From 1a13592a5b5a2d0f65f045bd8a3f62359d10b037 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Fri, 17 Feb 2023 17:09:31 -0500 Subject: [PATCH] RemoteLock CSP --- .../client-management/mdm/remotelock-csp.md | 199 ++++++++++++++++++ .../mdm/remotelock-ddf-file.md | 149 +++++++++++++ windows/client-management/mdm/toc.yml | 5 + 3 files changed, 353 insertions(+) create mode 100644 windows/client-management/mdm/remotelock-csp.md create mode 100644 windows/client-management/mdm/remotelock-ddf-file.md diff --git a/windows/client-management/mdm/remotelock-csp.md b/windows/client-management/mdm/remotelock-csp.md new file mode 100644 index 0000000000..3f7799438c --- /dev/null +++ b/windows/client-management/mdm/remotelock-csp.md @@ -0,0 +1,199 @@ +--- +title: RemoteLock CSP +description: Learn more about the RemoteLock CSP. +author: vinaypamnani-msft +manager: aaroncz +ms.author: vinpa +ms.date: 02/17/2023 +ms.localizationpriority: medium +ms.prod: windows-client +ms.technology: itpro-manage +ms.topic: reference +--- + + + + +# RemoteLock CSP + + + + + + +The following example shows the RemoteLock configuration service provider in tree format. + +```text +./Device/Vendor/MSFT/RemoteLock +--- Lock +--- LockAndRecoverPIN +--- LockAndResetPIN +--- NewPINValue +``` + + + +## Lock + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/RemoteLock/Lock +``` + + + + +Required. The setting accepts requests to lock the device screen. The device screen will lock immediately if a PIN has been set. If no PIN is set, the lock request is ignored and the OMA DM (405) Forbidden error is returned over the management channel. All OMA DM errors are listed here in the protocol specification. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | null | +| Access Type | Exec, Get | + + + + + + + + + +## LockAndRecoverPIN + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/RemoteLock/LockAndRecoverPIN +``` + + + + +This setting performs a similar function to the LockAndResetPIN node. With LockAndResetPIN any Windows Hello keys associated with the PIN gets deleted, but with LockAndRecoverPIN those keys are saved. After the Exec operation is called successfully on this setting, the new PIN can be retrieved from the NewPINValue setting. The previous PIN will no longer work. Executing this node requires a ticket from the Microsoft credential reset service. Additionally, the execution of this setting is only supported when the EnablePinRecovery policy is set on the client. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | null | +| Access Type | Exec, Get | + + + + + + + + + +## LockAndResetPIN + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/RemoteLock/LockAndResetPIN +``` + + + + +This setting can be used to lock and reset the PIN on the device. It is used in conjunction with the NewPINValue node. After the Exec operation is called successfully on this node, the previous PIN will no longer work and cannot be recovered. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | null | +| Access Type | Exec, Get | + + + + + + + + + +## NewPINValue + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/RemoteLock/NewPINValue +``` + + + + +This setting contains the PIN after Exec has been called on /RemoteLock/LockAndResetPIN or /RemoteLock/LockAndRecoverPin. If LockAndResetPIN or LockAndResetPIN has never been called, the value will be null. If Get is called on this node after a successful Exec call on /RemoteLock/LockAndResetPIN or /RemoteLock/LockAndRecoverPin, then the new PIN will be provided. If another Get command is called on this node, the value will be null. If you need to reset the PIN again, then another LockAndResetPIN Exec can be communicated to the device to generate a new PIN. The PIN value will conform to the minimum PIN complexity requirements of the merged policies that are set on the device. If no PIN policy has been set on the device, the generated PIN will conform to the default policy of the device. A Get operation on this node must follow an Exec operation on the /RemoteLock/LockAndResetPIN or /RemoteLock/LockAndRecoverPin node in the proper order and in the same SyncML message. The Sequence tag can be used to guarantee the order in which commands are processed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + + + + + + +## Related articles + +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/remotelock-ddf-file.md b/windows/client-management/mdm/remotelock-ddf-file.md new file mode 100644 index 0000000000..e3072a93ef --- /dev/null +++ b/windows/client-management/mdm/remotelock-ddf-file.md 
@@ -0,0 +1,149 @@ +--- +title: RemoteLock DDF file +description: View the XML file containing the device description framework (DDF) for the RemoteLock configuration service provider. +author: vinaypamnani-msft +manager: aaroncz +ms.author: vinpa +ms.date: 02/17/2023 +ms.localizationpriority: medium +ms.prod: windows-client +ms.technology: itpro-manage +ms.topic: reference +--- + + + +# RemoteLock DDF file + +The following XML file contains the device description framework (DDF) for the RemoteLock configuration service provider. + +```xml + +]> + + 1.2 + + + + RemoteLock + ./Device/Vendor/MSFT + + + + + + + + + + + + + + + + + + 10.0.10586 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + + + Lock + + + + + + Required. The setting accepts requests to lock the device screen. The device screen will lock immediately if a PIN has been set. If no PIN is set, the lock request is ignored and the OMA DM (405) Forbidden error is returned over the management channel. All OMA DM errors are listed here in the protocol specification + + + + + + + + + + + + + + + + LockAndResetPIN + + + + + + This setting can be used to lock and reset the PIN on the device. It is used in conjunction with the NewPINValue node. After the Exec operation is called successfully on this node, the previous PIN will no longer work and cannot be recovered. + + + + + + + + + + + + + + + + LockAndRecoverPIN + + + + + + This setting performs a similar function to the LockAndResetPIN node. With LockAndResetPIN any Windows Hello keys associated with the PIN gets deleted, but with LockAndRecoverPIN those keys are saved. After the Exec operation is called successfully on this setting, the new PIN can be retrieved from the NewPINValue setting. The previous PIN will no longer work. Executing this node requires a ticket from the Microsoft credential reset service. 
Additionally, the execution of this setting is only supported when the EnablePinRecovery policy is set on the client. + + + + + + + + + + + + + + 10.0.15063 + 1.0 + + + + + NewPINValue + + + + + This setting contains the PIN after Exec has been called on /RemoteLock/LockAndResetPIN or /RemoteLock/LockAndRecoverPin. If LockAndResetPIN or LockAndResetPIN has never been called, the value will be null. If Get is called on this node after a successful Exec call on /RemoteLock/LockAndResetPIN or /RemoteLock/LockAndRecoverPin, then the new PIN will be provided. If another Get command is called on this node, the value will be null. If you need to reset the PIN again, then another LockAndResetPIN Exec can be communicated to the device to generate a new PIN. The PIN value will conform to the minimum PIN complexity requirements of the merged policies that are set on the device. If no PIN policy has been set on the device, the generated PIN will conform to the default policy of the device. A Get operation on this node must follow an Exec operation on the /RemoteLock/LockAndResetPIN or /RemoteLock/LockAndRecoverPin node in the proper order and in the same SyncML message. The Sequence tag can be used to guarantee the order in which commands are processed. + + + + + + + + + + + + + + + + +``` + +## Related articles + +[RemoteLock configuration service provider reference](remotelock-csp.md) diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml index 7811222f80..65d19347b2 100644 --- a/windows/client-management/mdm/toc.yml +++ b/windows/client-management/mdm/toc.yml @@ -830,6 +830,11 @@ items: items: - name: RemoteFind DDF file href: remotefind-ddf-file.md + - name: RemoteLock + href: remotelock-csp.md + items: + - name: RemoteLock DDF file + href: remotelock-ddf-file.md - name: RemoteWipe href: remotewipe-csp.md items:
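Review bot: In remotelock-csp.md, the NewPINValue description names the same node twice in "If LockAndResetPIN or LockAndResetPIN has never been called"; the second name should be LockAndRecoverPIN, since the sentence before it lists both Exec nodes. The same paragraph writes the path as /RemoteLock/LockAndRecoverPin, while the tree, the heading and the node URI all use LockAndRecoverPIN; pick the one casing so readers copying the path get the documented node name. That paragraph also says a further reset is done with "another LockAndResetPIN Exec" without saying whether LockAndRecoverPIN can be repeated the same way; state it either way. In the Lock section, "All OMA DM errors are listed here in the protocol specification" has no link behind "here", so add the link or reword the sentence. Minor grammar in LockAndRecoverPIN: "any Windows Hello keys associated with the PIN gets deleted" should read "get deleted".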
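Review bot: In remotelock-ddf-file.md, the NewPINValue description carries the same "If LockAndResetPIN or LockAndResetPIN has never been called" duplication and the /RemoteLock/LockAndRecoverPin casing as the CSP page, so the correction needs to be made in both files (or in whatever source both are produced from) to keep them in sync. The Lock description here also ends at "listed here in the protocol specification" with no closing period and no target for "here", which differs from the CSP page only by the missing period; align the two. The NewPINValue text is the only place that tells a server author the Get must follow the Exec "in the same SyncML message" and that a second Get returns null, so it is worth keeping this wording exact and consistent across both pages.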