"></a>**MDM/Server**
Removed in Windows 10.
<a href="" id="mdm-username"></a>**MDM/Username**
Removed in Windows 10.
<a href="" id="mdm-password"></a>**MDM/Password**
Removed in Windows 10.
<a href="" id="mdm-enabledeviceenrollment"></a>**MDM/EnableDeviceEnrollment**
Removed in Windows 10.
<a href="" id="pfx"></a>**Pfx**
Removed in Windows 10.
<a href="" id="disableenterprisevalidation"></a>**DisableEnterpriseValidation**
Removed in Windows 10.
 
 
10/10/2016

320
windows/client-management/mdm/enterpriseext-ddf.md Normal file
View File

@ -0,0 +1,320 @@
---
title: EnterpriseExt DDF
description: EnterpriseExt DDF
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: 71BF81D4-FBEC-4B03-BF99-F7A5EDD4F91B
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# EnterpriseExt DDF
This topic shows the OMA DM device description framework (DDF) for the **EnterpriseExt** configuration service provider. DDF files are used only with OMA DM provisioning XML.
You can download the Windows 10 version 1607 DDF files from [here](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip).
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>EnterpriseExt</NodeName>
<Path>./Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>DeviceCustomData</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
<Add />
<Delete />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>CustomID</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>CustomString</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>Brightness</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
<Add />
<Delete />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Default</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>MaxAuto</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>LedAlertNotification</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
<Add />
<Delete />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>State</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Intensity</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Period</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>DutyCycle</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Cyclecount</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</MgmtTree>
```
 
 

130
windows/client-management/mdm/enterpriseextfilessystem-csp.md Normal file
View File

@ -0,0 +1,130 @@
---
title: EnterpriseExtFileSystem CSP
description: EnterpriseExtFileSystem CSP
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: F773AD72-A800-481A-A9E2-899BA56F4426
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# EnterpriseExtFileSystem CSP
The EnterpriseExtFileSystem configuration service provider (CSP) allows IT administrators to add, retrieve, or change files in the file system through the Mobile Device Management (MDM) service. For example, you can use this configuration service provider to push a provisioning XML file or a new lock screen background image file to a device through the MDM service, and also retrieve logs from the device in the enterprise environment.
> **Note**  The EnterpriseExtFileSystem CSP is only supported in Windows 10 Mobile.
 
File contents are embedded directly into the syncML message, so there is a limit to the size of the file that can be retrieved from the device. The default limit is 0x100000 (1 MB). You can configure this limit by using the following registry key: **Software\\Microsoft\\Provisioning\\CSPs\\.\\Vendor\\MSFT\\EnterpriseExtFileSystem\\MaxFileReadSize**.
The following diagram shows the EnterpriseExtFileSystem configuration service provider in tree format as used by the Open Mobile Alliance (OMA) Device Management (DM).
![enterpriseextfilesystem csp](images/provisioning-csp-enterpriseextfilesystem.png)
The following list describes the characteristics and parameters.
<a href="" id="--vendor-msft-enterpriseextfilesystem"></a>**./Vendor/MSFT/EnterpriseExtFileSystem**
<p style="margin-left: 25px">The root node for the EnterpriseExtFileSystem configuration service provider. Supported operations are Add and Get.</p>
<a href="" id="persistent"></a>**Persistent**
<p style="margin-left: 25px">The EnterpriseExtFileSystem CSP allows an enterprise to read, write, delete and list files in this folder. When an app writes data to the Persistent folder, it accesses that data from the EnterpriseExtFileSystem\\Persistent node. Files written to the Persistent folder persists over ordinary power cycles.</p>
> **Important**  There is a limit to the amount of data that can be persisted, which varies depending on how much disk space is available on one of the partitions. This data cap amount (that can be persisted) varies by manufacturer.
 
> **Note**   When the IT admin triggers a **doWipePersistProvisionedData** action using [RemoteWipe CSP](remotewipe-csp.md), items stored in the Persistent folder are persisted over wipe and restored when the device boots again. The contents are not persisted if a **doWipe** action is triggered.
 
<a href="" id="nonpersistent"></a>**NonPersistent**
<p style="margin-left: 25px">The EnterpriseExtFileSystem CSP allows an enterprise to read, write, delete and list files in this folder. When an app writes data to the Non-Persistent folder, it accesses that data from the EnterpriseExtFileSystem\\NonPersistent node. Files written to the NonPersistent folder will persist over ordinary power cycles.</p>
<p style="margin-left: 25px">When the device is wiped, any data stored in the NonPersistent folder is deleted.</p>
<a href="" id="oemprofile"></a>**OemProfile**
<p style="margin-left: 25px">Added in Windows 10, version 1511. The EnterpriseExtFileSystem CSP allows an enterprise to deploy an OEM profile on the device, such as a barcode scanner profile then can be consumed by the OEM barcode scanner driver. The file is placed into the \\data\\shareddata\\oem\\public\\profile\\ folder of the device.</p>
<a href="" id="directory"></a>***Directory***
<p style="margin-left: 25px">The name of a directory in the device file system. Any *Directory* node can have directories and files as child nodes.</p>
<p style="margin-left: 25px">Use the Add command to create a new directory. You cannot use it to add a new directory under a file system root.</p>
<p style="margin-left: 25px">Use the Get command to return the list of child node names under *Directory*.</p>
<p style="margin-left: 25px">Use the Get command with ?List=Struct to recursively return all child node names, including subdirectory names, under *Directory*.</p>
<a href="" id="filename"></a>***Filename***
<p style="margin-left: 25px">The name of a file in the device file system.</p>
Supported operations is Get.
## OMA DM examples
The following example shows how to retrieve a file from the device.
``` syntax
<Get>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseExtFileSystem/Persistent/file.txt</LocURI>
</Target>
</Item>
</Get>
```
The following example shows the file name that is returned in the body of the response syncML code. In this example, the full path of the file on the device is C:/data/test/bin/filename.txt.
``` syntax
<Results>
<CmdID>3</CmdID>
<MsgRef>1</MsgRef>
<CmdRef>2</CmdRef>
<Item>
<Source>
<LocURI>./Vendor/MSFT/EnterpriseExtFileSystem/Persistent/filename.txt</LocURI>
</Source>
<Meta>
<Format xmlns="syncml:metinf">b64</Format>
<Type xmlns="syncml:metinf">application/octet-stream</Type>
</Meta>
<Data>aGVsbG8gd29ybGQ=</Data>
</Item>
</Results>
```
The following example shows how to push a file to the device.
``` syntax
<Add>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseExtFileSystem/Persistent/new.txt</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">b64</Format>
<Type xmlns="syncml:metinf">application/octet-stream</Type>
</Meta>
<Data>aGVsbG8gd29ybGQ=</Data>
</Item>
</Add>
```
 
 

273
windows/client-management/mdm/enterpriseextfilesystem-ddf.md Normal file
View File

@ -0,0 +1,273 @@
---
title: EnterpriseExtFileSystem DDF
description: EnterpriseExtFileSystem DDF
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: 2D292E4B-15EE-4AEB-8884-6FEE8B92D2D1
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# EnterpriseExtFileSystem DDF
This topic shows the OMA DM device description framework (DDF) for the **EnterpriseExtFileSystem** configuration service provider. DDF files are used only with OMA DM provisioning XML.
You can download the Windows 10 version 1607 DDF files from [here](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip).
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>EnterpriseExtFileSystem</NodeName>
<Path>./Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Persistent</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Files_abc1</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<b64 />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Files</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Directory_abc2</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Directory</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>NonPersistent</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Files_abc3</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Files</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Directory_abc4</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Directory</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>OemProfile</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Directory_abc5</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Directory</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Files_abc6</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Files</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</MgmtTree>
```
## Related topics
[EnterpriseExtFileSystem configuration service provider](enterpriseextfilessystem-csp.md)
 
 

529
windows/client-management/mdm/enterprisemodernappmanagement-csp.md Normal file
View File

@ -0,0 +1,529 @@
---
title: EnterpriseModernAppManagement CSP
description: EnterpriseModernAppManagement CSP
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: 9DD0741A-A229-41A0-A85A-93E185207C42
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# EnterpriseModernAppManagement CSP
The EnterpriseModernAppManagement configuration service provider (CSP) is used for the provisioning and reporting of modern enterprise apps. For details about how to use this CSP to for reporting apps inventory, installation and removal of apps for users, provisioning apps to devices, and managing app licenses, see [Enterprise app management](enterprise-app-management.md).
> [!Note]
> Windows Holographic only supports per-user configuration of the EnterpriseModernAppManagement CSP.
The following image shows the EnterpriseModernAppManagement configuration service provider in tree format.
![enterprisemodernappmanagement csp diagram](images/provisioning-csp-enterprisemodernappmanagement.png)
<a href="" id="device-or-user-context"></a>**Device or User context**
<p style="margin-left: 20px">For user context, use **./User/Vendor/MSFT** path and for device context, use **./Device/Vendor/MSFT** path.
> [!Note]
> Windows Holographic and Windows 10 Mobile only support per-user configuration of the EnterpriseModernAppManagement CSP.
<a href="" id="appmanagement"></a>**AppManagement**
<p style="margin-left: 20px">Required. Used for inventory and app management (post-install).
<a href="" id="appmanagement-updatescan"></a>**AppManagement/UpdateScan**
<p style="margin-left: 20px">Required. Used to start the Windows Update scan.
<p style="margin-left: 20px">Supported operation is Execute.
<a href="" id="appmanagement-lastscanerror"></a>**AppManagement/LastScanError**
<p style="margin-left: 20px">Required. Reports the last error code returned by the update scan.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="appmanagement-appinventoryresults"></a>**AppManagement/AppInventoryResults**
<p style="margin-left: 20px">Added in Windows 10, version 1511. Required. Returns the results for app inventory that was created after the AppInventoryQuery operation.
<p style="margin-left: 20px">Supported operation is Get.
<p style="margin-left: 20px">Here's an example of AppInventoryResults operation.
``` syntax
<Get>
<CmdID>11</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppInventoryResults</LocURI>
</Target>
</Item>
</Get>
```
<a href="" id="appmanagement-appinventoryquery"></a>**AppManagement/AppInventoryQuery**
<p style="margin-left: 20px">Added in Windows 10, version 1511. Required. Specifies the query for app inventory.
<p style="margin-left: 20px">Query parameters:
- Output - Specifies the parameters for the information returned in AppInventoryResults operation. Mutiple value must be separate by |. Valid values are:
- PackagesName - returns the *PackageFamilyName* and *PackageFullName* of the app. Default if nothing is specified.
- PackageDetails - returns all inventory attributes of the package. This includes all information from PackageNames parameter, but does not validate RequiresReinstall.
- RequiredReinstall - Validates the app status of the apps in the inventory query to determine if they require a reinstallation. This attribute may impact system performance depending on the number of apps installed. Requiring reinstall occurs when resource package updates or when the app is in a tampered state.
- Source - specifies the app classification that aligns to the existing inventory nodes. You can use a specific filter or if no filter is specified then all sources will be returned. If no value is specified, all classifications are returned. Valid values are:
- AppStore - This classification is for apps that were acquired from Windows Store. These were apps directly installed from Windows Store or enterprise apps from Windows Store for Business.
- nonStore - This classification is for apps that were not acquired from the Windows Store.
- System - Apps that are part of the OS. You cannot uninstall these apps. This classification is read-only and can only be inventoried.
- PackageTypeFilter - Specifies one or multiple types of packages you can use to query the user or device. Multiple values must be separated by |. Valid values are:
- Main - returns the main installed package.
- Bundle - returns installed bundle packages.
- Framework - returns installed framework packages.
- Resource - returns installed resources packages. Resources are either language, scale, or DirectX resources. They are parts of a bundle.
- XAP - returns XAP package types.
- All - returns all package types.
If no value is specified, the combination of Main, Bundle, Framework, and XAP are returned.
- PackageFamilyName - specifies the name of a particular package. If you specify this parameter, it returns the Package Family name if the package contains this value.
If you do not specify this value, then all packages are returned.
- Publisher - specifies the publisher of a particular package. If you specify this parameter, it returns the publisher if the value exists in the Publisher field.
If you do not specify this value, then all publishers are returned.
<p style="margin-left: 20px">Supported operation is Get and Replace.
<p style="margin-left: 20px">The following example sets the inventory query for the package names and checks the status for reinstallation for all main packages that are nonStore apps.
``` syntax
<Replace>
<CmdID>10</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppInventoryQuery</LocURI>
</Target>
<Meta><Format xmlns="syncml:metinf">xml</Format></Meta>
<Data><Inventory Output="PackageNames|RequiresReinstall" Source="nonStore" PackageTypeFilter="Main" /></Data>
</Item>
</Replace>
```
<a href="" id="appmanagement-removepackage"></a>**AppManagement/RemovePackage**
<p style="margin-left: 20px">Added in Windows 10, version 1703. Used to remove packages.
<p style="margin-left: 20px">Parameters:
<ul>
<li>Package
<ul>
<li>Name: Specifies the PackageFullName of the particular package to remove.</li>
<li>RemoveForAllUsers:
<ul>
<li>0 (default) Package will be un-provisioned so that new users do not receive the package. The package will remain installed for current users.</li>
<li>1 Package will be removed for all users.</li>
</ul>
</li>
</ul>
</li>
<li>User (optional): Specifies the SID of the particular user for whom to remove the package; only the package for the specified user can be removed. Not required for ./User/Vendor/MSFT.</li>
</ul>
<p style="margin-left: 20px">Supported operation is Execute.
<p style="margin-left: 20px">The following example removes a package for the specified user:
```XML
<Exec>
<CmdID>10</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/RemovePackage</LocURI>
</Target>
<Meta><Format xmlns="syncml:metinf">xml</Format></Meta>
<Data>
<Package Name= "{PackageFullName}"/>
</Data>
</Item>
</Exec>
```
<p style="margin-left: 20px">The following example removes a package for all users:
````XML
<Exec>
<CmdID>10</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/RemovePackage</LocURI>
</Target>
<Meta><Format xmlns="syncml:metinf">xml</Format></Meta>
<Data>
<Package Name="{PackageFullName}" RemoveForAllUsers=1 />
</Data>
</Item>
</Exec>
````
<a href="" id="appmanagement-nonstore"></a>**AppManagement/nonStore**
<p style="margin-left: 20px">Used to manage enterprise apps or developer apps that were not acquired from the Windows Store.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="appmanagement-system"></a>**AppManagement/System**
<p style="margin-left: 20px">Reports apps installed as part of the operating system.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="appmanagement-appstore"></a>**AppManagement/AppStore**
<p style="margin-left: 20px">Required. Used for managing apps from the Windows Store.
<p style="margin-left: 20px">Supported operations are Get and Delete.
<a href="" id="----packagefamilyname"></a>**.../****_PackageFamilyName_**
<p style="margin-left: 20px">Optional. Package family name (PFN) of the app. There is one for each PFN on the device when reporting inventory. These items are rooted under their signing origin.
<p style="margin-left: 20px">Supported operations are Get and Delete.
> [!Note]
> XAP files use a product ID in place of PackageFamilyName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}.
<p style="margin-left: 20px">Here's an example for uninstalling an app:
``` syntax
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<!-- Uninstall app -->
<delete>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/%7b12345678-9012-3456-7890-123456789012%7D</LocURI>
</Target>
</Item>
</delete>
<Final/>
</SyncBody>
</SyncML>
```
<a href="" id="----packagefamilyname-packagefullname"></a>**.../*PackageFamilyName*/****_PackageFullName_**
<p style="margin-left: 20px">Optional. Full name of the package installed.
<p style="margin-left: 20px">Supported operations are Get and Delete.
> [!Note]
> XAP files use a product ID in place of PackageFullName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}.
 
<a href="" id="----packagefamilyname-packagefullname-name"></a>**.../*PackageFamilyName*/*PackageFullName*/Name**
<p style="margin-left: 20px">Required. Name of the app. Value type is string.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="----packagefamilyname-packagefullname-version"></a>**.../*PackageFamilyName*/*PackageFullName*/Version**
<p style="margin-left: 20px">Required. Version of the app. Value type is string.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="----packagefamilyname-packagefullname-publisher"></a>**.../*PackageFamilyName*/*PackageFullName*/Publisher**
<p style="margin-left: 20px">Required. Publisher name of the app. Value type is string.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="----packagefamilyname-packagefullname-architecture"></a>**.../*PackageFamilyName*/*PackageFullName*/Architecture**
<p style="margin-left: 20px">Required. Architecture of installed package. Value type is string.
> [!Note]
> Not applicable to XAP files.
 
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="----packagefamilyname-packagefullname-installlocation"></a>**.../*PackageFamilyName*/*PackageFullName*/InstallLocation**
<p style="margin-left: 20px">Required. Install location of the app on the device. Value type is string.
> [!Note]
> Not applicable to XAP files.
 
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="----packagefamilyname-packagefullname-isframework"></a>**.../*PackageFamilyName*/*PackageFullName*/IsFramework**
<p style="margin-left: 20px">Required. Whether or not the app is a framework package. Value type is int. The value is 1 if the app is a framework package and 0 (zero) for all other cases.
> [!Note]
> Not applicable to XAP files.
 
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="----packagefamilyname-packagefullname-isbundle"></a>**.../*PackageFamilyName*/*PackageFullName*/IsBundle**
<p style="margin-left: 20px">Required. The value is 1 if the package is an app bundle and 0 (zero) for all other cases. Value type is int.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="----packagefamilyname-packagefullname-installdate"></a>**.../*PackageFamilyName*/*PackageFullName*/InstallDate**
<p style="margin-left: 20px">Required. Date the app was installed. Value type is string.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="----packagefamilyname-packagefullname-resourceid"></a>**.../*PackageFamilyName*/*PackageFullName*/ResourceID**
<p style="margin-left: 20px">Required. Resource ID of the app. This is null for the main app, ~ for a bundle, and contains resource information for resources packages. Value type is string.
> [!Note]
> Not applicable to XAP files.
 
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="----packagefamilyname-packagefullname-packagestatus"></a>**.../*PackageFamilyName*/*PackageFullName*/PackageStatus**
<p style="margin-left: 20px">Required. Provides information about the status of the package. Value type is int. Valid values are:
- OK (0) - The package is usable.
- LicenseIssue (1) - The license of the package is not valid.
- Modified (2) - The package payload was modified by an unknown source.
- Tampered (4) - The package payload was tampered intentionally.
- Disabled (8) - The package is not available for use. It can still be serviced.
> [!Note]
> Not applicable to XAP files.
 
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="----packagefamilyname-packagefullname-requiresreinstall"></a>**.../*PackageFamilyName*/*PackageFullName*/RequiresReinstall**
<p style="margin-left: 20px">Required. Specifies whether the package state has changed and requires a reinstallation of the app. This can occur when new app resources are required, such as when a device has a change in language preference or a new DPI. It can also occur of the package was corrupted. If the value is 1, reinstallation of the app is performed. Value type is int.
> [!Note]
> Not applicable to XAP files.
 
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="----packagefamilyname-packagefullname-users"></a>**.../*PackageFamilyName*/*PackageFullName*/Users**
<p style="margin-left: 20px">Required. Registered users of the app. If the query is at the device level, it returns all the registered users of the device. If you query the user context, it will only return the current user. Value type is string.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="----packagefamilyname-packagefullname-isprovisioned"></a>**.../*PackageFamilyName*/*PackageFullName*/IsProvisioned**
<p style="margin-left: 20px">Required. The value is 0 or 1 that indicates if the app is provisioned on the device. The value type is int.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="----packagefamilyname-donotupdate"></a>**.../*PackageFamilyName*/DoNotUpdate**
<p style="margin-left: 20px">Required. Specifies whether you want to block a specific app from being updated via auto-updates.
<p style="margin-left: 20px">Supported operations are Add, Get, Delete, and Replace.
<a href="" id="----packagefamilyname-appsettingpolicy---only-for---user-vendor-msft-"></a>**.../*PackageFamilyName*/AppSettingPolicy** (only for ./User/Vendor/MSFT)
<p style="margin-left: 20px">Added in Windows 10, version 1511. Interior node for all managed app setting values. This node is only supported in the user context.
<a href="" id="----packagefamilyname-appsettingpolicy-settingvalue---only-for---user-vendor-msft-"></a>**.../*PackageFamilyName*/AppSettingPolicy/****_SettingValue_** (only for ./User/Vendor/MSFT)
<p style="margin-left: 20px">Added in Windows 10, version 1511. The *SettingValue* and data represent a key value pair to be configured for the app. The node represents the name of the key and the data represents the value. You can find this value in LocalSettings in the Managed.App.Settings container.
<p style="margin-left: 20px">This setting only works for apps that support the feature and it is only supported in the user context.
<p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.
<p style="margin-left: 20px">The following example sets the value for the 'Server'
``` syntax
<!— Configure app settings -->
<Add>
<CmdID>0</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/AppSettingPolicy/Server</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>server1.contoso.com</Data>
</Item>
</Add>
```
<p style="margin-left: 20px">The following example gets all managed app settings for a specific app.
``` syntax
<!—Get app settings -->
<Get>
<CmdID>0</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/AppSettingPolicy?list=StructData</LocURI>
</Target>
</Item>
</Get>
```
<a href="" id="appinstallation"></a>**AppInstallation**
<p style="margin-left: 20px">Required node. Used to perform app installation.
<a href="" id="appinstallation-packagefamilyname"></a>**AppInstallation/****_PackageFamilyName_**
<p style="margin-left: 20px">Optional node. Package family name (PFN) of the app. There is one for each PFN on the device when reporting inventory. These items are rooted under their signing origin.
<p style="margin-left: 20px">Supported operations are Get and Add.
> [!Note]
> XAP files use a product ID in place of PackageFamilyName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}.
 
<a href="" id="appinstallation-packagefamilyname-storeinstall"></a>**AppInstallation/*PackageFamilyName*/StoreInstall**
<p style="margin-left: 20px">Required. Command to perform an install of an app and a license from the Windows Store.
<p style="margin-left: 20px">Supported operation is Execute, Add, Delete, and Get.
<a href="" id="appinstallation-packagefamilyname-hostedinstall"></a>**AppInstallation/*PackageFamilyName*/HostedInstall**
<p style="margin-left: 20px">Required. Command to perform an install of an app package from a hosted location (this can be a local drive, a UNC, or https data source).
<p style="margin-left: 20px">Supported operation is Execute, Add, Delete, and Get.
<a href="" id="appinstallation-packagefamilyname-lasterror"></a>**AppInstallation/*PackageFamilyName*/LastError**
<p style="margin-left: 20px">Required. Last error relating to the app installation.
<p style="margin-left: 20px">Supported operation is Get.
> [!Note]
> This element is not present after the app is installed.
 
<a href="" id="appinstallation-packagefamilyname-lasterrordescription"></a>**AppInstallation/*PackageFamilyName*/LastErrorDescription**
<p style="margin-left: 20px">Required. Description of last error relating to the app installation.
<p style="margin-left: 20px">Supported operation is Get.
> [!Note]
> This element is not present after the app is installed.
 
<a href="" id="appinstallation-packagefamilyname-status"></a>**AppInstallation/*PackageFamilyName*/Status**
<p style="margin-left: 20px">Required. Status of app installation. The following values are returned:
- NOT\_INSTALLED (0) - The node was added, but the execution has not completed.
- INSTALLING (1) - Execution has started, but the deployment has not completed. If the deployment completes regardless of success, this value is updated.
- FAILED (2) - Installation failed. The details of the error can be found under LastError and LastErrorDescription.
- INSTALLED (3) - Once an install is successful this node is cleaned up, however in the event the clean up action has not completed, this state may briefly appear.
<p style="margin-left: 20px">Supported operation is Get.
> [!Note]
> This element is not present after the app is installed.
 
<a href="" id="appinstallation-packagefamilyname-progessstatus"></a>**AppInstallation/*PackageFamilyName*/ProgessStatus**
<p style="margin-left: 20px">Required. An integer the indicates the progress of the app installation. For https locations, this indicates the download progress. ProgressStatus is not available for provisioning and it is only for user-based installations. In provisioning, the value is always 0 (zero).
<p style="margin-left: 20px">Supported operation is Get.
> [!Note]
> This element is not present after the app is installed.
 
<a href="" id="applicenses"></a>**AppLicenses**
<p style="margin-left: 20px">Required node. Used to manage licenses for app scenarios.
<a href="" id="applicenses-storelicenses"></a>**AppLicenses/StoreLicenses**
<p style="margin-left: 20px">Required node. Used to manage licenses for store apps.
<a href="" id="applicenses-storelicenses-licenseid"></a>**AppLicenses/StoreLicenses/****_LicenseID_**
<p style="margin-left: 20px">Optional node. License ID for a store installed app. The license ID is generally the PFN of the app.
<p style="margin-left: 20px">Supported operations are Add, Get, and Delete.
<a href="" id="applicenses-storelicenses-licenseid-licensecategory"></a>**AppLicenses/StoreLicenses/*LicenseID*/LicenseCategory**
<p style="margin-left: 20px">Added in Windows 10, version 1511. Required. Category of license that is used to classify various license sources. Valid value:
- Unknown - unknown license category
- Retail - license sold through retail channels, typically from the Windows Store
- Enterprise - license sold through the enterprise sales channel, typically from the Store for Business
- OEM - license issued to an OEM
- Developer - developer license, typically installed during the app development or side-loading scernarios.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="applicenses-storelicenses-licenseid-licenseusage"></a>**AppLicenses/StoreLicenses/*LicenseID*/LicenseUsage**
<p style="margin-left: 20px">Added in Windows 10, version 1511. Required. Indicates the allowed usage for the license. Valid values:
- Unknown - usage is unknown
- Online - the license is only valid for online usage. This is for applications with concurrence requirements, such as an app used on several computers, but can only be used on one at any given time.
- Offline - license is valid for use offline. You don't need a connection to the internet to use this license.
- Enterprise Root -
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="applicenses-storelicenses-licenseid-requesterid"></a>**AppLicenses/StoreLicenses/*LicenseID*/RequesterID**
<p style="margin-left: 20px">Added in Windows 10, version 1511. Required. Identifier for the entity that requested the license, such as the client who acquired the license. For example, all licenses issued by the Store for Business for a particular enterprise client has the same RequesterID.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="applicenses-storelicenses-licenseid-addlicense"></a>**AppLicenses/StoreLicenses/*LicenseID*/AddLicense**
<p style="margin-left: 20px">Required. Command to add license.
<p style="margin-left: 20px">Supported operation is Execute.
<a href="" id="applicenses-storelicenses-licenseid-getlicensefromstore"></a>**AppLicenses/StoreLicenses/*LicenseID*/GetLicenseFromStore**
<p style="margin-left: 20px">Added in Windows 10, version 1511. Required. Command to get license from the store.
<p style="margin-left: 20px">Supported operation is Execute.
## Examples
<p style="margin-left: 20px">For examples of how to use this CSP to for reporting apps inventory, installation and removal of apps for users, provisioning apps to devices, and managing app licenses, see [Enterprise app management](enterprise-app-management.md).
<p style="margin-left: 20px">Query the device for a specific app subcategory, such as nonStore apps.
``` syntax
<Get>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore</LocURI>
</Target>
</Item>
</Get>
```
<p style="margin-left: 20px">The result contains a list of apps, such as &lt;Data&gt;App1/App2/App3&lt;/Data&gt;.
<p style="margin-left: 20px">Subsequent query for a specific app for its properties.
``` syntax
<Get>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/App1?list=StructData</LocURI>
</Target>
</Item>
</Get>
<Get>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/App2?list=StructData</LocURI>
</Target>
</Item>
</Get>
```
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
 
 

923
windows/client-management/mdm/enterprisemodernappmanagement-ddf.md Normal file
View File

@ -0,0 +1,923 @@
---
title: EnterpriseModernAppManagement DDF
description: EnterpriseModernAppManagement DDF
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid:
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# EnterpriseModernAppManagement DDF
This topic shows the OMA DM device description framework (DDF) for the **EnterpriseModernAppManagement** configuration service provider. DDF files are used only with OMA DM provisioning XML.
You can download the DDF files from the links below:
- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip)
The XML below is the current version for this CSP.
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>EnterpriseModernAppManagement</NodeName>
<Path>./Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>AppManagement</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<OneOrMore />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>EnterpriseID</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrMore />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>PackageFamilyName</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrMore />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>PackageFullName</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Name</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Version</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Publisher</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Architecture</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>InstallLocation</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>IsFramework</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>IsBundle</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>InstallDate</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>ResourceID</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>PackageStatus</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>RequiresReinstall</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Users</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>IsProvisioned</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>DoNotUpdate</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>DoNotUpdate</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>AppSettingPolicy</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrMore />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>SettingValue</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</Node>
<Node>
<NodeName>UpdateScan</NodeName>
<DFProperties>
<AccessType>
<Exec />
</AccessType>
<DFFormat>
<null />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>LastScanError</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>AppInventoryResults</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<xml />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>AppInventoryQuery</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DFFormat>
<xml />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>RemovePackage</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<xml />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>AppInstallation</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrMore />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>PackageFamilyName</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>StoreInstall</NodeName>
<DFProperties>
<AccessType>
<Exec />
<Add />
<Delete />
<Get />
</AccessType>
<DFFormat>
<xml />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>HostedInstall</NodeName>
<DFProperties>
<AccessType>
<Exec />
<Add />
<Delete />
<Get />
</AccessType>
<DFFormat>
<xml />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>LastError</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>LastErrorDesc</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Status</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>ProgressStatus</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
<Node>
<NodeName>AppLicenses</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>StoreLicenses</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrMore />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>LicenseID</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>LicenseCategory</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>LicenseUsage</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>RequesterID</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>AddLicense</NodeName>
<DFProperties>
<AccessType>
<Exec />
</AccessType>
<DFFormat>
<xml />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>GetLicenseFromStore</NodeName>
<DFProperties>
<AccessType>
<Exec />
</AccessType>
<DFFormat>
<xml />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</Node>
</Node>
</MgmtTree>
```
## Related topics
[EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md)
 
 

59
windows/client-management/mdm/enterprisemodernappmanagement-xsd.md Normal file
View File

@ -0,0 +1,59 @@
---
title: EnterpriseModernAppManagement XSD
description: Here is the XSD for the application parameters.
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: D393D094-25E5-4E66-A60F-B59CC312BF57
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# EnterpriseModernAppManagement XSD
Here is the XSD for the application parameters.
``` syntax
<?xml version="1.0" encoding="utf-16"?>
<xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
<xs:element name="Data">
<xs:complexType>
<xs:sequence>
<xs:element maxOccurs="1" name="Application">
<xs:complexType mixed="true">
<xs:sequence minOccurs="0">
<xs:element name="Dependencies">
<xs:complexType>
<xs:sequence>
<xs:element maxOccurs="unbounded" name="Dependency">
<xs:complexType>
<xs:attribute name="PackageUri" type="xs:string" use="required" />
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:sequence>
<xs:attribute name="DeploymentOptions" type="xs:unsignedByte" use="optional" />
<xs:attribute name="PackageUri" type="xs:string" use="required" />
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:schema>
```
 
 

647
windows/client-management/mdm/federated-authentication-device-enrollment.md Normal file
View File

@ -0,0 +1,647 @@
---
title: Federated authentication device enrollment
description: This section provides an example of the mobile device enrollment protocol using federated authentication policy.
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: 049ECA6E-1AF5-4CB2-8F1C-A5F22D722DAA
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# Federated authentication device enrollment
This section provides an example of the mobile device enrollment protocol using federated authentication policy. When the authentication policy is set to Federated, the web authentication broker is leveraged by the enrollment client to get a security token. The enrollment client calls the web authentication broker API within the response message to start the process. The server should build the web authentication broker pages to fit the device screen and should be consistent with the existing enrollment UI. The opaque security token that is returned from the broker as an end page is used by the enrollment client as the device security secret during the client certificate request call.
The &lt;AuthenticationServiceURL&gt; element the discovery response message specifies web authentication broker page start URL.
For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( http://go.microsoft.com/fwlink/p/?LinkId=619347).
## In this topic
[Discovery service](#discovery-service)
[Enrollment policy web service](#enrollment-policy-web-service)
[Enrollment web service](#enrollment-web-service)
For the list of enrollment scenarios not supported in Windows 10, see [Enrollment scenarios not supported](mobile-device-enrollment.md#enrollment-scenarios-not-supported).
## Discovery service
The discovery web service provides the configuration information necessary for a user to enroll a phone with a management service. The service is a restful web service over HTTPS (server authentication only).
> **Note**  The administrator of the discovery service must create a host with the address enterpriseenrollment.*domain\_name*.com.
 
The automatic discovery flow of the device uses the domain name of the email address that was submitted to the Workplace settings screen during sign in. The automatic discovery system constructs a URI that uses this hostname by appending the subdomain “enterpriseenrollment” to the domain of the email address, and by appending the path “/EnrollmentServer/Discovery.svc”. For example, if the email address is “sample@contoso.com”, the resulting URI for first Get request would be: http:<span></span>//enterpriseenrollment.contoso.com/EnrollmentServer/Discovery.svc
The first request is a standard HTTP GET request.
The following example shows a request via HTTP GET to the discovery server given user@contoso.com as the email address.
```
Request Full Url: http://EnterpriseEnrollment.contoso.com/EnrollmentServer/Discovery.svc
Content Type: unknown
Header Byte Count: 153
Body Byte Count: 0
```
```
GET /EnrollmentServer/Discovery.svc HTTP/1.1
User-Agent: Windows Phone 8 Enrollment Client
Host: EnterpriseEnrollment.contoso.com
Pragma: no-cache
```
```
Request Full Url: http://EnterpriseEnrollment.contoso.com/EnrollmentServer/Discovery.svc
Content Type: text/html
Header Byte Count: 248
Body Byte Count: 0
```
```
HTTP/1.1 200 OK
Connection: Keep-Alive
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 0
```
After the device gets a response from the server, the device sends a POST request to enterpriseenrollment.*domain\_name*/EnrollmentServer/Discovery.svc. After it gets another response from the server (which should tell the device where the enrollment server is), the next message sent from the device is to enterpriseenrollment.*domain\_name* to the enrollment server.
The following logic is applied:
1. The device first tries HTTPS. If the server cert is not trusted by the device, the HTTPS fails.
2. If that fails, the device tries HTTP to see whether it is redirected:
- If the device is not redirected, it prompts the user for the server address.
- If the device is redirected, it prompts the user to allow the redirect.
The following example shows a request via an HTTP POST command to the discovery web service given user@contoso.com as the email address
```
https://EnterpriseEnrollment.Contoso.com/EnrollmentServer/Discovery.svc
```
The following example shows the discovery service request.
``` syntax
<?xml version="1.0"?>
<s:Envelope xmlns:a="http://www.w3.org/2005/08/addressing"
xmlns:s="http://www.w3.org/2003/05/soap-envelope">
<s:Header>
<a:Action s:mustUnderstand="1">
http://schemas.microsoft.com/windows/management/2012/01/enrollment/IDiscoveryService/Discover
</a:Action>
<a:MessageID>urn:uuid: 748132ec-a575-4329-b01b-6171a9cf8478</a:MessageID>
<a:ReplyTo>
<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo>
<a:To s:mustUnderstand="1">
https://ENROLLTEST.CONTOSO.COM/EnrollmentServer/Discovery.svc
</a:To>
</s:Header>
<s:Body>
<Discover xmlns="http://schemas.microsoft.com/windows/management/2012/01/enrollment/">
<request xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
<EmailAddress>user@contoso.com</EmailAddress>
<OSEdition>3</OSEdition> <!--New -->
<RequestVersion>3.0</RequestVersion> <!-- Updated -->
<DeviceType>WindowsPhone</DeviceType> <!--Updated -->
<ApplicationVersion>10.0.0.0</ApplicationVersion>
<AuthPolicies>
<AuthPolicy>OnPremise</AuthPolicy>
<AuthPolicy>Federated</AuthPolicy>
</AuthPolicies>
</request>
</Discover>
</s:Body>
```
The discovery response is in the XML format and includes the following fields:
- Enrollment service URL (EnrollmentServiceUrl) Specifies the URL of the enrollment endpoint that is exposed by the management service. The device should call this URL after the user has been authenticated. This field is mandatory.
- Authentication policy (AuthPolicy) Indicates what type of authentication is required. For the MDM server, OnPremise is the supported value, which means that the user will be authenticated when calling the management service URL. This field is mandatory.
- In Windows, Federated is added as another supported value. This allows the server to leverage the Web Authentication Broker to perform customized user authentication, and term of usage acceptance.
> **Note**  The HTTP server response must not be chunked; it must be sent as one message.
 
When authentication policy is set to be Federated, Web Authentication Broker (WAB) will be leveraged by the enrollment client to get a security token. The WAB start page URL is provided by the discovery service in the response message. The enrollment client will call the WAB API within the response message to start the WAB process. WAB pages are server hosted web pages. The server should build those pages to fit the device screen nicely and be as consistent as possible to other builds in the MDM enrollment UI. The opaque security token that is returned from WAB as an endpage will be used by the enrollment client as the device security secret during the client certificate enrollment request call.
> **Note**  Instead of relying on the user agent string that is passed during authentication to get information, such as the OS version, use the following guidance:
> - Parse the OS version from the data sent up during the discovery request.
> - Append the OS version as a parameter in the AuthenticationServiceURL.
> - Parse out the OS version from the AuthenticiationServiceURL when the OS sends the response for authentication.
 
A new XML tag, AuthenticationServiceUrl, is introduced in the DiscoveryResponse XML to allow the server to specify the WAB page start URL. For Federated authentication, this XML tag must exist.
> **Note**  The enrollment client is agnostic with regards to the protocol flows for authenticating and returning the security token. While the server might prompt for user credentials directly or enter into a federation protocol with another server and directory service, the enrollment client is agnostic to all of this. To remain agnostic, all protocol flows pertaining to authentication that involve the enrollment client are passive, that is, browser-implemented.
 
The following are the explicit requirements for the server.
- The &lt;DiscoveryResponse&gt;&lt;AuthenticationServiceUrl&gt; element must support HTTPS.
- The authentication server must use a device trusted root certificate. Otherwise, the WAP call will fail.
- WP doesnt support Window Integrated Authentication (WIA) for ADFS during WAB authentication. ADFS 2012 R2 if used needs to be configured to not attempt WIA for Windows device.
The enrollment client issues an HTTPS request as follows:
```
AuthenticationServiceUrl?appru=<appid>&amp;login_hint=<User Principal Name>
```
- &lt;appid&gt; is of the form ms-app://string
- &lt;User Principal Name&gt; is the name of the enrolling user, for example, user@constoso.com as input by the user in an enrollment sign in page. The value of this attribute serves as a hint that can be used by the authentication server as part of the authentication.
After authentication is complete, the auth server should return an HTML form document with a POST method action of appid identified in the query string parameter.
```
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 556
<!DOCTYPE>
<html>
<head>
<title>Working...</title>
<script>
function formSubmit() {
document.forms[0].submit();
}
window.onload=formSubmit;
</script>
</head>
<body>
<!-- appid below in post command must be same as appid in previous client https request. -->
<form method="post" action="ms-app://appid">
<p><input type="hidden" name="wresult" value="token value"/></p>
<input type="submit"/>
</form>
</body>
</html>
```
The server has to send a POST to a redirect URL of the form ms-app://string (the URL scheme is ms-app) as indicated in the POST method action. The security token value is the base64-encoded string "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\#base64binary" contained in the &lt;wsse:BinarySecurityToken&gt; EncodingType attribute. Windows does the binary encode when it sends it back to enrollment server, in the form it is just HTML encoded. This string is opaque to the enrollment client; the client does not interpret the string.
The following example shows a response received from the discovery web service which requires authentication via WAB.
``` syntax
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
xmlns:a="http://www.w3.org/2005/08/addressing">
<s:Header>
<a:Action s:mustUnderstand="1">
http://schemas.microsoft.com/windows/management/2012/01/enrollment/IDiscoveryService/DiscoverResponse
</a:Action>
<ActivityId>
d9eb2fdd-e38a-46ee-bd93-aea9dc86a3b8
</ActivityId>
<a:RelatesTo>urn:uuid: 748132ec-a575-4329-b01b-6171a9cf8478</a:RelatesTo>
</s:Header>
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<DiscoverResponse
xmlns="http://schemas.microsoft.com/windows/management/2012/01/enrollment">
<DiscoverResult>
<AuthPolicy>Federated</AuthPolicy>
<EnrollmentVersion>3.0</EnrollmentVersion>
<EnrollmentPolicyServiceUrl>
https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC
</EnrollmentPolicyServiceUrl>
<EnrollmentServiceUrl>
https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC
</EnrollmentServiceUrl>
<AuthenticationServiceUrl>
https://portal.manage.contoso.com/LoginRedirect.aspx
</AuthenticationServiceUrl>
</DiscoverResult>
</DiscoverResponse>
</s:Body>
</s:Envelope>
```
## Enrollment policy web service
Policy service is optional. By default, if no policies are specified, the minimum key length is 2k and the hash algorithm is SHA-1.
This web service implements the X.509 Certificate Enrollment Policy Protocol (MS-XCEP) specification that allows customizing certificate enrollment to match different security needs of enterprises at different times (cryptographic agility). The service processes the GetPolicies message from the client, authenticates the client, and returns matching enrollment policies in the GetPoliciesResponse message.
For Federated authentication policy, The security token credential is provided in a request message using the &lt;wsse:BinarySecurityToken&gt; element \[WSS\]. The security token is retrieved as described in the discovery response section. The authentication information is as follows:
- wsse:Security: The enrollment client implements the &lt;wsse:Security&gt; element defined in \[WSS\] section 5. The &lt;wsse:Security&gt; element must be a child of the &lt;s:Header&gt; element.
- wsse:BinarySecurityToken: The enrollment client implements the &lt;wsse:BinarySecurityToken&gt; element defined in \[WSS\] section 6.3. The &lt;wsse:BinarySecurityToken&gt; element must be included as a child of the &lt;wsse:Security&gt; element in the SOAP header.
As was described in the discovery response section, the inclusion of the &lt;wsse:BinarySecurityToken&gt; element is opaque to the enrollment client, and the client does not interpret the string, and the inclusion of the element is agreed upon by the security token authentication server (as identified in the &lt;AuthenticationServiceUrl&gt; element of &lt;DiscoveryResponse&gt; and the enterprise server.
The &lt;wsse:BinarySecurityToken&gt; element contains a base64-encoded string. The enrollment client uses the security token received from the authentication server and base64-encodes the token to populate the &lt;wsse:BinarySecurityToken&gt; element. wsse:BinarySecurityToken/attributes/ValueType: The &lt;wsse:BinarySecurityToken&gt; ValueType attribute must be "http:<span></span>//schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentUserToken".
wsse:BinarySecurityToken/attributes/EncodingType: The &lt;wsse:BinarySecurityToken&gt; EncodingType attribute must be "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\#base64binary".
The following is an enrollment policy request example with a received security token as client credential.
``` syntax
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
xmlns:a="http://www.w3.org/2005/08/addressing"
xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
xmlns:ac="http://schemas.xmlsoap.org/ws/2006/12/authorization">
<s:Header>
<a:Action s:mustUnderstand="1">
http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy/IPolicy/GetPolicies
</a:Action>
<a:MessageID>urn:uuid:72048B64-0F19-448F-8C2E-B4C661860AA0</a:MessageID>
<a:ReplyTo>
<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo>
<a:To s:mustUnderstand="1">
https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC
</a:To>
<wsse:Security s:mustUnderstand="1">
<wsse:BinarySecurityToken ValueType=
"http: //schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentUserToken"
EncodingType=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary"
xmlns=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
B64EncodedSampleBinarySecurityToken
</wsse:BinarySecurityToken>
</wsse:Security>
</s:Header>
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<GetPolicies
xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy">
<client>
<lastUpdate xsi:nil="true"/>
<preferredLanguage xsi:nil="true"/>
</client>
<requestFilter xsi:nil="true"/>
</GetPolicies>
</s:Body>
</s:Envelope>
```
After the user is authenticated, the web service retrieves the certificate template that the user should enroll with and creates enrollment policies based on the certificate template properties. A sample of the response can be found on MSDN.
MS-XCEP supports very flexible enrollment policies using various Complex Types and Attributes. For Windows device, we will first support the minimalKeyLength, the hashAlgorithmOIDReference policies, and the CryptoProviders. The hashAlgorithmOIDReference has related OID and OIDReferenceID and policySchema in the GetPolicesResponse. The policySchema refers to the certificate template version. Version 3 of MS-XCEP supports hashing algorithms.
> **Note**  The HTTP server response must not be chunked; it must be sent as one message.
 
The following snippet shows the policy web service response.
``` syntax
<s:Envelope
xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:s="http://www.w3.org/2003/05/soap-envelope"
xmlns:a="http://www.w3.org/2005/08/addressing">
<s:Header>
<a:Action s:mustUnderstand="1">
http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy/IPolicy/GetPoliciesResponse
</a:Action>
<a:RelatesTo>urn:uuid: 69960163-adad-4a72-82d2-bb0e5cff5598</a:RelatesTo>
</s:Header>
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<GetPoliciesResponse
xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy">
<response>
<policyID />
<policyFriendlyName xsi:nil="true"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
<nextUpdateHours xsi:nil="true"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
<policiesNotChanged xsi:nil="true"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
<policies>
<policy>
<policyOIDReference>0</policyOIDReference>
<cAs xsi:nil="true" />
<attributes>
<commonName>CEPUnitTest</commonName>
<policySchema>3</policySchema>
<certificateValidity>
<validityPeriodSeconds>1209600</validityPeriodSeconds>
<renewalPeriodSeconds>172800</renewalPeriodSeconds>
</certificateValidity>
<permission>
<enroll>true</enroll>
<autoEnroll>false</autoEnroll>
</permission>
<privateKeyAttributes>
<minimalKeyLength>2048</minimalKeyLength>
<keySpec xsi:nil="true" />
<keyUsageProperty xsi:nil="true" />
<permissions xsi:nil="true" />
<algorithmOIDReference xsi:nil="true" />
<cryptoProviders xsi:nil="true" />
</privateKeyAttributes>
<revision>
<majorRevision>101</majorRevision>
<minorRevision>0</minorRevision>
</revision>
<supersededPolicies xsi:nil="true" />
<privateKeyFlags xsi:nil="true" />
<subjectNameFlags xsi:nil="true" />
<enrollmentFlags xsi:nil="true" />
<generalFlags xsi:nil="true" />
<hashAlgorithmOIDReference>0</hashAlgorithmOIDReference>
<rARequirements xsi:nil="true" />
<keyArchivalAttributes xsi:nil="true" />
<extensions xsi:nil="true" />
</attributes>
</policy>
</policies>
</response>
<cAs xsi:nil="true" />
<oIDs>
<oID>
<value>1.3.14.3.2.29</value>
<group>1</group>
<oIDReferenceID>0</oIDReferenceID>
<defaultName>szOID_OIWSEC_sha1RSASign</defaultName>
</oID>
</oIDs>
</GetPoliciesResponse>
</s:Body>
</s:Envelope>
```
## Enrollment web service
This web service implements the MS-WSTEP protocol. It processes the RequestSecurityToken (RST) message from the client, authenticates the client, requests the certificate from the CA, and returns it in the RequestSecurityTokenResponse (RSTR) to the client. Besides the issued certificate, the response also contains configurations needed to provision the DM client.
The RequestSecurityToken (RST) must have the user credential and a certificate request. The user credential in an RST SOAP envelope is the same as in GetPolicies, and can vary depending on whether the authentication policy is OnPremise or Federated. The BinarySecurityToken in an RST SOAP body contains a Base64-encoded PKCS\#10 certificate request, which is generated by the client based on the enrollment policy. The client could have requested an enrollment policy by using MS-XCEP before requesting a certificate using MS-WSTEP. If the PKCS\#10 certificate request is accepted by the certification authority (CA) (the key length, hashing algorithm, and so on match the certificate template), the client can enroll successfully.
Note that the RequestSecurityToken will use a custom TokenType (http:<span></span>//schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken), because our enrollment token is more than an X.509 v3 certificate. For more details, see the Response section.
The RST may also specify a number of AdditionalContext items, such as DeviceType and Version. Based on these values, for example, the web service can return device-specific and version-specific DM configuration.
> **Note**  The policy service and the enrollment service must be on the same server; that is, they must have the same host name.
 
The following example shows the enrollment web service request for federated authentication.
``` syntax
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
xmlns:a="http://www.w3.org/2005/08/addressing"
xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
xmlns:ac="http://schemas.xmlsoap.org/ws/2006/12/authorization">
<s:Header>
<a:Action s:mustUnderstand="1">
http://schemas.microsoft.com/windows/pki/2009/01/enrollment/RST/wstep
</a:Action>
<a:MessageID>urn:uuid:0d5a1441-5891-453b-becf-a2e5f6ea3749</a:MessageID>
<a:ReplyTo>
<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo>
<a:To s:mustUnderstand="1">
https://enrolltest.contoso.com:443/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC
</a:To>
<wsse:Security s:mustUnderstand="1">
<wsse:BinarySecurityToken wsse:ValueType=
"http:"//schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentUserToken
wsse:EncodingType=
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary"
>
B64EncodedSampleBinarySecurityToken
</wsse:BinarySecurityToken>
</wsse:Security>
</s:Header>
<s:Body>
<wst:RequestSecurityToken>
<wst:TokenType>
http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken
</wst:TokenType>
<wst:RequestType>
http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue
</wst:RequestType>
<wsse:BinarySecurityToken
ValueType="http://schemas.microsoft.com/windows/pki/2009/01/enrollment#PKCS10"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary">
DER format PKCS#10 certificate request in Base64 encoding Insterted Here
</wsse:BinarySecurityToken>
<ac:AdditionalContext xmlns="http://schemas.xmlsoap.org/ws/2006/12/authorization">
<ac:ContextItem Name="OSEdition">
<ac:Value> 4</ac:Value>
</ac:ContextItem>
<ac:ContextItem Name="OSVersion">
<ac:Value>10.0.9999.0</ac:Value>
</ac:ContextItem>
<ac:ContextItem Name="DeviceName">
<ac:Value>MY_WINDOWS_DEVICE</ac:Value>
</ac:ContextItem>
<ac:ContextItem Name="MAC">
<ac:Value>FF:FF:FF:FF:FF:FF</ac:Value>
</ac:ContextItem>
<ac:ContextItem Name="MAC">
<ac:Value>CC:CC:CC:CC:CC:CC</ac:Value>
<ac:ContextItem Name="IMEI">
<ac:Value>49015420323756</ac:Value>
</ac:ContextItem>
<ac:ContextItem Name="IMEI">
<ac:Value>30215420323756</ac:Value>
</ac:ContextItem>
<ac:ContextItem Name="EnrollmentType">
<ac:Value>Full</ac:Value>
</ac:ContextItem>
<ac:ContextItem Name="DeviceType">
<ac:Value>CIMClient_Windows</ac:Value>
</ac:ContextItem>
<ac:ContextItem Name="ApplicationVersion">
<ac:Value>10.0.9999.0</ac:Value>
</ac:ContextItem>
<ac:ContextItem Name="DeviceID">
<ac:Value>7BA748C8-703E-4DF2-A74A-92984117346A</ac:Value>
</ac:ContextItem>
<ac:ContextItem Name="TargetedUserLoggedIn">
<ac:Value>True</ac:Value>
</ac:ContextItem>
</ac:AdditionalContext>
</wst:RequestSecurityToken>
</s:Body>
```
After validating the request, the web service looks up the assigned certificate template for the client, update it if needed, sends the PKCS\#10 requests to the CA, processes the response from the CA, constructs an OMA Client Provisioning XML format, and returns it in the RequestSecurityTokenResponse (RSTR).
> **Note**  The HTTP server response must not be chunked; it must be sent as one message.
 
Similar to the TokenType in the RST, the RSTR will use a custom ValueType in the BinarySecurityToken (http:<span></span>//schemas.microsoft.com/ConfigurationManager/Enrollment/DeviceEnrollmentProvisionDoc), because the token is more than an X.509 v3 certificate.
The provisioning XML contains:
- The requested certificates (required)
- The DM client configuration (required)
The client will install the client certificate, the enterprise root certificate, and intermediate CA certificate if there is one. The DM configuration includes the name and address of the DM server, which client certificate to use, and schedules when the DM client calls back to the server.
Enrollment provisioning XML should contain a maximum of one root certificate and one intermediate CA certificate that is needed to chain up the MDM client certificate. Additional root and intermediate CA certificates could be provisioned during an OMA DM session.
When provisioning root and intermediate CA certificates, the supported CSP node path is: CertificateStore/Root/System for root certificate provisioning, CertificateStore/My/User for intermediate CA certificate provisioning.
Here is a sample RSTR message and a sample of OMA client provisioning XML within RSTR. For more information about the configuration service providers (CSPs) used in provisioning XML, see the Enterprise settings, policies and app management section.
The following example shows the enrollment web service response.
``` syntax
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:a="http://www.w3.org/2005/08/addressing"
xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<a:Action s:mustUnderstand="1" >
http://schemas.microsoft.com/windows/pki/2009/01/enrollment/RSTRC/wstep
</a:Action>
<a:RelatesTo>urn:uuid:81a5419a-496b-474f-a627-5cdd33eed8ab</a:RelatesTo>
<o:Security s:mustUnderstand="1" xmlns:o=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<u:Timestamp u:Id="_0">
<u:Created>2012-08-02T00:32:59.420Z</u:Created>
<u:Expires>2012-08-02T00:37:59.420Z</u:Expires>
</u:Timestamp>
</o:Security>
</s:Header>
<s:Body>
<RequestSecurityTokenResponseCollection
xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
<RequestSecurityTokenResponse>
<TokenType>
http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken
</TokenType>
<DispositionMessage xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollment"/> <RequestedSecurityToken>
<BinarySecurityToken
ValueType=
"http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentProvisionDoc"
EncodingType=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary"
xmlns=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
B64EncodedSampleBinarySecurityToken
</BinarySecurityToken>
</RequestedSecurityToken>
<RequestID xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollment">0
</RequestID>
</RequestSecurityTokenResponse>
</RequestSecurityTokenResponseCollection>
</s:Body>
</s:Envelope>
```
The following code shows sample provisioning XML (presented in the preceding package as a security token):
```
<wap-provisioningdoc version="1.1">
<characteristic type="CertificateStore">
<characteristic type="Root">
<characteristic type="System">
<characteristic type="031336C933CC7E228B88880D78824FB2909A0A2F">
<parm name="EncodedCertificate" value="B64 encoded cert insert here" />
</characteristic>
</characteristic>
</characteristic>
</characteristic>
<characteristic type="CertificateStore">
<characteristic type="My" >
<characteristic type="User">
<characteristic type="F9A4F20FC50D990FDD0E3DB9AFCBF401818D5462">
<parm name="EncodedCertificate" value="B64EncodedCertInsertedHere" />
</characteristic>
<characteristic type="PrivateKeyContainer"/>
<!-- This tag must be present for XML syntax correctness. -->
</characteristic>
<characteristic type="WSTEP">
<characteristic type="Renew">
<!—If the datatype for ROBOSupport, RenewPeriod, and RetryInterval tags exist, they must be set explicitly. -->
<parm name="ROBOSupport" value="true" datatype="boolean"/>
<parm name="RenewPeriod" value="60" datatype="integer"/>
<parm name="RetryInterval" value="4" datatype="integer"/>
</characteristic>
</characteristic>
</characteristic>
</characteristic>
<characteristic type="APPLICATION">
<parm name="APPID" value="w7"/>
<parm name="PROVIDER-ID" value="TestMDMServer"/>
<parm name="NAME" value="Microsoft"/>
<parm name="ADDR" value="https://DM.contoso.com:443/omadm/Windows.ashx"/>
<parm name="CONNRETRYFREQ" value="6" />
<parm name="INITIALBACKOFFTIME" value="30000" />
<parm name="MAXBACKOFFTIME" value="120000" />
<parm name="BACKCOMPATRETRYDISABLED" />
<parm name="DEFAULTENCODING" value="application/vnd.syncml.dm+wbxml" />
<parm name="SSLCLIENTCERTSEARCHCRITERIA" value=
"Subject=DC%3dcom%2cDC%3dmicrosoft%2cCN%3dUsers%2cCN%3dAdministrator&amp;amp;Stores=My%5CUser"/>
<characteristic type="APPAUTH">
<parm name="AAUTHLEVEL" value="CLIENT"/>
<parm name="AAUTHTYPE" value="DIGEST"/>
<parm name="AAUTHSECRET" value="password1"/>
<parm name="AAUTHDATA" value="B64encodedBinaryNonceInsertedHere"/>
</characteristic>
<characteristic type="APPAUTH">
<parm name="AAUTHLEVEL" value="APPSRV"/>
<parm name="AAUTHTYPE" value="BASIC"/>
<parm name="AAUTHNAME" value="testclient"/>
<parm name="AAUTHSECRET" value="password2"/>
</characteristic>
</characteristic>
<characteristic type="DMClient"> <!-- In Windows 10, an enrollment server should use DMClient CSP XML to configure DM polling schedules. -->
<characteristic type="Provider">
<!-- ProviderID in DMClient CSP must match to PROVIDER-ID in w7 APPLICATION characteristics -->
<characteristic type="TestMDMServer">
<parm name="UPN" value="UserPrincipalName@contoso.com" datatype="string" />
<characteristic type="Poll">
<parm name="NumberOfFirstRetries" value="8" datatype="integer" />
<parm name="IntervalForFirstSetOfRetries" value="15" datatype="integer" />
<parm name="NumberOfSecondRetries" value="5" datatype="integer" />
<parm name="IntervalForSecondSetOfRetries" value="3" datatype="integer" />
<parm name="NumberOfRemainingScheduledRetries" value="0" datatype="integer" />
<!-- Windows 10 supports MDM push for real-time communication. The DM client long term polling schedules retry waiting interval should be more than 24 hours (1440) to reduce the impact to data consumption and battery life. Refer to the DMClient Configuration Service Provider section for information about polling schedule parameters.-->
<parm name="IntervalForRemainingScheduledRetries" value="1560" datatype="integer" />
<parm name="PollOnLogin" value="true" datatype="boolean" />
</characteristic>
<parm name="EntDeviceName" value="Administrator_Windows" datatype="string" />
</characteristic>
</characteristic>
</characteristic>
<!-- For Windows 10, we removed EnterpriseAppManagement from the enrollment
protocol. -->
</wap-provisioningdoc>
```
**Notes**
- &lt;Parm name&gt; and &lt;characteristic type=&gt; elements in the w7 APPLICATION CSP XML are case sensitive and must be all uppercase.
- In w7 APPLICATION characteristic, both CLIENT and APPSRV credentials should be provided in XML.
- Detailed descriptions of these settings are located in the [Enterprise settings, policies and app management](windows-mdm-enterprise-settings.md) section of this document.
- The **PrivateKeyContainer** characteristic is required and must be present in the Enrollment provisioning XML by the enrollment. Other important settings are the **PROVIDER-ID**, **NAME**, and **ADDR** parameter elements, which need to contain the unique ID and NAME of your DM provider and the address where the device can connect for configuration provisioning. The ID and NAME can be arbitrary values, but they must be unique.
- Also important is SSLCLIENTCERTSEARCHCRITERIA, which is used for selecting the certificate to be used for client authentication. The search is based on the subject attribute of the signed user certificate.
- CertificateStore/WSTEP enables certificate renewal. If the server does not support it, do not set it.
 

114
windows/client-management/mdm/filesystem-csp.md Normal file
View File

@ -0,0 +1,114 @@
---
title: FileSystem CSP
description: FileSystem CSP
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: 9117ee16-ca7a-4efa-9270-c9ac8547e541
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# FileSystem CSP
The FileSystem configuration service provider is used to query, add, modify, and delete files, file directories, and file attributes on the mobile device. It can retrieve information about or manage files in ROM, files in persistent store and files on any removable storage card that is present in the device. It works for files that are hidden from the user as well as those that are visible to the user.
> **Note**  FileSystem CSP is only supported in Windows 10 Mobile.
 
> **Note**   This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_CSP\_OEM capabilities to be accessed from a network configuration application.
 
The following diagram shows the FileSystem configuration service provider management object in tree format as used by OMA DM. The OMA Client Provisioning protocol is not supported by this configuration service provider.
![filesystem csp (dm)](images/provisioning-csp-filesystem-dm.png)
<a href="" id="filesystem"></a>**FileSystem**
Required. Defines the root of the file system management object. It functions as the root directory for file system queries.
Recursive queries or deletes are not supported for this element. Add commands will add a new file or directory under the root path.
The following properties are supported for the root node:
- `Name`: The root node name. The Get command is the only supported command.
- `Type`: The MIME type of the file, which is com.microsoft/windowsmobile/1.1/FileSystemMO. The Get command is the only supported command.
- `Format`: The format, which is `node`. The Get command is the only supported command.
- `TStamp`: A standard OMA property that indicates the last time the file directory was changed. The value is represented by a string containing a UTC based, ISO 8601 basic format, complete representation of a date and time value, e.g. 20010711T163817Z means July 11, 2001 at 16 hours, 38 minutes and 17 seconds. The Get command is the only supported command.
- `Size`: Not supported.
- `msft:SystemAttributes`: A custom property that contains file directory attributes. This value is an integer bit mask that corresponds to the FILE\_ATTRIBUTE values and flags defined in the header file winnt.h. This supports the Get command and the Replace command.
<a href="" id="file-directory"></a>***file directory***
Optional. Returns the name of a directory in the device file system. Any *file directory* element can contain directories and files as child elements.
The Get command returns the name of the file directory. The Get command with `?List=Struct` will recursively return all child element names (including sub-directory names). The Get command with `?list=StructData` query is not supported and returns a 406 error code.
The Add command is used to create a new directory. Adding a new directory under the file system root is not supported and returns a 405 error code.
The Replace command is not supported.
The Delete command is used to delete all files and subfolders under this *file directory*.
The following properties are supported for file directories:
- `Name`: The file directory name. The Get command is the only supported command.
- `Type`: The MIME type of the file, which an empty string for directories that are not the root node. The Get command is the only supported command.
- `Format`: The format, which is `node`. The Get command is the only supported command.
- `TStamp`: A standard OMA property that indicates the last time the file directory was changed. The value is represented by a string containing a UTC based, ISO 8601 basic format, complete representation of a date and time value, e.g. 20010711T163817Z means July 11, 2001 at 16 hours, 38 minutes and 17 seconds. The Get command is the only supported command.
- `Size`: Not supported.
- `msft:SystemAttributes`: A custom property that contains file directory attributes. This value is an integer bit mask that corresponds to the FILE\_ATTRIBUTE values and flags defined in the header file winnt.h. This supports the Get command and the Replace command.
<a href="" id="file-name"></a>***file name***
Optional. Return a file in binary format. If the file is too large for the configuration service to return, it returns error code 413 (Request entity too large) instead.
The Delete command deletes the file.
The Replace command updates an entire file with new file contents.
The Add command adds the file to the file directory
The Get command is not supported on a *file name* element, only on the properties of the element.
The following properties are supported for files:
- `Name`: The file name. The Get command is the only supported command.
- `Type`: The MIME type of the file. This value is always set to the generic MIME type: `application/octet-stream`. The Get command is the only supported command.
- `Format`: The format, which is b64 encoded for binary data is sent over XML, and bin format for binary data sent over wbxml. The Get command is the only supported command.
- `TStamp`: A standard OMA property that indicates the last time the file was changed. The value is represented by a string containing a UTC based, ISO 8601 basic format, complete representation of a date and time value, e.g. 20010711T163817Z means July 11, 2001 at 16 hours, 38 minutes and 17 seconds. The Get command is the only supported command.
- `Size`: The unencoded file content size in bytes. The Get command is the only supported command.
- `msft:SystemAttributes`: A custom property that contains file attributes. This value is an integer bit mask that corresponds to the FILE\_ATTRIBUTE values and flags defined in the header file winnt.h. This supports the Get command and the Replace command.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
 
 

174
windows/client-management/mdm/get-inventory.md Normal file
View File

@ -0,0 +1,174 @@
---
title: Get Inventory
description: The Get Inventory operation retrieves information from the Windows Store for Business to determine if new or updated applications are available.
MS-HAID:
- 'p\_phdevicemgmt.get\_seatblock'
- 'p\_phDeviceMgmt.get\_inventory'
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: C5485722-FC49-4358-A097-74169B204E74
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# Get Inventory
The **Get Inventory** operation retrieves information from the Windows Store for Business to determine if new or updated applications are available.
## Request
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Method</th>
<th>Request URI</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>GET</p></td>
<td><p>https://bspmts.mp.microsoft.com/V1/Inventory?continuationToken={ContinuationToken}&amp;modifiedSince={ModifiedSince}&amp;licenseTypes={LicenseType}&amp;maxResults={MaxResults}</p></td>
</tr>
</tbody>
</table>
 
### URI parameters
The following parameters may be specified in the request URI.
<table>
<colgroup>
<col width="25%" />
<col width="25%" />
<col width="25%" />
<col width="25%" />
</colgroup>
<thead>
<tr class="header">
<th>Parameter</th>
<th>Type</th>
<th>Default value</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>continuationToken</p></td>
<td><p>string</p></td>
<td><p>Null</p></td>
<td></td>
</tr>
<tr class="even">
<td><p>modifiedSince</p></td>
<td><p>datetime</p></td>
<td><p>Null</p></td>
<td><p>Optional. Used to determine changes since a specific date.</p></td>
</tr>
<tr class="odd">
<td><p>licenseTypes</p></td>
<td><p>collection of [LicenseType](data-structures-windows-store-for-business.md#licensetype)</p></td>
<td><p>{online,offline}</p></td>
<td><p>Optional. A collection of license types</p></td>
</tr>
<tr class="even">
<td><p>maxResults</p></td>
<td><p>integer-32</p></td>
<td><p>25</p></td>
<td><p>Optional. Specifies the maximum number of applications returned in a single query.</p></td>
</tr>
</tbody>
</table>
Here are some examples.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Query type</th>
<th>Example query</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>Online and offline</p></td>
<td><p>https:<span></span>//bspmts.mp.microsoft.com/V1/Inventory?licenseTypes=online&amp;licenseTypes=offline&amp;maxResults=25</p></td>
</tr>
<tr class="even">
<td><p>Online only</p></td>
<td><p>https:<span></span>//bspmts.mp.microsoft.com/V1/Inventory?licenseTypes=online&amp;maxResults=25</p></td>
</tr>
<tr class="odd">
<td><p>Offline only</p></td>
<td><p>https:<span></span>//bspmts.mp.microsoft.com/V1/Inventory?licenseTypes=offline&amp;maxResults=25</p></td>
</tr>
<tr class="even">
<td><p>Both license types and a time filter</p></td>
<td><p>https:<span></span>//bspmts.mp.microsoft.com/V1/Inventory?modifiedSince=2015-07-13T14%3a02%3a25.6863382-07%3a00&amp;licenseTypes=online&amp;licenseTypes=offline&amp;maxResults=25</p></td>
</tr>
</tbody>
</table>
<table>
<colgroup>
<col width="25%" />
<col width="25%" />
<col width="25%" />
<col width="25%" />
</colgroup>
<thead>
<tr class="header">
<th>Error code</th>
<th>Description</th>
<th>Retry</th>
<th>Data field</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>400</p></td>
<td><p>Invalid parameters</p></td>
<td><p>No</p></td>
<td><p>Parameter name</p>
<p>Invalid modified date, license, or continuationToken</p>
<p>Details: String</p></td>
</tr>
</tbody>
</table>
## Response
### Response body
The response contains [InventoryResultSet](data-structures-windows-store-for-business.md#inventoryresultset).
 

Some files were not shown because too many files have changed in this diff Show More